The U.S. armed forces is famous for breeding a specific type of leader: strong, steadfast and resolute in the face of crisis. These are the people you want in charge when the going gets tough, when the fire is coming in and you need quick, firm decisions to tackle the issue at hand.

You don’t usually find leaders like this in corporate America — but you will find them at IBM Security.

Mike Barcomb is the incident command leader at IBM X-Force, a role he took up in 2017 after more than two decades with the company. He’s also a retired colonel from the U.S. Army Reserve. During his time in the U.S. Army, Mike successfully led military and civilian personnel at various levels for 30 years, serving his active duty as a systems integration officer in Afghanistan from 2004–05.

At IBM, he draws upon his military leadership experience to develop robust incident response strategies.

Getting the IBM Cadets in Line

Mike and his team have achieved something quite remarkable: In the short time since joining X-Force, he has used his background and knowledge to orchestrate a process for responding to pandemic cyberattacks, such as WannaCry and NotPetya. The strategy is designed to enable IBM’s many thousands of employees to address security issues on a global scale. It orchestrates multiple functions — such as customer support, communications, marketing, sales and the C-suite — and solidifies IBM’s best-in-class incident management system.

The team’s hard work enables IBM to react to global threats quickly and efficiently and to effectively communicate with customers and media across the world.

“A major cyber event requires a plan unlike any other. It is one area of business where all divisions must operate as one — HR [human resources], legal, marketing, technical and products. These groups must come together, understand their responsibilities and be able to provide a single source of truth for clients,” Mike said. “And once that plan is in place, it must regularly be practiced and drilled. A key component of this plan is understanding who your key stakeholders are in each organization and how you can reach them or their backups at a moment’s notice. Cyber events don’t live a 9-to-5 — your team can’t either. Time is your enemy.”

Mike’s team was brought on board to help define the process and plan, and then to rehearse the process for response. It’s a continuous cycle of checking for new threats, updating incident response plans and playbooks, validating alert rosters and then testing it all via tabletop or simulation exercises. This process helps responders understand their roles and what’s expected of them so that when incidents do occur, they can spring right into action. This strategy plays right into Mike’s military experience.

“Whether it be rehearsing a fire drill in a school or for sports teams or first responders, you have to continually rehearse because things change — threats change,” Mike said. “I don’t think over-rehearsing would be a negative. It’s the opposite: We need to ensure we’re doing that. There is no way to be overprepared for the unpreparable.”

Before the rehearsals, however, you must have that plan in place. Otherwise, you don’t know what you’re practicing.

“Once you have that plan in place, if you’re not rehearsing, it’s a stale document,” he said. “It’s just there.”

Why Quick Thinking Is Crucial to Incident Response

Mike likens his way of thinking to that of a first responder. It doesn’t matter if it’s Sunday afternoon in the middle of a football game — when the alarm goes off in the firehouse, you go to work helping people.

Likewise, an EMT doesn’t enter your house while you’re having a heart attack and then consult the hospital’s board of directors on how to treat you best. Just as a military leader needs to remain calm in the face of adversity, a first responder must instinctively know what to do. It’s this mindset that drives IBM’s incident response strategy.

“It’s a culture where you’re willing to accept change — you’re willing to drop what you’re currently working on and focus on whatever that task is at hand at that point in time,” Mike said. “We are looking to solve whatever the problem may be, but keeping the customers’ safety and their business at the forefront.”

Mike is clear about the value he takes from his work in the Reserve and how “immediate, informed decisiveness” is crucial in times of crisis. The military has an organizational structure and leaders that are expected to make difficult decisions, drive on and adjust if needed.

“If I go back and think about my time as a cadet, early on you were challenged to make a decision quickly,” he recalled. “It may not be the right one, but you made a decision and you’ll learn from it and if there’s something you have to adjust later on, you do. You don’t have time for consensus building and trying to figure out what do we think we’re going to do.”

IBM X-Force: Plan, Rehearse, Repeat

Mike’s military background trained him to work with people of different skill sets — in various locations around the world — to plan, rehearse and execute incident response processes. As a result, Mike said, these strategies have become “like muscle memory — second nature.”

Mike highlighted two important military concepts that he applies to cybersecurity: duty to act and duty to respond.

“Duty to act simply means the individuals involved in a cyber event have a specific role as part of the response team, and that role has certain responsibilities that must be fulfilled in order to fulfill your overall mission,” Mike said. “Duty to respond is the concept that when a cyber event occurs, you will be actively involved in helping to get your team and company up and running again — regardless of the time, the day of the week or where you happen to be when it occurs.”

Mike believes these commitments to duty are “critical to implementing a successful cyber resiliency plan.”

There’s a lot to be said for bringing military thinking into cybersecurity. After all, the IBM X-Force team’s day-to-day work involves attacks and counterattacks, strategic thinking and second-guessing the enemy. Mike’s colleagues are quick to praise the rigor and leadership he’s brought to incident command, but for Mike, it’s “a total team effort.”

Perhaps this is one of the biggest lessons he’s brought from the military: The whole is more important than the individual, as long as the end game remains in sight.
