How to Conduct an Agile Security Incident Postmortem

Mar 20, 2018

This article was first published on DevOps.

In a perfect world, every organization could block every attack, no employee would ever make a mistake, and there would be advance warning that an organization might be on some cybercriminal's list of targets. Since organizations operate in a world that is far from perfect, however, they are forced to accept that bad things will happen. History and headlines show they cannot erect enough barriers to stop criminals from trying to penetrate defenses, they cannot hire perfect employees, and they will have to assume that their organization's name has been bandied about as a potential target.

About all they can do is use each incident as a learning opportunity by conducting a thorough postmortem. However, if organizations want to maximize the benefits of a post-incident analysis, they should remember two things — agility and blamelessness.


To a developer, agility is a development methodology that provides significant benefits over the traditional waterfall method. More broadly, though, agility is a system of thinking, processing information, and executing plans. As such, agility belongs in the realm of cybersecurity as much as it belongs in the realm of development.

Currently, the advantages offered by agility tend to be reaped more by cybercriminals than by cybersecurity professionals. The bad guys get to go first, and since they are not bound by compliance requirements or regulations, have no concern for the rights of individuals, and do not have to answer to advocacy groups or government agencies, they have the advantage. Cybercriminals embrace agility to launch attacks that can change from one day to the next.

Unless cybersecurity professionals are as agile as the crooks, they will be limited to reacting to incidents instead of proactively preventing them. One way to help level the playing field is to build in the ability to move quickly when an incident occurs — including a plan to conduct an effective, thorough, and efficient postmortem.

However, a postmortem implies that the incident is over and is now undergoing a final review. If organizations are truly agile, they will have conducted at least one retrospective prior to the postmortem. Agile retrospectives are conducted to assist the team in making immediate changes and are more about action than review.
