5 Key Elements of Successful Knowledge Transfer in Incident Response

In our recent blog post, we discussed the need for knowledge transfer and why it has to become a crucial part of the incident response process and an organization’s security program. This time we will take a closer look and take the topic one step further to discuss how to successfully implement knowledge transfer in incident response.


It’s important to note that knowledge transfer within an organization does not only happen within Security Operations Centers (SOCs) between incident responders and must also include other departments involved in the IR process. The Legal department should be included in order to ensure and oversee regulatory compliance as well as the Human Resources team to monitor the security incident processes that take place across the entire organizational landscape. Last but not least, management stakeholders need to be updated on areas such as ROI to ensure they have the latest data available to make key decisions.

Based on the need for knowledge transfer in incident response and the difficulties it currently presents within security teams, this blog post focuses on the details of 5 key elements needed for achieving successful knowledge transfer.

  1. Understanding your audience – knowing the people who are going to receive the knowledge that you’re going to put out (for example, you’re not going to use technical terms for a legal audience).
  2. Develop a focused curriculum – creating a curriculum that’s engaging to the audience you are going to work with.
  3. Designate the appropriate delivery method – there’s a number of different delivery methods for moving the transfer of knowledge (for example automated, manual or a combination of both).
  4. Designate a messenger – this is probably one of the most critical parts of the five key elements because you’ll want someone who is going to be speaking from the point of view of actually having been there, or having experienced the things they are to deliver.
  5. Evaluate the results – Is it the right information that we’re pushing forward? Is this what they need to be successful? Is there a way to edit this information efficiently and effectively to keep it up to date?
Breaking Down the Elements

Now let’s break down the components of knowledge transfer in incident response in more detail and see how we can implement them individually to achieve success.

Understanding your audience

You must provide as much context as possible to ensure the clarity of the task. Moreover, providing context is essential for people to pull that information in and process it within their own experience. Another important step is to identify who will actually be getting the most benefit from the information, not just who may top the organizational charts – the people who are actually expected to accomplish the tasks are the priority.

Craft the message to the audience (IT jargon with legal and HR folks could result in blank faces).  Make sure that you craft your message so that the audience understands what you’re trying to deliver. Don’t be afraid to schedule time after the training session for follow-up questions. This is sometimes your most valuable interaction with the attendees.

Developing focused materials

The information transfer should focus on clearly defined goals for the identified audience, for example, ITSEC has one set of goals, legal another, senior stakeholders yet a third. Focus the information on those tasks that are relevant to resolving the identified issues – you should make sure to address only those tasks that are critical to solving a certain issue.

Materials should be based on regulations and standards. If there isn’t a defined set of regulations, utilize your local policies and best practices from the industry. All of these things ensure validity in the process of knowledge transfer.

Determining the appropriate delivery method

This can be performed manually or automatically. If it is done manually, the following tips should be taken into consideration:

  • Have regularly scheduled training sessions – having someone in, take a seat – this can sometimes be tricky because you might be pulling people during their off time, or you have to do it in shifts
  • Internal methods of communication – this will help passing messages along, or use some type of a chat, intranet, or something similar to that nature, so people can stay in tune with what exactly is happening
  • Access to webinars and online content – this is more self-styled; if an incident responder hesitates on how to do a particular task, they can look for a webinar online or content that has the answers from previous historic events.

On the other hand, if this is performed automatically, then the following steps should be considered:

  • Have a formalized knowledge base – this basically means that you can put all of the knowledge transfer articles in one centralized database which is easily accessible
  • Create structured playbooks – these are an integrated part of security orchestration automated response – incident responders are using them now as part of their incident management program. Being able to use structured playbooks to transfer knowledge is like killing several birds with one stone.
Designating a messenger

In order to choose the most suitable person for this position, there are a number of qualifying factors to take into consideration. The best candidate should be an expert in the subject matter, should allow a cross-section of subject matter experts to contribute and also ensure they are part of periodic reviews.

Evaluating the results

As the final step of the process, it is key to ensure results are evaluated and this is an integral part of the post-incident response process. It should be determined if the knowledge transfer process was effective, was any information missing or could any further processes be improved in the future. Based on these evaluations and developments, training materials should be updated and also undergo periodic reviews to ensure they remain up to date.

Final thoughts

With all of the above said, it can be easily concluded that knowledge transfer loses its main purpose when executed ad-hoc and in an informal manner. Organizations need to figure out the importance of knowledge transfer and come up with a structured, multi-layered program that will be designed to be of service to all stakeholder audiences and more importantly, is in line with the goals of the organization and the needs of the clients.  In the case of incident response, implementing an automated approach, using a centralized database, with designated playbooks for different incident types will ensure knowledge transfer is consistent and repeatable and remains within the business.

If you would like to learn more about how to facilitate knowledge transfer, in particularly within security operations and by utilizing security orchestration, automation and response, check out our recent webinar hereHow to Facilitate Knowledge Transfer within SecOps Utilizing SOAR Technology”.

Why Knowledge Transfer is Crucial in Incident Response

One common challenge for organizations in both the public and private sector that’s almost ubiquitous, is how successfully knowledge transfer happens between employees in a consistent way. A process for training and knowledge transfer often seems to be a low priority when other items are competing for time and money. As a result, knowledge transfer becomes somewhat an ad-hoc process. There’s frequently no formalized processes in place and this leads to inconsistent and unreliable performance of security team members.

What is knowledge transfer and why do we need it?

Essentially, it’s the transfer of knowledge related to incident response processes, intelligence, and procedures from senior, more experienced incident responders to less experienced ones, acting as an organizational force multiplier. “Force multiplier” here means taking existing resources and preparing them in a way that improves your organization’s or team’s processes. Depending on the industry, sometimes this is referred to as “tribal knowledge”.

Why do we need knowledge transfer as part of our IR infrastructure?

As threats evolve, our response capabilities have to evolve too. So how do we make sure that the knowledge picked up during an investigation by one incident responder is effectively communicated to the other team members? We all know that experience is the best teacher, but transferring the experience they have garnered from previous investigations can be time-consuming. One thing that incident response teams don’t have is a plethora of time to afford spending on all the tasks that need to be done. Therefore, a training program has to be built on a foundation of knowledge application (how it was effectively used), and not merely on the provision of knowledge (this usually comes out as anecdotal examples that frequently lack validity).

Knowledge transfer provides us with three key elements needed for a successful incident management process. That process has to be repeatable, defensible and consistent. Unfortunately, there are still many organizations that lack the capacity to transfer the knowledge and skills among employees, and a lot of the time as a senior more experienced expert leaves so does their knowledge. This is a significant issue that should be addressed and steps need to be taken in order to manage and mitigate this in the future.

Knowledge transfer is such an important segment of cybersecurity, it is strange how it’s still not a core part of SOC operations. There is hardware and software personnel leading to a growing necessity for integrating knowledge transfer into SOCs. Unfortunately, training doesn’t have a high priority when team members get so many alerts daily and are always reacting to the next potential serious incident. Typically an analyst joins an organization and they’re handed basic information and are thrown into the deep, without really having a good knowledge foundation.

Another important point to highlight is the difficulty to gauge the ROI. If you take an analyst that is untrained and measure how long it takes them to work on an incident compared to an analyst who is trained, it is a time-consuming process in itself. So, if we can’t gauge the ROI (it quickly becomes a non-priority considering the importance of SOC metrics, for example, mean time to detection, mean time to response and the number of incidents handled.

There are other alternatives to a formalized process, but with no structure it is easy for something such as an internal shared drive to become a dumping ground for information, leaving small positive impact on the daily operations.

Knowledge transfer doesn’t just concern incident responders. Legal experts need to be included for GDPR compliance and HR for personnel issues considering the dangers of insider threats. HR should be working closely with all teams and must be aware at all times of the processes taking place within the security team.

And finally, the stakeholders for ROI considerations and funding. It’s important that they know exactly how your processes and procedures work, even if it’s at a high level, so when the time comes to present quarterly reports and present them to the board, they’re have firm understanding exactly how it contributes to a positive ROI.

These are just some of the factors that determine why knowledge transfer should be a fundamental part of SOC operations and if knowledge transfer can be effectively facilitated it can have a positive impact on individual analysts, security teams and overall performance.  

In a future blog we will discuss the 5 key elements of implementing successful knowledge transfer in incident response, but if you can’t wait, why not check out our recent webinar on-demand now “How to Facilitate Knowledge Transfer in SecOps Utilizing SOAR Technology”.