Institutional knowledge is leaving companies at a rapid rate. Employees are very mobile, moving between companies fairly rapidly. Just as they learn something important, they are out the door. That knowledge is not always transferred to others staying behind. Here one day, gone the next. How can you explain a business decision, technology decision, or any other decision without information? Architects, developers, and business folks should be writing documents to cover all major decisions, but these documents are written long after the decisions have been made. We lack the reasons behind the decisions, the original questions asked, and all the work leading up to the decisions. We do not want to lose institutional knowledge. Now, into this breach comes a new set of tools.

There has been an uptick in ChatOps-style tools. These tools use chat functionality to capture conversations for later perusal, training, and even automation. Many of these tools have been used for years for troubleshooting. These tools bring the team together in ways we are only now beginning to fully understand. They also keep institutional knowledge within the organization. What makes them so useful? Why are they now prevalent? Why use specialized tools and not just social media tools?
The original chat-like interfaces were part of troubleshooting and problem-reporting tools. However, they weren’t instantaneous, and they didn’t record. Internet Relay Chat, Jabber, and other instant messaging tools initiated a change, offering real-time conversations. However, unless participants wanted to capture a conversation themselves, it was not readily available for recall.

Today there are a number of tools that serve specific parts of the IT stack, including the original troubleshooting use case. They record all conversations. These conversations can then be searched to determine the solution or possible solutions to similar issues. The data can be searched to find the why of a decision as well as the when. There are a number of general-use products from Moogsoft, Slack, and others. There is a growing number of ChatOps interfaces that are specific to security.

One million security analysts will be needed over the next year. There are one million open security job requisitions. There are just not enough people to fill this need. Into this breach comes automation, data capture, and training tools built around a chat interface commonly referred to as ChatOps. Companies such as Attivo Networks and Demisto have such interfaces.
There is a great benefit to using these styles of tools to share findings, ask questions of team members, get team member input, and engage in all the general niceties of team communication. However, these tools also come into play to fulfill another need. We can search the data for repetitive conversations and activities, and then script those activities. We can use the tools as a basis for finding repetitive automatable IT actions. We can also find where we have common solutions and automate those solutions upon request.
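A minimal sketch of that search for repetitive activities, added here as an illustration and not taken from any of the products named above. It assumes a constructed chat export in which analysts prefix commands with `running:` (a hypothetical convention), replaces incident-specific values with placeholders, and ranks command templates by how many distinct incidents they appear in.

```python
import re
from collections import defaultdict

# Constructed sample export: (incident channel, author, message). Not real data.
CHAT_LOG = [
    ("inc-101", "ana", "running: whois 203.0.113.7"),
    ("inc-101", "ben", "running: grep 203.0.113.7 /var/log/proxy.log"),
    ("inc-101", "ana", "looks like a scanner, closing"),
    ("inc-102", "cho", "running: whois 198.51.100.23"),
    ("inc-102", "cho", "running: grep 198.51.100.23 /var/log/proxy.log"),
    ("inc-103", "ben", "running: whois 192.0.2.55"),
    ("inc-103", "ben", "running: dig mail.example.com"),
    ("inc-103", "ana", "running: whois 192.0.2.55"),
]

# Incident-specific values are swapped for placeholders so that the same
# action against different targets collapses into one template.
PLACEHOLDERS = [
    ("<IP>", re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")),
    ("<HASH>", re.compile(r"[0-9a-fA-F]{32,64}")),
    ("<HOST>", re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)),
]

def normalize(command):
    """Replace whole tokens that are IPs, hashes or hostnames."""
    out = []
    for tok in command.split():
        for name, rx in PLACEHOLDERS:
            if rx.fullmatch(tok):
                tok = name
                break
        out.append(tok)
    return " ".join(out)

def automation_candidates(log, min_incidents=2):
    """Return (template, incident count) for commands seen across incidents."""
    seen = defaultdict(set)
    for channel, _author, text in log:
        m = re.match(r"running:\s*(.+)", text)  # assumed command prefix
        if m:
            # Count distinct incidents, so one analyst repeating a command
            # inside a single incident does not inflate the ranking.
            seen[normalize(m.group(1))].add(channel)
    ranked = sorted(seen.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(tpl, len(chs)) for tpl, chs in ranked if len(chs) >= min_incidents]

if __name__ == "__main__":
    for template, count in automation_candidates(CHAT_LOG):
        print(f"{count} incidents: {template}")
```

Templates that recur across incidents, such as the IP lookup in this sample, are the first candidates to script and expose as a chat command.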
Here is a list of items these tools can address:

  • As a repository of knowledge
  • Finding automatable business processes
  • Finding and documenting processes (good, bad, or other)
  • Having a searchable history of all work that leads up to a technological or business decision
  • Replacing, in some cases, a lab book
  • Searching history for solutions to new but similar problems
  • Storing collected data for incident response
  • Training across work locations
  • Recording communications across work locations
  • Serving as a basis for finding similar issues or solutions

For incident response, such a tool is incredibly helpful. You automate what you can and leave the rest to be done by the experts, while training those who wish to learn. Involving others in the conversations allows those who do not necessarily have the skill to ask questions or to learn from existing conversations. New people will have different insights that will be helpful.
In essence, the institutional knowledge of an organization stays within the organization. That knowledge, history, and discovery can be used to train others, create use cases, even discuss the future. Incident response needs a communication platform that has those capabilities: one that automates what it can, becomes a source of knowledge for future problems and solutions, and allows remediation to happen. In effect, the experts do what they do best, but the recording allows others to find how they achieved a solution. Such a tool can become the source of knowledge for the why, the how, and the when of a decision or response. It can also be the tool that shows how many actions are repeatable. Perhaps it is just little bits of data gathering that are repeatable. Put those little bits together and you end up with a product, a time saver, or a new streamlined process.