If at first you don’t succeed, try, try again.” Although catchy, we all know that the real keys to success after failure are reflection and adaptation, not mere persistence. With this in mind, let us review the last category of NIST’s Response function, titled Improvements, and its focus on implementing lessons learned and updating strategies.



Responding to a major incident is an enterprise-wide affair. As NIST notes, effective incident handling requires coordination among “mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).” Unfortunately, therein lies the rub. Organizations that lack coordination during incident response have the most to gain from capturing and implementing lessons learned. Yet, a mature lessons-learned process often requires coordination among the very same entities. Be on the lookout for this vicious cycle.


Capture Lessons Both During and After Response.

An Incident Response Plan should encourage participants to capture lessons as they occur, when feasible, and should propose formal improvement sessions within two weeks of any major incident. Regardless of the timing, when capturing problems (for example, process friction and negative outcomes), contributors should take a first shot at identifying potential solutions together with their pros and cons. Equally important, many lessons learned are positive. Be sure to capture (and celebrate) successes that otherwise might be lost during the stress of incident handling, and identify best practices that can be widely shared. Finally, after recommendations are approved, companies should track implementation and share them with other groups consistent with their sensitivity and general applicability. This may require updating plans and strategies, together with rolling out revised testing and training. When a new incident occurs, it may be helpful to review the lessons learned from the last one.


Use a Skilled Facilitator.

The author and facilitator Norman Kerth recommends an important ground rule to prevent hostility, mudslinging and discouragement. Require participants to pledge upfront: “Regardless of what we discover, we understand and truly believe that everyone did the best job he or she could, given what was known at the time, his or her skills and abilities, the resources available, and the situation at hand.” In addition, some companies use facilitators either who are, or who serve at the direction of, outside counsel in order to preserve attorney-client privileges that may exist after a breach. The best facilitators provide a safe, trusted environment to draw out useful information, build morale and highlight what employees did well, all while avoiding the blame game.


Invest in the Lessons Learned Process.

When an organization pulls itself up after a major incident and implements a strong lessons-learned program, the resulting coordination and trust improves current teamwork and future incident response beyond any particular lesson’s value. On the other hand, a company that fails to take lessons learned seriously will eventually learn to do so, but only after they try, try again.


About the Columnist

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.