IR Coord · Domain 09/10

Incident Response Coordination

Run the war-room when ransomware hits. The producer's job, in a crisis.

No code required⏱ 12–24 monthsRemote Media transfer

01 · A realistic Tuesday

What the day actually looks like.

Most days are preparation — finalising tabletop agendas, updating runbooks, re-testing the on-call paging tree, sending weekly metrics emails. Then Friday 3:07pm: ransomware encrypts a Lagos branch's file shares. Within 15 minutes you've opened the war-room Zoom, paged the IR retainer (Mandiant/Unit 42), opened a dedicated Slack channel, started the timeline document, briefed the CEO's Chief of Staff in two paragraphs, and drafted holding statements. You don't analyse the malware — you run the bridge call.

02 · Who hires

Where the work lives.

MandiantUnit 42CrowdStrike ServicesKrollAreteCovewareSecureworksStroz FriedbergControl RisksBeazleyCoalitionAIG

03 · Skills

What you actually need.

Technical

NIST 800-61 lifecycle (read-level)
SANS PICERL framework
MITRE ATT&CK (read-level)
EDR product names (Falcon, Defender, SentinelOne)
Regulatory landscape (NDPA 72-hour rule, CBN RBCF, ISO 22301)

Soft

Translating engineer-speak to exec-speaktransferable
Same skill as turning DOP-talk into a director's note.
Calm under live-broadcast pressuretransferable
Running the bridge call IS live production.
Post-mortem writingtransferable
Production debriefs, retitled.
Chronology and storytellingtransferable
Discretion

04 · Career ladder

The shape of the journey.

1
IR Coordinator / Cyber Crisis Analyst0–2 yr
2
Senior IR Coordinator / Incident Manager2–5 yr
3
IR Consultant4–8 yr
4
IR Manager / CSIRT Lead6–11 yr
5
Head of Cyber Crisis9–15 yr
6
Deputy CISO / CISO13–22 yr

12–24 monthsto break in

36121824

Note. Times reflect typical paths for someone with strong communication and 10–15 hrs/week of focused study.

05 · Salary explorer

What it pays.

Ranges are directional. Currency: USD · annual. Last updated: 2025.

06 · Certifications

The cert sequence that won't bankrupt you.

Security+

CompTIA

Vocabulary baseline.

Recommended

$425 · ₦638k

PMP

PMI

The underrated cheat code — coordinators ARE project managers.

Recommended

$555 · ₦833k

EC-Council CIH

EC-Council

Incident Handler cert. $500–700 range.

Nice-to-have

$600 · ₦900k

GIAC GCIH

SANS / GIAC

Gold standard but never self-fund the SANS course.

Eventually needed

$999 · ₦1499k

ISO 22301 Lead Implementer

PECB

Business continuity. Strong differentiator. $700–1.5k.

Nice-to-have

$1100 · ₦1650k

07 · Remote-friendliness

Working from Lagos, Abuja, or anywhere.

5/5

Lagos timezone overlaps neatly with London business hours and partial US East-coast hours. Ideal for international IR retainers.

08 · Trade-offs

The good, the gritty, and who this suits.

Pros

+High-impact, high-visibility.
+Clean path to CISO.
+Portable across industries.
+Producers genuinely have a head start.

Cons

−On-call rotation.
−Vicarious stress from real incidents.
−'Neither technical enough nor management enough' identity battle early on.

Personality fit

If you've been the calmest person in the room when a shoot fell apart, you can do this.

09 · Watch this

Three to five hours that beat any cert.

Backdoors & Breaches: Live Tabletop Exercise Demo

Black Hills Infosec

Why watch. Watch a live tabletop exercise — what your job actually feels like.

How to Play Backdoors & Breaches

Black Hills Infosec

Why watch. Free card game you can run with friends. Best practice tool in the field.

Wisdom from the Cyber Security Battlefield

SANS DFIR

Why watch. Mark Goudie on real-world IR — battle-tested.

Introduction to Cybersecurity Incident Response

Cyberspatial

Why watch. Clear framework intro.

10 · Next step for this path

Do this by Friday.

This weekend: order Black Hills' Backdoors & Breaches deck (or print free PDF). Run a 90-minute tabletop with friends. Document what you learned in a LinkedIn post.