 We're back navigating the road to cyber resiliency. This is episode two, and Michael M. Bruzzo is here with Worldwide Technology. Michael is a systems engineer with WWT, deeply understands data protection, DR, cyber recovery, architecture, and much more on Michael, thanks for coming up. Well, the rest of it. Yeah, good to be here. So what's your role? Well, first of all, a little bit about WWT and what's your role there? So we're a large privately held, value-added reseller across the market. We were Dell's partner the year last year, and really we like to engage with our OEMs and our customers to obviously facilitate, add value and bring our expertise to bear to help customers deploy the best data protection solutions that we can. And large as an understatement, I think it's known that you guys are like 17 billion dollar company. Yeah. Very substantial player in the market. And really working to double every five years and just very focused on growing the business. This is a second scene objective. I love it. So simplification is a big theme in tech generally, but specifically in cyber security. When you work with customers, what are you hearing? Where do you help them start? How do you help them get started? And how do you set expectations so they're not trying to get too far out over their skis? Well, that's the important thing is setting good expectations, right? I mean, the first thing we need to do is look at what applications need to be protected, get a firm understanding of what needs to be protected, where the customer's crown jewels help them understand what their RPOs and RTOs need to look like to ensure that they're going to be able to recover the data appropriately. And then develop a plan to execute on that and understand what those timelines need to look like so that when we do get into deployment, nobody's surprised. Okay, so you start with sort of, is it a discussion? Is it an assessment? And what's the starting point? Definitely start out with a discussion because you always want to have a conversation, but then we can perform assessment. We do app rationalization studies, help understand the dependencies. Obviously, if you're protecting a large application, you want to make sure we'll complete some parts that go in there are protected together, things of that nature. And then make sure you're engaging the right stakeholders as well in those early discussions. Okay, so you've been at this for a while. I'm interested in the lessons learned from two perspectives. One is from the many, many years of experience you've had. And then the second is post COVID because pre COVID, people talked about zero trust, but they really weren't serious about it. It was kind of a buzzword. Now everybody's on the path. And I think they're realizing, wow, this is going to take a while. All this hybrid work, remote work. And I know people are coming back to the office, but still a lot of people working remotely. So there's sort of lessons learned, pre and post. And maybe you can share those with us. The lessons learned pre, I think the biggest thing again is that especially in large organizations, this needs to be a top down scenario. If you try and work it from the bottom up, it becomes very difficult because the first thing you do is walk in and tell everybody that what they're doing is not sufficient. When it's a top down perspective, you have to make sure that you engage both the security and the information teams. And generally at the C-suite, so it's the CTO, CIO and the CISO all have to be on board to make sure that that's going to work in a coordinated fashion. And then the other big overall lesson learned is don't try to boil the ocean from day one because that's gonna result in a project nobody's gonna be able to swallow. Post COVID really, what we're encountering is that there's a much greater awareness in organizations on the need to manage that data and protect it. So what we're seeing is more awareness of security out to the edge. And the fact that data is not just always going to be sitting in the middle of that big data center in some centralized location. Also, we're really seeing post COVID, a lot of customers have moved a lot of solutions to cloud-based and incorporating the cloud solution and understanding how to protect the data that's in the cloud as well as the data that's sitting inside the four walls. So that's interesting as it relates to stakeholders. As cloud has like now become the first line of defense for a lot of companies. And yet, you know, cloud has codes where you get application developers that are actually being asked to secure the infrastructure. And that's not their... Oh, that's AppDev, it doesn't need to be backed up. No, no, no. Right? So in terms of the stakeholders, how do you connect? You got the infrastructure, you got apps, you got business processes, are you bringing in the line of business people? Is it the AppDev heads? How do you deal with that? I think is eventually what needs to be happening. But again, at the beginning of the day, the C-suite has to have a full understanding and then push that down from the top. This is where we're going in order to save the business. Because you have to remember when we're talking about cyber resiliency, these are existential threats to customers' businesses. You may not be there tomorrow. You know, this is an, oh, we're down for two weeks because hurricane. This is, oh, all of our data's been encrypted. Oh, all of our data's been ex-filtrated. And that is, you know, it's a threat to the business that everybody has to be on board. And often, to that point, it often comes down from the board because they have the fiduciary obligation to ensure that the business is gonna be there. They're very much aware of these threats. And the board and the CEO come to the teams and say, this is what we need to do to make sure we're here tomorrow. How much education do you have to do at the C-suite level? Because, I mean, there used to be this mentality of, oh, you failed, you're fired. And I think that's gone away, has it? And how much education goes on? Less now, which is great. And in fact, at WWT, we're really starting to lean into tabletop exercises for that. It's really nice, we're developing a script that essentially puts you in the room when a cyber attack occurs and walks you through a typical response so that you kind of get a day in the life. And we've found that when we do these kinds of tabletop exercises, especially with folks in the C-suite, they walk out with a much better understanding of the potential downsides of doing nothing and of what mitigation would look like. So it's like the empathy exercise. And you put the C-suite in the sec ops shoes. Yeah, and oh, by the way, what do you do when your operations officer is backpacking in Maine when the cyber attack occurs? Raw, raw. Yeah. Well, and how do you permeate that? So you got top down and then I guess that trickles up. And then you got the middle out meeting. You've got all these, let's face it, bad user behavior is going to beat good security every time. So how do you create that security culture? Is that part of what you see organizations doing? Do you work that into this? Doesn't quite fit into the data protection value. I mean, the good news is that, from a data protection side, I think for the last 23 years or so, everybody's kind of understood that you have to have your backup. So if we can get the information, technology and security organizations on board, the end user behavior of protecting the data is generally already there, which is very helpful. Do you think people, I mean, do they typically, they must underestimate the scope of the problem and what it's gonna take in terms of human capital and budget, et cetera. Right, and that's really important to start setting those expectations early, understand what the budgeting looks like and more importantly, what the timeline looks like because if you underestimate the amount of time you're gonna need to spend to do app rationalization and understand what you need to protect, the whole timeline goes down like a bunch of dominoes. So getting those expectations set up front and that's something that we do a lot of with our customers at WWT. It goes out of scope expectations that may be in the executive's mind that, what's it gonna take for me to solve this problem, right? How much, give me a number. And scary, scary, boil the ocean conversations. And what we tend to do in those cases is really start small. So what do you need to rebuild your shop, Mr. Customer? Start with putting that in a safe location, tertiary copy offline, and then expand to what's the data that the business will be going tomorrow if you lose it. And then move on from there. So it's generally kind of a better, best, good, better, best approach. So as watchers of the Siri know, a major focus has been the adjacency between data protection and cyber resiliency. So we've been asking all of our guests, where does data protection fit into that mosaic of cyber security? Well if you look at it, and we've been doing it this way for a little while from the pillars of the NIST cyber resiliency model, obviously we're recovery, right? We're the guys that you go to to get that data back. And that's the key feature functionality where we play in. And one of the biggest changes there is now we're going from a small scale recovery anticipation to a large scale recovery anticipation. We gotta get the whole business back as fast as possible. But we also fit into some of those other pillars, right? Anticipate. One of the key things about backup is it touches every bit of data in the organization. And if you can start to do analytics against that backup data, you can understand things like blast radius and infection time a lot faster. So we definitely see a lot of our OEMs developing capabilities around that that we're then evangelizing to our customers. And then on the back end of that whole NIST cyber security model of being agile and learning to respond and kind of skate to where the puck is going. The bad guys are not sitting still. They're learning, they're developing constantly. This is a constantly changing threat landscape. And if you're not every time going through and analyzing where could we make this better? What's changed? That final pillar is I think really important to make sure that the data protection teams are engaged in. So I do a lot of these types of interviews and people will often say, look at the NIST framework and begin to implement that. And that's obviously good advice. And there are other frameworks as well, but the customer sometimes have a trouble operationalizing it actually, driving it through the business so that it can be continuously improved. Do you find that as a challenge and how do you address that? It's definitely a challenge because I mean, organizations don't like to go, they like to go, okay, this is in the done pile. We're through. Check, we have a disaster recovery plan. We have a cyber recovery plan. And when you come back in and tell them, yeah, and you have to test it, that costs money, and you have to then sit back and, well, how has the threat landscape changed and how do we need to change it? There's always gonna be resistance to that because it costs money and it gets things out of the done pile and back into the to pile and nobody wants to do that. So yeah, working with customers to help them understand that that needs to be done and modeling good behavior. When we first met, we were using this sort of football analogy. You've got two teams that are pretty equal. And you're not gonna get a first down on every play. You're not gonna not punt. Right. And you use an analogy about watching film. What was that? They're gonna watch your film. They're gonna watch your highlight reels from your previous games and understand, what are you doing? And that's the thing. The bad guys are looking at all of the stuff that we look at. They're evolving their strategies and solutions. You have to stay ahead of that. You have to keep working and understanding and getting educated. And that is really, really huge because again, hurricanes are not out there looking for soft targets. Right. The disaster recovery and cyber recovery are related but very, very different in that respect that you're dealing with an active opponent who's evolving, who's changing, who's looking at your highlight reels who's studying your plays. And sometimes it goes all the way up to state level actors. You know, I mean, as the time of recording this, we've got a lot of health systems in Connecticut that are just have no information technology right now. This is a scary, scary landscape and we're not just spread and fought. So taking that metaphor and sort of applying it as well, I like the sports metaphor because, you know, a coach will come up with some new, whatever, like the West Coast offense when it first came out and then, you know, the defense had to respond to that. You see it now with AI. I feel like when you work with a company like a large company like Dell, they had a lot of AI, they still have a lot of AI, but they maybe had AI access to AI that the adversaries didn't have. Now, all of a sudden, chatGPT comes out, the adversaries have, you know, they start to, the light bulb goes off. Do you think that in the near term that all this AI buzz helps the adversaries more than maybe the defenders? It certainly makes it easier, it lowers the barrier of entry, right? Because if you're really clever, you can trick chatGPT into telling you how to hack a system. And you don't have to have a lot of technical knowledge to do that. It used to be, you know, you at least had to understand the technology really well. Now you can have this, you know, AI spit out a script that will help you to subvert a system, and if you can subvert a system, you can subvert multiple systems, et cetera. So that's really the scary thing for me right now is it lowers the barrier of entry and makes this significantly easier to repeat and to deploy these attacks. And we kind of saw this with ransomware for a while where, you know, you could go on the dark web and you still can and get ransomware as a service and outsource your ransomware. It's a business, it's a volume business. And that's still my biggest concern is ransomware for service or ransomware for state actors because, you know, all they have to do is succeed once. And that's why we tell our customers, you know, you have to operate under the basis, not a matter of if you're going to get attacked, it's a matter of when you're going to get attacked, it's not a matter of if they're going to get through, it's a matter of when they're going to get through because the good guys have to win every time and the bad guys only have to win once. So what's the one thing that you would ask customers to not do and or do? The one thing that I would ask them to do is to really take this seriously and make sure that at the very least, you have a tertiary offline copy of the information systems and things like that, switch records, DNS, I don't want to get too technical, but the stuff you need to rebuild your shop, that's square one, that's the important thing. And the one thing that I would tell customers to not do is to not don't make the ostrich play. Don't stick your head in the sand and hope this thing passes you by because hope is not going to be a solution for this problem. And that recovery is not so simple, right? You got multiple databases, you got multiple tools, you got it to affect different business processes. So you really got to think that through. Yeah, planning, planning, planning. Michael, thanks so much. No, appreciate it. Thank you. Great having you. All right, keep it right there. I'll be right back to wrap up and share some news with you. You're watching episode two of Navigating the Road to Cyber Resiliency.