The Predictability of Unpredictability

We can only prepare to be resilient.

At 0300 this morning, and I found myself thinking about a phrase drilled into us back in the day: expect the unexpected and get comfortable with unpredictability. That mindset doesn’t leave you, and it fits perfectly in the world of security.

You can plan, run red teams, and rehearse every known failure scenario. You can build strong defenses and document your incident response plans down to the minute. But no matter how much preparation you do, the future doesn’t play by your rules.

Things will go wrong. Not might... Will. That’s the part that’s predictable.

What matters is how you respond when they do. How quickly you can shift from shock to action. How well your systems recover. How much damage you can contain before the situation spirals.

Plan A might be strong and well-rehearsed, but Plan B is what keeps your organization alive when reality doesn’t follow the script. You won’t always know exactly what’s coming, but you can invest in resilience. You can prepare your people and systems to bend without breaking.

The real test is how well you’ve identified what matters most and how fast you can protect it when things fall apart. That’s where the work should focus. Everything else is noise.