Hands off keyboard: Cyber Incident Commander primer
10-14, 11:30–11:50 (US/Eastern), Room 402

You have been appointed as the Incident Commander for a security incident. Congratulations! Do you know what is expected of you? Have you received any training on Incident Command and role expectations? Does your IR plan or playbooks help you execute on your incident command duties? If you answer no to any of these questions, then this presentation is for you...and you are not alone. While there is a ton of educational material on DFIR and hands-on-keyboard Incident Response, there is very little focus on the Incident Commander role. In my experience a good incident commander can make a big difference in making “IR boring” - that desired state where surprises are minimized and where the IR team executes on their mission like the pit crew on an F1 race.

In this session I will share lessons learned in Incident Command from multiple types of IR engagements (product security, data breaches, network compromise, and “major risk” incidents like Log4j). We will talk about the Triangle of IR communications, how to lead an incident meeting (yes, a meeting!), and the importance of “remaining neutral”, even when handling overexcited executives. There will be some stories, but you will leave with practical advice and actions you can take in your next incident.

Jorge leads Detection and Response at Zoom, encompassing the SOC, IR, Detection Engineering, Threat Intelligence, and Security Logging. Prior to Zoom he led Security Operations and Response at Peloton, held several security and non-security roles at Microsoft, and piloted a desk in the US Air Force. Jorge hails from Puerto Rico, but has lived in ten different cities before relocating to the Alpharetta area in 2021.