What Are the Five Pillars of Data Resilience?

BIZTECH: What’s your definition of data resilience, and how is it distinct from cybersecurity?

Cybersecurity is really just a subset of data resilience, and that’s for a very simple reason: In today’s world, every business is a software business. It doesn’t matter which industry you’re in or how you’re regulated. Business models change based on how the business leverages data, and making sure that data is available — whenever you need it, however you need it — becomes life itself.

Cybersecurity, which is about how you secure the data, is one aspect of data resilience, but there are many other dimensions to it that are critical. The end goal is, do you have access to your data at every point in time?

BIZTECH: What characterizes a data-resilient organization?

We approach data resilience according to five pillars. The first is the most basic one: Do you have data backed up in the right way? That seems very straightforward, but you’d be shocked by how many companies don’t have the right backup strategy in place. And that’s vital because our research tells us that 93% of ransomware attackers go for the backups first. 

Our research also tells us that about 85% of companies have had at least one successful ransomware attack against them, and 26% had four or more. So, the second pillar is, can you recover quickly from a breach? What’s your recovery strategy, and can you get to your recovery time objective and recovery point objective?

Third is data freedom, which is not often talked about. There are many instances where you’ll just need to change your tech stack. You may see a better tech solution, or companies may just change their posture. No matter what choice you make, you need your data to travel with you with minimal fuss.

Anand Eswaran, CEO of Veeam. 

BIZTECH: We haven’t even talked about security yet. Where does that come in?

Security is fourth. Do you have the right malware protection? Are you able to detect changing patterns, even of your own employees to mitigate insider threats? And there’s obviously table stakes, like multifactor authentication, end-to-end security, etc.

And then the last pillar we look at is data intelligence. I look at that in three different ways: First, how do you use artificial intelligence to make your own products better? In Veeam’s case, for example, we’ve created AI-based malware and ransomware threat detection. Second, how are you using AI to make your products easier to use? That’s where you see Microsoft Copilot and all the digital assistants. Third, how do you use AI on your data to get insights that help you run your business?

So, we look at data resilience across these five pillars of data backup, recovery, freedom, security and intelligence.

BIZTECH: Do you think organizations pay enough attention to data resilience?

It’s a good question. If you look at what’s happening, 25% of the time that a company gets breached, they lose access to their data even when they pay the ransom. You would take a step a back and look at these numbers and say, “Hmm, maybe companies are not focused enough.” But that’s now how we look at it. We realize that the sophistication of these cybercrimes are evolving every single day. It’s a constantly shifting goalpost.

BIZTECH: What’s missing from organizations’ strategies? What’s not in place that they need?

Data resilience is not just processes and tools. It starts with culture. Do you have the right cultural tone in your company? Resilience starts in the boardroom and the C-suite, not in a data center. There’s also a massive disconnect between how IT teams and security teams work together.

The next thing is, even when people understand what they need to do across backup, recovery and the other principles, there are too many conflicting strategies. Organizations have a long way to go before they get to maturity across the pillars of data resilience.

Third, companies are not doing enough to protect their Software as a Service applications because they’re saying things like, “Oh, we use Microsoft 365. That will protect it.” But your data is your responsibility.

There’s also recently been a huge movement around modernizing your application stack. We found that 96% of companies have plans to leverage containers or already are. You have to protect your containers.

Finally, businesses need to run attack and breach simulations. You can have the best playbooks in the world, but if you don’t run simulations, you can never be ready. The best phrase I’ve heard that captures this is, “You don’t rise to the occasion; you fall to your level of preparation.”

BIZTECH: Where are organizations on their efforts to achieve all that?

On a scale of 1 to 5, I’d say we’re at 2. The good news is this is a boardroom conversation now. Most boards, like mine, are asking questions: “What is your data resilience posture? What are you doing about it? How are you measuring progress?” Everyone is thinking through it.

But then, people have to get down to it: Organization and culture, which is where I think we’re furthest away from maturity, and technology, like your backup and recovery strategy, where I think we’re a little further down the path. So, we’re still at a 2, but there’s activity and understanding. 

I hope Veeam can be a part of the conversation of helping people understand data resilience. But it’s a shifting goalpost. I don’t think we’ll ever be at 5.