Everyone Has A Plan Until They Get Punched In The Face
- Phil Venables
Apparently what Mike Tyson actually said in a 1987 interview was, "Everybody has plans until they get hit for the first time". In any case this is still a variant of the common theme of “No plan survives first contact with the enemy”, ascribed variously to von Moltke or von Clausewitz.
What bugs me about the Tyson quote is not the quote itself, which is undeniably correct in the spirit of the idea it's meant to convey, but rather the tendency for people to misuse it as a reason not to plan at all. The reality is the exact opposite. It is precisely because things are going to go to hell real fast when you have that first contact with the enemy, or get smacked in the face, that preparation matters: having prepared and planned for it you are going to fall back on your muscle memory, adapt, and fare better than if you were relying on untrained and unprepared instinct alone. You then might still have a fighting chance of executing the original strategic plan you had for the fight, the work, or whatever else.
As much as I generally dislike sports analogies, the concept of an American football “checkdown” is very useful. In football, a checkdown refers to a short, safe pass thrown by the quarterback to a receiver when the primary downfield passing options are covered. It's a "safety valve" option used when the quarterback has no other option under pressure. I first learned this concept not in football (I played the faster and less armored version known as rugby) but in public speaking. When you lose your train of thought, when something goes wrong or when, for whatever reason, nerves get the better of you then have some prepared “checkdowns” to give you some time and space. It might be a prepared anecdote, a body movement or pause or even a question you want to pose to the audience. It’s all about giving you something automatic to do to give you space and time to get back on track. This is planning to be prepared - to make you flexible not brittle.
The same applies to security, incident response and resilience in general: resilience is about capabilities, not just plans.
Resilience is about capabilities not plans.
Resilience can be thought of as the ability to absorb shocks, adjust as needed and continue operation in the face of adversity. In other words, to meet your obligations no matter what is thrown at you - perhaps with some graceful degradation of specific service levels - no matter how hard you got smacked in the metaphorical face. It is not simply the ability to deflect, avoid or prevent events. Events in this context can be across all business and technology risk domains - whether they are slow or fast moving - from cyber to pandemics.
One of the common mistakes many organizations make is to think that resilience can be obtained by simply writing down comprehensive plans and procedures on what to do and how to respond to specific events. When someone thinks of a new event or scenario then a new plan is written and carefully filed away in the Big Book of Plans ®. Eventually there is a whole virtual shelf full of these things. Sometimes plans are even tested to see if they actually work.
There are three major problems with this, when facing the reality of actual events:
In an actual crisis situation, adrenaline-fueled people are unlikely to take the time to consult large manuals or standard operating procedures to tell them what to do.
Most crises or significant events are unique and even if you consulted the plans it would be a lot of effort to contort them to the specific situation you are facing.
Not all plans can be tested frequently and so the underlying means (people, process, technology) of implementing actions in those plans may not have been sufficiently maintained and may only be seen to be deficient when they are most needed.
The answer to these problems is deceptively simple but profoundly effective: focus on capabilities, not plans. Established capabilities are combined and utilized at a time of need by a trained workforce to deal with whatever event is thrown at them. Capabilities are constantly maintained and tested independently from crisis / event drills. These drills can then focus on building crisis response muscle memory across the organization.
More specifically, general resilience comes from:
Establish Baseline Capabilities. A set of people, process and technology capabilities that are maintained to defined service levels and continuously monitored as being able to meet those service levels. Examples: remote access services for your workforce able to support everyone connected simultaneously, dispersed physical offices and back-up sites, pre-negotiated contracts to expand office space or add new temporary locations, employee wellness / medical support, dispersed technology delivery, tested burst capacity, cloud zone/region resilience, distributed voice and video communications including the capability to be used on non-corporate devices in secure ways when needed, and critical business operations pre-dispersed among disparate locations or regions.
Regularly Use the Capabilities. Run day to day business operations using these capabilities as much as you can, so that they are assured of correct operation. If you can't, then test them regularly such that they meet defined service levels. Example: if your crisis communications technologies are not the same as the technologies people use every day then they are unlikely to be used successfully in a crisis; instead create inherently resilient / survivable communications approaches, and if you do need something totally different then use it regularly across your population in some other way, such as holding regular staff meetings on the back-up communications system.
Manage Capacity. Understand the capacity constraints of your capabilities and if you can't economically run with excess capacity then conduct regular testing of your ability to quickly ramp up such capacity when you might need it such as in a burst to cloud approach.
Separate Drills and Capability Testing. Separate out operational testing from crisis response drills. I've come across many large scale drills that have had issues because of failures in basic capabilities such as crisis communications technology (e.g. getting the call tree going), deficiencies in technology at back-up sites, lack of access to back-up sites, or revealed capacity constraints that cause the drill to fail early. At one level these are still a success because the organization learnt and fixed these things; at another level it's a failure because they never got to really fulfill the intent of the crisis drill: to build muscle memory for adaptive response. Instead, make sure that all the capabilities that are needed for resilience have regular testing to assure their operation so that their failure never has to be revealed during a drill, or for that matter a real event.
Conduct Micro-Drills. The goal of drills and resilience exercises is to build and constantly enhance the organization's muscle memory of how to respond to events or crises. You need to constantly drill / exercise, but you can't do this if you only ever do massive ones, the sort you can maybe only do a few times a year. You can increase the volume and frequency of drills using "micro-drills". These are small tests, typically less than 1 hour, involving subsets of the organization to assure response to various types of events or broader scenarios, for example: launching an executive crisis response call, coordinating a leadership meeting at short notice from a back-up location, fully failing over to back-up systems in the event of any IT failure. In fact, getting "trigger happy" in invoking crisis responses to any and many events is a useful practice. If you find yourself wondering whether a situation is worthy of going into full response mode then occasionally do it no matter what, just to exercise your response and sustain your muscle memory for the real deal.
Minimize Blast Radius. Minimize the blast radius of potential events and increase loose coupling of systems and processes (including those in your supply chain) such that response to any event is easier to deal with. If there’s a potential event that can, literally, take out your entire company then the action is to not only exercise your response and recovery to that potential event but also to intensely work to remove the possibility of that event having such extensive impact.
Look Around Corners. Broaden how you think about threat intelligence to include sourcing data about incidents and close-calls across the spectrum of risks from all types of organizations across all sectors. Use this feed to challenge assumptions and, with your scenario catalog, do the work to assess how well your capabilities would perform. Use these as sources for future drills. Think about the worst case by combining scenarios in more extreme ways: a WOW (Worst of the Worst) scenario planning exercise in which you assess how resilient you will be in the face of several really bad scenarios happening all at once can really test your mettle.
Use Playbooks and Checklists. Now, having said you should focus on capabilities not plans, you do need some operational documentation. However, this becomes much more abbreviated, in the form of playbooks or checklists for the use of capabilities (e.g. who to communicate events to, and when), what time-bound activities need to happen as people are forming the first response (e.g. the 8 things to do in the first 30 minutes of a declared security incident), or trigger-based action plans (e.g. what to enact when a Phase 5 pandemic is declared).
Establish Crisis Leadership Structures. A large part of the success criteria for dealing with serious events is, naturally, how leadership manages the response. This is as much about organization design and culture as about the inherent qualities of particular leaders. Having separate but highly linked response forums / calls for executives (enterprise crisis management) and operators/engineers (incident response teams) is critical to ensure people remain focused. How many times have you been on an incident response call when numerous C-suite executives join at random times and ask for an immediate update? This can derail the response process. Instead, there should be rehearsed communication protocols, prepared responses (think of this as a communications toolkit capability) and designated "runners" to bridge different management forums. Throughout a drill or an actual event response, constantly assess whether teams are working effectively, remembering that sometimes your best crisis leaders are not those in positions of utmost authority in regular situations: "war time" and "peace time" leaders are often different.
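The bookkeeping behind Establish Baseline Capabilities, Separate Drills and Capability Testing, and Look Around Corners can be made mechanical: each capability is only "assured" if its last independent test passed within its defined test interval, a scenario is only covered if every capability it depends on is assured, and a Worst of the Worst scenario is simply the union of several scenarios' needs. The Python below is an added example written for this post, not code from the author; the capability names, service levels, dates and scenarios are constructed sample data.

```python
"""Capability assurance: are the capabilities a scenario needs proven to work today?"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Capability:
    name: str
    service_level: str           # the defined service level this capability is held to
    test_interval_days: int      # how often it must be independently tested
    last_test: Optional[date] = None
    last_test_passed: bool = False

    def status_on(self, today: date) -> str:
        """'assured' only if the last test passed within the interval; otherwise why not."""
        if self.last_test is None:
            return "untested"
        if not self.last_test_passed:
            return "failed"
        if (today - self.last_test).days > self.test_interval_days:
            return "stale"
        return "assured"

    def next_test_due(self, today: date) -> date:
        """A failed or never-tested capability is due immediately."""
        if self.last_test is None or not self.last_test_passed:
            return today
        return self.last_test + timedelta(days=self.test_interval_days)


@dataclass(frozen=True)
class Scenario:
    name: str
    required: frozenset           # names of capabilities the response depends on


def worst_of_the_worst(scenarios: Iterable[Scenario]) -> Scenario:
    """WOW scenario: all of these at once, so it needs the union of their capabilities."""
    scenarios = list(scenarios)
    return Scenario(
        name="WOW: " + " + ".join(s.name for s in scenarios),
        required=frozenset().union(*(s.required for s in scenarios)),
    )


def assess(scenario: Scenario, capabilities: Dict[str, Capability], today: date) -> dict:
    """Group the scenario's required capabilities by status; ready only if all assured."""
    report: dict = {"assured": [], "stale": [], "failed": [], "untested": [], "missing": []}
    for name in sorted(scenario.required):
        cap = capabilities.get(name)
        report["missing" if cap is None else cap.status_on(today)].append(name)
    report["ready"] = not any(report[k] for k in ("stale", "failed", "untested", "missing"))
    return report


def due_for_test(capabilities: Dict[str, Capability], today: date, horizon_days: int) -> List[str]:
    """Micro-drill candidates: capabilities whose next test falls within the horizon."""
    horizon = today + timedelta(days=horizon_days)
    return sorted(n for n, c in capabilities.items() if c.next_test_due(today) <= horizon)


# Constructed sample data (hypothetical capabilities and dates, not from the post).
TODAY = date(2024, 6, 1)
CAPABILITIES = {
    "remote-access": Capability("remote-access", "all staff connected simultaneously", 30,
                                date(2024, 5, 20), True),          # assured
    "backup-site": Capability("backup-site", "ops team badged in and seated within 4h", 90,
                              date(2024, 2, 1), True),             # 121 days ago: stale
    "crisis-call-tree": Capability("crisis-call-tree", "exec bridge live within 15 min", 30,
                                   date(2024, 5, 28), False),      # last test failed
    "burst-capacity": Capability("burst-capacity", "2x compute within 1h", 60),  # never tested
}
SCENARIOS = [
    Scenario("office-loss", frozenset({"remote-access", "backup-site"})),
    Scenario("cyber-incident", frozenset({"remote-access", "crisis-call-tree", "burst-capacity"})),
]

if __name__ == "__main__":
    for s in SCENARIOS + [worst_of_the_worst(SCENARIOS)]:
        print(s.name, assess(s, CAPABILITIES, TODAY))
    print("due for micro-drill in next 14 days:", due_for_test(CAPABILITIES, TODAY, 14))
```

The point of the "ready" flag is that it is computed from test evidence, not from whether a plan exists: a capability that was never exercised, or whose last exercise failed, counts against every scenario that depends on it, and the due list gives a concrete micro-drill queue rather than waiting for the next big drill to reveal the gap.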
Bottom line: the most resilient organizations have a tremendous set of base capabilities (people, process and technology) already established, they have sustained organizational muscle memory to arrange (and constantly rearrange) those capabilities in response to a developing situation, and they have the culture to constantly adjust both of those, quickly. They will have plans, but they don't depend on plans.