The security incident cycle consists of 4 major interrelated phases: Plan, Resist, Detect and Respond. Organizations that struggle with security incidents often do so because they focus too much on one of the phases, ignoring the rest.
I discussed the big picture of the security incident cycle at the SANS Forensics Blog, building upon the presentation I heard from Richard Bejtlich. I also outlined common failures related to the cycle: Pussyfoot Planning, Resolute Resistance, Dramatic Detection and Ravenous Response.
In addition to failing to devote proper attention to each phase of the security incident cycle, organizations often fail to recognize when and how to transition from one phase to another when dealing with an incident. The challenge is due in part to the differences in technologies and skill sets used in each phase, as well as to the different reporting structures of the teams that need to collaborate when navigating the cycle.