A Structured Approach to Incident Postmortems

Abstract

Imagine you are the Chief Information Security Officer (CISO) and your boss, the CIO or CEO, is asking some simple questions: “How secure are our information systems? Is security getting better or worse? How do you know that?” You could describe the successful installation of the newest firewalls, the performance of the intrusion detection systems, the centralized deployment of up-to-date anti-virus solutions, the application of software patches on all network devices, and the popularity of your security awareness program. But that is not an answer to the questions. Your boss wants to know not only what you have done to lower the risk, but also how effective you have been. It is all about process, metrics, and trend monitoring. And money, of course!