
Incident Response Planning in a Nutshell: Leveraging Lessons Learned

“Some of the best lessons we ever learn are learned from past mistakes. The error of the past is the wisdom and success of the future.” – Dale Turner, American singer-songwriter and record producer

As the final part of our 5-part series about Incident Response Planning (IRP), this article dives deeper into how the often-overlooked lessons learned exercise can help organizations improve their incident response capabilities going forward.

Why IRP lessons learned sessions are important

While often overlooked, lessons learned sessions are crucial to improving an organization’s security posture and its readiness to face future security incidents. They help evaluate incident response performance, identify challenges and improve incident response capabilities going forward. For lessons learned sessions to be effective, they need to involve at minimum four different functions, follow a strict process, provide answers to specific questions about the incident and establish clearly defined action items for follow-up and continuous improvement.

According to NIST Special Publication 800-61, Rev. 2, “one of the most important parts of incident response is also the most often omitted: learning and improving”. In fact, only 58% of organizations regularly review and update their incident response processes – a number far too low to guarantee effective safeguards against security incidents (The SANS Institute, 2017).

This article covers:

  1. which key elements should be covered,
  2. when they should take place,
  3. who should participate, and
  4. what actions should be taken to move your organization forward after suffering from a security incident.


What are lessons learned sessions?

The Project Management Institute (PMI) defines lessons learned as “the learning gained from the process of performing the project”. In the context of security incidents, lessons learned sessions usually take place after a security incident has occurred and has been mitigated.

The SANS Institute identifies Lessons Learned as the last of the six stages of the Incident Response Process (after Preparation, Identification, Containment, Eradication and Recovery).

Lessons learned sessions are recommended to evaluate your mistakes, take stock of what happened during the incident and assess how your team dealt with mitigating its impact. The purpose of a lessons learned session is to share and use the knowledge gathered from a security incident to:


Lessons Learned Benefits

Lessons learned sessions offer a variety of benefits for the incident response team, the organization as a whole, and both ongoing and future incidents. A properly executed lessons learned exercise can help organizations:


►►►Tip: Make sure to briefly go over these benefits at the beginning of each lessons learned session. This will help remind session attendees why their feedback and active participation is important.


What is the process to follow?

To make sure that lessons learned sessions are as effective as possible, they should follow a predefined, standardized 5-step process. Once all findings are collected, they should be documented and shared with all relevant parties. The findings should then be analyzed and stored in a repository that is accessible to all relevant parties, so that they can be retrieved and reused when future incidents occur.

When should they take place?

The lessons learned session should take place as soon as possible after a security incident, preferably within a couple of days. The sooner the session is held, the fresher the incident will be in the memory of those who handled it.

In certain cases, it may also make sense to begin the lessons learned exercise before the incident is closed, depending on the complexity and criticality of the incident. For example, an organization experiencing a security incident that takes several months to mitigate should not wait until the incident is fully mitigated. Holding a lessons learned session while the incident is still ongoing may reveal insights that turn out to be useful for the remaining mitigation activities.


►►►Tip: If your organization is experiencing a security incident, ask yourself when it would make most sense to have a lessons learned session, not whether you have the time (chances are, you’ll never have the time…).


Who should participate?

The participants in a lessons learned session will vary depending on the size and structure of the organization, but should at least include the following functions:


►►►Tip: Depending on how your organization is structured, you may want to include additional functions such as Legal, HR, Communications/PR, etc. Before organizing a lessons learned session, review the key roles that were involved in handling the incident and choose your session members accordingly.


Which questions should be answered?

Although lessons learned sessions vary depending on the nature, scope and impact of the security incident, they should follow a similar structure and provide answers to at least these questions:

  1. What happened exactly during the incident, and at what times?
  2. Are documented procedures in place for incident handling? If yes, were they followed when the incident occurred? If not, what are the plans for establishing such procedures?
  3. How well did we perform in dealing with the incident? Did management act appropriately? Did employees act appropriately? If not, what can be improved?
  4. Is there anything we should do differently next time?
  5. Have we communicated the right amount of information to the right channels? If not, how can we ensure that post-incident communication is improved?
  6. Do we need any additional tools, resources or strategies that will help us better detect, evaluate and mitigate security incidents in the future?

What are the next steps?

Don’t be surprised if your lessons learned session unveils a myriad of issues and gaps in your current incident handling practice. That’s a good thing! At the end of every lessons learned session, the person in charge of documenting the session should summarize which problem areas were identified, what the proposed action items/solutions are to fix them, who is responsible for each action item, and when each solution is expected to be implemented.

Action items examples:


►►►Tip: For lessons learned exercises to be effective, make sure that concrete action items are established, roles and responsibilities are assigned and specific dates are defined.



This concludes our 5-part blog series about Incident Response Planning. Be sure to subscribe to our blog to stay tuned for more content about cybersecurity, incident response and securing your organization.