Incident Response Under Fire: Lessons from the Frontlines with IBM’s Tony Kirtley

  • mike08242
  • 6 days ago
  • 3 min read

Tony Kirtley, Global Incident Response Leader at IBM X-Force, in a recent episode of Cape Endeavors' Bourbon & Bytes podcast.

When a cyber incident strikes, few people are better prepared to lead the charge than Tony Kirtley, Global Incident Response Leader at IBM X-Force. In a recent episode of Bourbon & Bytes, Cape Endeavors CEO Terry McGraw sat down with Tony to explore the realities of modern incident response—what works, what organizations often miss, and how leadership under pressure can make the difference between recovery and ruin.


What’s Really Behind Today’s Breaches?


Despite the hype around new attack methods, Tony and Terry agreed that the top three initial access vectors haven’t changed much:

  1. Phishing emails delivering malware

  2. Stolen credentials enabled by weak MFA or poor controls

  3. Unpatched systems or zero-day vulnerabilities

What has shifted is scale. Breaches through third-party providers have become a dominant theme, allowing attackers to leapfrog across entire supply chains. As Tony pointed out, “What works still works—because many organizations haven’t done the blocking and tackling needed to close those gaps.”


The Most Overlooked Weakness: Asset Management


If there’s one surprise that never fails to show up in IR engagements, it’s this: companies don’t know what they have.

  • Unknown assets are often the first to be compromised.

  • Sensitive data is left unsecured because organizations don’t know where it resides.

  • Incident response plans exist—but rarely get pulled off the shelf when it matters.

For Tony, asset management and actually exercising the IR plan are two of the most underdeveloped disciplines in enterprise cybersecurity.


The Human Factor: Leading Through Chaos


Cyber incidents aren’t just technical events—they’re human crises. Terry and Tony revisited their research on applying the Kübler-Ross grief cycle (denial, anger, bargaining, depression, acceptance) to incident response.

Organizations that remain stuck in denial or bargaining—pushing employees harder rather than making calm, rational decisions—prolong recovery and make costly mistakes. By contrast, those that quickly move to acceptance are able to:


  • Bring in external expertise faster

  • Make clear decisions under pressure

  • Contain both the technical and emotional fallout


Communications: What You Say Can Save—or Sink—You


Another recurring theme was communication strategy. Both internal and external messaging can make or break a response:


  • Internally, don’t over- or understate what’s happening. Employees will fill the vacuum with speculation.

  • Externally, say too much or too little, and you risk lawsuits, regulatory penalties, or leadership firings.

  • For high-stakes breaches, professional crisis communications support is often essential.



Practical Advice for Leaders


Drawing on decades of frontline experience, Tony offered a set of hard-won recommendations for boards and executives:


  1. Mature Your IR Program – Partner with professionals, test your plans, and exercise regularly.

  2. Know Your Assets & Data – You can’t protect what you don’t know you have.

  3. Secure Active Directory – Most large-scale breaches involve AD compromise. Invest here.

  4. Practice Privileged Access Management – Prevent attackers from laterally moving and disabling defenses.

  5. Protect Your Backups – Use out-of-band or immutable backups that can’t be compromised.

  6. Plan for Communications – Align roles, responsibilities, and messaging before crisis hits.


Final Word: CMMC Incident Response and Compliance


Incidents are chaotic by nature—but preparation is what separates resilience from catastrophe. Both Terry and Tony emphasized that organizations must rehearse the crisis before the crisis:


  • Tabletop exercises

  • Cross-functional drills

  • Honest evaluations of readiness


This is not just good business—it’s also a compliance requirement. The Cybersecurity Maturity Model Certification (CMMC) framework, based on NIST SP 800-171, includes Incident Response (IR) as one of its 14 domains. Contractors must demonstrate their ability to detect, analyze, contain, and recover from incidents to meet compliance obligations.

Failing to maintain and exercise an incident response capability doesn’t just increase risk—it can cost defense contractors their ability to win or retain DoD contracts.

As Tony put it:


For defense contractors preparing for CMMC, the message is clear: CMMC incident response isn’t optional—it’s essential. It’s not just about passing an audit; it’s about proving you can protect Controlled Unclassified Information (CUI), your partners, and the mission itself.
