The post-incident review team should examine the root causes of the incident, whether they are technical, procedural, or human-related, and implement corrective actions and preventive measures to improve the organization’s security, Taylor says.
“Identifying the root cause of the incident is critical,” says Michael Brown, field CISO at IT Services and IT Consulting provider Presidio. “Teams need to determine if this was a technical vulnerability, process/technology gaps, or human error. This analysis ensures teams address the underlying issues, not just the symptoms.”
With a root cause analysis, “you want to figure out why the incident happened in the first place,” Haughian says. “Was it a missed software update? A phishing email someone clicked on? Or maybe it was a process that didn’t work as it should have. This is where you dig into the root cause — not just what went wrong, but why it went wrong. If you don’t figure that out, you’re likely to run into the same issue again.”
