Many information security companies struggle with changing their culture. It can be difficult to get an InfoSec team to focus fully on the issues that are important to the long-term health of the business: customer experience and process improvement. This article (part of a series) looks at some methods to implement cultural change at an InfoSec company in ways that will be sustainable and won’t alienate your team members.
In previous articles in this series on differentiating your InfoSec consulting company, we’ve talked about the importance of two core areas:
—Process improvement and
—Improving the customer experience
Almost everyone would agree these are worthwhile aims. We all want our processes to get better and more efficient, and we all want clients to be satisfied with our work. Truly improving in these areas requires a culture aligned with these values.
But the nature of many InfoSec companies can make it difficult to change the culture. For one thing, there is often a rather frantic focus on just getting projects finished, and this doesn’t leave time to discuss bigger-picture philosophies or to get everyone on board for a larger process change.
Also, the high value of technical talent often means that managers are hesitant to tackle process changes. They don’t want to take the risk of aggravating talent; they want to keep them happy. Keeping talent happy is a great goal, of course; it only becomes a negative when it interferes with other important areas of improvement.
In this article, we’ll go over some strategies for enacting sustainable process change at your InfoSec company whilst keeping your team members happy. This article will assume you have either already read the other articles in our series or that you have some specific cultural changes you want to implement but are having some problems.
Any meaningful improvement to a product or service will stem from a focus on the client experience. And most team members do want their clients to have a good experience.
But you must explain to your team members why your proposed changes are important to your clients. For example, it’s not enough to simply command: “Starting today, you must create testing methodologies after every project and share them with the team.” Your team must understand the full chain of events that makes a new procedure important, which would go something like this:
1. Improving methodologies means less time spent on easily repeatable tasks.
2. Less time spent on easily repeatable tasks means more time spent on unique project challenges.
3. More time spent on unique challenges means better service for the client.
And they should understand the downside to continuing to do things the old way. For example, when all team members use their own methodologies and there is no consistency from project to project, this hurts the client’s experience (especially for repeat clients).
Major takeaway: Talk to your team about the greater philosophical reasons for your changes. Make them see that you are doing this for the customer.
In a similar way, team members need to see how changes help them do their job more easily and help them hone their craft. The logic here is basically:
1. Making procedures more efficient means team members spend less project time on easily repeatable tasks.
2. This leaves team members more project time for doing the fun and creative hacking, the stuff they love to do.
3. More time spent on interesting and challenging hacking makes a hacker smarter and better at his job, which improves his standing in the industry, increases his reputation, pay rate, etc.
To create real cultural change, it’s necessary to get true buy-in from everyone. And this means that your team needs to see what’s in it for them. The more you can make them see what’s in it for them, the more buy-in you get and the easier it is to shift the culture.
If you haven’t already, check out one of our past articles on how more process standardization can, perhaps counterintuitively to some people, actually increase creativity.
If a large company change does not have the buy-in of senior and influential members of your team, it probably won’t succeed. For example, if a senior tester or manager openly denigrates a new process, that has a huge impact on whether the people working with him will be more or less likely to use it.
To mitigate this conflict, try to help these team members understand the importance of the changes you’ve put in place, both for your clients and for them personally. Also explain that their buy-in is especially important in creating a trickle-down effect in the company.
An important point: You may have employees who are not technically in powerful positions but who nonetheless may be very socially influential. It’s important to discover who those team members are so you can do your best to persuade them, too.
A potential stumbling block: One possible obstacle is that some of your more senior team members may have had negative past experiences with failed process overhauls. They may be thinking, “Yeah, I’ve seen people try to do this kind of thing before. It’s pointless and won’t work.” This is actually a great opportunity to ask those members about those past attempts at change. What worked and why did it work? What didn’t work and why not? If you give them a chance to be a part of the discussion, they will feel more involved and positive about the effort.
When you try to sell the changes to your team, use real stories and anecdotes. Real stories are powerful and convincing and help people see the value of the new way of doing things. This is why companies use testimonials from customers to show the value of their products. Put another way, what you are doing is selling ideas to your team, so be willing to use any promotional tactics at your disposal.
For example, at a team meeting, you can talk about how a new procedure resulted in measurable positive results for a specific client, and read a testimonial from the satisfied client. Go on to explain how that got you thinking about extrapolating similar results across the board, and how that translated into the changes that you are going to be implementing over the next few weeks.
The key message to convey is that new ideas are not coming out of thin air; they are grounded in solid value added to your clients, the company or the team. You just need to find the right way to let team members know how you got to the conclusions you did, and what needs to happen next.
Or you can get a team member to describe how a new procedure saved them time on a project and how they had more time to devote to tests that were actually intellectually engaging.
These days, most InfoSec companies rely on remote workers. If you have remote workers, don’t forget about them. Process changes need to be done company-wide or it’s unlikely they’ll be successful.
Plan ways to communicate the new processes to your remote workers. When was the last time you had a one-to-one with each of your remote workers? How can you expect them to be invested in and on board with new processes if you haven’t checked in with them for several months?
Schedule video conferences and make sure your team knows that these are important events. If anyone can’t attend them (e.g. they need to be off-site for a client visit), go out of your way to bring them into the loop. You need to reach out to everyone and take the time to explain the importance of what you are doing, if you want them to embrace your ideas.
If at all possible, consider having all your workers travel to a single location to roll out and talk about the new changes.
When the goals of a change initiative are too vague, the initiative will rarely succeed. You need to have goals that are measurable, so that you know if the cultural changes are sticking. You need to have goals that can fail, so that you know when you are not succeeding.
For example, if one of your goals is something ambiguous like “Improve internal understanding of tech methodologies,” there is no real way to measure that. You will never know if you’ve actually succeeded. So make your goals concrete and measurable, like “Review 1-2 methodologies each month.”
It can be daunting to create large cultural and procedural changes at a company, we know, especially because the people responsible for those changes can sometimes be blamed for things that go wrong.
So it’s worth pointing out that some of the best and most long-lasting process improvements start small and grow from there. You should focus on making small but lasting and widely-used improvements.
You don’t have to roll out a hugely complex series of changes all at once. Instead, you can make small changes that create noticeable benefits, then track and measure them. This will create a snowball effect that leads to bigger and more widespread changes.
For some of our best ideas on making this happen in your company, read “Getting Quick Wins”.
Next...
Hopefully this article has shown you a few ideas for creating long-lasting, sustainable cultural change at your InfoSec consulting company. If you liked this article, check back on our site for future related articles.
Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.
Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.