The U.S. armed forces are famous for breeding a specific type of leader: strong, steadfast and resolute in the face of crisis. These are the people you want in charge when the going gets tough, when the fire is coming in and you need quick, firm decisions to tackle the issue at hand.

You don’t usually find leaders like this in corporate America — but you will find them at IBM Security.

Mike Barcomb is the incident command leader at IBM X-Force, a role he took up in 2017 after more than two decades with the company. He’s also a retired colonel from the U.S. Army Reserve. During his time in the U.S. Army, Mike successfully led military and civilian personnel at various levels for 30 years, serving his active duty as a systems integration officer in Afghanistan from 2004–05.

At IBM, he draws upon his military leadership experience to develop robust incident response strategies.

Getting the IBM Cadets in Line

Mike and his team have achieved something quite remarkable: In the short time since joining X-Force, he has used his background and knowledge to orchestrate a process for responding to pandemic cyberattacks, such as WannaCry and NotPetya. The strategy is designed to enable IBM’s many thousands of employees to address security issues on a global scale. It orchestrates multiple functions — such as customer support, communications, marketing, sales and the C-suite — and solidifies IBM’s best-in-class incident management system.

The team’s hard work enables IBM to react to global threats quickly and efficiently and to effectively communicate with customers and media across the world.

“A major cyber event requires a plan unlike any other. It is one area of business where all divisions must operate as one — HR [human resources], legal, marketing, technical and products. These groups must come together, understand their responsibilities and be able to provide a single source of truth for clients,” Mike said. “And once that plan is in place, it must regularly be practiced and drilled. A key component of this plan is understanding who your key stakeholders are in each organization and how you can reach them or their backups at a moment’s notice. Cyber events don’t live a 9-to-5 — your team can’t either. Time is your enemy.”

Mike’s team was brought on board to help define the process and plan, and then to rehearse the process for response. It’s a continuous cycle of checking for new threats, updating incident response plans and playbooks, validating alert rosters and then testing it all via tabletop or simulation exercises. This process helps responders understand their roles and what’s expected of them so that when incidents do occur, they can spring right into action. This strategy plays right into Mike’s military experience.

“Whether it be rehearsing a fire drill in a school or for sports teams or first responders, you have to continually rehearse because things change — threats change,” Mike said. “I don’t think over-rehearsing would be a negative. It’s the opposite: We need to ensure we’re doing that. There is no way to be overprepared for the unpreparable.”

Before the rehearsals, however, you must have that plan in place. Otherwise, you don’t know what you’re practicing.

“Once you have that plan in place, if you’re not rehearsing, it’s a stale document,” he said. “It’s just there.”

Why Quick Thinking Is Crucial to Incident Response

Mike likens his way of thinking to that of a first responder. It doesn’t matter if it’s Sunday afternoon in the middle of a football game — when the alarm goes off in the firehouse, you go to work helping people.

Likewise, an EMT doesn’t enter your house while you’re having a heart attack and then consult the hospital’s board of directors on how to treat you best. Just as a military leader needs to remain calm in the face of adversity, a first responder must instinctively know what to do. It’s this mindset that drives IBM’s incident response strategy.

“It’s a culture where you’re willing to accept change — you’re willing to drop what you’re currently working on and focus on whatever that task is at hand at that point in time,” Mike said. “We are looking to solve whatever the problem may be, but keeping the customers’ safety and their business at the forefront.”

Mike is clear about the value he takes from his work in the Reserve and how “immediate, informed decisiveness” is crucial in times of crisis. The military has an organizational structure and leaders who are expected to make difficult decisions, drive on and adjust if needed.

“If I go back and think about my time as a cadet, early on you were challenged to make a decision quickly,” he recalled. “It may not be the right one, but you made a decision and you’ll learn from it and if there’s something you have to adjust later on, you do. You don’t have time for consensus building and trying to figure out what do we think we’re going to do.”

IBM X-Force: Plan, Rehearse, Repeat

Mike’s military background trained him to work with people of different skill sets — in various locations around the world — to plan, rehearse and execute incident response processes. As a result, Mike said, these strategies have become “like muscle memory — second nature.”

Mike highlighted two important military concepts that he applies to cybersecurity: duty to act and duty to respond.

“Duty to act simply means the individuals involved in a cyber event have a specific role as part of the response team, and that role has certain responsibilities that must be fulfilled in order to fulfill your overall mission,” Mike said. “Duty to respond is the concept that when a cyber event occurs, you will be actively involved in helping to get your team and company up and running again — regardless of the time, the day of the week or where you happen to be when it occurs.”

Mike believes these commitments to duty are “critical to implementing a successful cyber resiliency plan.”

There’s a lot to be said for bringing military thinking into cybersecurity. After all, the IBM X-Force team’s day-to-day work involves attacks and counterattacks, strategic thinking and second-guessing the enemy. Mike’s colleagues are quick to praise the rigor and leadership he’s brought to incident command, but for Mike, it’s “a total team effort.”

Perhaps this is one of the biggest lessons he’s brought from the military: The whole is more important than the individual, as long as the end game remains in sight.
