The U.S. armed forces are famous for breeding a specific type of leader: strong, steadfast and resolute in the face of crisis. These are the people you want in charge when the going gets tough, when the fire is coming in and you need quick, firm decisions to tackle the issue at hand.

You don’t usually find leaders like this in corporate America — but you will find them at IBM Security.

Mike Barcomb is the incident command leader at IBM X-Force, a role he took up in 2017 after more than two decades with the company. He’s also a retired colonel from the U.S. Army Reserve. During his time in the U.S. Army, Mike successfully led military and civilian personnel at various levels for 30 years, serving his active duty as a systems integration officer in Afghanistan from 2004–05.

At IBM, he draws upon his military leadership experience to develop robust incident response strategies.

Getting the IBM Cadets in Line

Mike and his team have achieved something quite remarkable: In the short time since joining X-Force, he has used his background and knowledge to orchestrate a process for responding to pandemic cyberattacks, such as WannaCry and NotPetya. The strategy is designed to enable IBM’s many thousands of employees to address security issues on a global scale. It orchestrates multiple functions — such as customer support, communications, marketing, sales and the C-suite — and solidifies IBM’s best-in-class incident management system.

The team’s hard work enables IBM to react to global threats quickly and efficiently and to effectively communicate with customers and media across the world.

“A major cyber event requires a plan unlike any other. It is one area of business where all divisions must operate as one — HR [human resources], legal, marketing, technical and products. These groups must come together, understand their responsibilities and be able to provide a single source of truth for clients,” Mike said. “And once that plan is in place, it must regularly be practiced and drilled. A key component of this plan is understanding who your key stakeholders are in each organization and how you can reach them or their backups at a moment’s notice. Cyber events don’t live a 9-to-5 — your team can’t either. Time is your enemy.”

Mike’s team was brought on board to help define the process and plan, and then to rehearse the process for response. It’s a continuous cycle of checking for new threats, updating incident response plans and playbooks, validating alert rosters and then testing it all via tabletop or simulation exercises. This process helps responders understand their roles and what’s expected of them so that when incidents do occur, they can spring right into action. This strategy plays right into Mike’s military experience.

“Whether it be rehearsing a fire drill in a school or for sports teams or first responders, you have to continually rehearse because things change — threats change,” Mike said. “I don’t think over-rehearsing would be a negative. It’s the opposite: We need to ensure we’re doing that. There is no way to be overprepared for the unpreparable.”

Before the rehearsals, however, you must have that plan in place. Otherwise, you don’t know what you’re practicing.

“Once you have that plan in place, if you’re not rehearsing, it’s a stale document,” he said. “It’s just there.”

Why Quick Thinking Is Crucial to Incident Response

Mike likens his way of thinking to that of a first responder. It doesn’t matter if it’s Sunday afternoon in the middle of a football game — when the alarm goes off in the firehouse, you go to work helping people.

Likewise, an EMT doesn’t enter your house while you’re having a heart attack and then consult the hospital’s board of directors on how to treat you best. Just as a military leader needs to remain calm in the face of adversity, a first responder must instinctively know what to do. It’s this mindset that drives IBM’s incident response strategy.

“It’s a culture where you’re willing to accept change — you’re willing to drop what you’re currently working on and focus on whatever that task is at hand at that point in time,” Mike said. “We are looking to solve whatever the problem may be, but keeping the customers’ safety and their business at the forefront.”

Mike is clear about the value he takes from his work in the Reserve and how “immediate, informed decisiveness” is crucial in times of crisis. The military has an organizational structure and leaders that are expected to make difficult decisions, drive on and adjust if needed.

“If I go back and think about my time as a cadet, early on you were challenged to make a decision quickly,” he recalled. “It may not be the right one, but you made a decision and you’ll learn from it and if there’s something you have to adjust later on, you do. You don’t have time for consensus building and trying to figure out what do we think we’re going to do.”

IBM X-Force: Plan, Rehearse, Repeat

Mike’s military background trained him to work with people of different skill sets — in various locations around the world — to plan, rehearse and execute incident response processes. As a result, Mike said, these strategies have become “like muscle memory — second nature.”

Mike highlighted two important military concepts that he applies to cybersecurity: duty to act and duty to respond.

“Duty to act simply means the individuals involved in a cyber event have a specific role as part of the response team and that role has certain responsibilities that must be fulfilled in order to fulfill your overall mission,” Mike said. “Duty to respond is the concept that when a cyber event occurs, you will be actively involved in helping to get your team and company up and running again — regardless of the time, the day of the week or where you happen to be when it occurs.”

Mike believes these commitments to duty are “critical to implementing a successful cyber resiliency plan.”

There’s a lot to be said for bringing military thinking into cybersecurity. After all, the IBM X-Force team’s day-to-day work involves attacks and counterattacks, strategic thinking and second-guessing the enemy. Mike’s colleagues are quick to praise the rigor and leadership he’s brought to incident command, but for Mike, it’s “a total team effort.”

Perhaps this is one of the biggest lessons he’s brought from the military: The whole is more important than the individual, as long as the end game remains in sight.
