Where do your incidents come from?
Where do your incidents come from?
How do you identity your highest severity incidents in the first place? Which data sources or products deliver the investigative leads? And which are critical to detection and response? These questions speak directly to the value of data sources, products, and functions.
What are the prevailing root causes? This speaks directly to the quality of incident management, particularly post-incident review.
I can’t stress enough the importance of being able to answer these questions as the leader of any operational team (cybersecurity, technology, or otherwise).