A post-mortem is held after an incident has taken place.

The team sits down and talks through what happened, identifies causes and lessons learned, and decides how to move forward.

The key to an effective post-mortem is doing this in a way that does not place blame on your employees.

Not only will this avoid alienating team members, which can make them reticent about bringing information forward in the future, but it can also help ensure that investigations into security incidents actually uncover the root cause.

How to Conduct a Blameless Security Post-Mortem

Do Your Homework

Before the post-mortem takes place, make sure you take time to understand exactly what happened and figure out how to explain it to your team in appropriate terms.

Focus on the What (Not the Who)

When you do sit down, focus on what happened and not on who caused it to happen. In many cases, there’s not just one person involved, although someone may have been the “straw that broke the camel’s back.”

Regardless, you want to ensure that neither the people running the post-mortem nor any other employees point the finger at a specific person. The most important thing is not who did it; it’s understanding what happened so everyone can learn from it.

Focusing on what, not who, should neutralize emotions and eliminate blame, allowing you to deal with the facts logically.

Discuss How to Prevent Problems in the Future

Of course, the most important part of a post-mortem is making sure the problem doesn’t happen again. In some cases, this may be a matter of increasing employee education and training to make sure that everyone understands what they need to look out for in the future.

In other cases, there is a larger organizational issue — a broken process, misused tool, or misunderstood directives. The post-mortem is a good time to begin the correction process. For example, if a flawed process was ultimately to blame, have an open discussion about how that process needs to be amended and solicit input from everyone on next steps.

Keep the Door Open

Make it clear that team members can always come and talk if they aren’t sure whether something is safe, or if they think they’ve already done something that will compromise security.

Keeping the door open is the key to making sure they come to you when something happens.

Handle Performance Issues Separately

Sometimes a specific person has made repeated, ongoing mistakes that signal poor performance or other problems that may need to be corrected via human resources (not the security team).

But make absolutely sure to keep personnel issues out of the post-mortem.

Always Focus on Lessons Learned

The bottom line is that you should use security incidents as a learning experience, not as a forum for criticizing an employee who made a mistake. People should never be afraid to approach the team; they should always see you as the path to fixing a mistake and understanding what went wrong.

To make the most of a post-mortem, focus on what the entire organization can learn from any given incident. Put a process in place for communicating, as appropriate, to broader groups within your company. Educate your employees in order to strengthen their knowledge and improve their habits.

Communication and trust are core. A culture that is approachable and nonjudgmental will reduce the number of incidents and improve the response to incidents that do occur.