How do you share security incident lessons with stakeholders?

Whilst an IRPM can be valuable for consolidation, if you're following an effective incident response plan or process, then you should have already documented all the facts throughout the investigation. It also would help to identify the key stakeholders which need to be present when the lessons learnt are shared.

Introduce the OODA Loop training again. This should be introduced at the in briefing side for all employees, introduce the incident, facilitate an open discussion then reintroduce the above, this will put Managers and Supervisors at an advantage if this incident occurs again.

I have a deep respect for companies that can allow the hard times of a breach or incident be used as a teaching tool. I agree with Mollie, that if you have an effective incident response plan or a professional team helping you through the after actions, then it should be well documented. Going through that document with a group of people to identify what lessons can be learned is very important. I would strongly suggest articulating the lesson for each point to make sure it is clear.

Initiating incident response by extracting lessons from evidence and data is foundational. Leveraging frameworks like Incident Response Post-Mortem (IRPM) streamlines this process. Addressing timelines, root causes, strengths, and challenges, IRPM nurtures a culture of improvement. It's a strategic path toward bolstering security practices and resilience, translating insights into tangible safeguards.

When the incident occurs, the first step I'll do is to make sure all stakeholders calm, not panic, with understandable words and terms within communication, so we can investigate and analysis the available evidence, data, etc.

Sometimes lessons learnt needn't be as formal as this - the full incident investigation may have already been documented throughout the investigation. Personally I hold a lessons learnt wash-up meeting with all key stakeholders to run through the findings, agree a plan for remediation, and then communicate actions/responsibilities as appropriate.

Tell the truth about the incident, do not panic about the situation, team is on progress to investigate the root cause, impact, etc. Inform them that we will give an update for the details and investigation results periodically.

Senior cyber leadership will be savvy in applying a lens to view the narrative from other lines of business. How does this need to read in terms of finance, customer support, customer success, legal. Drafting with a pair of lines of business goggles will reduce headache in the end.

Apply the "so what?" approach - every time you make a statement, ask yourself so what? What does this mean for the organisation? Why should they care? Effective lessons learnt relies on the stakeholders understanding the business impact of this incident and any ongoing risk.

The words we choose to use in any communication can do amazing wonders in helping get the message accepted and proper action taken. I am a huge proponent of not using shame and guilt, even if there is legitimate blame that can be applied. Using unifying language will help your team recover but also help strengthen the bond of the team to motivate them to work hard to get your company past this difficult time.

Technical language often make situation more difficult and horrible, i believe with good communication clear and simple languages can make situation stakeholders not emotional and convey them that we have lesson from this incident

Backing incident lessons with solid evidence is the cornerstone of effective communication. Presenting a comprehensive and objective analysis adds weight to the insights shared. Visual aids are invaluable in breaking down complex concepts, enabling stakeholders to grasp the intricacies of the incident and response. For instance, a timeline chart provides a clear sequence, while a SWOT analysis matrix succinctly outlines areas for enhancement. This methodical approach ensures that the lessons learned are not just words but actionable insights driving meaningful change.

Sadly, this is one thing that doesn't happen often in my experience. But when it does the effect is wonderful. Asking for feedback on the messaging, the way it was handled, the information that was released and the future plan can shed light on paths you might not be thinking. I have found that sometimes a good conversation can spark a thought that could change a whole path for the better.

If a publicly traded company it's important to not only do this post mortem, but also get input prior to an incident from both external and internal audit.

collaboration with the stakeholders, ask them for the feedback will be good and best for the engagement and relationship in the future.

Before following up, ensure that everybody's expectations are set. Ensure that they know what actions are due to take place, when and by whom, and then track actions accordingly, providing timely updates. Make sure you also call out any dependencies on other stakeholders, workstreams or systems/services, so that people understand any complexity that may arise.

Stakeholders often request root cause analysis as well. This is to ensure the specific incident can be prevented from occurring again. Be sure to pay attention to who your audience is and tailor your lingo accordingly. Ask yourself, “are the people requesting this information highly technical?” If not, do not make the mistake of using jargon, abbreviations, going too into detail, etc. and confusing them.

Update periodically and transparancy will make stakeholder confident with the incident handler team and give trust to the team.