If you are doing Incident Response and it feels like everything is getting out of hand, the single best thing I can suggest is SLOW DOWN.
A few incidents this week where I've watched good teams fumble because various pressures have made them rush way too much.
A good incident manager will provide top cover ("interrupt layer") to allow responders to do their thing, but this can be hard with urgent, aggressive or worried executive stakeholders.
It still needs to be done though.
There is no magic solution for this but in general, it helps if the Incident Manager sets expectations from the start. Tell the execs that they'll get updates at set intervals and be realistic. Investigation takes time - just because they want it "now" doesn't make it possible.
It should go without saying but if you set up a reporting cadence - stick to it NO MATTER WHAT. If you promise an update every 2 hours, missing or being late instantly undermines your credibility as an incident manager.
Yes, this can be hard. You have to deal with worried execs and obstinate service owners, but that is why you are the Incident Manager. You need to create the breathing room for your responders to do their thing. You need to calm the leadership and you need to assert authority.
It is also pretty important to manage the flow of information. If your responders are being given "helpful" data from a dozen teams, with no real collection plan, you are going to waste all your effort trying to process stuff you don't want.
tl;dr
"If you are going too fast to take notes, you are going too fast"
and your managers need to manage, not respond.
You can follow @tazwake.