Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.”

Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant to cybersecurity.

Both the National Institute of Standards and Technology (NIST) and the SANS Institute describe the learning phase of incident response as one of the most crucial steps, helping businesses to refine and strengthen both their prevention and response protocols.

However, 42% of businesses fail to review and update their incident response plans on a regular basis. If you find yourself experiencing the same security breaches over and over again, you might be one of them. Here’s why you should actively learn from the experience, and how to go about it.

Lessons Learned Session

A lessons learned session takes place after the resolution of a security incident. It involves taking stock of the incident; getting to the root of how and why it happened; evaluating how well your incident response plan worked to resolve the issue; and identifying improvements that need to be made.

Identifying Areas of Weakness

The most obvious benefit of a lessons learned session is that it helps you to identify gaps in your organizational security practices. Was the lapse due to human error? Systems failure? Inadequate security practices? If you don’t know these problems exist, you can’t take the appropriate action to fix them.

Improving Incident Response

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was. For example, were you able to respond quickly and effectively, or did red tape get in the way? Did your team know exactly what to do, or did they struggle to remember their training? Questions like these will highlight areas that need to be improved for next time.

Recognizing the Positive

Don’t just focus on what went wrong in a lessons learned session; it’s also important to highlight what went well. Taking the time to identify successful elements of your response can help to inform robust future security practices while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

Just as frameworks like NIST 800-171 require you to periodically test your Incident Response processes using activities like tabletop exercises, incorporate your lessons learned sessions into these activities as well. Not only will that lead to improvements in your incident response plan, but it will train your teams in how to do effective lessons learned analysis.

The Lessons Learned Process

According to Lessons learned: taking it to the next level, an incident response paper by Rowe and Sykes, lessons learned sessions are most effective when they follow a well-defined five-step process:

  1. Identify and collect all comments and recommendations that may be useful for future projects.
  2. Document all findings and share them with key stakeholders.
  3. Analyze and organize all documentation for future application.
  4. Store documentation in a repository that can be accessed by all key stakeholder.
  5. Retrieve documentation for use on current or future incidents.

This process should be implemented as soon as possible after an incident when the particulars are still fresh in everybody’s minds. In fact, if the incident will take an especially long time to resolve, then beginning the process even sooner might uncover helpful information to support the resolution.

Stakeholders from as many key groups as possible should be present for lessons learned sessions. It’s especially important to have representatives from your IT and executive teams, as the former will be able to implement recommendations and the latter will be able to authorize action and remove bureaucratic obstacles.

We’ve Held a Lessons Learned Session — What Next?

Your lessons learned session will likely turn up numerous security gaps, weaknesses, and other areas that need attention. This is the part that often discourages businesses from lessons learned sessions in the first place — after all, if you go looking for problems to fix, then you must fix them! If you don’t have the time or money to do this, then it’s tempting to skip this step altogether and hope for the best.

With the financial impact of the average data breach running into hundreds of millions, this strategy is only going to cost you more money in the long run. Instead, face the incident head-on and use the lessons learned session as an opportunity to proactively fortify your business against future threats.

Here are some examples of actions you might take to improve your cybersecurity and incident response for next time:

  • If you found that the incident occurred because your staff missed the signs of a threat or were unsure how to respond, then you may invest in more comprehensive and/or frequent training.
  • If bureaucratic layers slowed down your response, you might meet with the C-suite to request executive delegation in future emergency situations, and enshrine this in your incident response plan.
  • If a loophole in one of your systems was exploited, conduct a thorough review of the system to ensure it is fit for purpose and replace if necessary.

Whatever you do, though…

Don’t Let History Repeat Itself

Every incident has a lesson to teach you, but we know that implementing these lessons isn’t always easy. That’s why CyberSheath specializes in providing comprehensive, affordable incident response solutions to businesses like yours. Contact us today to find out how we can help.


Join our May 29th 12 pm ET webinar Mastering CUI Boundaries: A Comprehensive Guide to Scoping, SPRS Input and Audit Navigation.
This is default text for notification bar