Most organizations don't do a good job of documenting institutional knowledge, a Forrester analyst says. Pictured: A "Help Wanted" sign is displayed at a gas station on June 23, 2021, in Los Angeles. (Photo by Mario Tama/Getty Images)

You have planned for earthquakes, power outages, and massive breaches. Have you planned for the level two analyst who is the only person who knows how to use the most jury-rigged depths of your security stack taking a job somewhere else?

Succession planning is often considered an executive concern — who is next in line to be CISO? Who is next in line for a managerial role? But lower-level employees, too, have years of hard-learned institutional knowledge specific to the enterprise that a replacement may have to learn on the fly.

In a new Forrester report, senior analyst Jess Burn talks about succession from the bottom to the top. SC Media spoke with her about how and why enterprises need to consider succession at all levels.

There's a feeling sometimes that enterprises can replace someone who leaves with anyone who has equivalent technical knowledge. In the report, you cite several examples of employee turnover before major breaches. What you're saying in the report is that enterprise-specific knowledge matters.

There's a loss of institutional knowledge. That's, I think, where a lot of these vacancies lead to breaches. If you've had somebody that's been with the organization for a good number of years, and that person now has a job that encompasses maybe the requirements of three different roles, and that person walks out the door without transferring any of that knowledge to anyone else, then when you bring someone in, that person still is going to take a year or more to understand where the bodies are buried. It takes time to really understand how the systems work together, how to get the right telemetry and how to look at things correctly to understand what might be happening from a detection and response perspective or a risk perspective.

Most companies don't do a very good job of documenting institutional knowledge at all. There's nothing for people to even refer to if that person has left, there isn't even any training that's going to make up for that loss of institutional knowledge. And that's where I think a lot of the vulnerability for those prolonged vacancies is what walks out the door.

And most companies have some aspects of security that have just been sewn together. Some systems are integrated with homegrown middleware and applications that only someone who's been there for five to 10 years understands.

Then, how do you train for institutional knowledge?

If you're home-growing people, that's job rotations. The example that I listed in the report of Highmark Health and the CISO there, Omar Khawaja is fantastic. He actually, you know, hired someone specifically to do learning design and organizational design, like someone whose background is really HR and has applied that to security.

They instituted an incredible job rotation program that includes his own job. People take it over for a period of time where he can only really be contacted in an absolute emergency, and then those people take all of that learning, bring it to the role and get them prepared for the next step.

Where the institutional knowledge comes from is shadowing. That's tough for security, because people are typically short on time, so this is a mindset change. Managers have to put in the time; they have to agree to be mentors. At Highmark Health, when I was speaking with him, he said, "You know, some people just didn't want to do that." He had to find the right crew of people that were willing to put in that time to be mentors and help people and have them shadow colleagues on job rotations.

From an employee perspective, a lot of people like to make sure they are the only ones who can do something to stay indispensable to a company. How do you shift that mindset?

I think that probably comes down to company culture, too. Providing incentives for knowledge sharing is probably the way to go, making sure that this person understands that there there are real rewards for them to get to their own next step.

The thing about people not wanting to share information is that they may not think there's another path for advancement, that for them, this is it — this is the only job that they have. And if they lose this, you know, there's nowhere else for them to go. So being able to provide another path for advancement, a path to seniority, may give them that incentive to share that institutional knowledge and prepare that next generation of people coming up behind them. There's got to be a reason. I think those folks that are prone to hoarding need to know that they, too, are going to be filling somebody else's shoes. To me, succession planning is really just this long clear path for advancement