Addressing the business concerns after a security incident

The implementation of a security incident response process is an essential activity for every CISO. Such a process requires identifying a point of contact for security issues, adopting a security issue disclosure process and creating one or more informal security response teams. In the case of a security incident, CISOs are often tasked with conducting root cause analysis, collecting per-incident metrics and recommending corrective actions.
Once the root causes of the incident have been identified and corrective actions have been taken to contain its impact, the main question for CISOs is what should be done to prevent similar security incidents from occurring in the future. If an application has been targeted by an attack and sensitive data was either lost or compromised, the question is whether similar applications and software might also be at risk of similar attacks and incidents in the future. The CISO must then decide which application security measures and activities should be targeted for spending to mitigate the risk of breaches of sensitive data due to malware and hacking attacks against the applications and software that the organization develops and manages.
