In a classified military operation, one of the most critical lessons I learned was that uncertainty is never neutral. In the field, uncertainty always benefits the adversary. That is why military operations do not wait for full confirmation before acting; they assume the event is real and initiate processes accordingly.

Years later, while leading an incident in the private sector, I saw how decisive that reflex can be. The initial signal looked minor from a technical perspective — a single anomaly, explainable activity, something that could easily be placed into a “to review” queue. But military discipline does not recognize “small signals”; it recognizes early signals. I applied the same mindset directly to incident management. Instead of waiting for confirmation, I clarified the command structure, assigned a single incident commander, and initiated analysis and containment in parallel rather than sequentially.

A common reflex in the private sector is to understand first and act later; military discipline teaches the opposite. You stop the spread first, then you understand. Because time is not a technical metric — it is an operational variable, and it is the attacker’s greatest advantage.

Military operations are process-driven, not personality-driven. Roles are predefined, communication formats are structured, and escalation thresholds are clear. When you apply the same principles to incident management, noise decreases, decision time drops dramatically, and teams shift from discussion to execution. This difference becomes critical in lateral movement scenarios where minutes shape architecture and hours can shape the domain.

In real environments, the biggest differentiator is not tooling — it is operational discipline. Tools are similar, logs are similar, and teams are often equally capable. What changes outcomes is how the incident is managed. The military mindset treats an incident not as a technical issue, but as an operation. Once that shift happens, containment accelerates, communication simplifies, and decision quality improves.

This is why incident maturity in the private sector starts with command and operational model — not the technology stack. Attacks may be technical, but incident management is always operational.

#cybersecurity #incidentresponse #soc #cyberdefense #threathunting #leadership #securityoperations #ciso #enterprisesecurity #digitalresilience #infosec #cyberwarfare #operationalexcellence #riskmanagement #securityleadership
Incident Command Structure
Summary
The incident command structure is a predefined framework that organizes roles, responsibilities, and authority during emergencies or critical events, ensuring that decisions are made swiftly and communication remains clear. This model is widely used in both military and civilian settings to stabilize situations, minimize confusion, and protect people and assets.
- Designate leadership: Assign a single incident commander to oversee response efforts, making sure everyone knows who is responsible for major decisions.
- Clarify roles: Predefine specific responsibilities for team members and establish clear communication channels, so tasks aren’t duplicated and updates are timely.
- Practice and review: Regularly rehearse your incident command system through drills and review past situations to maintain readiness and improve response speed under pressure.
-
Leading Through a P1 Incident: As technology leaders, we know that P1 incidents are not a matter of if—but when. What defines us isn’t avoiding them, but how we operate when they occur. At #Zelle, the principles we follow during a P1 are simple but non-negotiable:

1️⃣ Stabilize First, Diagnose Second: Contain the impact, ensure safety of the ecosystem, and restore critical services before chasing root cause.

2️⃣ Clear Roles, One Commander: Every incident has a single Incident Commander. This avoids confusion and keeps the team aligned. Everyone else plays their role—engineering, comms, support—without overlap.

3️⃣ Communication is as Critical as Resolution: Our partners and users deserve transparency. Timely updates—internal and external—are as important as fixing the issue itself. Silence creates uncertainty.

4️⃣ Data Over Assumptions: In a crisis, adrenaline tempts us to jump to conclusions. We rely on observability, logs, metrics, and cross-checks before making calls. Facts > instincts.

5️⃣ Post-Mortems are Sacred: When the fire is out, the learning begins. Every P1 gets a blameless post-incident review. We document what happened, what worked, what failed, and what we’ll improve—because resilience is built iteratively.

Operating in a P1 is about discipline under pressure. It’s where culture, process, and technology converge. The goal isn’t just recovery—it’s building trust every single time. Happy Friday!

#Leadership #CTO #EngineeringManagement #DigitalResilience #EWS #Zelle #TechLeadership #CrisisManagement #Innovation #LearningCulture
-
The first hour of a crisis defines the outcome. In most organisations, that hour is spent clarifying authority.

Who has decision mandate? Who escalates to the board? Who speaks externally? Who protects people? Who assesses financial exposure?

If these questions are answered during the event, the structure is already failing.

Crisis compresses time and degrades judgement. Information fragments. Priorities collide. Pressure escalates. Clarity must exist before the disruption.

⸻

1️⃣ Formal Crisis Structure

A crisis team must be explicitly designated and visible at executive level.

Core functions:
- Executive authority
- Risk
- Legal
- Security
- HR
- Communications
- Technology
- Operations

Each role requires:
- Named deputy
- 24/7 accessibility
- Documented decision mandate

Undefined authority leads to hesitation. Hesitation increases exposure.

⸻

2️⃣ Pre-Assigned Accountability

Before any incident, define ownership for:
- 📢 External communication
- 💬 Internal employee messaging
- 🛡 Personnel safety decisions
- 📦 Client prioritisation
- ⚖ Regulatory notification
- 💻 Technical containment
- 💰 Liquidity and financial impact

Overlapping responsibility slows escalation. Absent responsibility creates escalation.

⸻

3️⃣ Escalation and Contact Protocol

Executive chain of command. Board notification thresholds. Regulatory sequence. Critical vendor escalation. Security and emergency access. Reviewed quarterly.

Unavailable decision-makers during a disruption represent a control deficiency.

⸻

4️⃣ Rehearsal

Tabletop exercises. Scenario simulations. Time pressure. Incomplete information.

The objective is behavioural consistency under stress. Judgement narrows in crisis. Preparation compensates for that narrowing.

⸻

Crisis does not test intelligence. It tests governance design. From a board perspective, crisis readiness sits within fiduciary duty. Authority, capital protection and reputation are interconnected.

⸻

For executive teams: If a serious incident started tonight, would decisions be taken within 30 minutes? When was your structure last tested under realistic pressure?

If this is relevant to your role, save it. Crisis frameworks are built before disruption, not during it.

#CrisisManagement #RiskManagement #CorporateGovernance #BoardLeadership #Risk #BusinessResilience #ExecutiveLeadership #CRO
-
Most organizations don’t struggle in a crisis because they lack smart people. They struggle because they lack command-and-control discipline when pressure spikes.

In policing, high-consequence events assume a few basics: clear command, shared situational awareness, common language, coordinated movement, disciplined communications, and accountability. In many corporate environments, a critical incident gets handled like a meeting, too many “decision-makers,” unclear authority, fragmented communications, and parallel teams acting on different assumptions. That isn’t a culture issue. It’s a risk issue.

THE REALITY: The crisis “lead” is appropriately an executive owner (CEO/COO, business unit leader, designated incident executive) because the decisions are enterprise-level.

THE SECURITY ROLE: Security often owns the crisis-management process, playbooks, coordination, communications rhythm, deconfliction, and the structure that keeps the response coherent.

WHERE SECURITY SHINES:
- Build the system before it’s needed.
- Teach leaders how to use it.
- Keep it nimble when the tempo spikes.
- Serve as the trusted advisor who keeps the organization aligned, informed, and defensible.

THE BASELINE:
- Clear incident lead.
- Clear decision rights.
- Common operating picture.
- Tight deconfliction and communications.
- Capture lessons and improve the playbook.

THE GOAL: Speed and alignment that protects people and preserves the enterprise: stabilize operations fast, minimize downtime, reduce preventable mistakes, document decisions, manage liability, and ensure communications reinforce trust in the brand.

Where does your organization still default to “committee” when it needs “command”?
-
In light of the recent gas incident involving Petronas, many have asked why there has been only one official statement and no press conference by the company. It’s a valid question. The answer lies in understanding how national disaster response protocols work in Malaysia—and the role of government-owned companies (GOCs) in such situations.

First, it’s important to recognise that crisis management is not public relations. It is a structured and coordinated process involving multiple agencies working under a national framework to save lives, stabilise the situation, and ensure accurate communication—without disrupting ongoing operations or investigations.

1. Activation of the National Disaster Response

Under Arahan MKN No. 1 (2022), the National Disaster Management Agency (NADMA) takes the lead when an incident is classified as a major disaster. NADMA coordinates the work of agencies at federal and state levels, including:

▶️ BOMBA: Urban search and rescue, fire suppression
▶️ PDRM: Security, crowd control, family reunification
▶️ MOH: Emergency medical care, mental health support

These agencies operate under central command to avoid delays, duplication, or miscommunication.

2. The Role of the Incident Commander

When a crisis enters a “red state” (active rescue phase), an Incident Commander is appointed as the sole spokesperson. This ensures consistent, clear communication and protects operational integrity and the privacy of those affected. In this case, BOMBA was appointed Incident Commander, which is why all updates on search and rescue efforts have come from them—entirely in line with protocol. Once the situation is stabilised and the site is handed back to the owner (Petronas), then and only then may the company’s spokesperson issue statements or briefings.

3. Petronas is a Government-Owned Company

As a GOC, Petronas follows the national chain of command in crisis situations. In major incidents involving GOCs, the official spokesperson is typically the Government. We’ve seen this before:

▶️ MH370: Defence Minister and Prime Minister
▶️ LRT Collision: Transport Minister

In this instance, the Prime Minister has already addressed the matter and given directives, and that serves as the Government’s—and Petronas’—official position. It is not standard procedure for GOCs to issue separate press briefings during the emergency response phase.

Final Thoughts

The absence of multiple statements does not signal a lack of action—it reflects adherence to a disciplined and well-established disaster management protocol. Our emergency rescue agencies have worked tirelessly and with professionalism under extremely difficult conditions. Let us give them the space to complete their tasks, and trust that updates will be provided when the time is right, and when it is safe and appropriate to do so.