Five Questions Executives Should Ask After Any Security Incident
May 12, 2026
The moment an incident is “contained,” the real work begins — and most leadership teams ask the wrong questions.
Too often the conversation stops at “Is it fixed?” and “How much did it cost?” Those are important, but they miss the deeper lessons that actually reduce future risk.
Here are the five questions I’ve learned to ask (and recommend every executive ask) after any meaningful security event:
What did we learn about our assumptions?
Every incident reveals gaps between what we thought was true and reality.
Where did detection and response actually break down?
Not just “what tool failed,” but where in the process did we lose visibility or time?
Which controls worked as designed, and which only worked on paper?
This question separates theoretical security from operational resilience.
What organizational behaviors contributed?
Technology rarely fails in isolation. People and process issues are almost always part of the story.
What one or two changes would meaningfully reduce the likelihood or impact of a similar event?
Focus on high-leverage fixes, not dozens of minor ones.
Why This Matters
The organizations that improve after incidents treat them as strategic learning opportunities. Those that don’t simply reset and wait for the next one.
Practical Next Step
Schedule a short tabletop exercise with your leadership team. The insights gained in a few hours will be far more valuable than another policy review.
If you’re navigating the aftermath of an incident or want to strengthen your team’s resilience before the next event, I’d be happy to discuss. Book a complimentary strategy conversation.
