The U.S. armed forces are famous for breeding a specific type of leader: strong, steadfast and resolute in the face of crisis. These are the people you want in charge when the going gets tough, when the fire is coming in and you need quick, firm decisions to tackle the issue at hand.

You don’t usually find leaders like this in corporate America — but you will find them at IBM Security.

Mike Barcomb is the incident command leader at IBM X-Force, a role he took up in 2017 after more than two decades with the company. He’s also a retired colonel from the U.S. Army Reserve. During his time in the U.S. Army, Mike successfully led military and civilian personnel at various levels for 30 years, serving his active duty as a systems integration officer in Afghanistan from 2004–05.

At IBM, he draws upon his military leadership experience to develop robust incident response strategies.

Getting the IBM Cadets in Line

Mike and his team have achieved something quite remarkable: In the short time since joining X-Force, he has used his background and knowledge to orchestrate a process for responding to pandemic cyberattacks, such as WannaCry and NotPetya. The strategy is designed to enable IBM’s many thousands of employees to address security issues on a global scale. It orchestrates multiple functions — such as customer support, communications, marketing, sales and the C-suite — and solidifies IBM’s best-in-class incident management system.

The team’s hard work enables IBM to react to global threats quickly and efficiently and to effectively communicate with customers and media across the world.

“A major cyber event requires a plan unlike any other. It is one area of business where all divisions must operate as one — HR [human resources], legal, marketing, technical and products. These groups must come together, understand their responsibilities and be able to provide a single source of truth for clients,” Mike said. “And once that plan is in place, it must regularly be practiced and drilled. A key component of this plan is understanding who your key stakeholders are in each organization and how you can reach them or their backups at a moment’s notice. Cyber events don’t live a 9-to-5 — your team can’t either. Time is your enemy.”

Mike’s team was brought on board to help define the response process and plan, and then to rehearse it. It’s a continuous cycle of checking for new threats, updating incident response plans and playbooks, validating alert rosters and then testing it all via tabletop or simulation exercises. This process helps responders understand their roles and what’s expected of them so that when incidents do occur, they can spring right into action. This strategy plays right into Mike’s military experience.
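As an added example (not IBM’s or X-Force’s own tooling), here is the kind of check the “validating alert rosters” step above calls for, reflecting Mike’s point that every stakeholder, or their backup, must be reachable at a moment’s notice. It flags roles with no entry, entries missing a primary or backup, contacts with only one channel, a backup who is the same person as the primary, and entries that have not been re-validated recently. The required role set, the two-channel rule, the 90-day threshold and the sample roster are all assumptions constructed for the illustration.

```python
"""Validate an incident response alert roster before a tabletop exercise.

Added illustration, not IBM's or X-Force's tooling. Role names, the
two-channel rule and the staleness limit are assumptions; the roster
below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed set of functions that must be on the roster for a major event.
REQUIRED_ROLES = {
    "incident commander", "legal", "hr", "communications",
    "technical lead", "customer support", "executive sponsor",
}


@dataclass
class Contact:
    name: str
    phone: Optional[str] = None
    email: Optional[str] = None

    def channels(self) -> int:
        """Number of distinct ways to reach this person."""
        return sum(1 for c in (self.phone, self.email) if c)


@dataclass
class RosterEntry:
    role: str
    primary: Optional[Contact]
    backup: Optional[Contact]
    last_validated: date


def validate_roster(roster: List[RosterEntry], today: date,
                    max_age_days: int = 90) -> List[str]:
    """Return a list of human-readable findings; an empty list means ready."""
    findings: List[str] = []
    present = {e.role.lower() for e in roster}
    for role in sorted(REQUIRED_ROLES - present):
        findings.append(f"{role}: no entry on roster")
    for e in roster:
        role = e.role.lower()
        for label, c in (("primary", e.primary), ("backup", e.backup)):
            if c is None:
                findings.append(f"{role}: missing {label} contact")
            elif c.channels() < 2:
                findings.append(
                    f"{role}: {label} {c.name} has only {c.channels()} contact channel(s)")
        if e.primary and e.backup and e.primary.name == e.backup.name:
            findings.append(
                f"{role}: primary and backup are the same person ({e.primary.name})")
        age = (today - e.last_validated).days
        if age > max_age_days:
            findings.append(
                f"{role}: last validated {age} days ago (limit {max_age_days})")
    return findings


def call_order(roster: List[RosterEntry], role: str) -> List[str]:
    """Escalation order for one role: primary first, then backup, skipping gaps."""
    for e in roster:
        if e.role.lower() == role.lower():
            return [c.name for c in (e.primary, e.backup) if c is not None]
    return []


# Constructed sample roster (names and numbers are placeholders).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ROSTER = [
    RosterEntry("Incident Commander",
                Contact("A. Lee", "+1-555-0100", "a.lee@example.com"),
                Contact("B. Ortiz", "+1-555-0101", "b.ortiz@example.com"),
                date(2024, 5, 15)),
    # Only one channel for the primary, no backup, and not validated since last year.
    RosterEntry("Legal", Contact("C. Ng", phone="+1-555-0102"), None, date(2023, 11, 1)),
    # Backup is the same person as the primary, so there is no real backup.
    RosterEntry("HR",
                Contact("D. Roy", "+1-555-0103", "d.roy@example.com"),
                Contact("D. Roy", "+1-555-0103", "d.roy@example.com"),
                date(2024, 5, 20)),
    RosterEntry("Communications",
                Contact("E. Shah", "+1-555-0104", "e.shah@example.com"),
                Contact("F. Kim", "+1-555-0105", "f.kim@example.com"),
                date(2024, 4, 1)),
    RosterEntry("Technical Lead",
                Contact("G. Ibe", "+1-555-0106", "g.ibe@example.com"),
                Contact("H. Wu", "+1-555-0107", "h.wu@example.com"),
                date(2024, 5, 30)),
    # "customer support" and "executive sponsor" are deliberately absent.
]

if __name__ == "__main__":
    for finding in validate_roster(SAMPLE_ROSTER, SAMPLE_TODAY):
        print(finding)
    print("call order for legal:", call_order(SAMPLE_ROSTER, "legal"))
```

Running this against the sample roster prints six findings; each one is something a drill would otherwise discover only when a call goes unanswered. A clean roster returns an empty list, which is the condition worth gating a tabletop exercise on.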

“Whether it be rehearsing a fire drill in a school or for sports teams or first responders, you have to continually rehearse because things change — threats change,” Mike said. “I don’t think over-rehearsing would be a negative. It’s the opposite: We need to ensure we’re doing that. There is no way to be overprepared for the unpreparable.”

Before the rehearsals, however, you must have that plan in place. Otherwise, you don’t know what you’re practicing.

“Once you have that plan in place, if you’re not rehearsing, it’s a stale document,” he said. “It’s just there.”

Why Quick Thinking Is Crucial to Incident Response

Mike likens his way of thinking to that of a first responder. It doesn’t matter if it’s Sunday afternoon in the middle of a football game — when the alarm goes off in the firehouse, you go to work helping people.

Likewise, an EMT doesn’t enter your house while you’re having a heart attack and then consult the hospital’s board of directors on how to treat you best. Just as a military leader needs to remain calm in the face of adversity, a first responder must instinctively know what to do. It’s this mindset that drives IBM’s incident response strategy.

“It’s a culture where you’re willing to accept change — you’re willing to drop what you’re currently working on and focus on whatever that task is at hand at that point in time,” Mike said. “We are looking to solve whatever the problem may be, but keeping the customers’ safety and their business at the forefront.”

Mike is clear about the value he takes from his work in the Reserve and how “immediate, informed decisiveness” is crucial in times of crisis. The military has an organizational structure and leaders that are expected to make difficult decisions, drive on and adjust if needed.

“If I go back and think about my time as a cadet, early on you were challenged to make a decision quickly,” he recalled. “It may not be the right one, but you made a decision and you’ll learn from it and if there’s something you have to adjust later on, you do. You don’t have time for consensus building and trying to figure out what do we think we’re going to do.”

IBM X-Force: Plan, Rehearse, Repeat

Mike’s military background trained him to work with people of different skill sets — in various locations around the world — to plan, rehearse and execute incident response processes. As a result, Mike said, these strategies have become “like muscle memory — second nature.”

Mike highlighted two important military concepts that he applies to cybersecurity: duty to act and duty to respond.

“Duty to act simply means the individuals involved in a cyber event have a specific role as part of the response team and that role has certain responsibilities that must be fulfilled in order to fulfill your overall mission,” Mike said. “Duty to respond is the concept that when a cyber event occurs, you will be actively involved in helping to get your team and company up and running again — regardless of the time, the day of the week or where you happen to be when it occurs.”

Mike believes these commitments to duty are “critical to implementing a successful cyber resiliency plan.”

There’s a lot to be said for bringing military thinking into cybersecurity. After all, the IBM X-Force team’s day-to-day work involves attacks and counterattacks, strategic thinking and anticipating the adversary’s next move. Mike’s colleagues are quick to praise the rigor and leadership he’s brought to incident command, but for Mike, it’s “a total team effort.”

Perhaps this is one of the biggest lessons he’s brought from the military: The whole is more important than the individual, as long as the end game remains in sight.
