A recent discussion in the cybercrime investigation course I teach at my university got me thinking about the use of post incident root cause analysis, often called incident post mortems. Some organizations do not find them valuable, their logic being that the job of the information security professional is protecting the network rather than chasing bad guys. Now that point of view may be arguable, but it really is not the issue. The issue is finding out what happened and why when an incident occurs.