Incident manager

Who might be attracted to this role?

Adept communicators and resilient leaders who thrive in high-pressure situations and can coordinate effective collaboration toward a shared clear direction during a cyber crisis.

Entry points

  • Digital roles: IT service centres, Security analyst.
  • Non-digital roles: Emergency management, Security intelligence and law enforcement, Crisis communications, Incident management or disaster recovery in other sectors (e.g. energy, health).

SFIA behaviours

Foundation and Practitioner

  • Communication: coordinates the communication processes for technical and non-technical information during a cyber incident.
  • Problem solving: required to deliver projects to improve cyber incident management.
  • Collaboration: required to work closely with technical, non-technical and communication experts during a cyber incident.
  • Leadership: responsible for leading and operating the incident management processes in response to cyber incidents and potential cyber incidents. Required to deliver outcomes through self-management, sometimes with guidance from team leaders.

Higher

  • Communication: has clear direction and messaging, explains technical risks in business language and context.
  • Problem solving: quickly understands issues and impacts and determines an effective response.
  • Collaboration: works closely with individuals, teams and partners, across different areas of expertise and roles, towards effective preparedness and response.
  • Leadership: provides direction, guides others through the response process and makes critical decisions.

Transition points

Possible next steps include:

  • Security analyst
  • Cyber security researcher
  • GRC Adviser
  • Incident manager
  • Digital forensics
  • Cyber security leader

Proficiency level

Mapping

SFIA professional skills

  • Customer service support CSMG
  • Incident management USUP
  • Information assurance INAS
  • Information security SCTY
  • Security operations SCAD

Competencies

  • How to assist different teams and stakeholders to manage incident preparedness and response.
  • How to support incident management activities including updating plans based on evolving threats and learnings.
  • How to follow legal and regulatory requirements related to incidents including reporting.
  • How to interpret risks, incidents and metrics.
  • Understands key threats, controls and potential incident management responses in the context of the organisation.

70:20:10 examples

70: Suggested experiential learning

  • Monitor key communication channels (e.g. phone, email).
  • Support exercise planning, delivery and review.
  • Support incident management plan development and reviews.
  • Support incident recovery and debrief activities.
  • Assist with monitoring and assessing alerts.
  • Collaborate with IT problem and change management staff and processes.

20: Suggested professional development

  • Find a mentor.
  • Shadow other practitioners.
  • Join a cyber security professional association and participate in events such as tabletop exercises.
  • Develop situational awareness of cyber security / incident trends e.g. podcasts, case studies, white papers, news sites, forums.

10: Example formal learning

  • Bachelor's degree or postgraduate degree in cyber security or a related field (e.g. communications).
  • Certificate IV, Diploma or Advanced Diploma in cyber security or related field (e.g. IT, communications).

Others:

  • Certified in Cyber Security (CC)
  • CompTIA Security+
  • Crisis communications
  • Cyber Security Foundation + Practitioner
  • ITIL Foundations
  • SANS SEC301: Introduction to Cyber Security

Mapping

SFIA professional skills

  • Incident management USUP
  • Information assurance INAS
  • Information security SCTY
  • Security operations SCAD
  • Stakeholder relationship management RLMT

Competencies

  • How to coordinate incident management activities including updating plans based on evolving threats, learnings and stakeholder feedback.
  • How to understand and follow legal and regulatory requirements related to incidents.
  • How to analyse risks, incidents and metrics and communicate these effectively to different stakeholders and management.
  • How to coordinate different teams and stakeholders to manage incident preparedness and response.
  • How to develop and run incident preparedness activities such as tabletop exercises with various stakeholders.

70:20:10 examples

70: Suggested experiential learning

  • Support crisis communications especially internally and with partners.
  • Participate in exercise design, planning, delivery and review.
  • Coordinate incident management plan drafting, consultation, revision and approval.
  • Coordinate incident recovery and debriefs.
  • Evaluate alerts and communicate significance.
  • Contribute to reviews of regulatory frameworks (e.g. submissions).

20: Suggested professional development

  • Mentor and coach team members and peers.
  • Volunteer at industry events (e.g. help coordinate tabletop exercises).
  • Develop skills in areas of interest to become a subject matter expert.
  • Queensland Government strategic crisis management training (e.g. emergency, disaster).

10: Example formal learning

  • CISSP – Certified Information Systems Security Professional
  • CISM – Certified Information Security Manager
  • Crisis Communications

Mapping

SFIA professional skills

  • Incident management USUP
  • Information assurance INAS
  • Information security SCTY
  • Security operations SCAD
  • Stakeholder relationship management RLMT

Competencies

  • How to direct incident management activities including advising on updating plans based on evolving threats, learnings and stakeholder engagement.
  • How to review legal and regulatory requirements related to incidents.
  • How to analyse risks, incidents and metrics and communicate these effectively to different stakeholders including executives using business language.
  • How to direct the integration and alignment of incident management strategies with business goals, to mitigate risk, and provide high-level expertise in incident management to the business.
  • How to direct and coordinate the incident management and other teams and stakeholders to manage incident preparedness (e.g. exercises) and an effective response.
  • How to drive continuous improvement by incorporating actions from reviews of exercises and actual incidents.

70:20:10 examples

70: Suggested experiential learning

  • Provide executive-level crisis response and coordination.

20: Suggested professional development

  • Make contributions to the industry e.g. keynotes, board representation.
  • Mentor emerging leaders.
  • Queensland Government strategic crisis management governance (e.g. State Disaster Coordination Group Member Induction).

10: Example formal learning

  • CISM – Certified Information Security Manager

Also see related Incident manager role profile.

Career story

Incident manager: Practitioner

Rob, Department of Customer Services, Open Data and Small and Family Business

Tell me about your career journey up to your current role. How did you get started in your role?

I came to cyber security by an unconventional pathway. I spent 18 years in the Australian Army as an officer in a combat role. I spent most of my career in the field or deployed overseas far away from a computer screen.

In my spare time I decided to undertake some study for professional development. I decided to study cyber security because I knew the importance of securing information. I quickly became enthralled in the field of cyber security and the asymmetric power it gave criminals and nation state actors. I was also shocked by the scale of the impact of cybercrime on our population.

Through a veteran networking group, I learned of the Queensland Government Cyber Security Unit and their role in providing cyber security services to the whole of Queensland Government. I was fortunate in that they were looking for a non-technical person to fulfil an incident management role, so I applied through Smart Jobs.

What attracted you to your current role?

I am motivated by a desire to protect good people and to stop bad guys. I think we all know a family member who has been scammed by a cybercriminal, had their data leaked in a high-profile hack or been unable to access online services due to a disruption to services.

What I love about incident management is that we regularly deal with real-life incidents that impact real people. When you see a data leak occur or you are helping to respond to a disruption to service, it is fulfilling to know that the actions we take are helping to minimise the harm to Queenslanders and helping to maintain the online services that they rely on every day.

What were the key skills and job experiences from your previous career or role that helped you transition to your current role?

Being able to stay calm and communicate clearly in a stressful situation is paramount. Experiencing a cyber incident may be one of the most stressful experiences an organisation or individual can go through in their professional career. At these times it is important to remain calm, follow the processes, break the big problem into manageable and solvable problems, and communicate decisions clearly.

Were there any specific learning and development courses or certifications that were helpful for you to make the switch or enter this role?

I did a postgraduate degree in Cyber Security Operations before I started this role. While I do not think that this is essential, it was helpful because I did not have an IT or technical background. The study gave me a very good understanding of the fundamentals of cyber security, the relevant legislation, frameworks, and principles.

What key behavioural skills are most important for this role profile?

I think that the most important skill to have in this role is the ability to problem solve. A cyber security incident can look like such a huge problem, but it is important to be able to break it down into the multitude of smaller problems that need to be solved. What is the impact to services, what are the regulatory implications, what are the legislated notification requirements, is there a risk to other entities? Being able to step through and solve these problems in a methodical manner is key.

Collaboration is also very important. In incident management we engage stakeholders from across the public and private sector to respond to incidents. Being a team player is critical.

Finally, I think communication is vital in this role. We are required to regularly engage with technical and non-technical experts from a range of fields at every level, from an analyst on a keyboard to executive leaders deciding what services to prioritise. Being able to clearly and accurately communicate enables effective incident management.

What key professional skills are most important?

The key professional skills I use daily are Incident management, Stakeholder relationship management and Information security.

Can you walk me through a typical day or week in your current role?

I usually begin my morning by reviewing cyber intelligence products, cyber security alerts and other open sources to get an understanding of the current threat landscape. I also use this as an opportunity to determine if any reported incidents might have links to the Queensland public sector.

But from there, every day is different; you never know what is going to happen when you start work for the day.

I might be required to assist a state government entity to manage or respond to an ongoing security incident. I regularly draft communications artefacts to brief executive-level leadership to make them aware of ongoing incidents or relevant updates, or assist in the preparation of public statements and releases to ensure that Queenslanders are informed of ongoing incidents and receive the best advice on what to do in response to a cyber-attack.

I regularly attend inter-jurisdictional coordination meetings with stakeholders from Commonwealth and other State governments in relation to significant cyber incidents. At these coordination meetings I represent Queensland interests and assist in coordinating the response to protect Queenslanders and the services they rely on.

Even when we are not dealing with an ongoing incident, the preparation phase never stops. I assist government departments with reviewing and uplifting their incident management policy or procedures. I also get the opportunity to regularly assist in the planning or delivery of a cyber security exercise to make sure we are all prepared for an incident that may occur.

What advice would you give to someone wanting to get started in or transition to a role that you are in?

I think it is worthwhile, and I always feel like we are working on the “pointy end” of cyber security. I would advise that people learn incident management frameworks and processes, stay up to date with contemporary threats and campaigns, ensure that they can communicate clearly in stressful situations and be willing to work hard to stop the bad guys.