Infosec Incidents: Technical or judgement mistakes?

This past weekend, I was watching one of my daughters at goal keeper training (soccer / football). She trains with a small group of other keepers, and their coach runs them through a number of drills, simulations, and scenarios to help them develop skills.
During one of the scenarios, my daughter allowed a goal and her coach asked her, “Your mistake – was it a technical mistake, or a decision mistake?” In other words, did you make the wrong choice, or did you make a good choice and fail to execute effectively?
What kind of mistake did you make?
I found that to be a very astute question, and I believe it’s one that applies to information security, as well. After an incident, it is common to do a post-incident review to see what we can learn from the situation and I think this simple question is very clarifying.
Here are some examples:
- Someone compromises your systems by exploiting a weakness you weren’t aware of and, therefore, weren’t watching for.
- I’d call that a technical mistake, since it was a weakness in your defenses and detection capabilities.
- Someone compromises your systems by exploiting a weakness you were aware of but chose not to address.
- Definitely a decision (or judgement) mistake.
Fifty shades of grey
- Someone compromises your systems by exploiting a weakness you were aware of and had implemented controls to mitigate, but the attacker got through anyway.
- What would you call that?
- Is it a technical mistake because your controls were inadequate or improperly implemented?
- Is it a decision mistake, because you didn’t spend enough time understanding the risk and, therefore, didn’t exercise enough due care to implement the control properly?
The answer isn’t always black & white. Sometimes the answer may be a bit of both, but the key learnings and improvements we gain come as a result of the discussion around the issues that are loaded with “shades of grey.”
If you find it was a decision or judgement mistake, you can then explore the “why” of your mistake to learn even more. Were you naïve? Was it a resource issue? Was it a political decision? Were you procrastinating? Was it in your plan but you simply hadn’t gotten to it yet?
In any case, you may learn something that causes you to re-evaluate other decisions or deferred actions and choose to bring them back into short-term execution. I’d call that a good outcome.
“Your mistake – was it a technical mistake, or a decision mistake?”
I love this question because it drives the right kind of discussion for us to develop a common understanding and create tangible learning from our mistakes.
If you’re not doing post-incident reviews, you’re missing out on a great improvement opportunity. If you are doing post-incident reviews, how about adding this simple question to your discussion list?

Categories: Cyber Security, IT Security and Data Protection, Risk Management, Security Controls, Security Hardening