When Perfect Plans Meet Imperfect Reality

This is the second post in the Incident Response Series. Read the first post here

Remember that 52% from my poll who were “very confident” in their IR plans? I keep thinking about them.

Because I’ve spent a lot of time thinking about a case study that’s going to be part of my ISC2 talk, and it’s the kind of story that makes you question everything you think you know about incident response.

The Pessimist’s Paradox

Here’s something I’ve noticed about us security people: We’re pessimists about everything.

New vulnerability discovered? We assume the worst. Zero-day exploit? We’re already planning for mass compromise. User clicked a phishing link? We’re mentally preparing for full domain takeover.

We’re professionally paranoid about everything… except our own programs.

Somehow, when it comes to our incident response plans, we flip that script entirely. Our EDR will catch the attack. Our backups are properly segmented. Our team will be available when we need them. Our network shutdown procedures will work flawlessly.

It’s like we have a blind spot the size of our own infrastructure.

When Optimism Meets Reality

We talk about incident response in terms of business impact. Revenue loss. Reputation damage. Regulatory fines. But sometimes the consequences are more immediate. More human.

Ascension Healthcare, May 2024. Ransomware attack.

This wasn’t just about billing systems going offline or having to work with paper records for a few days. Hospital staff couldn’t access lab results. Medication dosing systems failed. The routine safety checks that prevent potentially fatal mistakes? Gone.

Some Ascension hospitals had to divert ambulances because they couldn’t safely treat patients.

The research on ransomware attacks in healthcare is sobering: patient volumes drop 17-26% in the first week. In-hospital mortality rates increase by 35-41% for admitted patients.

Here’s the kicker: I guarantee you the security team at Ascension were pessimists about threats. They knew ransomware was a real risk. They probably had sleepless nights worrying about attacks.

But when it came to their own IR plan? That optimism bias kicked in.

The Question That Haunts Me

Here’s what I can’t stop thinking about: Ascension had an incident response plan. They had cybersecurity professionals. They had frameworks and procedures.

So what went wrong?

The answer isn’t what most people think. It’s not about having better backups or faster detection or more advanced EDR. Those are symptoms of the real problem.

The real problem is something I’ve seen in organization after organization, and once you see the pattern, you can’t unsee it.

The Pattern I Can’t Ignore

Over the past few months, I’ve been analyzing major incidents—not just the ones that make headlines, but the ones that happen quietly to organizations that “did everything right.”

There’s a common thread. A specific moment in each incident where the plan stops working and people start improvising.

That moment? It’s predictable. And it’s preventable.

But not in the way you think.

Why This Matters Right Now

I shared that Ascension story not to scare you, but to illustrate stakes. Because when that nagging voice in your head asks “but what if…?” about your IR plan, it’s not paranoia.

It’s pattern recognition.

Your brain is picking up on something your conscious mind hasn’t fully processed yet. That gap between “very confident” and “completely confident”? It exists for a reason.

What I Can’t Say Here

I’ve been wrestling with how much to share in these blog posts versus saving for my ISC2 talk. The truth is, the full story is complex. The solutions require a shift in how we think about preparedness. And frankly, some of what I’ve learned challenges assumptions most of us take for granted.

Which is exactly why we need to talk about it.

If you’re one of the 52% who voted “very confident,” I need you to hear this story. All of it.

Because that voice asking “what if?” It’s been right all along.

I’m sharing the complete analysis—the patterns, the blind spots, and the solutions that actually work—at ISC2 Security Congress on October 28. Use code NETWORK25SC for 15% off registration.

Currently available for CISO and Head of Security roles (full-time, fractional, or advisory). If your organization needs someone who understands the difference between confidence and readiness, let’s connect.