ForgeAwareness
Module 15 min

Your Role as Incident Commander

TL;DR

What you own, what you don't, and how to avoid stepping on toes.

You are not the incident handler. You are not the investigator. You are the coordinator.

What You Own

Decision-making authority. You make the call on:

  • Whether this is a real incident or a false alarm
  • Whether to escalate (and to whom)
  • Whether to go into "response mode"
  • Whether to involve customers/partners/law enforcement
  • Whether to preserve evidence or contain immediately
  • What gets communicated, to whom, and when
  • When the incident is resolved
  • When the post-mortem happens

Communication. You are the single voice for your security team on the incident. You tell the CEO and the board what's happening, and you are the source of the facts behind anything that goes to customers and external parties.

Timeline and documentation. You keep a log. Everything gets timestamped. Every decision gets recorded, along with why you made it and what information you had at the time. This is critical for the post-mortem.

Team coordination. Make sure people aren't duplicating work. Make sure teams aren't stepping on each other. Make sure people take breaks.

Escalation decisions. If the incident is bigger than your security team can handle, you decide who to bring in (legal, comms, external IR firm, law enforcement).

What You DON'T Own

Investigation. The investigator owns working out how the compromise happened. You don't micromanage.

Response execution. If you decide to isolate a system, the security team member who owns it executes the isolation. You don't execute.

Customer communications. Legal and communications own what you say to customers. You provide facts.

Business continuity. Operations owns whether you fail over to backup systems. You provide technical info.

Post-mortem blame. The post-mortem is about systems and process, not about who messed up.

The Balance

You're like an air traffic controller. You coordinate, you talk to the planes, you make sure they don't crash. You're not flying the plane. You're not maintaining it. You're coordinating.


One more thing: Incident commanding is exhausting. Expect to be in "incident mode" for hours or days. Expect incomplete information. Expect to make decisions under uncertainty. That's your job.

Knowledge check

As an incident commander, what's your primary responsibility?