There are three very different approaches you can take to configuration management. Each of them has benefits and disadvantages, and you need to blend aspects of all three to get the best value in your context.
Major incidents and security breaches are different. Learning from experience can turn out to be hugely expensive, or even result in the organization concerned going out of business. So how can you make sure that you handle these incidents correctly first time?