The Difference Between a Plan and Readiness
A documented cyber incident response plan is not enough. Boards need evidence that recovery plans have been tested, gaps were surfaced, and operations improved as a result.
A cyber incident response plan only becomes meaningful when it has been tested under pressure. For boards, the important question is what testing revealed and what changed as a result.
Most organizations have a cyber incident response plan.
Fewer have tested whether it works.
That distinction matters more than it might seem. A plan describes what should happen. Readiness is the demonstrated capability to execute when it does. The gap between those two things tends to be widest in organizations that have invested in documentation without investing equally in testing.
A tabletop exercise that produces no operational improvement is a weak signal of readiness. That’s worth saying directly.
Testing reveals what documentation can’t. It shows whether the people responsible for a response know their roles before the pressure is on. It shows whether communication protocols hold when the situation is ambiguous and the information is incomplete. It shows which parts of the plan were written for a scenario that doesn’t reflect how the organization actually operates.
For us, as directors, the governing question isn’t whether a plan exists. It’s what testing has revealed and what changed as a result. None of this is simple to govern from a distance, but it’s the right question to anchor to.
Having tested recovery plans during my years running technology organizations, and now asking these same questions as a board director, I find the difference between a plan that has been pressure-tested and one that hasn’t is immediately visible when we simply ask management to describe what the testing changed.
What would we need to see to be confident that recovery capability is real and not assumed?
Looking for additional insights on this topic? I invite you to read more about the Fiduciary Resilience Model.
