Hi everybody, welcome back to Navigating the Road to Cyber Resiliency, the summit made possible by Dell Technologies. This is the power analyst panel. I've been looking forward to this. Rob Strechay with theCUBE Research, Christophe Bertrand is here, he's the practice director and senior analyst at ESG and Zeus Kerravala of ZK Research, principal at that company. Great to see you guys. Thanks for coming on. Welcome to our Palo Alto studio. Great to be here. Great, yeah. So we're going to talk about the state of cybersecurity. Christophe, you gave us some data. It's from a survey, 600N, so it's a big number. All right, so you guys don't mess around, you do your surveys, set it up for us. When was the survey? Give us the basic overview. Essentially, a few months ago, we decided to survey again, the market for ransomware preparedness. Talked to a bunch of folks, IT professionals, IT executives, cyber executives, all end user. So it's not a vendor survey to be clear. Around the world, primarily North America and Western Europe. And what we did was essentially a state of the market. We built in a little maturity model and asked a lot of questions about what's going on when it comes to ransomware preparedness. And we loosely followed the NIST model to cover all of the angles. So I partnered with one of my colleagues on the cybersecurity practice and by coming together with the various angles we're able to really determine what's going on. And because it's the second time we've done this, we also have some historical perspective. We got a little time series data in there and Zeus and I have talked about this for a while. I don't know if you guys heard Gil Hecht just now, but I mean, he was talking about how ransomware has evolved from, okay, we used to be, we're just going to encrypt and then we're going to extort you. Now, they're like exfiltrating, right? So you've seen that evolution of ransomware, haven't you? Oh yeah, it's gotten a lot more advanced, right? 
They're able to get a lot more data now. I think the way, you know, work from home and all these other trends has opened up the attack surface so it's much bigger. So they're able to, the bad guys are able to get in now and low and slow, you know, is the way they work and so they're able to access a lot more data than they have in the past. And I also think the type of data they're going after has changed as well, where it used to be financial data, credit cards, that's not as valuable anymore, right? Cause you can shut that stuff off pretty quick. It's a lot of medical records, HR records, things like that, that's really what pays the big bucks cause that gives you an insight as to the person's personality and things like that. So you're going after reputation, right? And so Andrew, bring up the first slide. This is one from the ESG study. 89% rank ransomware as a top five threat to the viability of the organization. You see 52% say it's one of the top three threats to the organization's viability. I don't know Rob, what the other two would be if it's not, there it is. Yeah, no, I mean, I think this is, I think again, the way that, and I'll let Christophe talk to it, I think the way that really this plays out is that it shows how people don't have this solved yet in a big way. And what was it that you were seeing in this as well, in the data? Well, so a few things. Number one, the fact that this is an existential question. It's not an IT question, it's not a cyber ops or a response question. It's a business level, business viability question. First thing, so it's a big deal. The other thing we saw in the data is the fact that it seems to be a never ending problem and people are struggling today to even protect their mission critical applications against ransomware. People have, I think, realized and are agreeing that it's a very different animal. 
We used to talk about DR and, you know, you can see the hurricane come and you can fail over, you can, that's easy, right? Compared to something that can happen at any time and really change the workflows for recovery. So the biggest issue is recoverability in a timely fashion. And you can only do that if you've really thought through all of the possibilities and have all the right technologies in place. Yeah, and we'll bring that slide up again, if you would, because I want to get, I want to look at that, Zeus, look at the right hand side here. 25% basically say that they can, they can confidently recover more than 80% of their mission critical applications. So there's automatic, already a 20% gap there, but only 25%. 75% say they can't cover more than 80%. I actually don't believe that number in actuality is 25%. You think it's way lower? I think it's lower than that. I believe you're right. I think organizations are in preparedness, because you don't know until you don't know, right? And that's the problem. And I think one of the other challenges is the cyber side of it is different than the recovery side, which tends to be more backup and recovery, right? Do you have good practices? Are you airgapping your data? Do you know where to recover to? If you recover to infected, right? If you're not always cleaning your data and inspecting your data and you recover and that data is infected, then you're just in a position that you're going to get hit with ransom again. And so there's a lot of, there's a lot that goes into both sides of that and somewhere along the line, the world of backup and recovery and cyber need to come together in order to create kind of a single resilient cyber chain here, because I think the two worlds are largely separate right now. So you're a product guy, Rob, but this is not just a product problem, is it? It's not. And I don't think, there's the processes and the people that go along with this. 
And I think some of the guests that we've already had on have talked about that. That's a big problem, I think. And I think it is a big piece of it where the partners have to be involved, the companies that sell the technology. And I think we've heard some of that about how Dell is really bringing that to bear with through their partners and through their consulting services. I think that's a huge piece of it is that it's got to be a full-on press because what Zeus was saying and Christophe, I think you start to look at the attack surface constantly growing and how can you really confidently say that you can, 80% of the time you can recover 80% of your mission critical applications. I think that is without testing it. Right. The other side of this too is the cloud, right? People have gotten pretty good at backing up their on-prem data. There's a bit of a misconception in the industry that if you're in the cloud, the cloud provider will help you with that there. You look at AWS, GCP, Azure, they all have shared responsibility, right? And so one of the big emerging markets right now is moving to SaaS backups and cloud backups, right? So that's a part of it, I think that's largely been left out of it, but that data is just as likely to get breached as any other data. So it's like the cloud's like the first line of defense, right, Christophe? But to Zeus's point, those guys may do a great job of security but you as the customer still have work to do. Still your data, right? It's always your data. And by the way, you talk about SaaS, what about SaaS data itself? So it becomes very complicated. I think the key is about the first line of defense is having that plan that really integrates essentially the people, the processes and the technology across and beyond traditional boundaries. Whether you're talking about security posture management, whether you're talking about cyber, just response. By the time the cyber guy is called the backup guys, well, it's kind of too late. 
So you never want to be in that position and you want also to be really, really strong in preparedness. Have air-gapped, immutable backup solutions in place so that you can recover quickly. Have training in place and have the ability to really test the recovery. You mentioned that earlier, Rob, and I think that's the fundamental thing that has to change. Practice makes perfect. If you do not practice, there's no way you're going to be able to respond at the worst possible time. Typically when it happens, when you get hit. And I think that's where technologies like ML and AI embedded in the various processes can actually help with automating some of these processes at scale. And maybe, you know, it used to be a lot of companies wouldn't test their DR because it was too dangerous. They were afraid to lose all their data. You know, they have this, we've been having conversations about synthetic data. We can actually create synthetic data and then test against that. That's another sort of new trend. I wonder, Andrew, can you bring up the second slide here, please? If you could, of course I, here we go. So, more is expected from data protection solution providers. Christophe, what is this telling us? Set this up for us. What are we looking at here? Well, you know, essentially, if you are selecting a data protection solution, you're going to have some RFP, some expectations and you're looking to the earlier points that were made at the breadth and depth of expertise and technologies. You can't do it alone. And really what this is saying is, it used to be that you were focused on supporting platform A, B, or C, or cloud A, B, or C. Now, it's about partnering with a much different ecosystem. So, a lot of it is also about the ecosystem integration and about having the right partners, the right alliances, the right API integrations in place. So, all of this will take time, obviously, but this is where having a full view or 360 view of the problem is critical. 
So, you can use models like NIST, for example, to prepare and there are new versions of it coming out. There's also regulation that helps maybe provide some incentives, but it's really a governance question that has to be based on understanding the ecosystem and really your data lifecycle. If you can take a look at it from this prism, this perspective, you get to a point where in a sense it doesn't really matter what hits you, you have a recovery process that will work or at least you've done enough that you can really shield your data from being affected or extorted or exfiltrated. I want to double click on this. Bring that same data up again, if you would. So, you've got cloud security, network security, DLP, endpoint vendors, manage the MDR, manage MSSP, which is taken on. This is the security problem, right? This is it right here, right? You've got to work with all the XDR, you've got to work with all these guys. I mean, elaborate, Z. This is the problem with security. We have too many tools. Every time there's a new threat, we roll on another tool and then you get to a point where you just can't keep policies straight and all the management's different and so you don't have consistency across them, right? And I was talking with Cesar earlier this year who said he finally understands that trying to roll up best of breed everywhere doesn't lead to best in class threat protection, right? And so I think there has been a big pivot this year trying to move more from a cyber side anyways to platforms that doesn't really address the data backup side and the recovery piece of it because that's a whole separate discipline. But I do think the more we can consolidate down the number of vendors we have and you look at NDR, XDR, endpoint, if we're managing those separately then all we're doing is we have silos of information, silos of policy and nobody wins with that. 
You and I have talked about this, Zeus, where you really shouldn't even try, companies shouldn't try to be best of breed and have a big broad portfolio. In fact, maybe best of breed means you have a broad portfolio but each individual component is not necessarily the best of breed. It actually works together and is integrated. As somebody who's worked on this challenge with startups who have to be best of breed but you've worked with big companies. How do you think about, how should companies think about addressing that problem? Yeah, I mean, I think companies need to look at that list and say how do I partner up? As Christophe was saying, what are the right APIs? What are the right integration points? Because on average, ransomware is in your environment for like 300 days or something like that. And when you start to look at the extent for ransomware and other things is how are you going to respond and going through it? I would take a little bit of a bone to pick because in the early 2000s when I ran storage in DR for our financial services we tested our DR twice a year. And that was with capabilities that were far less from what is provided by the vendors today. Well, you had to in financial services, right? That was a requirement. More or less had to. The one industry. But it wasn't twice a year you had to do it. So you start to look at it and go, testing makes perfect but it also gives you an opportunity to use some of those other tools to then go back and look at that data protection, look at what you've backed up. Is it the right data? Have you, do you have stuff that's sitting there that may not be a good place to go and restore back to? And I think that's probably what you're seeing in some of that data. I came out of that industry too and the one big takeaway I have from that is in the world of backup and recovery everyone's an expert in backup, no one's an expert in recovery. Yeah, you have to have that. You have to have that. Backup's one thing. 
Recovery is everything. It is. But you have to have that clean. Even if you test there's always things you forget. So I think this is a very good point. It's not the, as I said before, it's not the hurricane is coming and you know exactly how you're going to shut down gracefully and how you're going to restart, fail over to the cloud, whatever. Doesn't matter how you do it. This is where, when people are running with their hair on fire, okay? Not a good thing. So what you're looking at is really the ability to have multiple paths to resolution and that's why it's very, very difficult to do at scale and that's why you need to integrate the teams and really revisit all the processes and this is why I like to say that DR is dead. Now it's cyber DR, cyber resiliency. That's the new standard. It's a lot more complex. IT professionals agree. They think DR is a different or cyber recovery is a different animal. It's a multi-headed beast and what it does that it fundamentally changes a number of things. On the end user side, how you organize, how you train, what technologies you buy and we can talk about too many, not too many. That's a complex conversation and then on the vendor side, it changes the nature of how you look at your market, your personas, who you talk to, with whom you partner. So all of this has to work in unison which means that it's going to take a while to resolve because the cyber attackers are not waiting. Even on the data side though, think of what's happened in the world, right? We have hot storage, cold storage, job deck storage, we have stuff in Kubernetes now, right? Stuff in the cloud, stuff on-prem. That world itself, like when you and I were doing it, I don't know how long ago, but it was pretty easy. Like, well, not easy. It was straightforward. Well, it was straightforward. Not easy, but, and now to Christophe's point, you don't have the warning of the storm coming. 
All of a sudden, your data is locked and you got to make a decision, do I pay the ransom or not? If you pay the ransom, there's no guarantee you're getting the data back, but at least there's a shot at it. And if you don't have that path to recovery, I mean, your company could be crippled. But I think also what it goes to is the fact and you're talking, okay, so I have Kubernetes, I still have to go to where the data lives and I still need to protect the data, air gap the data as we've been talking about most of this day and be able to bring it back to a safe place, a clean place. And I think that's part of it is that the attacks have gotten so sophisticated, it's how do you know what's a good place to actually go recover? And to Christophe's point about hair on fire, I've been in those situations where things have gone bump in the middle of the night and you have to recover to somewhere else and everybody, all hands on deck and you gotta look at, okay, do you have the processes? Do you have the people? Do you have the partners? Because I think those are the three P's that go into it that are going to be that and who are those partners and who are they gonna really help you because it's so complex to know, am I recovering to a known good? Am I recovering to a known good place? And can I get up and running so that financial services can keep running because I can't be out for more than 48 hours or if I'm at, in a lot of companies nowadays, you have to, if you're out for 24 hours, your company could be down and gone. That's how rapid this stuff happens. Yeah, bring that next slide up. I think this sort of speaks to it, which is 52%, I just kind of screwed up the order before 89% ranked ransomware as the top five threat. You're right, it could take you out, right? Absolutely, and I think that's what I was saying. That's why for the first time ever, when you talk about storage or backup and recovery, you can actually walk into the boardroom and they'll listen to you. 
Never happened to me before. I've been in this business for a couple of minutes. So I think that shows you the nature of the problem. But it's also an incentive, right? It's an opportunity to change as other investments are made across the infrastructure. So yeah, we talked about storage, we talked about, we could talk about any component if you think about the reward and sort of the stick and carrot here. Clearly this is the stick, ransomware is. But the carrot is, whatever you do will be an opportunity to improve your environment and very likely it will allow you to then be even more digitally sound if that makes sense as you move forward. So of course it's not ideal to think that you have to improve because otherwise you'll die. But at the same time, what better incentive for executives to really embrace technology even further and support the efforts to fix the problem. The scary part too is if you get hit once, you're statistically much more likely to get hit again. It's not like lightning. No, it's not like lightning. It's the opposite, yeah. Because say, whoa, there's an infrastructure that's not resilient, let's keep hammering it. I do think one of the things that's missing here too is from a lot of the investments in this do need to come from business leader down. I was talking with the CIO, one of the city organizations down South, I won't say which one. And she said they knew it was coming because the state had got hit, some schools had got hit and it was just a matter of time before they got hit and she tried to get funding for it at a city level and it kept getting pushed, kept getting pushed, they got hit. There were no city services available for an entire week while they tried, while they recovered all their systems. And it's one of those things where, you know, it's like buying life insurance and things. You don't really think about it until you get hit and it's the thing that might happen but might not happen. 
But this is where I think, you know, this has to be considered part of, you know, critical infrastructure for all companies and I don't think a lot of business leaders think of it that way. Our last guest today is Dr. Tony Bryson who is the CISO of the town of Gilbert in Arizona but it's actually the size of a city. I mean, it's basically, it's an organizational, I mean, mid-sized, a large organization. Yeah, but I think it goes back to something you also said earlier where it's, because it's become a boardroom discussion because I could end up as somebody in the Wall Street Journal because I get ratted out to the SEC by the attackers and the hackers. So I thought, you know, that brings up, do you really wanna be in the Wall Street Journal because you were ill-prepared for something or you're gonna, you know, an ounce of prevention, you know, more than a pound of medication at the end, other side of things, how do you balance that out? To Zeus's point, I think government, especially in the small government side, it has to lean on their partners. I mean, I think that's the big thing and probably what we'll hear later on today is that you gotta look for those partners that are gonna help you get across to de-risk what you have. What's the right organizational regime and is it evolving? In other words, I always felt like the backup and recovery function was part of the infrastructure team. Should it be, is that the case and should it be part of the SECOPS team? What do you guys think about that? It's an open question. I think depending on who you ask, you'll get different answers. I think at the end of the day, it doesn't really matter, it's very academic. What matters is that you really combine the recovery operations from a cyber standpoint which means that every part of the infrastructure can send signals to different people and then when the time comes to declare a problem and start the recovery, you know what to do. 
Now whether it's SECOPS that's doing it or some other entity, who cares, right? I think we'll see, the market will decide but for sure what I'm seeing is that for any data protection decision that's being made now, there is a veto power from the security organization from the CISO. So CISOs have become probably the most important executive in many organizations based on the data we've seen. And I think, you know, and as far as the backup and recovery guys well there and guys, they're IT ops, they're cloud ops. There's no more backup and recovery PhD. The problem with having standalone SECOPS teams though is this change has been afoot for a long time where security needs to become distributed across all IT organizations. Right, we've been talking about the coming together in networking and security for a while, you know, DevOps and security. The thing with security is it's changed. It's no longer a game of signatures where you're trying to roll out reactively a patch to a security system that'll take care of a known threat. It's using analytics and the data that you have which spans applications, security, networking, right? And compute and storage, using that data to try and infer breaches. And because of that, security now almost becomes a distributed function across all of IT versus a standalone. Yeah, I think it goes back. Last word, why don't we go around the horn? You start and we'll go clockwise. I think, you know, building off of that, I think you have to bring, it has to be a whole, everybody likes, it has to be part of security, has to be part of, you know, cyber resilience. It's an organizational top-down mantra that there's none of this shift left, shift right kind of thing. It's everybody has to be involved because the signals are very specific to, exactly, you're not looking for signatures anymore, you're looking for different signals. And those signals can be very minute signals within application performance data and things of that nature. 
So that brings in observability. And I think that's going to be really a key is drawing it across organizationally in through, if you call it platform engineering and bringing that through the entire organization. Right. And Christophe, thank you for bringing some quality survey data from ESG to the session today. Really appreciate that. What's your last word? Well, we looked, as I said, at the market in terms of maturity. Here's the sobering news. We ranked organizations and had four stages and the leaders, stage one are only a fraction of the market, less than 20%. So there's a- It's good and bad, guys. Yeah, and the VCs, I guess. Yeah. Exactly. Zeus? I think this is a fight fire with fire. The bad guys are using the cloud to leverage in AI. They're leveraging machine learning and they're able to create such sophisticated attacks today that you cannot fight back with traditional old school security methods. And so I don't care how good a security engineer you are, you cannot manually look at data and infer what it's saying anymore. You have to embrace AI because the bad guys are and you're never going to be able to catch up otherwise. Guys, it's such a pleasure working with top analysts like yourselves. Thank you so much for spending some time with us today. Really appreciate it. Okay, keep it right there. You're watching Navigating the Road to Cyber Resiliency, the summit, which is made possible by Dell Technologies. We have so much more to learn today so don't go anywhere. Rob Emsley is up next, the sort of visionary behind this whole program. Keep it right there.