Your Role as Incident Commander
What you own, what you don't, and how to avoid stepping on toes.
You are not the incident handler. You are not the investigator. You are the coordinator.
What You Own
Decision-making authority. You make the call on:
- Whether this is a real incident or a false alarm
- Whether to escalate (and to whom)
- Whether to go into "response mode"
- Whether to involve customers, partners, or law enforcement
- Whether to preserve evidence or contain immediately
- What gets communicated, to whom, and when
- When the incident is resolved
- When the post-mortem happens
Communication. You are the single voice for the incident. You tell the CEO, the board, and customers what's happening.
Timeline and documentation. You keep a log. Everything gets timestamped. Every decision gets recorded with reasoning.
Team coordination. Make sure people aren't duplicating work. Make sure teams aren't stepping on each other. Make sure people take breaks.
Escalation decisions. If the incident is bigger than your team can handle, you decide who to bring in (legal, comms, law enforcement).
What You DON'T Own
Investigation. The investigator owns how the compromise happened. You don't micromanage.
Response execution. If you decide to isolate a system, the team member who owns it executes it. You don't execute.
Customer communications. Legal and comms own what you say to customers. You provide facts.
Post-mortem blame. The post-mortem is about systems and process, not about who messed up.
The Balance
You're like an air traffic controller. You coordinate, you talk to the teams, you make sure they don't crash. You're not doing the work. You're coordinating.
One more thing: incident command is exhausting. Expect incomplete information. Expect to make decisions under uncertainty. That's your job.
Knowledge check
As an incident commander, what's your primary responsibility?