Introduction
Today, cyber threats are sophisticated, evolving and relentless. While traditional cybersecurity measures focus on preventing attacks, the inevitability of a data breach necessitates a robust cyber resilience strategy. This approach emphasises not only prevention, but also the ability to respond to, recover from, and learn from cyber incidents. Achieving true cyber resilience requires a collaborative effort across various departments, particularly between storage and security teams.
The Shift from Cybersecurity to Cyber Resilience
Historically, organisations have concentrated on building their defences to prevent cyber breaches. However, recent trends and regulatory requirements underscore the importance of accepting that breaches will occur and preparing accordingly. This shift moves organisations from a purely preventive stance to one that also prioritises response and recovery.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework exemplifies this approach. The framework outlines five core functions:
1. Identify: Understand and manage cybersecurity risks.
2. Protect: Implement safeguards to ensure service continuity.
3. Detect: Develop activities to identify cybersecurity events.
4. Respond: Take action regarding detected cybersecurity incidents.
5. Recover: Maintain plans for resilience and restore impaired capabilities.

Traditionally, organisations have focused heavily on the first three functions. However, the increasing complexity of cyber threats and regulatory mandates necessitate a stronger emphasis on the Respond and Recover functions—a shift known as ‘shifting to the right.’
The Cyber Resilience Gap
Cybersecurity teams meticulously monitor metrics including patch rates, incidents raised, and mean time to fix. Meanwhile, IT operations and storage teams prioritise system availability and downtime reduction. Yet, few firms rigorously track recovery metrics, creating a cyber resilience gap.
Predatar’s data reveals that organisations recover less than 1% of their data annually, and 1 in 14 backup recoveries is compromised. This stark reality highlights the gap between firms’ cybersecurity measures and their actual ability to recover from cyber incidents.
Barriers to Closing the Cyber Resilience Gap
Security officers and organisations may not conduct extensive data storage recovery testing due to:
1. Resource Constraints: Recovery testing requires time, manpower, and budget, which may be deprioritised.
2. Perceived Low Risk: Many organisations assume their backup processes are sufficient without rigorous testing.
3. Complexity: Recovery testing is intricate and requires simulated disaster scenarios.
4. Responsibility Challenges: Coordination between IT, security, and management can be difficult, hindering testing efforts.
Whose Role is Cyber Resilience?
Cyber resilience is a team effort, requiring coordination across departments. Here’s how different roles contribute:
Role | Responsibility |
CISO | Oversees cybersecurity strategy and ensures response plans are in place. |
IT Security Team | Develops technical recovery strategies and validates system integrity. |
Storage & IT Operations | Manages backup systems, ensures redundancy, and restores data. |
Incident Response Team | Coordinates containment and investigation efforts post-breach. |
Legal & Compliance | Ensures regulatory alignment and manages compliance issues. |
Communications & PR | Handles external communication in case of breaches. |
Closing the Gap: A Cyber Resilience Framework
To enhance cyber resilience, organisations should focus on two key areas: Recovery Speed and Data Integrity.
1. Recovery Speed
Prioritisation
Organisations should identify the critical business systems that make up their Minimum Viable Business: those essential for operational continuity. Recovery Assurance software can automate recoveries based on prioritisation and reduce resource waste.
Early Detection
Security teams should integrate data storage systems into Security Orchestration, Automation, and Response (SOAR) systems to improve recovery speed. AI-powered metadata analysis and storage scanning enhance threat detection.
Example: IBM FlashSystem In-line Threat Detection observes data behaviour and alerts administrators about ransomware threats.
Storage Methods
Storage speed affects recovery time. Below is a breakdown of typical recovery times per 1TB of data:
Storage Medium | Estimated Recovery Time |
Storage Class Memory (SCM) | ~7 min |
Solid State Drives (SSD) | ~17 min |
Nearline SAS Drive Array | ~35 min |
Object Storage (1Gb connection) | ~1 hr 30 min |
LTO9 Tape Drive | ~30 min – 4 hrs (Data Dependent) |
A cyber resilience strategy must include both primary and secondary storage solutions, as:
- Primary storage snapshots don’t cover all workloads.
- Secondary backups allow granular recovery (VM, folder, file level).
- Offline secondary backups provide air-gapped protection against ransomware.
2. Data Integrity
Storage Architecture Design
A resilient storage architecture follows five key principles:
1. Data Encryption: Protects data from unauthorised access, reducing its value to attackers.
2. Access Controls: Enforce MFA, quorum approvals, and complex passwords.
3. Three Plus Copies: Follow the 3-2-1-1-0 rule: three copies, two media types, one off-site copy, one offline, and zero errors.
4. Immutability: Prevents data tampering but requires proper implementation.
5. Air-Gap Solutions: Isolate critical data from the network to prevent malware spread.
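The 3-2-1-1-0 rule from principle 3 can be checked mechanically against a backup inventory. The following is an added example, not code from Predatar or any product named on this page. The record fields, site names and sample inventory are hypothetical, the inventory is assumed to list every copy including the primary, and "zero errors" is interpreted here as zero errors in the most recent recovery test, with an untested copy counted as a failure.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    # Hypothetical inventory record; field names are assumptions for this example.
    location: str        # site identifier, e.g. "dc-a"
    media: str           # "disk", "tape", "object", ...
    offline: bool        # air-gapped or otherwise unreachable from the network
    verify_errors: int   # errors in the latest recovery test, -1 if never tested

def check_32110(copies, primary_site):
    """Return the list of 3-2-1-1-0 violations for one dataset (empty = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"3: only {len(copies)} copies")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"2: single media type {sorted(media)}")
    if not any(c.location != primary_site for c in copies):
        problems.append("1: no off-site copy")
    if not any(c.offline for c in copies):
        problems.append("1: no offline copy")
    # Assumption: an untested copy cannot claim "zero errors".
    untested = [c.location for c in copies if c.verify_errors < 0]
    failed = [c.location for c in copies if c.verify_errors > 0]
    if untested:
        problems.append(f"0: never recovery-tested: {untested}")
    if failed:
        problems.append(f"0: recovery errors on: {failed}")
    return problems

# Constructed sample inventory (all copies of each dataset, primary included).
INVENTORY = {
    "erp-db": [
        BackupCopy("dc-a", "disk", False, 0),
        BackupCopy("dc-b", "object", False, 0),
        BackupCopy("vault", "tape", True, 0),
    ],
    "file-share": [
        BackupCopy("dc-a", "disk", False, 0),
        BackupCopy("dc-a", "disk", False, -1),
    ],
}

def audit(inventory, primary_site="dc-a"):
    """Map each dataset name to its list of violations."""
    return {name: check_32110(c, primary_site) for name, c in inventory.items()}

if __name__ == "__main__":
    for name, problems in audit(INVENTORY).items():
        print(name, "OK" if not problems else problems)
```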
Recovery Planning & Testing
Recovery plans should be frequently tested. New Recovery Assurance technologies, including Cyber Recovery Cleanrooms with AI and automation built in, are making this achievable at scale. These solutions provide:
- Randomised Testing – Periodically tests a subset of systems.
- Scheduled Testing – Ensures all systems undergo recovery trials.
- Event-Based Testing – Triggers tests based on security alerts or anomaly detection.
To further ensure data integrity, storage volumes should be scanned for malware during recovery.
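The three testing modes listed above can feed a single daily recovery-test queue. This is an added example, not how Predatar or any other product implements it. The system records, retest intervals, alert list and the ordering (event-based first, then overdue scheduled tests, then a random sample) are assumptions made for illustration.

```python
import random
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class System:
    # Hypothetical record; names and fields are assumptions for this example.
    name: str
    last_tested: date
    max_interval_days: int   # scheduled testing: retest within this window

def plan_recovery_tests(systems, alerts, today, sample_size, rng):
    """Build today's recovery-test queue as (system name, reason) pairs.

    Order: event-based (an alert casts doubt on the backup now), then
    scheduled (retest overdue, oldest first), then a random sample of the rest.
    """
    queue, chosen = [], set()
    by_name = {s.name: s for s in systems}
    for name in alerts:                          # event-based
        if name in by_name and name not in chosen:
            queue.append((name, "event"))
            chosen.add(name)
    overdue = sorted(
        (s for s in systems if s.name not in chosen
         and today - s.last_tested > timedelta(days=s.max_interval_days)),
        key=lambda s: s.last_tested)
    for s in overdue:                            # scheduled
        queue.append((s.name, "scheduled"))
        chosen.add(s.name)
    rest = [s.name for s in systems if s.name not in chosen]
    for name in rng.sample(rest, min(sample_size, len(rest))):   # randomised
        queue.append((name, "random"))
    return queue

# Constructed sample data.
TODAY = date(2025, 1, 31)
SYSTEMS = [
    System("erp-db", date(2025, 1, 20), 30),
    System("mail", date(2024, 11, 1), 60),
    System("hr-files", date(2024, 12, 1), 30),
    System("wiki", date(2025, 1, 25), 90),
    System("build", date(2025, 1, 10), 90),
]
ALERTS = ["erp-db", "unknown-host"]   # names raised by anomaly detection (constructed)

if __name__ == "__main__":
    for item in plan_recovery_tests(SYSTEMS, ALERTS, TODAY, 1, random.Random(7)):
        print(item)
```

An alert for a name that is not in the inventory is skipped here; in practice that mismatch is worth reporting, since it points at a system with no tracked backup.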
Reporting for Continuous Improvement
Cyber resilience is an ongoing effort. Organisations should track key metrics beyond just backup success rates, including:
- Recovery Time Objectives (RTOs) & Recovery Point Objectives (RPOs)
- Cyber Incident Metrics (frequency, severity, response time)
- Downtime & Service Availability Reports
- Cyber Resilience Index – A custom benchmark tracking overall recovery capabilities.
5 Questions to Ask Your Data Storage Manager
1. How are encryption and access controls managed?
2. What is our recovery testing frequency?
3. Are backups segregated and protected against cross-contamination?
4. Do we have an offline or air-gapped backup solution?
5. Can we measure our cyber resilience effectively?
Conclusion
Cyber resilience is not just an IT problem—it’s a business imperative. Organisations must bridge the cyber resilience gap by:
- Shifting focus from cybersecurity to cyber resilience.
- Encouraging collaboration between security and storage teams.
- Implementing faster, more secure recovery solutions.
- Regularly testing backup and recovery plans.
- Leveraging AI and automation to improve detection and response.
By adopting these strategies, organisations can not only survive cyberattacks but emerge stronger and more resilient in the face of evolving threats.
How can Predatar help?
Predatar’s Recovery Assurance platform uses AI and Automation to make data resilience achievable.