The Darkest Hour gives us an artistic glimpse into Churchill’s war room during the Battle of France. Emotions are running high, and voices are getting loud as they search for a way to deal with defeat. Yet, even in the movie, they mainly focus on the different paths and hold each other blameless for their ideas.
In contrast, organizations utilize war room-style meetings for post-mortem analysis. Instead of focusing on a path to a positive solution, they dive into the past incident and examine what went wrong. Unfortunately, most of the time, they descend into blame games.
We should start finding alternatives and focus on a blameless post-mortem to reduce burnout and stress in IT.
War Rooms and Post-Mortems
The war room and the incident post-mortem have a valid place in cybersecurity. The war room allows organizations to react to ongoing incidents, ensure working crisis communication, and make timely decisions. One of the most critical aspects is to have all the decision-makers at the table to quickly update them and reach a consensus on the best path forward.
Think about the MGM ransomware incidents or the latest healthcare ones. Deciding whether to pay the ransom is the kind of choice one would expect to be made in a war room setting. Most crucially, these are all decisions where the war room itself wouldn’t have added more pressure to the situation, as the circumstances were already high-pressure and volatile.
However, the war room setting would no longer be necessary once the incidents were resolved. The long-term cybersecurity strategy, lessons learned, and the path forward after the systems are back online are all scenarios that require long-term focus and less reaction to quickly changing situations. An incident analysis doesn’t care if it takes 2 hours or 4. The quality of the work and the long-term outlook are much more crucial than fast decision-making.
Returning to Great Britain in World War 2, the British War Cabinet’s War Rooms were deactivated on August 16th. That was two days after Japan surrendered. The UK didn’t keep them alive to rebuild the country, analyze the lessons learned from the battles of Dunkirk and Singapore, or prevent World War 3.
We should have the same situation in cybersecurity. Once the incident is over, we don’t need the war rooms anymore. That isn’t the time for the added stress of quick decision-making or short-circuiting review processes. Once the incident is over, we need a blameless post-mortem. This post-mortem needs to analyze the lessons everyone needs to learn, the path forward, and the strategy changes to prevent the next incident.
Blameless Incident Review
A blameless incident review assumes that problems will happen. This implies that it isn’t up to the individual employee to prevent it. Instead, it focuses on the systemic changes needed to minimize the impact of any cybersecurity incident.
Thus, it looks at the bigger picture and lessons learned instead of passing the blame around. This approach is especially critical, as identifying issues in the past is always easier than predicting the future effects of actions. It also acknowledges that we are all only a tiny part of the IT system. Even if our actions initiated the incident, failures at multiple levels are required before it can lead to a company-wide meltdown.
Focusing on systemic errors and shortcomings turns the review from an exercise in assigning blame into an improvement process. It lets your team find creative solutions. They can look for ways to automate cybersecurity and the broader IT system to reduce the load on users and administrators. They can find ways to remove complexity and determine whether or not there are jobs that IT can and should offload to other departments.
This development isn’t possible if they seek to protect themselves from blame. Thus, conducting blameless post-mortems helps reduce the stress on IT employees and improves future situations.
Leave the War Room for War
Even in cybersecurity, war rooms have their purpose. They can help focus everyone on an ongoing incident and keep everyone up to date with the event. However, we shouldn’t utilize them after the incident. Their fast pace and narrow focus can increase stress and remove the long-term focus on solutions needed to build the IT system of the future.