When I was a child, my parents built a very humble home—what we call “unfinished construction”—in a neighborhood in the south of Bogotá. It was Christmas Eve, and we were filled with joy at achieving our dream of owning our own house.
However, just a few days later, while we were sleeping, some people broke in and stole absolutely everything. We had built a livable house, but we never considered security—we didn’t think about risks, threats, or our vulnerabilities, and as a result, we didn’t implement the appropriate controls.
The morning after that devastating incident, some neighbors came by to tell us that the neighborhood was dangerous, that certain security measures were needed, and that they knew how the thieves operated—apparently, they had been active in the area for quite some time. “What a great time to tell us!” I thought.
I’m bringing up this childhood event as an example to help explain today’s topic. A few days ago, I was invited to participate in an information security panel at a university in Colombia, and one of the questions I enjoyed the most was:
“What lessons have been learned from the major security incidents in recent years? How can organizations improve their incident response capabilities?”
Here’s my point of view, especially since I was both surprised and honestly in strong disagreement with the panelists.
My short answer is:
“Companies aren’t learning a damn thing. ‘Lessons learned’? That doesn’t exist—or at least, it’s not being taken seriously in most organizations.”
But what are “lessons learned”?
According to the National Institute of Standards and Technology (NIST) in the United States, lessons learned are an integral part of incident management and the continuous improvement of security practices.
They refer to the process of reflecting on recent security incidents to identify both successes and failures, with the goal of improving future responses and preventing similar incidents.
NIST promotes the idea that this process should be a continuous and systematic exercise that contributes to strengthening security policies, procedures, and business operations.
In that childhood incident that shaped part of my life, my family and I went through a sort of “lessons learned” exercise (of course, at seven years old I didn’t call it that). We implemented controls to ensure something like that would never happen to us again, and we made a point to inform new neighbors about the risks and threats in the area.
The Harsh Reality in Organizations
During my years as a consultant, I have seen how organizations experiencing security breaches skip the lessons learned process, view it as a waste of time, or simply never have the time or interest to develop it.
On the other hand, companies that have not been affected by security incidents (or are possibly unaware that they were victims) tend to underestimate the fact that they could be the target of an incident at any moment. This is where analyzing the incidents occurring at similar companies, in the same sector, or at companies that use similar technologies becomes very important.
Below are some metrics on the incident response process, taken from a sample of the 25 most critical incidents we have participated in over the last 10 years.
This analysis shows that only 4.8% of incidents involved the development of a document and sessions with a multidisciplinary team to analyze what went well, what went wrong, and what needed to be improved, which is the ideal scenario.
In 9.5% of incidents, a simple meeting was held where the document was created, usually with only members of the security team. In 19% of cases, a simple log was created (in case the auditor asks 🥸), and in 66.7% of incidents, there was neither a meeting nor a document, meaning there were no lessons learned.

So, what’s the result?
The result is that we continue to face devastating security incidents—and we keep making the same mistakes over and over and over again. In other words, bad things happen to us, or we see bad things happening to our neighbors, and we do nothing, thinking it won’t happen to us—or that it won’t happen again.
Does that mean that if we implement a serious lessons learned process, we’ll never have incidents again?
Not exactly. But it will definitely reduce the probability and impact of future incidents—and if one does occur, we’ll know how to respond and recover faster and more effectively.
The Importance of Implementing a Lessons Learned Process
Developing a lessons learned process within an organization offers numerous benefits that can significantly enhance resilience and incident response maturity. Here are some of the key advantages:
1. Improved Incident Response Processes
A structured lessons learned process helps identify both strengths and weaknesses in incident response. This allows organizations to adjust strategies, tactics, and decision-making processes.
2. Prevention of Future Incidents
By analyzing past incidents and understanding their root causes, organizations can implement more effective preventive measures. This not only reduces the frequency of incidents but also minimizes their potential impact.
3. Culture of Continuous Learning
Promoting a lessons learned process encourages a culture of learning and ongoing improvement. This means incident response and management teams are more engaged and aware of the importance of security, often leading to greater proactivity in identifying and mitigating risks.
4. Stronger Trust and Reputation
When clients, partners, vendors, auditors, and regulators see that an organization takes security seriously and learns from incidents, it builds trust. A solid reputation in security management can be a key differentiator in competitive markets.
We’ve worked with organizations that actively share lessons learned with stakeholders to strengthen the entire value chain.
5. Resource Optimization
Failures are some of the best learning opportunities. By analyzing what failed—or what could have failed—organizations can optimize how they allocate resources. This includes more strategic budgeting for security, investing based on real risks rather than guesswork.
6. Cost Reduction
Security incidents are expensive—not only due to technical and operational costs, but also reputational damage and potential legal or regulatory penalties.
If we skip the lessons learned, we’ll likely end up paying far more when another incident occurs.
7. Security Innovation
Lessons learned can fuel innovation. By constantly reviewing and analyzing incidents, organizations often discover new and creative ways to approach security challenges. We’ve seen amazing ideas come out of the post-mortem sessions we’ve facilitated with clients.
8. Better Communication
Reviewing and discussing incidents and lessons learned improves cross-functional communication. This helps break down silos and fosters a collaborative approach to risk and security management.
So, if your organization suffers a security incident, make time to do the work—and avoid facing a similar one in the future.
And if you’ve been lucky enough not to suffer an incident, but a similar company, industry peer, or an organization using similar technologies has been a victim—then do the damn work anyway: analyze what happened, learn from it, and get better.
How can organizations effectively implement a lessons learned process?
Well, that’s what we’ll cover in our next post, where we’ll use the home burglary incident from my childhood as an example to build a proper lessons learned framework.
Best regards 🤙
References:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf