The U.S. armed forces is famous for breeding a specific type of leader: strong, steadfast and resolute in the face of crisis. These are the people you want in charge when the going gets tough, when the fire is coming in and you need quick, firm decisions to tackle the issue at hand.

You don’t usually find leaders like this in corporate America — but you will find them at IBM Security.

Mike Barcomb is the incident command leader at IBM X-Force, a role he took up in 2017 after more than two decades with the company. He’s also a retired colonel from the U.S. Army Reserve. During his time in the U.S. Army, Mike successfully led military and civilian personnel at various levels for 30 years, serving his active duty as a systems integration officer in Afghanistan from 2004–05.

At IBM, he draws upon his military leadership experience to develop robust incident response strategies.

Getting the IBM Cadets in Line

Mike and his team have achieved something quite remarkable: In the short time since joining X-Force, he has used his background and knowledge to orchestrate a process for responding to pandemic cyberattacks, such as WannaCry and NotPetya. The strategy is designed to enable IBM’s many thousands of employees to address security issues on a global scale. It orchestrates multiple functions — such as customer support, communications, marketing, sales and the C-suite — and solidifies IBM’s best-in-class incident management system.

The team’s hard work enables IBM to react to global threats quickly and efficiently and to effectively communicate with customers and media across the world.

“A major cyber event requires a plan unlike any other. It is one area of business where all divisions must operate as one — HR [human resources], legal, marketing, technical and products. These groups must come together, understand their responsibilities and be able to provide a single source of truth for clients,” Mike said. “And once that plan is in place, it must regularly be practiced and drilled. A key component of this plan is understanding who your key stakeholders are in each organization and how you can reach them or their backups at a moments notice. Cyber events don’t live a 9-to-5 — your team can’t either. Time is your enemy.”

Mike’s team was brought on board to help define the process and plan, and then to rehearse the process for response. It’s a continuous cycle of checking for new threats, updating incident response plans and playbooks, validating alert rosters and then testing it all via tabletop or simulation exercises. This process helps responders understand their roles and what’s expected of them so that when incidents do occur, they can spring right into action. This strategy plays right into Mike’s military experience.

“Whether it be rehearsing a fire drill in a school or for sports teams or first responders, you have to continually rehearse because things change — threats change,” Mike said. “I don’t think over-rehearsing would be a negative. It’s the opposite: We need to ensure we’re doing that. There is no way to be overprepared for the unpreparable.”

Before the rehearsals, however, you must have that plan in place. Otherwise, you don’t know what you’re practicing.

“Once you have that plan in place, if you’re not rehearsing, it’s a stale document,” he said. “It’s just there.”

 Why Quick Thinking Is Crucial to Incident Response

Mike likens his way of thinking to that of a first responder. It doesn’t matter if it’s Sunday afternoon in the middle of a football game — when the alarm goes off in the firehouse, you go to work helping people.

Likewise, an EMT doesn’t enter your house while you’re having a heart attack and then consult the hospital’s board of directors on how to treat you best. Just as a military leader needs to remain calm in the face of adversity, a first responder must instinctively know what to do. It’s this mindset that drives IBM’s incident response strategy.

“It’s a culture where you’re willing to accept change — you’re willing to drop what you’re currently working on and focus on whatever that task is at hand at that point in time,” Mike said. “We are looking to solve whatever the problem may be, but keeping the customers’ safety and their business at the forefront.”

Mike is clear about the value he takes from his work in the Reserve and how “immediate, informed decisiveness” is crucial in times of crisis. The military has an organizational structure and leaders that are expected to make difficult decisions, drive on and adjust if needed.

“If I go back and think about my time as a cadet, early on you were challenged to make a decision quickly,” he recalled. “It may not be the right one, but you made a decision and you’ll learn from it and if there’s something you have to adjust later on, you do. You don’t have time for consensus building and trying to figure out what do we think we’re going to do.”

IBM X-Force: Plan, Rehearse, Repeat

Mike’s military background trained him to work with people of different skill sets — in various locations around the world — to plan, rehearse and execute incident response processes. As a result, Mike said, these strategies have become “like muscle memory — second nature.”

Mike highlighted two important military concepts that he applies to cybersecurity: duty to act and duty to respond.

“Duty to act simply means the individuals involved in a cyber event have a specific role as part of the response team and that role has certain responsibilities must be fulfilled in order to fulfill your overall mission,” Mike said. “Duty to respond is the concept that when a cyber event occurs, you will be actively involved in helping to get your team and company up and running again — regardless of the time, the day of the week or where you happen to be when it occurs.”

Mike believes these commitments to duty are “critical to implementing a successful cyber resiliency plan.”

There’s a lot to be said for bringing military thinking into cybersecurity. After all, the IBM X-Force team’s day-to-day work involves attacks and counterattacks, strategic thinking and second-guessing the enemy. Mike’s colleagues are quick to praise the rigor and leadership he’s brought to incident command, but for Mike, it’s “a total team effort.”

Perhaps this is one of the biggest lessons he’s brought from the military: The whole is more important than the individual, as long as the end game remains in sight.

Meet X-Force Command Center Creative Director Allison Ritter

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today