Lessons Learned: Share Them!


Here we are, at the end of another year, and the question I always ask is: what have we learned?

If we are not learning something, be it from a success or a failure, or something in-between, then how can we move forward?

Information security is something that needs to continuously improve and refine itself, otherwise it will fall behind the curve of those that choose a different avenue to your beloved data store.

A tool that information security practitioners often use, especially after a security incident like a virus outbreak or full-out attack, is the “Lessons Learned” meeting.

The core concept is to take something away from the incident, no matter how big or small, so that the next encounter of a similar kind does not have the same result as the first.

Taking a look back at the events that transpired over a year is the same idea. You may have encountered your first role-based access model, or written your 100th requirements document, or maybe you learned what the “Security Lifecycle” looks like compared to your software development lifecycle. In any case, the projects, rollouts, implementations, or disasters you participated in earlier this year played out differently later in the year. Hopefully they were easier, more efficient, more secure, and more reliable than the first time.

The Disaster

My year was a crazy one: it started off with a disaster and ended at a pot of gold.

The disastrous event for me was a catastrophic loss of data. I had an outdated laptop that I was replacing with a shiny new one. So like a good little IT guy I backed everything up on my portable USB hard drive, and like any good security professional, I encrypted the contents with the most robust solution.

With my new laptop on order, I decided to have some fun and try out some new forensic techniques. I have never had to recover information from a physically damaged hard drive, so I took my old one out and started by tossing it down a flight of concrete stairs.

It now sounded like a rattlesnake, and I was almost satisfied, but I figured I wanted something a little more challenging, so I took out a blowtorch and made like it was in a bad house fire.

Long story short, I am not the CIA and don't have the tools needed to extract data from something in that condition. Oh well.

New laptop arrived, I get it all set up, just need to restore my backup. Enter a catastrophic brain freeze. Where did I put my USB drive? It had been about a week or so since I put it away in a safe place so I wouldn't lose it.

Three days later, I found it, at the bottom of my washing machine. It had gone through an entire weekend of laundry, and the device was as good as the blowtorched version. I guess I got distracted somewhere between my office and the “safe place”.

Lesson Learned

If we put my personal story into a business scenario, you can see that we have a breakdown in procedure. The administrator who was given the responsibility of backing up and archiving the data didn't complete the task, even though the actual data was backed up and secured correctly.

Lesson learned? All procedures must be followed through to completion even when you know them inside out and backwards, because one day you might miss a step.

Later in the year, about the time “Insert Security Here ->” came out, the organization I was doing some consulting work for had a big network outage. This was a well-funded and well-run organization with some very talented people working for it. I can't get into the details, but it all boiled down to a group of people forgetting to follow a procedure, called change management, through to the end.

Change management is something I am sure most of you are familiar with: a fundamental ITIL process that has evolved over the years from lessons learned. How many systems, devices, and IT folk had to blow up before we finally got to a comprehensive process for implementing change?

Even with the most detailed process, steps can still be messed up, or missed entirely.

When I was discussing the simplicity of checklists in “Security Tool Chest: Checklists”, this is one of the points I was trying to highlight. Tracking your progress with a checklist alongside the process will ensure the process is followed through to the end.

Checklists are also great tools for Lessons Learned meetings, as they ensure the same questions, discussion points, and objectives are covered each and every time. If the meeting has a different format, or if a critical question is forgotten, the value of the output from the meeting diminishes, and progress is lost.

At the end of the year, having a big lessons learned meeting will really expose the fact that “Security is Everyone's Responsibility”. If you didn't learn that lesson this year, please allow me to extend my virtual hand through your computer monitor and... well, just read the article.


So that gets us to the pot of gold at the end of the year for me. It came to me as I started writing this, the final column for the year. Not really a piece of gold, but a valuable lesson I have learned in writing these articles for you:

A true modern analyst takes the lessons learned throughout their career and hands them down to those following in their footsteps.

Happy holidays, and see you in the new year!

Author: Stewart Allen is a certified Information Security Consultant with over 12 years of experience specializing in Health Care and Financial Service industries. Acting as an Information Security Advisor, Mr Allen is responsible for finding opportunities for his clients to achieve their business goals, while helping to ensure information assets are secure. If you would like to learn more about the author he can be found on LinkedIn at



Copyright 2006-2024 by Modern Analyst Media LLC