BSides Atlanta 2023

Hands off keyboard: Cyber Incident Commander primer
10-14, 11:30–11:50 (US/Eastern), Room 402

You have been appointed as the Incident Commander for a security incident. Congratulations! Do you know what is expected of you? Have you received any training on Incident Command and role expectations? Does your IR plan or playbooks help you execute on your incident command duties? If you answer no to any of these questions, then this presentation is for you... and you are not alone. While there is a ton of educational material on DFIR and hands-on-keyboard Incident Response, there is very little focus on the Incident Commander role. In my experience, a good incident commander can make a big difference in making “IR boring” - that desired state where surprises are minimized and where the IR team executes on its mission like the pit crew at an F1 race.

In this session I will share lessons learned in Incident Command from multiple types of IR engagements (product security, data breaches, network compromise, and “major risk” incidents like Log4j). We will talk about the Triangle of IR communications, how to lead an incident meeting (yes, a meeting!), and the importance of “remaining neutral”, even when handling overexcited executives. There will be some stories, but you will leave with practical advice and actions you can take in your next incident.

Jorge leads Detection and Response at Zoom, encompassing the SOC, IR, Detection Engineering, Threat Intelligence, and Security Logging. Prior to Zoom he led Security Operations and Response at Peloton, held several security and non-security roles at Microsoft, and piloted a desk in the US Air Force. Jorge hails from Puerto Rico, but has lived in ten different cities before relocating to the Alpharetta area in 2021.