The Incident Commander Role: Duties & Best Practices for ICs

Imagine that a critical incident — a major outage, cyberattack or disaster — occurs out of nowhere in your company. In such a case, you'll try to minimize the damage and get back to normal operations as quickly as possible. 

But how will you do that? You've no idea how to manage such incidents.

This is where incident commanders come in.

They're trained professionals who lead the response to critical incidents. They have the skills and experience to assess the situation quickly, coordinate the response efforts, and make critical decisions under pressure.

---

---

What is an Incident Commander? 

An incident commander (IC) is a person who's responsible for managing all aspects of incident response. This can range from assessing the situation and developing a plan of action to reaching a successful outcome.

Here's how incident commanders handle critical incidents:

1. Identify the objectives of the incident response.
2. Next, devise a command plan to address the problem.
3. Monitor the situation and make adjustments as needed.

There may be situations when your Plan A doesn't work. So, ICs always keep a backup plan to anticipate unexpected changes like these that may occur during the investigation. This secondary plan outlines different scenarios and how the organization can respond, depending on the situation. 

Unofficially, ICs can work with many people across an organization, including SMEs. Since SMEs are experts in their field and have the knowledge and experience to identify the issue's root causes. That's why ICs listen to their input to understand the bigger picture.

More formally, ICs might work in tandem with an incident command system.

What is an Incident Command System?

An incident command system (ICS) is a standardized approach to managing emergency incidents. It provides a clear chain of command to ensure that all responding agencies and personnel are working together in a coordinated manner to achieve a common goal.

5 C’s of an Incident Command System

Here are the 5 significant teams within an Incident Command System:

1. Command. The Command team directs the incident. Here, the IC sets objectives, determines priorities and develops a response plan. The IC also ensures that all resources needed for the response are available and deployed promptly and effectively.
2. Operations. The Operations staff manages resources, coordinates with personnel and ensures that response efforts align with the objectives and priorities.
3. Planning. The Planning team gathers and analyzes information about the incident, determines resource needs and develops strategies to achieve the objectives set by the IC. 
4. Logistics. The Logistics team acquires and provides resources like equipment, supplies and facilities for response operations. 
5. Finance/Administration. This team is responsible for managing the financial and administrative aspects of the incident. Team members track expenses and process contracts and agreements to ensure that all documentation related to the incident is maintained.

(Related reading: How Splunk Supports Incident Response.)

Why do teams need an Incident Commander? 

An unexpected cyberattack can occur in any organization at any time. In such situations, organizations rush toward an Incident Commander. Because they're the ones who can take charge of incidents, assess the risks and coordinate the response.

Without an Incident Commander, incident management teams may work in silos, duplicating each other's efforts or missing critical details. 

Instead, the IC guides the commanding teams to work in a coordinated manner, avoiding duplication of work and ensuring that everyone is on the same page. They analyze the situation and determine what actions have been taken and what needs to be done next.

To adjust the response plan, ICs also keep track of what has worked and what hasn't. 

(Related reading: Incident Severity Levels 1-5 & Top Incident Response Metrics.)

Duties & responsibilities of Incident Commanders

As the Incident Commander, you have a critical role in coordinating the response effort and leading your team to success. Here are all the duties and responsibilities that it takes to manage a crisis.

Preparing for & communicating the incident

As an IC, your primary responsibility is to collect all the information relating to the incident and share it with the team members. For this, you've to be exceptionally good at one thing — communication. 

Effective communication ensures you share the right information with team members at the right time. Sometimes, the incident is not easy, so you may also have to train the team members.  

When training incident team members, don't forget to give them a generic action plan. Since unexpected incidents can occur at any time, that's why it's always an excellent option to have a general plan that team members can use to move further until you find the right strategy for them to implement. 

Carrying out assessments 

Incident assessment is a primary response when it comes to understanding the cause of the incident. To carry out an assessment, ICs look into different aspects to test and identify why the incident occurred and what were the weak points. 

Once the incident assessment is done, it's time to make crucial decisions to resolve the incident. At this stage, an IC starts working on the incident management process. 

Here are some crucial decisions that an Incident Commander makes:

• What should the team do to work toward the incident settlement?
• How to address the incident? 
• What things should be avoided in the entire process? 
• Who'll be involved in the process, and at what stages?
• How frequently should the team update you about the progress?

Creating the action plan

After deciding on essential things, it's time to implement decisions. Incident Commanders create an incident-specific action plan. Here's how you can make it too:

1. Start by noting down the goals. Include everything that you want to achieve as a result. 
2. Build a step-by-step structure or outline to achieve your goals and reach the end. 
3. Create proper strategies and tactics by looking at the bigger picture, not just your perspective.
4. Involve SMEs to take their insights and guide the team to follow that kick-ass strategy. 
5. Prioritize the tasks. Decide what needs to be done first, second, third, and so on.

This helps ensure that the most critical tasks are completed first and the flow is maintained. 

And let me break one common myth here. As an IC, your job is not limited to creating this plan. You have to stay engaged to actually guide incident command teams about how to follow this structure to reach the end.

Delegating tasks 

After ICs create an incident command plan, they start assigning tasks to the team per expertise levels. There may be tasks that require specific skills and knowledge. So, they pick the right people to put in the right effort in such situations.

For more complex incidents, the IC takes charge and creates multiple teams to tackle different aspects of the incident. By doing this, the process of addressing the problem is sped up.

Communication and coordination with the team

ICs frequently oversee the progress of the work with a bird's eye view to stay up to date with what's happening. And they also serve as a facilitator for the teams and members to maintain a working flow. 

They also communicate with team members and ask for regular updates and reports to ensure they have all the necessary information. It allows the Incident Commander to provide feedback and guidance to the team as needed.

Maintaining a calm environment 

Panic and chaos are common during incidents. In such situations, people can't think clearly and tend to make the worst decisions. 

So as an Incident Commander, you should create a calm environment to help people stay focused and produce quality work. Here's how an incident commander creates a calm environment: 

• Establish clear expectations and communicate clearly.  
• Provide support and guidance when needed.
• Anticipate potential problems and mitigate potential risks. 
• Give team members the opportunity to ask questions.

Document & review the post-mortem (lessons learned)

After the team has brought the incident to its end, an IC reviews the results. They go through post-mortem reports thoroughly to evaluate the team's performance and determine if the objectives of the incident were met.

Incident Commanders also arrange a post-mortem meeting where they discuss everything about the incident, from why it occurred, what was done to resolve it, and what the team can learn from it. This helps them prepare for handling similar incidents in the future.

Skills for becoming an Incident Commander

OK. So you want to become an IC, great! Becoming an incident commander is a complex process that requires the right combination of knowledge, skills and experience. 

---

---

Here are the skills you need as an Incident Commander to ace your job:

Problem-solving 

As an Incident Commander, you must be a problem solver. You need to know how to identify and solve complex problems in high-pressure situations. Side by side, you will also need to think critically and creatively to come up with practical solutions.

Communication 

Effective communication is vital when it comes to managing an incident. You should be a top-notch communicator to deliver your ideas clearly and concisely to your team.

Decision making 

An Incident Commander makes critical decisions that could impact the safety and well-being of others. They weigh the pros and cons of different options and make confident decisions.

Proactive listening 

It's not just about talking — ICs are also fantastic listeners. They seek out and understand different perspectives to use that information and make better decisions.

Adaptability

No two incidents are the same. As an Incident Commander, you must adapt to changing circumstances quickly and effectively.

Leadership

As an Incident Commander, you have to lead a team of responders. You must inspire and motivate the team — while also providing clear guidance and direction to illustrate your leadership. 

Time management 

Time is of the essence when it comes to managing an incident. That's why ICs prioritize tasks and make the most of every minute.

Previous experience with similar incidents

While it's not strictly necessary, having experience dealing with similar incidents is a significant advantage. It’ll help you anticipate potential problems and come up with effective solutions more quickly.

Best practices for Incident Commanders 

As an Incident Commander, you ensure your organization's safety and success during an incident. While incidents are unpredictable, there are a few best practices to help you navigate them effectively. So, let's dive into them. 

Keep up with industry best practices

The world of incident management is constantly evolving, so staying up-to-date with the latest best practices and trends is essential. A great way to do that is to attend conferences and network with other professionals in the field.

(Related reading: Top Security Conferences To Attend)

Planning ahead of the problem

Effective incident management starts with a solid plan. An IC should take the time to develop and document an incident response plan, including clear roles and responsibilities for each team member.

Know your organization and IT teams

As an Incident Commander, you work closely with your organization and IT teams. So, you should understand each team member's different roles and responsibilities, and the overall structure of your organization.

Focus on the tasks at hand

During an incident, it's easy to get overwhelmed by the sheer volume of tasks an IC needs to complete. To stay focused, you should prioritize tasks based on their urgency and importance and break them into smaller, more manageable chunks. This helps in speeding up the work without getting exhausted. 

Maintain a calm and professional demeanor

In high-pressure situations, ICs remain calm and focused. This helps them make better decisions and inspires confidence in the team and stakeholders.

Prioritize postmortems after the incident 

Once the incident is over, it's good to conduct a thorough postmortem analysis to identify areas for improvement. So, an IC must take the time to document lessons learned and make any necessary changes to team or incident response plans for the future.

Wrap up

Incident Commanders manage critical incidents, such as cyberattacks or disasters. They lead the response efforts, make critical decisions under pressure and coordinate the response teams. 

Effective communication, assessment, action plan creation, delegation and coordination are the key duties of an IC. Without an IC, incident management teams may miss critical details. But an IC ensures everyone is on the same page and that the incident response is efficient and effective.

What is Splunk?

This posting does not necessarily represent Splunk's position, strategies or opinion.