Why is a post-mortem review of an incident the most important step in the incident response methodology?

The post-mortem review of an incident provides answers to the who, what, how, when, and where of both the incident and its handling by the incident response team.

The team now has the luxury of time and hindsight to analyze what happened, what was done right, and what can be improved.

Discussing all aspects of the incident and its handling, coming up with efficient processes based on the analysis, and documenting all that was discussed are all part of the post-mortem review.

This helps the team be better prepared for the future, develop plans for prevention, and provide a knowledge source for reference – all of which serve to improve the organization’s security health.