
Incident Response Team Roles: Three-Tier Structure

11 min read · Updated May 18, 2026

Bottom Line Up Front

Every incident response team requires three core functions: the Incident Commander (decisions), the Technical Lead (execution), and the Scribe (documentation). The IC holds pre-authorized authority for system shutdowns, emergency spending, and communication control. Organizations surviving real incidents separate the "brain" from the "hands" using a three-tier command structure modeled on FEMA's Incident Command System.

The Slack notification reads: “#critical-security: RANSOMWARE DETECTED ON FILE-SVR-03.” Twelve seconds later, the CTO calls the security analyst. The security analyst calls the IT director. The IT director calls the CEO. The CEO asks one question: “Who is in charge?” Fifteen minutes pass. Four senior leaders debate authority to pull production servers offline. The ransomware encrypts the backup server during the debate.

SOC 2 AICPA TSC CC7.3 and HIPAA 45 CFR 164.308(a)(6) require documented incident response procedures; auditors testing these controls typically expect named roles with assigned responsibilities as evidence that the IR program operates beyond paper. Documenting titles on an org chart is not sufficient. Auditors verify role assignments through tabletop exercise evidence demonstrating each team member executed their designated function under simulated pressure.

The organizations surviving real incidents share one structural element: a single Incident Commander with pre-authorized decision-making authority, a Technical Lead executing containment, and a Scribe documenting the timeline for legal and audit purposes. Three functions. Three people. One chain of command.

Every incident response team requires three core functions: the Incident Commander (IC) who makes decisions, the Technical Lead who executes containment and remediation, and the Scribe who documents the timeline for legal and audit purposes. Larger organizations add Legal Counsel, Public Relations, and Forensics as Strategic-tier roles. Drawing on NIST SP 800-61 Rev. 3 and CISA IR Playbook guidance, the IC holds pre-authorized decision-making authority including system shutdowns and emergency spending.

The Incident Commander: The Only Role Without a Keyboard

The Incident Commander (IC) is the single decision-maker during a live incident. IBM’s 2024 Cost of a Data Breach Report found that organizations using AI and automation (a proxy for structured, coordinated incident response) reduced their breach lifecycle by 98 days compared to organizations without. The command clarity an IC provides is a prerequisite for that kind of response coordination. Role confusion during the first 30 minutes of an incident is among the most common operational failures auditors find when reviewing post-incident reports. The IC does not touch the keyboard. The IC does not review logs. The IC makes decisions, directs the response team, and maintains situational awareness while everyone else executes.

Every minute the IC spends typing commands is a minute without someone coordinating the overall response. The organizations failing incident response are the ones where the most technical person tries to simultaneously fix the server, brief the CEO, and document the timeline. Three tasks. Zero done well.

IC Authority Requirements

Drawing on NIST SP 800-61 Rev. 3 and CISA IR Playbook guidance, the IC requires pre-authorized authority documented in your incident response plan. Three specific authorities must be formalized before an incident occurs:

  • System shutdown authority: The IC authorizes taking production systems offline without executive approval during active containment. Waiting for CEO sign-off while malware spreads across the network is not an acceptable workflow.
  • Emergency spending authority: The IC authorizes emergency expenses up to a documented limit (typically $25,000-$50,000) for forensic tools, contractor engagement, or infrastructure replacement.
  • Communication authority: The IC controls when and what information leaves the response team. No one briefs the press, notifies customers, or contacts regulators until the IC confirms the containment status.

The audit fix. Draft a formal “Delegation of Authority” letter signed by the CEO granting the IC specific authorities: system shutdown, emergency spending (with dollar limit), and communication control. Attach the letter as an appendix to your incident response plan. Update the letter annually or whenever the IC role changes. Auditors testing AICPA TSC CC7.3 commonly review the Delegation of Authority letter as evidence of pre-authorized response capability.

What Is the Three-Tier Command Structure for Incident Response?

Flatten your incident response team and the response collapses. The three-tier model separates responders into distinct tiers with clear responsibilities and communication channels. The tier nomenclature (Bronze, Silver, Gold) originates from the UK emergency services Gold-Silver-Bronze command structure (with structural parallels to FEMA’s Incident Command System, which uses a separate organizational hierarchy of Command Staff and functional Sections). Both models share the same core principle: operational teams do not communicate directly with strategic leadership during an active response.

Tier 1: Operational (Bronze)

Members: System administrators, security analysts, network engineers, DevOps engineers.

Function: Hands on keyboard. Tier 1 executes the containment, eradication, and recovery procedures. They isolate infected systems, block malicious IPs, restore from backups, and deploy patches. They report status to the IC. They do not communicate with executives, customers, or regulators.

Tier 2: Tactical (Silver)

Members: Incident Commander and Scribe.

Function: Coordination and documentation. The IC directs Tier 1 operations, makes escalation decisions, and serves as the single source of truth for incident status. The Scribe documents every action, decision, and timestamp. This documentation feeds the post-incident review and creates the audit evidence trail for legal defense.

Tier 3: Strategic (Gold)

Members: Legal counsel, public relations, HR, C-suite executives.

Function: Air cover. Tier 3 handles regulators, the press, the board, and affected customers so the IC focuses on containment. Tier 3 does not give operational orders. The CEO does not direct the security analyst to “check the firewall.” Strategic decisions (breach notification timing, regulatory disclosure, customer communication) flow through Tier 3 after the IC confirms containment status.

The audit fix. Document the three-tier structure in your incident response plan with named individuals (primary and backup) for each role. Include contact information, escalation paths between tiers, and the communication rule: Tier 1 talks to Tier 2. Tier 2 talks to Tier 3. Tier 1 never communicates directly with Tier 3 during an active incident. Validate this structure during your quarterly tabletop exercise.

The RACI Matrix for Incident Response

A RACI matrix eliminates ambiguity about who performs, who approves, who advises, and who receives updates for each incident response action. Role confusion during the first 30 minutes of an incident is among the most common operational failures in post-incident reviews, and the RACI matrix is the structural tool that prevents it. Auditors reviewing AICPA TSC CC7.3 look for documented role assignments mapped to specific response activities.

| Activity | Incident Commander | Technical Lead | Legal / Executives |
|---|---|---|---|
| Declare incident | Accountable (A) | Consulted (C) | Informed (I) |
| Containment actions | Accountable (A) | Responsible (R) | Informed (I) |
| System shutdown | Accountable (A) | Responsible (R) | Informed (I) |
| Evidence preservation | Consulted (C) | Responsible (R) | Accountable (A) |
| Regulatory notification | Consulted (C) | Informed (I) | Accountable (A) |
| Customer communication | Consulted (C) | Informed (I) | Accountable (A) |

The audit fix. Include the RACI matrix as a standalone appendix in your incident response plan. During the Q1 tabletop exercise, test every row: present a scenario requiring each activity and verify the designated person executes their assigned role. If the RACI matrix fails during the exercise (wrong person takes action), update the matrix and re-test during the next quarterly drill.

How Should Legal and PR Coordinate During an Incident?

Legal counsel and public relations are Tier 3 (Strategic) roles. Both are essential. Both destroy response timelines when they operate outside their lane.

Legal Counsel

Role: Advisory. Legal counsel advises on evidence preservation requirements, regulatory notification obligations (HIPAA 60-day rule, state breach notification laws), and liability exposure. Legal does not direct containment operations.

Common failure: Legal requests the team “pause containment to preserve evidence.” The IC must override this request when pausing means the infection spreads to additional systems. Preserve forensic images of compromised systems during containment, not instead of containment. Stop the bleeding first.

Public Relations

Role: Messaging. PR drafts external communications for customer notification, press inquiries, and social media responses. PR releases statements only after the IC confirms containment status and Legal approves the language.

Common failure: PR issues a generic “we take security seriously” statement before the IC confirms what happened. Premature statements create legal exposure when subsequent investigation reveals inaccuracies. The IC controls the communication timeline.

The audit fix. Pre-draft three communication templates before an incident occurs: initial acknowledgment (within 4 hours), status update (within 24 hours), and resolution notice (within 72 hours). Have Legal pre-approve the template language. During an incident, PR fills in the specifics and the IC approves the timing. Pre-approved templates eliminate the 48-hour delay most organizations experience waiting for Legal review during a live incident.

Small Team Adaptation: The Hat Method

Organizations with fewer than five security staff wear multiple hats. The three core functions (IC, Technical Lead, Scribe) still apply. The assignment changes.

  • Person A (Engineering Lead): Wears the Tier 1 Operational hat. Executes containment and remediation on the keyboard.
  • Person B (Security/IT Director): Wears both the IC hat (Tier 2) and Strategic hat (Tier 3). Directs Person A, then briefs the CEO. Never simultaneously.
  • Person C (Operations/Admin): Wears the Scribe hat. Documents every action Person A takes and every decision Person B makes. This person does not touch the keyboard or make decisions.

Roles combine. Functions do not merge. Person A cannot effectively fix the server while also coordinating the response and briefing the FBI. Separating the “hands” (Person A) from the “brain” (Person B) and the “pen” (Person C) preserves the command structure even with a three-person team.

The audit fix. Document the small-team role assignments in an appendix to your incident response plan titled “Minimum Staffing Configuration.” Name the primary and backup person for each combined role. Run a tabletop exercise specifically testing the three-person configuration. The exercise reveals whether one person wearing two hats creates a bottleneck. If it does, identify which function gets outsourced (typically forensics or Legal) and pre-engage a contractor.

The single most common incident response failure is the CEO attempting to serve as Incident Commander. The CEO carries too much emotional weight about business impact to make cold containment decisions at 3:00 AM. Designate a senior engineer or security director as IC, grant them formal authority through a signed delegation letter, and step out of the room. The organizations surviving ransomware have one thing in common: the person making decisions is not the person who owns the P&L.

Frequently Asked Questions

What roles should an incident response team include?

Incident response team roles divide into three core functions: the Incident Commander (decision-maker), Technical Lead (containment executor), and Scribe (timeline documenter). Larger organizations add Legal Counsel, Public Relations, HR, and external forensics as Strategic-tier roles. Drawing on NIST SP 800-61 Rev. 3 and CISA IR Playbook guidance, these three functions are the practical minimum for any organization size, though Rev. 3 also emphasizes right-sizing the overall incident response program to the organization’s scale.

Does the Incident Commander need to be technical?

The IC needs sufficient technical understanding to evaluate options presented by the Technical Lead, but practitioner consensus, informed by NIST SP 800-61 Rev. 3, holds that communication and coordination skills matter more than deep technical expertise for the IC role. The IC does not need to be the strongest engineer. A VP of Engineering with broad infrastructure knowledge typically outperforms a senior developer with deep but narrow expertise because the IC role demands decision-making speed across multiple parallel workstreams during a major incident.

Who should serve as Incident Commander in a small organization?

The IT Director or Security Manager typically serves as IC in organizations without dedicated security operations, based on practitioner guidance in NIST SP 800-61 Rev. 3 and the CISA IR Playbook. The CEO should not serve as IC due to the conflict between business impact concerns and cold containment decisions. The IC requires someone who prioritizes stopping the threat over preserving revenue during the containment window.

When should we bring in external legal counsel during an incident?

Immediately upon suspecting a data breach involving PII or PHI exposure. Your incident response plan should list outside counsel’s contact information in the Strategic-tier contact list with a pre-signed engagement letter. Waiting to find and retain counsel during an active incident adds 24 to 48 hours to your notification timeline (HIPAA 45 CFR 164.404 individual notification; 164.408 HHS notification).

What is a RACI matrix for incident response?

Incident response team roles map to a RACI matrix documenting who is Responsible (executes), Accountable (approves), Consulted (advises), and Informed (receives updates) for each response activity. The matrix eliminates ambiguity during high-pressure situations. Auditors reviewing SOC 2 AICPA TSC CC7.3 look for RACI documentation mapping roles to specific response activities.

How do we handle the IC role if one person serves as both IC and Technical Lead?

Combining IC and Technical Lead is acceptable in startups with three or fewer technical staff. This dual-role configuration is common among smaller organizations. The risk: the moment the IC starts typing commands, situational awareness drops. Mitigate by assigning the Scribe to verbally confirm all decisions before the IC shifts to technical execution. If budget allows, pre-engage a fractional CISO or incident response retainer to fill the IC role during real incidents.


Discipline in preparation. Confidence in the room.

Josef Kamara, CPA, CISSP, CISA, Security+
CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
