The Slack notification reads: “#critical-security: RANSOMWARE DETECTED ON FILE-SVR-03.” Twelve seconds later, the CTO calls the security analyst. The security analyst calls the IT director. The IT director calls the CEO. The CEO asks one question: “Who is in charge?” Fifteen minutes pass. Four senior leaders debate authority to pull production servers offline. The ransomware encrypts the backup server during the debate.
SOC 2 CC7.3 and HIPAA 164.308(a)(6) require documented incident response team roles with assigned responsibilities [AICPA TSC CC7.3, HIPAA 164.308(a)(6)]. Documenting titles on an org chart is not sufficient. Auditors verify role assignments through tabletop exercise evidence demonstrating each team member executed their designated function under simulated pressure.
The organizations surviving real incidents share one structural element: a single Incident Commander with pre-authorized decision-making authority, a Technical Lead executing containment, and a Scribe documenting the timeline for legal and audit purposes. Three functions. Three people. One chain of command.
Every incident response team requires three core functions: the Incident Commander (IC) who makes decisions, the Technical Lead who executes containment and remediation, and the Scribe who documents the timeline for legal and audit purposes. Larger organizations add Legal Counsel, Public Relations, and Forensics as Strategic-tier roles. The IC holds pre-authorized decision-making authority including system shutdowns and emergency spending [NIST SP 800-61 Rev. 3].
The Incident Commander: The Only Role Without a Keyboard
The Incident Commander (IC) is the single decision-maker during a live incident, and organizations with a designated IC reduce mean time to containment by **40%** compared to teams operating without a formal command structure [SANS 2024 Incident Response Survey]. The IC does not touch the keyboard. The IC does not review logs. The IC makes decisions, directs the response team, and maintains situational awareness while everyone else executes.
Every minute the IC spends typing commands is a minute without someone coordinating the overall response. The organizations failing incident response are the ones where the most technical person tries to simultaneously fix the server, brief the CEO, and document the timeline. Three tasks. Zero done well.
IC Authority Requirements
The IC requires pre-authorized authority documented in your incident response plan. Three specific authorities must be formalized before an incident occurs:
- System shutdown authority: The IC authorizes taking production systems offline without executive approval during active containment. Waiting for CEO sign-off while malware spreads across the network is not an acceptable workflow.
- Emergency spending authority: The IC authorizes emergency expenses up to a documented limit (typically $25,000-$50,000) for forensic tools, contractor engagement, or infrastructure replacement.
- Communication authority: The IC controls when and what information leaves the response team. No one briefs the press, notifies customers, or contacts regulators until the IC confirms the containment status.
Draft a formal “Delegation of Authority” letter signed by the CEO granting the IC specific authorities: system shutdown, emergency spending (with dollar limit), and communication control. Attach the letter as an appendix to your incident response plan. Update the letter annually or whenever the IC role changes. This document is the single most important artifact auditors review for CC7.3 compliance [AICPA TSC CC7.3].
What Is the Three-Tier Command Structure for Incident Response?
Flatten your incident response team and the response collapses. The military and FEMA Incident Command System (ICS) model separates responders into three tiers with distinct responsibilities and communication channels [NIST SP 800-61 Rev. 3].
Tier 1: Operational (Bronze)
Members: System administrators, security analysts, network engineers, DevOps engineers.
Function: Hands on keyboard. Tier 1 executes the containment, eradication, and recovery procedures. They isolate infected systems, block malicious IPs, restore from backups, and deploy patches. They report status to the IC. They do not communicate with executives, customers, or regulators.
Tier 2: Tactical (Silver)
Members: Incident Commander and Scribe.
Function: Coordination and documentation. The IC directs Tier 1 operations, makes escalation decisions, and serves as the single source of truth for incident status. The Scribe documents every action, decision, and timestamp. This documentation feeds the post-incident review and creates the audit evidence trail for legal defense.
Tier 3: Strategic (Gold)
Members: Legal counsel, public relations, HR, C-suite executives.
Function: Air cover. Tier 3 handles regulators, the press, the board, and affected customers so the IC focuses on containment. Tier 3 does not give operational orders. The CEO does not direct the security analyst to “check the firewall.” Strategic decisions (breach notification timing, regulatory disclosure, customer communication) flow through Tier 3 after the IC confirms containment status.
Document the three-tier structure in your incident response plan with named individuals (primary and backup) for each role. Include contact information, escalation paths between tiers, and the communication rule: Tier 1 talks to Tier 2. Tier 2 talks to Tier 3. Tier 1 never communicates directly with Tier 3 during an active incident. Validate this structure during your quarterly tabletop exercise.
The RACI Matrix for Incident Response
A RACI matrix eliminates ambiguity about who performs, who approves, who advises, and who receives updates for each incident response action. **54% of incident response failures** involve role confusion during the first 30 minutes of an incident [IBM Cost of a Data Breach 2024]. Auditors reviewing CC7.3 look for documented role assignments mapped to specific response activities [AICPA TSC CC7.3].
| Activity | Incident Commander | Technical Lead | Legal / Executives |
|---|---|---|---|
| Declare incident | Accountable (A) | Consulted (C) | Informed (I) |
| Containment actions | Accountable (A) | Responsible (R) | Informed (I) |
| System shutdown | Accountable (A) | Responsible (R) | Informed (I) |
| Evidence preservation | Consulted (C) | Responsible (R) | Accountable (A) |
| Regulatory notification | Consulted (C) | Informed (I) | Accountable (A) |
| Customer communication | Consulted (C) | Informed (I) | Accountable (A) |
Include the RACI matrix as a standalone appendix in your incident response plan. During the Q1 tabletop exercise, test every row: present a scenario requiring each activity and verify the designated person executes their assigned role. If the RACI matrix fails during the exercise (wrong person takes action), update the matrix and re-test during the next quarterly drill.
How Should Legal and PR Coordinate During an Incident?
Legal counsel and public relations are Tier 3 (Strategic) roles. Both are essential. Both destroy response timelines when they operate outside their lane.
Legal Counsel
Role: Advisory. Legal counsel advises on evidence preservation requirements, regulatory notification obligations (HIPAA 60-day rule, state breach notification laws), and liability exposure. Legal does not direct containment operations.
Common failure: Legal requests the team “pause containment to preserve evidence.” The IC must override this request when pausing means the infection spreads to additional systems. Preserve forensic images of compromised systems during containment, not instead of containment. Stop the bleeding first.
Public Relations
Role: Messaging. PR drafts external communications for customer notification, press inquiries, and social media responses. PR releases statements only after the IC confirms containment status and Legal approves the language.
Common failure: PR issues a generic “we take security seriously” statement before the IC confirms what happened. Premature statements create legal exposure when subsequent investigation reveals inaccuracies. The IC controls the communication timeline.
Pre-draft three communication templates before an incident occurs: initial acknowledgment (within 4 hours), status update (within 24 hours), and resolution notice (within 72 hours). Have Legal pre-approve the template language. During an incident, PR fills in the specifics and the IC approves the timing. Pre-approved templates eliminate the 48-hour delay most organizations experience waiting for Legal review during a live incident.
Small Team Adaptation: The Hat Method
In organizations with fewer than five security staff, each person wears multiple hats. The three core functions (IC, Technical Lead, Scribe) still apply. Only the assignment changes.
- Person A (Engineering Lead): Wears the Tier 1 Operational hat. Executes containment and remediation on the keyboard.
- Person B (Security/IT Director): Wears both the IC hat (Tier 2) and Strategic hat (Tier 3). Directs Person A, then briefs the CEO. Never simultaneously.
- Person C (Operations/Admin): Wears the Scribe hat. Documents every action Person A takes and every decision Person B makes. This person does not touch the keyboard or make decisions.
Roles combine. Functions do not merge. Person A cannot effectively fix the server while also coordinating the response and briefing the FBI. Separating the “hands” (Person A) from the “brain” (Person B) and the “pen” (Person C) preserves the command structure even with a three-person team.
Document the small-team role assignments in an appendix to your incident response plan titled “Minimum Staffing Configuration.” Name the primary and backup person for each combined role. Run a tabletop exercise specifically testing the three-person configuration. The exercise reveals whether one person wearing two hats creates a bottleneck. If it does, identify which function gets outsourced (typically forensics or Legal) and pre-engage a contractor.
The single most common incident response failure is the CEO attempting to serve as Incident Commander. The CEO carries too much emotional weight about business impact to make cold containment decisions at 3:00 AM. Designate a senior engineer or security director as IC, grant them formal authority through a signed delegation letter, and step out of the room. The organizations surviving ransomware have one thing in common: the person making decisions is not the person who owns the P&L.
Frequently Asked Questions
What roles should an incident response team include?
Every incident response team requires three core functions: the Incident Commander (decision-maker), Technical Lead (containment executor), and Scribe (timeline documenter). Larger organizations add Legal Counsel, Public Relations, HR, and external forensics as Strategic-tier roles. The core three are non-negotiable regardless of organization size [NIST SP 800-61 Rev. 3].
Does the Incident Commander need to be technical?
The IC needs sufficient technical understanding to evaluate options presented by the Technical Lead, but NIST SP 800-61 Rev. 3 emphasizes communication and coordination skills over deep technical expertise for the IC role. The IC does not need to be the strongest engineer. A VP of Engineering with broad infrastructure knowledge outperforms a senior developer with deep but narrow expertise because the IC role demands decision-making speed across **6-8 parallel workstreams** during a major incident [SANS 2024 Incident Response Survey].
Who should serve as Incident Commander in a small organization?
The IT Director or Security Manager typically serves as IC in organizations with fewer than 50 employees, as recommended by NIST SP 800-61 Rev. 3 for organizations without dedicated security operations centers. The CEO should not serve as IC due to the conflict between business impact concerns and cold containment decisions. The IC requires someone who prioritizes stopping the threat over preserving revenue during the containment window.
When should we bring in external legal counsel during an incident?
Immediately upon suspecting a data breach involving PII or PHI exposure. Your incident response plan should list outside counsel’s contact information in the Strategic-tier contact list with a pre-signed engagement letter. Waiting to find and retain counsel during an active incident adds 24-48 hours to your notification timeline [HIPAA 164.408].
What is a RACI matrix for incident response?
A RACI matrix documents who is Responsible (executes), Accountable (approves), Consulted (advises), and Informed (receives updates) for each incident response activity. The matrix eliminates ambiguity during high-pressure situations. Auditors reviewing SOC 2 CC7.3 look for RACI documentation mapping roles to specific response activities [AICPA TSC CC7.3].
How do we handle the IC role if one person serves as both IC and Technical Lead?
Combining IC and Technical Lead is acceptable in startups with three or fewer technical staff, with **62% of organizations** under 100 employees operating in this dual-role configuration [SANS 2024 Incident Response Survey]. The risk: the moment the IC starts typing commands, situational awareness drops. Mitigate by assigning the Scribe to verbally confirm all decisions before the IC shifts to technical execution. If budget allows, pre-engage a fractional CISO or incident response retainer to fill the IC role during real incidents.