Incident Command Platform

Incident Command Roles: Who Does What

By Mark Lynd · Published April 7, 2026 · 10 min read

Every cyber incident needs six roles and a designated backup for each. Miss any of them and you will discover the gap at the worst possible moment. These roles are distilled from 150+ real tabletop exercises: they are the structure that actually held up under pressure.

Cyber incident command borrows from the Incident Command System (ICS) used in emergency management, but adapted for the specific demands of a cyber event — privilege, regulatory clocks, and executive-level decision authority. Unlike a physical emergency, a cyber incident requires legal, financial, and communications decisions before the technical picture is complete. That changes the org chart. For the overall framework see the 2026 Incident Response Playbook.

1. Incident Commander (IC)

Owns: Decisions, timeline, and accountability. The single point of authority during the incident.

Not necessarily: The most senior person, the CISO, or the best engineer.

Selection criteria: Calm under pressure, comfortable making decisions with incomplete information, trusted by executives to act. Often the best IC is a senior director, not the CISO — because the CISO needs to be free to brief the board.

Rotation: On anything longer than 8 hours, ICs rotate. Fatigue is the most common cause of bad decisions.

2. Scribe

Owns: The defensible record. Every decision, every notification, every timestamp, every handoff.

Why it is a dedicated role: If the same person who is making decisions is writing them down, they will not. The scribe is the reason the post-incident record holds up under regulatory and legal scrutiny.

Tooling: Inside IR-OS, the scribe writes directly into the hash-chained event ledger. Outside IR-OS, this role is typically performed in a shared document that will later be reconstructed into a timeline — a far less defensible approach. See the defensible record.
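To make the "hash-chained" claim concrete, here is an added example of the technique (illustrative code, not IR-OS's implementation): an append-only ledger in which every entry commits to the SHA-256 of the entry before it, so that editing, deleting or reordering any past record breaks the chain and is caught by a verifier. The entries, names and timestamps are constructed for the example, and GENESIS is an assumed sentinel for "no previous entry".

```python
import copy
import hashlib
import json

# Added example (not IR-OS code): a minimal append-only, hash-chained event
# ledger of the kind a scribe writes into. Each entry commits to the hash of
# the entry before it, so editing, deleting or reordering any past entry
# breaks the link and is detected by verify().

GENESIS = "0" * 64  # assumed sentinel for "no previous entry"


def entry_hash(prev_hash, ts, role, actor, event):
    """Canonical SHA-256 over the entry fields plus the previous entry's hash."""
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "role": role, "actor": actor, "event": event},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class EventLedger:
    def __init__(self):
        self.entries = []

    def append(self, ts, role, actor, event):
        """Append one scribe entry; ts is an ISO-8601 UTC timestamp string."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, ts, role, actor, event)
        self.entries.append({"prev": prev, "ts": ts, "role": role,
                             "actor": actor, "event": event, "hash": h})
        return h

    def verify(self):
        """Walk the chain from GENESIS. Returns (True, n) if all n entries
        link and re-hash correctly, else (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return (False, i)   # link broken: an entry was deleted, inserted or reordered
            if entry_hash(e["prev"], e["ts"], e["role"], e["actor"], e["event"]) != e["hash"]:
                return (False, i)   # content of this entry was edited after the fact
            prev = e["hash"]
        return (True, len(self.entries))

    def head(self):
        """Hash of the latest entry; this is what you anchor externally."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def build_sample_ledger():
    """Constructed sample entries for a fictional incident (fixed timestamps)."""
    led = EventLedger()
    led.append("2026-04-07T09:12:00Z", "IC", "A. Rivera",
               "Declared incident SEV1; IC assumed by A. Rivera")
    led.append("2026-04-07T09:40:00Z", "Technical Lead", "J. Okafor",
               "Isolated 3 hosts in finance VLAN")
    led.append("2026-04-07T10:05:00Z", "Legal Liaison", "M. Chen",
               "Outside counsel engaged; DFIR retained under counsel")
    return led


def demo():
    """Verify an intact chain, then two tampered copies. Returns the results."""
    intact = build_sample_ledger()

    edited = copy.deepcopy(intact)
    edited.entries[1]["event"] = "Isolated 1 host in finance VLAN"  # quietly shrink the scope

    deleted = copy.deepcopy(intact)
    del deleted.entries[1]                                           # drop the containment record

    return {
        "intact": intact.verify(),
        "edited": edited.verify(),
        "deleted": deleted.verify(),
    }


if __name__ == "__main__":
    print(demo())  # {'intact': (True, 3), 'edited': (False, 1), 'deleted': (False, 1)}
```

The chain proves internal consistency, not who held the pen: whoever controls the ledger file could rewrite the whole chain from scratch. That is why the head hash should be anchored outside the ledger at intervals (for instance, emailed to outside counsel at each IC handoff), so a rewritten chain can be shown to disagree with a hash that was already in someone else's hands.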

3. Communications Lead

Owns: Internal comms, customer comms, media comms, and board comms. Drafts every externally-facing statement.

Critical rule: Nothing goes out without the Comms Lead drafting it and Legal reviewing it. Not a tweet, not a status page update, not a customer email. The number of incidents that spiraled because a product manager tweeted an apology cannot be overstated.

Pre-written templates: Comms Leads maintain a library of draft statements — "we are investigating," "we have contained," "we have notified" — that can be edited in minutes instead of drafted from scratch.

4. Legal Liaison

Owns: Privilege, notification decisions, regulator contact, law enforcement contact.

Typically: The General Counsel or a designated privacy/cyber attorney, working hand-in-glove with outside counsel for privilege.

Why outside counsel matters: Attorney-client privilege over forensics work is strongest when the forensics firm is engaged by outside counsel, not directly by the company. Privilege is not automatic even then: courts have looked at whether the engagement was scoped for legal advice and who received the report, so keep the forensic report narrowly distributed and separate from business-purpose deliverables. Plan this in advance.

Decisions owned: Whether to notify the SEC (Form 8-K Item 1.05), GDPR supervisory authorities (Article 33, with data subjects under Article 34), state AGs, HHS OCR, affected data subjects, and law enforcement. Each of these carries its own clock, which is why the Legal Liaison, not the Technical Lead, owns the notification timeline.

5. Technical Lead

Owns: Technical direction of containment, forensics, eradication, and recovery.

Not: The Incident Commander. These roles must be separated, because the Technical Lead is deep in the forensic weeds and the IC needs to stay focused on timelines, decisions, and stakeholders.

Coordinates with: The DFIR firm (often the panel firm from the cyber insurer), internal security engineers, and platform/infrastructure teams.

6. Executive Sponsor

Owns: Unblocking resources, approving cross-functional action, briefing the board.

Typically: The CEO, COO, or CIO. On large incidents the CEO often becomes the Executive Sponsor by default.

Decisions owned: Shutting down production systems, engaging outside counsel, approving ransom payment (in consultation with Legal, CFO, and insurer), approving public statements.

Critical boundary: The Executive Sponsor does not run the incident. The IC runs the incident. The Executive Sponsor unblocks it.

Backups for Every Role

Every named role must have a named backup, trained to the same level. Incidents happen during vacations, board meetings, and family emergencies. A role without a backup is a single point of failure in your response plan.

Training Before You Need Them

Roles are muscle memory. They are built through tabletop exercises, not through reading a RACI document. Our guide to running the exercises is at how to run a C-Suite tabletop. At minimum, every named role and every backup should have participated in at least one tabletop in the last 12 months.

Train these roles inside IR-OS

Every IR-OS scenario assigns the six roles, tracks their actions, and produces a per-role after-action debrief.
