What Could Go Right?

"What could go wrong?" is a defensive posture that caps your influence. The security teams building real political capital ask a different question: what could go right? Reverse engineer that outcome, and incident response stops being damage control and starts being strategy.

Transforming Incident Response Through Positive Framing

As security and privacy professionals, we’ve long operated in the shadow of Murphy's Law, constantly asking "what could go wrong?" while preparing for incidents. This defensive mindset, though necessary, often positions us as the harbingers of doom within our organizations. But what if we flipped the script? 

What if we started asking "what could go right?"

This shift in perspective isn't about reckless positivity or ignoring real threats. It's about reframing our incident readiness and response communications to highlight opportunities, demonstrate value, and build the social capital we need to be effective long-term.

The Power of Positive Incident Planning

Well-executed incident response doesn't just minimize impact. It can strengthen customer trust, demonstrate organizational resilience, and showcase the security team's strategic value.

Companies that handle incidents with transparency and swift action earn the opportunity to build stronger customer relationships than they had before the incident. Customers who might have previously taken the company's integrity for granted now have concrete evidence of how the organization behaves when the stakes are high. The transparent and masterful handling of a difficult situation often builds more trust than years of smooth operations, because it proves the company's values aren't just marketing copy – they guide decision-making even when it's costly or uncomfortable. By planning for these positive outcomes, we prepare our teams to thrive through incidents, not merely survive them.

This isn't the first time we've explored how strategic framing transforms security communications. In our previous post about vulnerability communication with developers, we demonstrated how positioning findings as opportunities rather than failures dramatically improves developer engagement and remediation outcomes. The same communication theory principles that work for vulnerability management apply powerfully to incident response.

Creating New Possibilities & Preserving Choice

Perhaps most importantly, asking "what could go right?" fundamentally expands your options when incidents occur. Traditional incident response planning focuses on damage control and crisis management, often defining a “good” response as one that “went as well as could be expected.” Talk about forfeiting before the game even starts! When teams effectively prepare for positive outcomes, they build the capabilities and stakeholder relationships that give them more flexibility during real incidents.

This preservation of choice is one of the most valuable reasons to invest in incident response capabilities in the first place. We're not just buying insurance against disaster — we're purchasing the freedom to choose how we respond when challenges arise. A well-prepared team can pivot quickly between different communication and disclosure strategies that aren’t even available to less-prepared organizations.

When you've reverse-engineered success scenarios and built the capabilities to achieve them, incidents become decision points rather than predetermined disasters. Without this preparation, it's nearly impossible to meet or exceed stakeholder expectations during the chaos of an actual incident. Teams that haven't planned for positive outcomes find themselves reactive and defensive, scrambling to manage immediate damage rather than pursuing strategic opportunities.

However, new possibilities emerge when you've properly prepared for positive outcomes. You can proactively engage with media to shape the narrative rather than simply responding to criticism. You can turn regulatory interactions into demonstrations of your commitment to excellence rather than grudging compliance exercises. You can use the incident to showcase your organizational values and leadership to customers, partners, and industry peers. Most importantly, you can transform what could have been a reputation-damaging event into proof of your organization's resilience and trustworthiness.

Starting with the End

I regularly work with clients using a powerful exercise: imagine it's six months after a major incident, and you're reflecting on how well your organization handled it. What would you want to be true? What would you like to say about your response?

Common aspirational statements include: 

"Our customers praised our transparency and quick action." 

"We detected and contained the incident faster than industry averages." 

"Our communication was so clear that it became a case study." 

"The incident actually strengthened our relationship with regulators."

After identifying these desired outcomes, we reverse-engineer the incident response plan to make the aspirations achievable. If you want to be known for transparency, you build proactive communication protocols, tools, and platforms. If you want faster detection and response, you invest in monitoring capabilities and frameworks for rapid decision-making. If you want regulatory praise, you design compliance-forward response procedures and direct relationships. None of these things will happen accidentally. 

Practical Implementation

Start by conducting the aspirational reflection exercise with your incident response team. Ask: "Six months post-incident, what do we want stakeholders to say about how we handled it?" Document these desired outcomes, then reverse-engineer your response plans to make them a reality.

Rewrite your incident communication plans to include potential positive outcomes and opportunities. Train response teams to identify moments during incidents where proactive communication can strengthen stakeholder relationships. Develop metrics that capture what you enabled and improved, not just what you prevented.

Create "success scenarios" alongside your traditional incident scenarios. If you're tabletop testing a data breach, don't just practice damage control or legal disclosure requirements – practice the communications and actions that would earn stakeholder praise. This preparation ensures your team is ready to seize positive opportunities when they arise during real incidents.

The Strategic Advantage

Security and privacy professionals who master this positive framing fundamentally change their role within their organizations: they become strategic partners who can help navigate challenges while identifying opportunities for growth and improvement.

Asking "what could go right?" transforms incident readiness from a defensive necessity into a strategic capability that drives organizational resilience and competitive advantage.