
By Steve “The Doctor” Meek | Talk To Th3 Doc Podcast | The Fulcrum Group, Inc.
Doctor’s Diagnosis: A Podcast Doc-umentary: Incident Response Leadership Episode 132
I recently attended the vendor-agnostic cybersecurity conference called Right of Boom. The conference is designed for providers like me, basically IT firms that protect and run technology for small and mid-sized businesses. The focus of the organization is to improve cyber resilience using the right mix of people, process, and technology. I've attended this event multiple years because they center heavily on real-world defensive response, operational maturity and tools that actually work in practice, for security-led firms like ours.
I engaged a few of my peers and they were also able to impart some great tips. I tried to choose the ones most on par with small to midsize organizations. Kudos to them for sharing such great advice, which you can watch in the full video, linked at the end.
I walked away from this with one big reminder: incident response is not an IT “thing,” it is a leadership “thing.”
If you are a CEO, CFO, city manager, or operations leader in the DFW area, you don’t have to know every cyber acronym. You do have to know who is in charge when things go sideways, and how your organization keeps operating. Some of you may remember some of these concepts and topics from attending Fulcrum's Security Officer initiative meetings or QSRs in 2025, or from when David or I was able to chat with you about the shared risk responsibility model and how we all fit together with our vendors.
Also, small confession, I think about incident response the same way I think about basketball. When the game gets fast and hectic in clutch time, you don’t win by yelling “everybody shoot.” You win because someone sets up a play, throws a screen, slows the chaos, and gets the team into rhythm. (If you’ve watched the Dallas Mavericks long enough, you know exactly what I mean. Well, not every season, like when we might be tanking.)
Introduction – Lead With Why
At The Fulcrum Group in Keller, TX, our “why” is simple: help organizations in Dallas and Fort Worth avoid expensive surprises and keep improving, even when the world gets weird. That’s the heartbeat behind our alignment with the CIS security framework and the creation of SPOT Managed Security Services, to complement our SPOT Managed IT Services.
While some organizations have a higher risk tolerance, are budget constrained, or are okay with just very, very basic cybersecurity, we also recognized that others are bound by compliance (for example, CJIS, HIPAA, FTC Safeguards), or recognize the true worth of their data and business operations and our No IT Jerks philosophy.
Right of Boom reinforced something we’ve believed for years: the companies that win aren’t the ones with the most gadgets. They are the ones that can keep serving customers, shipping product, running payroll, and paying vendors even when an incident hits. That’s resilience, not just security.
The Problem or Question
Here’s a top technical challenge I see with growing SMBs and local government teams across DFW:
A lot of organizations aren’t in “hyper-growth.” They’re in a season of protecting margin, tightening belts, and trying to do more with less. And in that environment, the risk isn’t “we grew too fast.” The risk is Office 365 configuration drift. Drift is what happens when your IT and security settings slowly change over time—new users get added, permissions creep, tools get tweaked, exceptions pile up—and nobody notices until something breaks or you get hit.
When teams are lean, priorities compete, and budgets are under scrutiny, the basics can quietly slide — until a cyber incident forces everybody to care all at once. Attackers are opportunistic and prefer to attack “easy targets”. It’s the old story punchline when you turn to your buddy and say, “I don’t need to be faster than the bear, I just need to be faster than you”.
That quiet gap between how your systems were supposed to run and how they actually run six months later usually shows up like this:
- Microsoft 365 gets treated like “just email,” even though it’s now your identity platform, file server, collaboration hub, and business workflow engine, which means a little misconfiguration can turn into a big problem.
- Identity and access are managed informally, through ad hoc changes down in the trees, instead of from an executive-level view of the forest showing who has what access and why. That matters because identity is exactly where most modern incidents start. Stolen credentials are the engine of web application breaches, as they were involved in about 88% of breaches, according to Verizon’s 2025 Data Breach Investigations Report (DBIR).
- Incident response becomes “call the IT guy or MSP,” and then the first hour is spent just figuring out who to call, who is making decisions at the organization, and who can approve anything. Worse, if things are encrypted, the next few hours become a scavenger hunt: finding the organization’s decision-maker, gathering and understanding details, finding contact phone numbers and cyber insurance policy info, determining what to say to employees and clients, and figuring out who internally is responsible for what.
And when that punch lands, Mike Tyson’s line becomes painfully accurate:
“Everyone has a plan until they get punched in the mouth.”
The Fulcrum Way
At Fulcrum, we don’t try to turn executives into security engineers. We help leaders co-create outcomes using a repeatable operating system we call our STARPower™ Framework (partially borrowed from Information Technology Infrastructure Library’s frameworks to make IT service delivery better). It’s our way of turning innovation, best practices, insight and technology alignment into a predictable rhythm, not “random acts of improvement.”
We even created an executive-facing reporting tool to pull in data points from all of our tools. Our Quarterly Success Review (QSR) platform turns that messy IT data into a clearer “business scoreboard” to confirm business priorities for each 90-day sprint, supporting business alignment, risk advice, AI strategy and fewer surprises.
In plain English, STARPower helps you:
- Set the vision for what “better” looks like
- Assess the current state with real baselines
- Prioritize by risk and ROI (so you unlock budget for the highest-return work first)
- Execute in small steps (less drama, more momentum)
- Measure and adjust (because “hope” isn’t a KPI)
And here’s the leadership twist from Episode 132: incident response is a communications plan with a technical appendix.
So, we help organizations by:
- Keeping the essentials ready: We could store your incident response plans, cyber insurance info, vendor contacts, and decision-maker call sheets (so the first hour isn’t a scavenger hunt).
- Documenting the environment: Our tools keep online hardware, application, access, and recovery documentation current. If you have offline assets or asset logs, or need to track disposal or sanitization, we can store those.
- Aligning quarterly to reduce drift: With our QSR process, we can review what changed and what’s drifting, conduct account or privilege reviews, and especially decide what to prioritize next.
- Helping during an incident: We would start hands-on containment, but your insurance carrier will want their approved, full-time forensics experts leading the charge. They would ask us to help, but they would tell us what they want us to do and in what order. We have insight into the network design, can help provide artifacts like logs, and can provision access for any outside party.
Every organization that has had a breach at some point felt it would never happen to them. It’s going to happen to everyone. But you can fight to limit how far an attacker gets and, if it does happen, turn chaos into a roadmap: IR planning recommends that organizations convert any lessons learned into measurable improvements. Use assessments and reports to find “best practice” recommendations for a setting, process or technology change, which we can adjust to fit your organizational context.
Real-World Example or Metric
From the Right of Boom notes, the themes kept repeating:
- “Measure resilience, not just security.”
- “Identity is the new perimeter.”
- Treat Microsoft 365 like critical infrastructure.
That aligns with what Microsoft calls Microsoft Secure Score, a measurable way to track your security posture and recommended improvements over time.
And when it comes to incident response practice, America’s friendly cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA), flat-out provides Tabletop Exercise Packages and an Incident Response Plan Basics guide, because preparing for the “first hour” matters as much as tooling.
If you want the Mark Twain version:
“A calm plan beats a loud panic, the way a lantern beats a complaint about the dark.”
(Okay, Twain didn’t say that, but he’d probably approve.)
Call to Action
If you’re a DFW leader and you want incident response that feels safe, then book a strategy conversation with our team at The Fulcrum Group. We’ll help you align security, IT, and innovation so your business can scale without panic.
Watch on YouTube:📺 https://youtu.be/0-s7rgVygmQ?si=mk8TKKbXIg4whvvg
Listen on your favorite podcast platform:🎧 https://pod.link/1807560282
About the Author — Steve “The Doctor” Meek, CISSP
Steve “The Doctor” Meek is a DFW-based IT strategist, cybersecurity leader, podcast host, and co-founder of a 24-year technology legacy in North Texas. A recipient of the 2024 MSP Titan of Industry Award for Community Impact, Steve brings decades of experience helping CEOs, city managers, and healthcare and manufacturing leaders navigate cybersecurity, AI readiness, and operational resilience. As host of Talk To Th3 Doc, he explores leadership and ownership topics to find practical insights for SMB decision-makers.
Founded in Keller, TX, The Fulcrum Group, Inc. delivers relationship-centered DFW Managed IT Services through its flagship SPOT Managed IT Services and SPOT Managed Security Services platforms. Using its proprietary STARPower™ Framework, Fulcrum helps businesses strengthen security, modernize operations, and plan technology with clarity and confidence. With a 100% Texas-based team and a “No IT Jerks” philosophy, Fulcrum has earned repeated national recognition on the MSP 501 and CRN Top 500, serving SMBs, local governments, and mission-driven organizations across North Texas.
Key Takeaways / FAQ
What should an executive own in incident response?
The roles, the decision tree, and the communication plan. The tech team handles the technical appendix. Each organization is responsible for protecting itself, and creating a RACI chart ahead of time can speed the “who” during an incident.
RACI roles
- Responsible (R): The person/team that performs the work (for example, the IT/MSP provider would have an open ticket and communicate up to declare a “potential incident”). Multiple “R” roles are allowed if the task truly requires shared execution.
- Accountable (A): The person who owns the outcome and has final decision authority (for example, the owner or an internally designated “Security Officer” might hear about the incident, activate the Incident Response plan, and start the incident log / timeline). There should be one “A” per task whenever possible.
- Consulted (C): People who provide input, expertise, or approvals before or during the task (for example, two-way communications for triage scoping with parties such as ISPs, Microsoft and SaaS vendors).
- Informed (I): People who must be kept updated on progress or outcomes (for example, one-way communication to all parties after a key exec engages cyber insurance and gets assigned a breach coach).
How does this tie to scaling and innovation?
When unplanned work drops, capacity returns to improve the organization. Capacity allows you to target high ROI projects instead of living in repair mode. Aging infrastructure can be like a used car: it seems cheap, but it is always in the shop, inconveniencing you and stealing money each month that you could use elsewhere.
What’s one easy first step this week?
Schedule a 60-minute tabletop: “What do we do in the first hour?” Here are six sample questions to ask during a “first hour” incident exercise:
- Who do we call if we see or suspect something?
- Who has authority to declare an “incident” or “breach”?
- Who do we call, in what order: MSP/IT, cyber insurance, Microsoft/ISP/SaaS vendors, forensics?
- What do we tell employees right away (what to stop doing, what to report, where to report it)?
- If email or Teams is down, how do we communicate (primary channel + backup)?
- What are the priorities during an outage: users, endpoints, servers, Microsoft 365, vendor apps, internet, phones or other key apps (online billing)? Or, what are the 5–10 systems that are most critical, and what’s our recovery order if things go offline?
What does “The Fulcrum Way” look like in practice?
A quarterly technology alignment rhythm, improvements through SPOT Managed IT Services, SPOT Managed Security Services, and STARPower. It’s a repeatable cadence of measurement, planning, prevention, and progress—so your environment stays more standardized, secure, and ready for what’s next.



