5 Key Elements of Successful Knowledge Transfer in Incident Response


In our recent blog post, we discussed the need for knowledge transfer and why it has to become a crucial part of the incident response process and of an organization’s security program. This time we take the topic one step further and look at how to implement knowledge transfer in incident response successfully.

Background

It’s important to note that knowledge transfer within an organization does not happen only inside the Security Operations Center (SOC), between incident responders; it must also include the other departments involved in the IR process. The Legal department should be included to ensure and oversee regulatory compliance, and the Human Resources team to monitor the security incident processes that take place across the entire organization. Last but not least, management stakeholders need to be kept up to date on areas such as ROI so that they have the latest data available when making key decisions.

Based on the need for knowledge transfer in incident response and the difficulties it currently presents within security teams, this blog post focuses on the details of 5 key elements needed for achieving successful knowledge transfer.

  1. Understand your audience – know the people who are going to receive the knowledge you are putting out (for example, you are not going to use technical terms with a legal audience).
  2. Develop a focused curriculum – create a curriculum that is engaging for the audience you are going to work with.
  3. Designate the appropriate delivery method – there are a number of different delivery methods for transferring knowledge (for example automated, manual, or a combination of both).
  4. Designate a messenger – this is probably the most critical of the five elements, because you want someone who speaks from the point of view of actually having been there, of having experienced the things they are going to deliver.
  5. Evaluate the results – Are we pushing forward the right information? Is this what the audience needs to be successful? Is there a way to edit this information efficiently and effectively to keep it up to date?

Breaking Down the Elements

Now let’s break down the components of knowledge transfer in incident response in more detail and see how we can implement them individually to achieve success.

Understanding your audience

Provide as much context as possible to make the task clear. Context is also what lets people pull the information in and process it against their own experience. Another important step is to identify who will actually get the most benefit from the information, not just who sits at the top of the organizational chart: the people who are actually expected to accomplish the tasks are the priority.

Craft the message to the audience (IT jargon with legal and HR folks could result in blank faces). Make sure that you craft your message so that the audience understands what you’re trying to deliver. Don’t be afraid to schedule time after the training session for follow-up questions. This is sometimes your most valuable interaction with the attendees.

Developing focused materials

The information transfer should focus on clearly defined goals for the identified audience: IT security has one set of goals, legal another, senior stakeholders yet a third. Limit the material to the tasks that are critical to resolving the identified issue; anything else dilutes the message.

Materials should be based on regulations and standards. If there isn’t a defined set of regulations, utilize your local policies and best practices from the industry. All of these things ensure validity in the process of knowledge transfer.

Determining the appropriate delivery method

This can be performed manually or automatically. If it is done manually, the following tips should be taken into consideration:

  • Hold regularly scheduled training sessions – bringing people into a room can be tricky, because you may be pulling them in during their off time or have to run the session in shifts.
  • Use internal methods of communication – a chat channel, the intranet, or something similar helps pass messages along so people stay in tune with what is happening.
  • Provide access to webinars and online content – this is more self-directed; if an incident responder is unsure how to do a particular task, they can look for a webinar or for content that holds the answers from previous incidents.

On the other hand, if this is performed automatically, then the following steps should be considered:

  • Have a formalized knowledge base – put all of the knowledge transfer articles in one centralized, easily accessible repository.
  • Create structured playbooks – playbooks are an integral part of security orchestration, automation and response (SOAR), and incident responders already use them as part of their incident management program. Using structured playbooks to transfer knowledge at the same time is like killing several birds with one stone.
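To make the idea of a playbook that doubles as a knowledge base concrete, here is an added example (not DFLabs or IncMan code, and not a product schema). It assumes a hypothetical playbook format in which every step records not only the action but the owner, the rationale, and the policy or standard that justifies it, plus a short summary per audience and a last-reviewed date. A small lint function then flags the gaps that would make the playbook a poor knowledge-transfer vehicle, and `brief()` renders the subset an individual audience needs.

```python
"""Added example: treating a structured playbook as a knowledge base and
linting it for missing responder context. Hypothetical format; the sample
playbook below is constructed for illustration only."""
from datetime import date, timedelta

# Assumption: materials are reviewed at least twice a year.
REVIEW_INTERVAL_DAYS = 180

# Every step must carry the context a newcomer needs to execute it alone.
REQUIRED_STEP_FIELDS = ("action", "owner", "why", "reference")

# Every audience named in the article gets its own plain-language summary.
REQUIRED_AUDIENCES = ("soc", "legal", "management")

# Constructed sample playbook (hypothetical; not from any real incident).
SAMPLE_PLAYBOOK = {
    "name": "phishing-reported-by-user",
    "last_reviewed": "2024-01-15",
    "audiences": {
        "soc": "Contain the message, block the sender, and collect headers.",
        "legal": "Assess whether any personal data left the organization.",
        "management": "One user-reported phish; no confirmed data loss so far.",
    },
    "steps": [
        {"id": 1, "action": "Export original message headers from the mail gateway",
         "owner": "soc", "why": "Headers identify the true sending host and any relays",
         "reference": "Internal IR policy 4.2"},
        # Missing rationale: a new responder would not know why this matters.
        {"id": 2, "action": "Block the sender domain at the gateway",
         "owner": "soc", "why": "", "reference": "Internal IR policy 4.3"},
        # Missing reference: the step has no regulatory or policy grounding.
        {"id": 3, "action": "Notify Legal if personal data was disclosed",
         "owner": "legal", "why": "Breach notification deadlines may apply",
         "reference": ""},
    ],
}


def lint_playbook(playbook, today=None):
    """Return a list of findings describing missing knowledge-transfer context."""
    today = today or date.today()
    findings = []

    # Each audience needs a summary in its own language, not just the SOC's.
    audiences = playbook.get("audiences", {})
    for audience in REQUIRED_AUDIENCES:
        if not audiences.get(audience):
            findings.append(f"no summary for audience '{audience}'")

    # Each step needs owner, rationale and source, not only the action.
    for step in playbook.get("steps", []):
        for field in REQUIRED_STEP_FIELDS:
            if not step.get(field):
                findings.append(f"step {step.get('id')}: missing '{field}'")

    # Periodic review: stale material silently stops being true.
    last_reviewed = date.fromisoformat(playbook["last_reviewed"])
    if today - last_reviewed > timedelta(days=REVIEW_INTERVAL_DAYS):
        findings.append(f"review overdue: last reviewed {last_reviewed.isoformat()}")

    return findings


def brief(playbook, audience):
    """Render the playbook for one audience: its summary plus the steps it owns."""
    lines = [f"{playbook['name']} ({audience})",
             playbook.get("audiences", {}).get(audience, "(no summary)")]
    for step in playbook.get("steps", []):
        if step.get("owner") == audience:
            lines.append(f"  {step['id']}. {step['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in lint_playbook(SAMPLE_PLAYBOOK, today=date(2024, 9, 1)):
        print("FINDING:", finding)
    print(brief(SAMPLE_PLAYBOOK, "legal"))
```

Running the lint against the constructed sample on 1 September 2024 reports step 2 lacking a rationale, step 3 lacking a reference, and an overdue review; a check like this can run whenever a playbook is edited, so the post-incident review described later on the page becomes a gate rather than a good intention.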

Designating a messenger

In order to choose the most suitable person for this role, there are a number of qualifying factors to take into consideration. The best candidate is an expert in the subject matter, allows a cross-section of other subject matter experts to contribute, and takes part in the periodic reviews of the material.

Evaluating the results

As the final step of the process, results must be evaluated; this is an integral part of the post-incident review. Determine whether the knowledge transfer was effective, whether any information was missing, and whether any further processes could be improved in the future. Based on these evaluations, training materials should be updated and should also undergo periodic reviews to ensure they remain current.

Final thoughts

With all of the above said, it is easy to conclude that knowledge transfer loses its main purpose when executed ad hoc and informally. Organizations need to recognize the importance of knowledge transfer and build a structured, multi-layered program designed to serve every stakeholder audience and, more importantly, aligned with the goals of the organization and the needs of its clients. In the case of incident response, an automated approach, using a centralized knowledge base with designated playbooks for different incident types, ensures that knowledge transfer is consistent and repeatable and that the knowledge stays within the business.

If you would like to learn more about how to facilitate knowledge transfer, particularly within security operations and by utilizing security orchestration, automation and response, check out our recent webinar “How to Facilitate Knowledge Transfer within SecOps Utilizing SOAR Technology”.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request Your Live IncMan SOAR Demo.

DFLabs IncMan SOAR is the pioneering Security Orchestration, Automation and Response (SOAR) platform to automate, orchestrate and measure security operations tasks.

IncMan SOAR harnesses machine learning and automation capabilities to augment human analysts to maximize the effectiveness and efficiency of security operations teams, reducing the time from breach discovery to resolution by up to 80%.

What You'll See in a Demo

See for yourself why IncMan SOAR is the preferred solution of Fortune 500, Global 2000 and MSSP clients. DFLabs IncMan SOAR at a glance:

  • Full and semi-automated Incident Response, improving response times by up to 80%
  • Covers the entire spectrum of IR and SecOps
  • Automated Responder Knowledge (ARK) generated by machine learning
  • Highly flexible and customizable, with over 100 templates and automation actions out of the box
  • Correlation engine correlates all relevant IOCs and artefacts between incidents
  • Multi-tenancy and granular role-based access
  • Dual mode playbooks and intelligence sharing
  • Powerful case management with integrated forensics capabilities.
