In a perfect world, every organization could block every attack, no employee would ever make a mistake, and there would be advance warning that an organization is on some cybercriminal's list of targets. Since organizations operate in a world that is far from perfect, however, they are forced to accept that bad things will happen. History and headlines show that they cannot erect enough barriers to stop cybercriminals from probing their defenses, that they cannot hire perfect employees, and that they must assume their name has already been passed around as a potential target.
One thing they can do, however, is treat each incident as a learning opportunity by conducting a thorough postmortem. To get the most out of a post-incident analysis, organizations should keep two principles in mind: agility and blamelessness.
Agility
To a developer, agility means the Agile development methodology, which offers significant benefits over the traditional waterfall method. More broadly, though, agility is a way of thinking, of processing information and of executing plans. As such, it belongs in the realm of security as much as in the realm of development.
Currently, the advantages of agility tend to be reaped more by cybercriminals than by security professionals. The attackers get to move first, and because they are not bound by compliance obligations or regulations, have no concern for the rights of individuals and do not answer to advocacy groups or government agencies, they hold the advantage. Cybercriminals embrace agility to launch attacks whose tactics can change from one day to the next.
Unless security professionals are as agile as the criminals, they will be limited to reacting to incidents instead of getting ahead of them. One way to help level the playing field is to build in the ability to move quickly when an incident occurs, and that includes a plan for conducting an effective, thorough and efficient postmortem.
A postmortem, however, implies that an incident is over and is now undergoing a final review. A truly agile organization will have conducted at least one retrospective while the incident was still in progress. Agile retrospectives exist to help the team make immediate course corrections; they are about action rather than review.
Blamelessness
The second key to effective retrospectives and postmortems is that they be blameless. The end goal is to get to the truth so that the organization can better protect its operations in the future, and assigning blame makes the truth much harder to uncover.
For example, if an employee clicks a link that spreads malware across the corporate network, he or she may be afraid to admit the mistake for fear of being chastised privately or blamed publicly. The organization then wastes time hunting for the source of the infection instead of containing it immediately. The postmortem must therefore be blameless and cordial, with no finger-pointing allowed. Keep the focus on what happened rather than on who is responsible.
Postmortem Best Practices
Beyond these two "prime directives," a few other considerations help organizations gain the most from a post-incident evaluation. First, they need to establish precisely what happened, reconstructing the chain of events as a timeline that can be explained concisely, accurately and at the appropriate level of detail. If the chain of events is not understood, the organization cannot brief technical team members or non-technical employees on what to change.
Next, the incident should be treated as a learning experience aimed at reducing the chance that the same problem recurs. Organizations should evaluate whether the root cause was a simple employee mistake, a tool on which staff members had not been trained, a miscommunication or a broken process. Everyone should be focused on preventing another occurrence and on continuous improvement.
Once the facts are established, an organization must act, setting aside "should have" and "could have" statements and focusing its energy on "will" and "must." It must also set priorities and assign owners and follow-up actions before the postmortem ends.
Employees and team members should also be encouraged to raise potential issues whenever they arise. An employee may need guidance on whether an action is safe, a team member may need to admit a mistake, or a supervisor may want to discuss ways to help workers learn to recognize suspicious emails.
Trust and communication are essential if organizations want to gain the greatest benefit from their postmortems. By staying open and approachable, they can reduce the number of incidents, improve their incident response and strengthen their defenses.
— Erin Swanson