What to Expect from Your Incident Manager (And Why You Shouldn’t Try to Wing a Cyber Crisis Without One)
If you’ve never had to deal with a cyber breach, congratulations. Also: statistically, your time will come. Whether it’s ransomware, a phishing incident gone nuclear, or a rogue staff member with a USB stick and a grudge, something will go wrong. And when it does, your Incident Manager (IM) will become the most important person in your business. Yes, more important than whoever still thinks printing emails is a good idea.
So what should you expect from an Incident Manager? Why are they worth their sometimes eye-watering daily rate? And why is not having one on standby the business equivalent of driving uninsured?
Let’s walk through what a proper IM does — and why they’re not just a “nice-to-have” when things go bang.
The IM Is Not Your IT Manager in a Cape
Let’s get this out of the way: your regular IT Manager, even if they’re fantastic, is not your Incident Manager. Your MSP or outsourced IT provider? Also not your Incident Manager. Why?
Because the people inside the problem can't objectively manage the problem.
An Incident Manager is an independent voice of reason. They sit outside the blame game and focus entirely on containment, coordination, communication, and control. Think of them as the incident equivalent of an air traffic controller — except instead of avoiding mid-air collisions, they’re trying to stop your company being flattened by regulatory fines, reputational damage, and technical chaos.
What a Good Incident Manager Actually Does
So what do you get for your money when you bring in an IM?
🧠 1. Strategic Oversight in Chaos
When your network is on fire, you don’t need five opinions from five vendors. You need someone in charge. The IM owns the timeline. They decide what gets done, in what order, by whom, and with what level of urgency. They’re the conductor of a very panicked orchestra.
They will:
Prioritise and sequence actions: contain, eradicate, recover.
Keep everyone on task (yes, even directors and vendors).
Document every step for the inevitable audit and post-mortem.
Act as the single point of truth in a room full of noise.
🗣️ 2. Control of Communications
A great IM will:
Manage internal comms to staff: who knows what, and when.
Handle (or approve) external comms: regulators, customers, press.
Prep the board or exec team with talking points, not guesswork.
This matters. Say the wrong thing to the ICO or your insurance provider and you might accidentally void your policy or trigger an investigation. Say the wrong thing to your customers and you might not have any left.
📊 3. Liaison with Legal, Compliance and Insurers
One of the most valuable things an IM brings? Understanding the regulatory and legal minefield. From GDPR notification timeframes to handling FOI requests to keeping your insurance provider onside — this is where an amateur response can cost you millions.
A seasoned IM will work hand-in-glove with:
Your Data Protection Officer or legal counsel.
Your cyber insurance provider.
Any external investigators or regulators (ICO, NCSC, Police, etc.).
🔒 4. Technical Coordination
The IM doesn’t do the technical fixes — they coordinate the people who do. They ensure:
Your MSP isn’t quietly reimaging machines while wiping all the evidence.
Logs are captured and preserved before they’re overwritten.
Forensics is called in before decisions are made about root cause.
Patching, hardening, and cleanup happen after evidence collection.
Think of them as a tactical battlefield commander — not the one pulling the trigger, but absolutely the one deciding who moves where and when.
📅 5. Managing the Timeline and Recovery Plan
One of the key roles of an IM is managing business expectations:
When will services be restored?
What data was accessed or exfiltrated?
When will we be able to notify stakeholders?
How long until operations are back to normal?
They’ll create and update the Incident Response Timeline — your north star during chaos. They’ll make sure everyone from Accounts to HR knows what they’re doing and when.
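The three things the IM keeps insisting on above, an audit-ready record of every step (section 1), evidence preserved before anyone reimages or patches (section 4), and a running timeline (section 5), are easy to state and easy to get wrong at 2am. The following is an added illustration of that discipline in code, not something from the original post or from any particular IM's toolkit. It assumes a simple on-disk layout (evidence copies in one directory, the manifest and timeline exported as JSON), hashes each preserved artefact with SHA-256, and gates destructive remediation steps on the required evidence having been captured first. The log lines, hostnames and incident ID are constructed sample values.

```python
"""Added illustration: chain-of-custody manifest plus incident timeline.

Not code from the original post. It assumes a simple on-disk layout:
evidence copies go into one directory, and the manifest and timeline
are kept in memory and exported as JSON for the post-mortem.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs don't land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class IncidentRecord:
    """One incident: who did what and when, and which evidence was preserved."""

    def __init__(self, incident_id: str, evidence_dir: Path):
        self.incident_id = incident_id
        self.evidence_dir = Path(evidence_dir)
        self.evidence_dir.mkdir(parents=True, exist_ok=True)
        self.manifest = []   # one entry per preserved artefact
        self.timeline = []   # append-only log of actions for the audit

    def log(self, actor: str, action: str) -> dict:
        """Append a timestamped timeline entry (never edited, only added to)."""
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action}
        self.timeline.append(entry)
        return entry

    def preserve(self, source: Path, collected_by: str) -> dict:
        """Copy an artefact aside and record its hash before anyone touches it."""
        source = Path(source)
        original_hash = sha256_file(source)
        stored_as = self.evidence_dir / f"{source.name}.{original_hash[:12]}"
        shutil.copy2(source, stored_as)          # copy2 keeps the mtime metadata
        if sha256_file(stored_as) != original_hash:
            raise RuntimeError(f"copy of {source} does not match the original")
        record = {"source": str(source), "stored_as": str(stored_as),
                  "sha256": original_hash, "collected_by": collected_by,
                  "collected_at": datetime.now(timezone.utc).isoformat()}
        self.manifest.append(record)
        self.log(collected_by, f"preserved {source.name} (sha256 {original_hash[:12]})")
        return record

    def verify(self) -> bool:
        """Re-hash every stored copy; False means evidence was altered or lost."""
        for rec in self.manifest:
            stored = Path(rec["stored_as"])
            if not stored.exists() or sha256_file(stored) != rec["sha256"]:
                return False
        return True

    def remediation_allowed(self, required_sources) -> bool:
        """Gate destructive steps (reimage, patch, wipe) on evidence being preserved."""
        preserved = {rec["source"] for rec in self.manifest}
        return all(str(Path(s)) in preserved for s in required_sources)

    def export(self) -> str:
        """JSON for the post-mortem pack: manifest and timeline together."""
        return json.dumps({"incident_id": self.incident_id,
                           "manifest": self.manifest,
                           "timeline": self.timeline}, indent=2)


def demo() -> IncidentRecord:
    """Run the workflow on a constructed sample log in a temp directory."""
    workdir = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    auth_log = workdir / "auth.log"
    # Constructed sample lines; 203.0.113.0/24 is a documentation-only range.
    auth_log.write_text(
        "Jan 05 09:12:01 fs01 sshd[412]: Failed password for admin from 203.0.113.7\n"
        "Jan 05 09:12:04 fs01 sshd[412]: Accepted password for admin from 203.0.113.7\n"
    )
    rec = IncidentRecord("INC-0001", workdir / "evidence")   # constructed ID
    rec.log("IM", "incident declared; remediation on hold pending evidence capture")
    rec.preserve(auth_log, "forensics")
    # Only now may the host be touched; the gate makes the ordering explicit.
    if rec.remediation_allowed([auth_log]):
        rec.log("MSP", "reimage of fs01 approved by IM")
    return rec


if __name__ == "__main__":
    print(demo().export())
```

The point of the `remediation_allowed` gate is that "evidence first, cleanup second" becomes a check the MSP has to pass rather than a sentence in a plan nobody reads mid-incident, and `verify()` gives the IM a one-line answer when the insurer or regulator asks whether the logs handed over are the ones that were collected.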
Yes, They’re Expensive. No, They’re Not Optional.
Let’s address the elephant in the room: good IMs charge serious money. Day rates in the UK can range from £1,000 to £3,000 depending on seniority, breach complexity, and contractual arrangement.
But here’s the thing: so do breach fines.
ICO fines can hit £17.5 million or 4% of your turnover.
Reputational damage can knock 10-30% off your customer base.
Missed regulatory deadlines or poor communication can void cyber insurance policies.
You’re not buying a luxury. You’re buying business survival.
You Can’t DIY Your Way Out of a Cyber Incident
A quick note for the cost-cutters out there: you cannot “project manage” your own cyber breach. This is not a Saturday flatpack job. You can’t wing it with a whiteboard and hope for the best.
Most businesses that try end up:
In breach of GDPR reporting deadlines.
Deleting critical forensic evidence.
Blaming the wrong party.
Getting publicly roasted by the press or regulators.
Don’t be that business.
The Ideal Time to Hire an Incident Manager?
Before the breach.
Many IMs (and good MSPs who bring in IMs) offer retainer agreements. That means:
They know your environment in advance.
They’ve seen your incident response plan (you have one, right?).
They’re ready to hit the ground running.
This can literally shave hours off your response time — and that, in turn, saves you money, customers, and potentially your business.
Mini Glossary: Acronyms You’ll Hear During a Breach
| Acronym | What It Means | Why You Should Care |
|---|---|---|
| IM | Incident Manager | Your breach boss. The grown-up in the room. |
| MSP | Managed Service Provider | Your outsourced IT. Not the same as an IM. |
| ICO | Information Commissioner’s Office | The UK data protection regulator. They issue the fines. |
| NCSC | National Cyber Security Centre | Offers support and guidance in UK cyber incidents. |
| DPO | Data Protection Officer | Responsible for privacy and data handling compliance. |
| IRP | Incident Response Plan | The document your IM uses to run the show (if you have one). |
| MTTD | Mean Time To Detect | How long it takes to spot the breach. Usually longer than you think. |
| MTTR | Mean Time To Respond | How long it takes to stop the bleeding. |
When the Fan Gets Hit, You’ll Want the Adult in the Room
Cyber incidents don’t just affect IT. They affect everything — your people, your operations, your cashflow, your reputation. When you’re in the middle of it, you don’t want a committee. You want command.
An Incident Manager is command.
Don’t think of them as expensive.
Think of them as cheaper than chaos.
💬 Ready to Talk About Incident Response?
If you’ve read this far, it probably means you’re either:
a) sensible enough to plan ahead, or
b) already knee-deep in a breach and Googling in a panic.
Either way — now is the right time to get your house in order.
Want to talk about how to plan for the worst (while hoping for the best)?
Get in touch.
I’ve been in this game long enough to know where the traps are — and how to sidestep them when time is tight and pressure is high.