Never Waste a Good Incident
Boards should treat incidents as learning moments. Culture, executive commitment, response speed, and asset insight matter as much as frameworks or technology.
Y · Why this matters. Security incidents will happen. Y = Why: why let hard-won experience pass without improving people, processes, and controls on the next ridge?
What the resource finds. Bobbert and Papelard argue that business information security fails when organisations rely too heavily on frameworks, technology, and procedures. Their study starts from incidents such as WannaCry, which infected more than 230,000 PCs in more than 150 countries, and asks what actually improves security in practice.
The strongest factors are not only technical. Figure three ranks senior management commitment, culture, tone at the top, lessons learned from incidents, budget, compliance, awareness, business commitment, and knowledge of critical assets among the top ten critical success factors. Five of the top ten relate to culture, ethics, and behaviour.
The paper’s board message is direct: a breach can create urgency, but only leadership turns it into maturity. Security value improves when boards understand assets, reduce the time between detection and mitigation, fund the right capabilities, and make security part of the organisation’s normal behaviour.
Three learnings and methodological approaches.
- Institutionalise incident learning through after-action reviews, evidence capture, and clear ownership for remediation.
- Translate security into board language: asset value, exposure, response time, resilience, and financial consequence.
- Build culture deliberately, because rules and tools cannot compensate for weak tone, poor awareness, or unclear accountability.
The route. The method combines literature review, case study research, practitioner validation, and Group Support System sessions. The route is valuable because it lets expert groups test, rank, and refine critical success factors before the summit claim is made.
Read the original — https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/never-waste-a-good-information-security-incident-an-explorative-study-into-critical-success-factors