How compliance drives data resilience

Data resilience is more than a regulatory requirement. It's also the path to competitive advantage

SPONSORED FEATURE There's a perfect cyberstorm coming, says Andre Troskie. Just like the combination of hot and cold air eventually forms a hurricane, an array of issues is combining to threaten business resilience, warns the field CISO at data resilience company Veeam. The outcome won't be pretty.

"We're seeing geopolitics play out in the world now, with cyber warfare becoming a real and credible threat to our organizations and to the citizens of our countries," he warns. "Combine that with cybercrime, the tremendous uptick in ransomware attacks and other threat types, there's a world of increased risk."

While most companies try to convince businesses that it's a matter of when, not if, they're attacked, Veeam has gone one step beyond that. It's not about when you get pwned, Troskie says; it's about how often and how hard, along with how fast you can recover. Resilience is the focus now.

A perceived gap in cybersecurity skills and increasingly complex technology environments are making that recovery more difficult, he warns.

"It's not like when I started my career in the late 90s, when we had a firewall and a strong perimeter," he says. "Now we've got hybrid cloud, multi-cloud, and Kubernetes. So many things coming into production environments that open the door for mistakes or for gaps to be left open."

Regulators clamp down

National and regional regulators aware of the risks are busy enforcing resilience on businesses, demanding that they keep the lights on no matter what attackers throw — or at least get them back on as soon as possible. The Digital Operational Resilience Act (DORA), NIS2, and other rules around the world are forcing businesses to make their operations bounce back quickly, or face unpleasant consequences.

This regulatory focus has been evolving since the early 2000s. Troskie charts it back to the passage of Sarbanes-Oxley. "It was the first time the world really had to sharpen its pencil in terms of how to ensure compliance," he says. "I think we're in that world again now."

Perhaps not exactly that world. SOX was a response to accounting scandals from the likes of Enron and WorldCom. Today's regulators are more focused on operational disruptions from cyber incidents.

Many of these regulations have common requirements, Troskie points out. Risk management and governance, incident response, and reporting mechanisms with tight timelines are typically on the to-do list. Third-party risk management, proven business continuity, and continuous monitoring and reporting are frequent mandates.

These are big asks for many businesses. "Organizations are still challenged, whether in their technical capability or the people or processes they have," he says. "We've got an uphill battle to make sure we can get that done."

What cyber resilience really means

For Veeam, resilience revolves around access to data. In modern organizations, data is like the oxygen that powers the brain. If it stops flowing, nothing works; the organism shuts down.

Veeam codified what data resilience looked like in a Data Resilience Maturity Model (DRMM) that it worked on with McKinsey. It came up with four levels of data resilience maturity:

  • Basic: Reactive, manual, and highly exposed
  • Intermediate: Reliable but fragmented, lacking automation
  • Advanced: Strategic and proactive, yet missing full integration
  • Best-in-class: Autonomous, AI-optimized, fully resilient

Surveying over 500 senior leaders in IT, security, and operations from large enterprises, it found some alarming results. Three in four organizations fell into the bottom two categories, while 30% of the CIOs in the least resilient companies thought they were doing better than they really were.

How to build resilience that holds up under pressure

Results like those are worrying not just for individual companies but for whole sectors. If a large proportion of companies in an industry can't recover well from attacks, that puts the entire ecosystem at risk. Whether it's a bank that goes bankrupt and starts taking other banks with it, or a cyberattack that spreads across an entire country, the result is the same: a real existential crisis.

So how do we shore up our defenses and become more resilient?

"If you look at the Digital Operational Resilience Act, it's right there in the name," says Edwin Weijdema, EMEA field CTO at Veeam. "It's operational resilience, not just IT resilience. That means we need to involve more than just the IT team."

Getting the board on board

Thinking about resilience as an operational problem moves it outside IT into other areas of the business, but that alone isn't enough. Organizations must also elevate their thinking about resilience from the operational to the strategic level.

Senior executive buy-in is one area where regulators will be helpful. Accountability for cyber incidents is shifting. In the past, the board could throw the CISO under the bus when disaster struck. Today, the regulators won't stand for it. They're coming for others in the C-suite who don't meet expectations.

Execs who fail to meet DORA's strict standards could be benched or held personally liable if failures are due to a lack of oversight. Mess up under NIS2 and you could be disqualified from directorship. The rules make it clear that you can't delegate responsibility to your IT team anymore.

Weijdema paints a picture where the whole organization has a culture of resilience that extends from the bottom to the top. That creates conditions where legal and communications teams get involved. Crisis managers are appointed, tabletop exercises held, and cross-role simulations conducted. In short, it's time to take this all a bit more seriously, even if you operate in a sector that traditionally hasn't.

Data resilience means both taking preventative action and creating conditions for quick recovery when attackers strike. It means thinking about the rapidly evolving threats that ransomware actors pose to your data and then taking steps to protect it ahead of time.

Quantifying risk

The problem is that companies under financial pressure don't get huge budgets to use without justifying their choices. They must carefully target their investments for maximum effect. To do that properly, they must quantify risk.

Many still use a finger-in-the-air approach to risk assessment, but that has to change. Quantifying risk and describing it in language that the board recognizes, such as downtime, regulatory fines, and reputational damage, will help get executive buy-in, says Troskie.

To do that risk assessment properly they must understand the life cycle of their data, adds Weijdema.

"If you don't look at your data life cycle, you'll store more and more of it with no clue about it," he warns. "You need insights about that data. Is it really valuable? Should it be stored for 30 years or be deleted after one?"

Getting ahead of the regulators

Armed with data-driven techniques like these, companies can get ahead of the regulators by readying themselves for disruption rather than simply reacting to it, says Troskie. It's something that Veeam helps with by covering what he calls the resilience platform.

"That includes governance, documentation, automated testing, secure recovery, and role-based reporting. This is not just about backup; it's about building confidence in your ability to recover," he explains. He's positioning Veeam as a full resilience enabler rather than as an infrastructure backup company, using the DRMM as a framework to map out the journey.

Veeam applies its resilience principles across five pillars. The first and second, data backup and data recovery, are where the organization started out.

"Then we add value with data portability," he says. The ability to recover into a different destination (including another vendor's hypervisor infrastructure) gives companies the freedom to move their data where they wish. Next is data security, crucial for ensuring data is secure, immutable, and recoverable. By integrating with a broad range of security partners, businesses can enhance their security infrastructure using existing investments. Central to this strategy is a robust data security framework, featuring advanced encryption, immutability, and threat detection, supported by a zero-trust architecture and a network of over 65 security vendors.

The last on the list is data intelligence. Advanced reporting using Veeam's dashboard gives customers a view of a data set's resilience. They can use it to answer questions such as whether it's stored in an immutable form to protect against ransomware, whether it is tested for recovery, and whether it is stored under a service level agreement. This intelligence ties directly to auditability, regulatory communication, and board-level reporting.

Measuring resilience, building trust

One sign of true data resilience maturity is that you're able to measure yourself objectively. Mean time to recover (MTTR) is one metric that Veeam's maturity research examined. The most mature respondents were able to recover their data seven times faster than the least.

"That's a huge delta. It's not just a tech difference, it's an organizational maturity difference," says Weijdema. "It shows up in real impact: less revenue loss, less customer disruption, less time spent firefighting."

MTTR is a clean, measurable indicator of resilience maturity that CFOs and CEOs can immediately understand. Another metric is downtime. The most mature organizations saw three times less downtime than the least.

For him, though, it all comes down to whether you trust your own organization to recover from an incident.

"That's a tough question for a lot of organizations to answer, and that's what we're working to change," he concludes.

Cyber resilience is about building that trust with your team, with your leadership, with your regulators, and most importantly, with your customers. When customers trust you to recover quickly from whatever storm is coming, you can turn that to your competitive advantage. Suddenly, resilience is more than just a regulatory requirement; it's something you can take to the bank.

Sponsored by Veeam.
