This past weekend, I was watching one of my daughters at goal keeper training (soccer / football).  She trains with a small group of other keepers, and their coach runs them through a number of drills, simulations, and scenarios to help them develop skills.

During one of the scenarios, my daughter allowed a goal and her coach asked her, “Your mistake – was it a technical mistake, or a decision mistake?”  In other words, did you make the wrong choice, or did you make a good choice and fail to execute effectively?

What kind of mistake did you make?

I found that to be a very astute question, and I believe it’s one that applies to information security, as well.  After an incident, it is common to do a post-incident review to see what we can learn from the situation and I think this simple question is very clarifying.

Here are some examples:

  • Someone compromises your systems by exploiting a weakness you weren’t aware of and, therefore, weren’t watching for.
    • I’d call that a technical mistake, since it was a weakness in our defenses and detection capabilities.
  • Someone compromises your systems by exploiting a weakness you were aware of but chose not to address.
    • Definitely a decision (or judgmental) mistake.

Fifty shades of grey

But what if things get a little trickier to classify?   For example:
  • Someone compromises your systems by exploiting a weakness you were aware of and had implemented controls to mitigate, but they got through anyway.
    • What would you call that?
    • Is it a technical mistake because your controls were inadequate or improperly implemented?
    • Is it a decision mistake, because you didn’t spend enough time understanding the risk and, therefore, didn’t exercise enough due care to implement the control properly?

The answer isn’t always black & white.  Sometimes the answer may be a bit of both, but the key learnings and improvements we gain come as a result of the discussion around the issues that are loaded with “shades of grey.”

If you find it was a decision or judgmental mistake, you can then explore the “why” of your mistake to learn even more.  Were you naïve?  Was it a resource issue?  Was it a political decision?  Were you procrastinating?  Was it in your plan but you simply hadn’t gotten to it yet?

In any case, you may learn something that causes you to re-evaluate other decisions or deferred actions and choose to bring them back into short-term execution.  I’d call that a good outcome.

“Your mistake – was it a technical mistake, or a decision mistake?”

I love this question because it drives the right kind of discussion for us to develop a common understanding and create tangible learning from our mistakes.

If you’re not doing post-incident reviews, you’re missing out on a great improvement opportunity.  If you are doing post-incident reviews, how about adding this simple question to your discussion list?

Categories: IT Security and Data Protection, Risk-Based Security for Executives

Dwayne Melancon

Dwayne Melancon has contributed 131 posts to The State of Security.
