[00:00:00] Speaker A: What we're seeing is that it's no longer really a matter of if you get breached nowadays, it's a matter of you're going to get breached and then what you really need to consider is how bad, and then how long does it take me to recover.
[00:00:17] Speaker B: This is KBCZ as a primary target for ransomware.
[00:00:22] Speaker A: Campaigns, as security and testing and performance, risk and compliance. We can actually automate those, take that data and use it.
[00:00:32] Speaker B: Joining me now is Martin Cregan, Vice President, Asia Pacific at Commvault. And today we're discussing the critical move towards a cyber resilient future. So, Martin, thanks for joining and welcome.
[00:00:43] Speaker A: It's a pleasure.
[00:00:44] Speaker B: Okay, so Martin, I'm really curious to sort of start with your definition of a cyber resilient future. Now, I ask this because there's so many people talking online on social media, LinkedIn, talking about cyber resilient future. So I'm really keen to understand from your perspective, how do you sort of see that?
[00:01:01] Speaker A: Yeah. Thanks, Carissa. I agree cyber resilience, and especially over the last 12 to 18 months has really been the rage in regards to our cybersecurity community. But the way we define cyber resilience is an enterprise or an organization's ability to continue to operate whilst under cyber attack. And what that basically means is they actually have the capability to enable their business to continue to function specifically in central areas when their IT infrastructure might be compromised.
[00:01:30] Speaker B: Yeah.
[00:01:30] Speaker A: Okay.
[00:01:31] Speaker B: This is interesting because I ran an interview with a global CISO of a manufacturing company, I think two weeks ago, spoke all about this. So I'm starting to see a bit of a, I hate to call it like a resurgence in the whole, you know, operating, you know, under a cyber attack, you know, resiliency. So for a while it was all, you know, to your point, the rage on other sort of areas. But now I'm sort of seeing the real basic sort of stuff come back. What would you say is a big indicator that then for that is it just the sheer volume of breaches and incidents that we're seeing? Or, you know, it just seems from a media perspective this is really the focal point at the moment.
[00:02:08] Speaker A: Yeah, I think there's a couple of driving forces that are really pushing the cyber resiliency capability into the market.
The first one is rapid data growth. We are seeing data growing in places like Australia and New Zealand at 27% year on year. And this might not seem like too much because it's kind of stagnant from the year before in 2023 as well, but what it does indicate is that we continue to see a significant expansion or explosion in regards to data volume and data growth. So that's one aspect of it. The second aspect is in today's cloud first world and many organizations in Australia and New Zealand, both being countries that are cloud first countries, meaning that many enterprises and organizations either have moved their workloads to the cloud or are in the process of moving many of their workloads to the cloud in that cloud first world. Because of that move, their environment, the IT environment and their overall environment is really complex. We start introducing, you know, the concepts around multi cloud, et cetera, a blended IT environment.
And in fact we actually just did our State of Data Readiness Report. It's a survey that we commission every year with Tech Research Asia. We're in our fifth year of commissioning that research.
That research has given us visibility across a thousand enterprise organizations across Australia and New Zealand. And what we're finding, Carissa, is that data spread across multi clouds and multi environments and multi geographies are causing complexities that a lot of IT operators and IT companies, or IT departments I should say, are struggling with. But what it also means is because of that complexity, what we're doing is opening up more threat vectors for threat activity to enter into our environment. So what organizations are doing is looking at that and saying, okay, with the explosion of data growth as well as the complexity around multi cloud, multi geography and multi environment, we're opening up more opportunities for threat vectors. We better ensure that we are cyber resilient in the case of an attack.
[00:04:15] Speaker B: Okay, I want to stay on the point around data growth. So you would have seen, given your experience and your tenure in the game would be for a while we collected as much data as we can about people like you and I, because I worked in a bank and you know, our goal, you know, this going back more than 10 years plus to gather all that information so we could sell to people like myself on home loan, etc. Right? Then we sort of gone through the phase where we've freaked out when especially new laws like GDPR and Europe and places like that. And, and now with all of these, you know, data breaches that we've seen and people getting fined, et cetera, people, organizations, branding sort of going a little bit down the drain because a breach has happened.
So with this whole influx of the data, would you say from your experience, companies now are trying to sort of shed themselves in this data because like, no one really wants to hold data if they don't really have to.
So what's your understanding then of that? Are businesses now trying to get rid of things they don't need? I've spoken to other companies like NetApp who I believe you're strategic partners with and they're saying like a lot of people have got all this data that they're not even using and it costs a lot. Right, so what are your thoughts then on that?
[00:05:23] Speaker A: Yeah, I think people are getting much more and organizations and enterprises are getting much better and much more, I suppose, organized around their data management, data classification and getting in line with their requirements in regards to the rules around data retention. So I think that's absolutely the case and the reason being is really twofold. Number one, we actually already talked about the fact that a lot of organizations specifically across Australia and New Zealand are moving to cloud. So we actually are seeing a 70% increase in regards to organizations moving their workloads either from a private data center or on premise into a cloud based environment, whether that be a public cloud or a private cloud. What we're also seeing though is in that move and with all of the ways to actually create data, we have more than 50 billion connected devices through IoT and we have a more connected enterprise than ever. And that means we have more data, we have more sensors out in that environment, we have more ways to correlate and collect that data than ever before. So what we're seeing is that steady growth of data and what organizations are looking at is they're saying that data is actually my IP and if that's my IP, what I need to do is be very aware of what's contained in that data and then most importantly, how do I manage that data, how do I classify that data and then how do I protect that data? So over the last three to five years we've actually seen a significant increase in regards to organizations that are more prepared in regards to classifying, managing and of course protecting that data overall.
[00:06:58] Speaker B: Okay, so would you say now with everything in the industry, you know, AI and all these sort of new things that, that we're hearing about and we're seeing about new companies being launched, doing all these more exciting sort of things like you and I probably both know, Martin, like, you know, storage and all these sort of things, like data isn't the most exciting, but it's really important.
So how do you get people to get to the point where it's like, hey, maybe all these other cool things that are happening out there are fine, but you've got to really focus on like the fundamentals. So how do you sort of get people on that journey on. Let's not get too carried away. We need to really start here, to your point. We need to manage it, classify it, protect it, all of those sort of things, because, I mean, we've been talking about doing this right for years, and yet companies still haven't managed this effectively. So what would be your advice, given your position, to make sure that businesses are sort of on board at the fundamental level, like you're discussing here.
[00:07:54] Speaker A: That's a great point, Carissa. So, first of all, as we mentioned, because of that continued data growth that we're seeing out there and because of the accelerated threat landscape that we operate in today, we actually have to accept that cyber attacks are going to continue and accelerate globally. And what we're finding, specifically through our State of Data Readiness Report, we've actually had more than 70% of our respondents acknowledge that they've been subjected to a ransomware demand. In addition to that, we're actually seeing that over 70% of the organizations that we've actually worked with have also indicated that they have an incident response plan in the case of a cyber incident or a cyber attack. But what was really interesting is about 57% (and this is a mixture between Australia and New Zealand; it's probably closer to about 55% in Australia and 63% in New Zealand) of the organizations that we surveyed said they're not confident at all in understanding the relationships between metadata, the configurations that they have, and how they would go about restoring their business or getting back to operations if they were breached. And that's what's really important is how prepared is your enterprise or organization in the case of a breach. And that refers back exactly to what you're talking about, Carissa. It's the basic blocking and tackling of making sure that we're prepared in case something happens. It's the insurance policies, are they in place and are we actually ready in the case of an event?
[00:09:23] Speaker B: So in terms of the ingredients that would define confident versus not confident, what would you say those ingredients are or the driving indicators?
[00:09:31] Speaker A: We actually, through the State of Data Readiness Report, have actually uncovered a couple of really, really, I think fundamental key challenges that enterprises are facing. The first one is in that report, we asked the executive team of those organizations, so the CEOs, the CFOs, the COOs, we asked them, in the case of an incident, what is your expectation or more importantly, what is your requirement in regards to recovery? Like, how fast do you need to be able to recover? And more than 95%. Almost. You know, almost everybody clicked. I have to recover at that level, at the CEO level, they said we need to be back online within 24 to 48 hours. We can't afford to be out any longer than that. We need to continue to operate. What was so interesting, Carissa, is when we asked IT operations and security operations and the infrastructure folks, et cetera, when we asked them that same question, they said, oh, yeah, it'll take us about five to seven days.
Now, that alone is really interesting because if you look at the huge gap between what the executive team is saying that we need to continue to operate as a business compared to what the IT and security operations and infrastructure teams are saying we can deliver, there's a big gap. And I'm going to come back to that in one second. The most alarming part of the statistic, though, is the global average to recover. In the case of a cyber incident in global enterprises, the global average is 24 days.
[00:10:55] Speaker B: That's ages.
[00:10:56] Speaker A: You're correct. Right. And so when we sat there and we looked at that and we've seen these stats coming back across, we were like, hang on a second. That's like that discrepancy or that disparity, if you will, between what the executive team wants and reality is crazy. And by the way, we have absolutely been able to validate the reality because in the last six months alone, Commvault has helped literally hundreds of our customers recover from cyber incidents in their environment and bringing them back to life and giving them the capability to continue to operate. So we have validated on a global average that that 24 days is, in fact, you know, is in fact correct. Once again, it is a huge gap. So what we did is we said, okay, this is really good data. We need to help our customers and we need to help enterprises and organizations across Australia, New Zealand. So let's dig into that a little bit. Why are we seeing such a big gap? So as we started digging into what's taking so long and why the gap in perceptions, we found out a couple of things. The first thing that we found out is that when organizations are breached, when there is a cyber incident, it can take them up to two weeks to find what we call the RPO or the recovery point of operation. And what that means is that as they start to recover their data from backup sources or from tertiary immutable backups, storage, et cetera, when they start doing that, they need to know, where do I back up from? In order for them to know where do I back up from, they need to know where did the bad guys get in? So in the State of Data Readiness Report, another alarming statistic that came out and was presented to us, which was once again a little bit scary, but not surprising, is that the average dwell time of a bad guy operating in your environment is almost 200 days. It's 199 days to be exact.
So what that really means is that when these threat actors are getting into your environment, in many cases the enterprise or the organization is not detecting that for at least 199 days. So they're not either A, detecting it or B, they just don't know about it. And they only find out about it when they get the phone call. And they, you know, here comes the ask for the ransom. Now that alone 200 days, I mean, you're talking well over, you know, a half of a year. You're going to seven months of dwell time of time that I'm operating in your environment. And what the threat actors are doing is they're going left and right and up and down, and they're looking for all the different information that they need, ppi, et cetera, in regards to making that ransomware request even more effective. So the first thing to actually think about is, geez, 199 days is average dwell time. That's a pretty alarming statistic. However, once they hit the button and I know that I've actually been impacted and I know there's been an incident, that's when we start hitting the timeline on how long does it take to recover. And that average, as I mentioned, is 24 days, where the CEO and the CFO, et cetera, are saying, I need it back in 24 to 48 hours. So when we look at that second part of what we call the recovery chain, we look at what has taken that 24 days. The first part, as I mentioned, is finding that RPO, it could take up to a week to two weeks. The reason why, on average that's taking so long is because most enterprises or organizations need to bring in some type of a forensics team or run forensic software, et cetera, to find out where did the bad guys get in. So that's the first part. The second reason that we found it takes so long to recover is because most enterprise organizations aren't actually testing or preparing themselves in a proper manner.
And what we mean by that is we went out and we did the survey and as we go out and we talked to customers, specifically the customers that we help recover, so who have been breached, and we say, why haven't you tested? And they said, well, we have tested. And we said, explain that to us. When you say tested, what do you mean? What they mean by test is I had, I have a check sheet and I'm going checkbox, you know, tick box by tick box. You know, do I have a server? Yes. Is the server on? Is it connected to the network? And they're ticking off items on their tick box. They call that a test. Or when they're saying testing, they're saying I have a primary and a backup of the primary is off. The backup came online.
Yes, it worked. Which is more of a disaster recovery type test versus a cyber recovery type test. Now the reason why that's so important is because when the actual incident hits the fan and the actual incident actually happens, what we're finding is that the application and the workload and the data are actually down. You don't have access to it. If you are now going through the process of going through step by step trying to identify what are the necessary steps to get online and you haven't tested to that prescriptive level before, you're going to be in a lot of trouble because most organizations find through that process, oh geez, I forgot that this application was connected to that network or that this schema, I was connected to that, or it's connected to my Active Directory, my Active Directory is down, or whatever scenario is. So what they're doing is finding out at the time of recovery what the requirements were and that delays how long it takes them to get back online and get to recovery. And then the third piece, which tends to be the longest piece in the actual recovery chain, is the actual rebuild of the application. So there's three primary parts. Where do I recover from, which is the RPO? Have I been doing my testing and has my testing been prescriptive enough and detailed enough to give me a detailed runbook and a step by step process to get my services back online? And then the third piece is then I have to rebuild my applications and that's what takes the time.
[00:16:41] Speaker B: Okay, this is interesting. I really want to get into a couple of things and press on this a little bit more. I want to, I want to go back just a second to the 24 days. So I want to give you maybe just what was coming up my mind as you were speaking there, Martin, would be people nowadays, they're so impatient, right? So I'll give you an example. The other day I was at home, electricity, there was some outage in my area. A lot of people were impacted. And then like after an hour I'm like, well, I need sort of the, my electricity to come back on. It's cold. That was only one hour in terms of pain. Eventually it came back after two hours. So that was good. But even after one hour, I was annoyed. So if I take that annoyance, that and that feeling that I had in a business that's offline for 24 days, how does that then impact in terms of how annoyed customers are going to be? You're going to have all the Twitter trolls going ballistic online.
I'd also be curious to see how much revenue these businesses are losing. I mean, I've spoken to people that have run these e-commerce businesses. Something's happened. They've lost substantial amount of revenue. So that number doesn't surprise me. I mean, it's a long time. But in terms of where we are in today's day and age, with how impatient people are, everyone's everything now. People are so quick to, you know, get on the phone and start contacting these businesses on the front line. Ten to call centers and online and social media.
Help me make sense of that because this, that's just, that's just going to wipe businesses out, wouldn't you say?
[00:18:45] Speaker A: 100%. And that's, you know, once again, depending on the criticality of the industry. I mean, like, could you imagine a hospital organization that couldn't, you know, do emergency surgeries? Or could you imagine, of course, in banking and finance where, you know, we're trying to transfer money and the global economy keeps going and you're not able to transact. So this is why it's so important for enterprises and organizations to take a look at nowadays. It's probably even more important than just the preventative security measures. So if you look at the NIST framework of identify, protect, defend and so on, on the right hand side of that NIST framework was, you know, backup and recovery, right? So the NIST framework, which is probably one of the most common frameworks of cybersecurity globally, stipulates that, you know, the best thing that organizations can do is they can protect, defend and identify from a cyber threat point of view, you know, where the threat is, et cetera. Nowadays, Carissa, what we're seeing is that it's no longer really a matter of if you get breached nowadays, it's a matter of you're going to get breached and then what you really need to consider is how bad and then how long does it take me to recover? And so about two years ago, as Commvault started launching all the new capability and innovation around our platform, and part of the reason why we're considered a leader in cyber resilience today is because we really focused on the recovery piece. So are we there and can we protect your data and do we have the capability to do it? Yes, we've been doing that for 28 years. But where we've really accelerated over the last couple of years is investing in the rapid recovery piece to help our customers and these organizations get online as fast as possible.
So to your point, that is the real important part and what really is the meat of getting back to recovery or getting back online is how prepared are you from an organizational or an enterprise point of view. So once again, have you tested, once again, when you're looking at your environment, have you identified that these are the critical applications and this is the critical data that my environment, that my organization needs to run to keep going in what we call an MVC or a minimum viable company? What are those data assets, applications, network configurations, et cetera, that are absolutely essential for me to continue to operate?
And then once you identify that, do you have those stored in a, you know, a third party or tertiary copy that's immutable, not connected to your network that you could get access to in the case of an emergency? And then if that emergency or that cyber incident does happen, then do you have the practice, techniques and procedures to recover that in a timely manner? And then finally, are you working with partners and do you have a platform that's capable of delivering that to you in a timely manner? These are all the considerations that executives, as well as IT and operations and security operations organizations need to be considering today.
[00:21:43] Speaker B: And would you say, in terms of their maturity towards considering these factors that they're there or they're sort of getting there because they're aware of what's happening and to your point, like they've got to get back up and running as quickly as possible, right? Because that 24 days, that's going to bankrupt people.
[00:21:58] Speaker A: Absolutely. And to your point, we're getting better. We're definitely getting better. So are we better today in 2025 than we were in June of 2024? The answer to that question is absolutely. And the reason why we're better is twofold. Number one, the practices around recovery and specifically cyber resiliency have become more prominent over the last 24 months. And that's, you know, because of companies like Commvault who have been out there, you know, helping our customers, as I mentioned, for 28 years. And really over the last couple of years, helping them identify what are the critical data assets, applications, the data sets, et cetera, that make up your MVC and that can help you get back online. Number two, we've actually really been driving, and organizations, enterprises have been driving more and more and more around things like testing and recovery and making sure that they have run scripts and playbooks, et cetera, to get back online. And then third is making sure they have the applications and the platforms to do that, like the Commvault platform. And I can share with you, you know, some of the innovation that we have in our platform to help our customers do that in an automated way. And if they're doing those things, then they're going to really dramatically reduce that timeframe. So if I can give you one example, we talked about that recovery chain and we talked about there's three primary parts of making up that recovery chain. The first part was identifying the RPO. If companies and organizations are using platforms like Commvault's to help them recover in that organization, we have intelligence and AI built into our platform to help our customers identify that RPO or that recovery point in the matter of minutes versus the matter of days.
So using anomaly detection in our AI, machine learning capabilities, et cetera, built into the platform, understanding our customers environments, we understand why these capabilities are there and we understand that environment and therefore we can help them. So we built an AI engine in our platform called Arlie. And Arlie actually is a little nickname for us. We call it Autonomous resilience. And Arlie is our AI capability to help us identify and pinpoint what we call a clean point of recovery for our customers. And we can do that in the matter of minutes. So that covers off the first part of that recovery chain. So instead of taking days or weeks to find the recovery point, we can help you do that in a matter of minutes. The second part was the testing part that I talked about. And as we started talking to our customers and we said, hey, why aren't you testing? Because if you do get hit with a cyber incident, it's going to be huge damage to your reputation. On average, by the way, global average cost of a cyber incident or breach is US$4.8 million. So we're finding that's going to cost you millions of dollars, it's going to cost you some reputational damage, et cetera. So why aren't you testing to the point you should be testing? Our customers in the State of Data Readiness Report have come back to us that there's three primary reasons why we're not testing to that level. The first one is we don't have the people with the skills and experiences to do the testing. The second reason why we're doing it is because we don't have the spare infrastructure sitting on the floor. And then the third reason why we're not doing that deep level of testing is because we don't have the money. We don't have the capital expenditure to lay out to do it. So Commvault took that away. Last February, we launched a new platform that we call Commvault Clean Room Recovery.
And what we did is to help our customers in regards to this testing, in regards to how we can help them get back online and recover faster. What we did is we launched our platform, Commvault Clean Room Recovery. And the platform is an on demand platform that we have available in Azure, which was the original platform we launched on. It's now available in AWS and Google will be released very soon. So your three big cloud providers providing on demand infrastructure, we bookend that infrastructure with the Commvault Cloud platform, i.e. we do threat scanning, we transfer and move data in and out to make sure that it is a clean environment and that you're moving your data into a clean environment. And because that environment's on demand, we take away the need for CapEx. So we're helping our customers with the money part. So you only pay for how long you need to test. You turn it up, you do your testing, you turn it back down. So we're helping with the CapEx side, it's OpEx instead of CapEx and you only pay for what you need. We're helping our customers with. They say we don't have the spare infrastructure on the floor. That's okay, it's on demand, it's in the cloud. And we have, our cloud partners are helping us provide that service. And finally, we're helping in the people, skills and experience piece by working with our ecosystem of partners around the world that can really help us dramatically in regards to providing the resources that go into our customers, that go into those enterprises and organizations and then help them write that playbook or that run script to get back online asap.
So the first part of that recovery chain, clean point recovery from Commvault, we're helping them reduce from days or weeks into minutes. The second part, which is the long part around testing, we help them with clean room recovery. And then the final piece, which we actually think is very clever, is how do we help our customers automate this? Like, how do we help them recover in an automated fashion? So we eliminate as much as possible, we eliminate the human error side of what can happen, et cetera. And what we did over the last year is we actually purchased two companies. One was a company called Appranix and we renamed that technology to Cloud Rewind. And what Appranix does is lets us automate the rebuild of cloud based applications. We can rebuild the applications, those cloud based applications. We can literally rebuild very large enterprise based cloud based applications in a matter of minutes or hours versus once again days or weeks. And we also purchased another technology last year called Clumio. And Clumio actually specializes in AWS automation around rebuild and backup and recovery. So for very large customers that are using very, very large AWS S3 and DynamoDB implementations, we can actually help our customers automate the rebuild of literally billions of objects that might sit in that type of an environment. And they can do that once again in a matter of minutes or hours versus days or weeks. So what you can see here, Carissa, is we've taken the information and all the dialogue, et cetera, that we've had with our customers and we really went out there and tried to understand what are the problems they're facing when it comes to their environment. They all realize they're probably going to be attacked at some point. They still need to have and still need to invest in, protect, defend and identify the first few elements within this framework. But they also all will now recognize that recovery is a major part of that.
And what Commvault's done is invested in people, process and technology over the last two years to really help our customers reduce that 24 days to the matter of minutes or hours so that we can meet the requirements of the executive suite, the CEOs and the CEOs in regards to getting their MVC or that minimum viability company back up within 24 hours.
[00:28:57] Speaker B: Would you say then? So this is the part that I find really interesting when I'm talking to people like yourself, Martin, would be, I'm running an e-commerce business. Something happens, don't have operate my business because whole e-commerce stores offline, can't access anything.
And that happens for five days. And just say, I'll give you an arbitrary number. $5,000 a day I was, I was making, right. $25,000 in terms of revenue. Do you think companies out there are starting to quantify and really get a number to these people, these businesses around? Yes, you're going to lose this X business, but also you're going to lose, I think we touched on before, reputational damage and all these other ancillary factors that people may not have distilled down.
Because, I mean, as you're getting up the chain, right, like a lot of people in our space about technology and all that, and we get all that. But when you're speaking to a CFO, like, they're gonna be like, okay, well, I need to have this business up at all time because we need to make money. Right. So do you think there are people out there that's really crafting that narrative? And yes, a lot of things that we're doing is underpinned by the technology.
The technology is there to enable businesses and cybersecurity there is to enable businesses. I think sometimes the industry loses focus of that.
So what I'm keen to understand is are businesses aware that if they don't have a business that's operating, how much money they could lose past all the other things we've just listed out as well. Is that sort of really. I haven't seen a lot of that from businesses. I see them more focus on the tech can do this and that, but less so on the business outcomes.
[00:30:28] Speaker A: No, 100%. And they're actually getting down to the point of breaking it down and saying, like a cyber incident or cyber breach is not only on average costing, you know, 4.8 million dollars, but they're breaking it down to, this is costing me X amount of dollars for my type of an enterprise or my size of an enterprise per hour or per day. So they are absolutely getting maniacal about how much could this potentially cost me. And then because of that cost, how do I make sure that I have the mitigating processes and platforms and tech in place to make sure that I can mitigate against that risk? So it is absolutely becoming a big piece of what CFOs and executives are looking at the other piece that's really important. And I know a lot of folks are talking about it and we're seeing it more and more and more, which is the regulatory environment now globally. So whether we're talking about, you know, DORA over in Europe or whether we're talking about SOCI here in Australia, New Zealand or APRA, who have released two new controls with CPS 230 and 234, whether we're talking about NZ Privacy Act or we're talking about, you know, STDV in Hong Kong or MAS in Singapore and so on, it doesn't matter where you go or what geography you're operating in. The global regulators, and specifically in big industries like critical infrastructure, like we have SOCI here or APRA for our banking and finance industries, the regulators are also now saying, hey, this is really important.
You folks, you companies, you organizations and enterprises are the backbone of our economy.
And we have to ensure, no matter what, if we're under a cyber incident or cyber attack, that you folks can continue to operate. So in order for you to do that, we're now changing some regulation and we're writing new regulation that says that you not only have to show us that you can back up your data. As an example, in both SOCI as well as in the new APRA regulations with 230, CPS 230 and 234, they're now stipulating that you also must now show us that you can recover. And that's a pretty big shift. And to be honest, it's a great shift. And the reason why is, once again, it comes back to now, even the regulators in our industries are saying to the executives in our industries that you're a really important enterprise or an organization that's really the backbone of our economy. We need to make sure that you can continue to operate. So here's some industry best practices and industry standards that we're expecting you all to adhere to. So can you please make sure that you live up to these standards and these practices? So we have just seen over the last year here in Australia and New Zealand alone with SOCI, as well as APRA, new legislation and new regulation being introduced into the environment to make sure that our enterprise organizations can continue to operate.
[00:33:06] Speaker B: So you mentioned the word prepared. I mean, a lot of people say, you know, are we prepared? Get prepared. What's interesting to me would be, what does that mean? Now, I asked that question because no incident is the same. So it's not like, oh, I had an incident last week. Oh, it's the exact same team in terms of the blueprint. Right. So every, there's going to be subtle changes if stuff were to keep happening in terms of incidents. But in terms of best practices, how do you, how do you get the most prepared for something that you can be.
[00:33:31] Speaker A: This is really researching data that really stands out. And the survey that we, we just did, I think what it comes down to is using frameworks and using industry best practice and industry standards as a guideline and then working with, you know, the best and brightest out there, whether it's consultancy firms or whether it's ISV partners like ourselves that have been through this and have helped literally hundreds of customers, as I mentioned, in just the last six months recover. And just talking to us and saying what does good look like, what is best practice? So if you look at things like what I spoke about earlier, which is the NIST framework, you know, on the right hand side of that framework, you always have backup and recovery. And I started talking about this a little bit earlier, but over the last two years we launched a, a global conference that we took on the road. We did a global roadshow that we called Shift. And the reason why we called that Shift is because we're saying that Commvault's platform is shifting from the right hand side of the NIST framework over to the left hand side. Because now we can give an all encompassing view across the entire framework end to end on what organizations should be doing to protect their data, the data assets, the applications, et cetera, that they need to get back to a minimum viable company. So we called our roadshow Shift. So I think things like roadshows like that, which are educating the industries in the markets and a combination of then, you know, the regulators who are putting new regulation out there saying that hey, these are things that we need our organizations and enterprises who are regulated under us, we need them to adhere to. Because this once again starts to actually lay down the rules and the foundations of what is best practice. And then like in Australia, we have Essential Eight as well. 
So, so having those frameworks in place I think are foundational elements of what this looks like. And then working with your ecosystem and working with your ISV partners, your GSI partners, et cetera, to say what does good look like, what is best practice and how do we stay ahead of it? That's how you ultimately become prepared. If I give you one last example there, Carissa, last year we actually commissioned some research with GigaOM Global Analyst and what we did is we worked with GigaOM on understanding what we call the cyber resilience or cybersecurity maturity capability of organizations. And we specifically focused around cyber resilience. We actually came up with GigaOM of five key markers and what actually would classify an organization as cyber mature. And all of that or most of it is around their preparedness, what they would do. Like do they have an incident response plan, have they been attacked, are they testing their response plan, are they testing recovery end to end, are they doing more than just tabletop exercises, are they doing more than just tick box exercises, what kind of testing are they, what depth are they going to, et cetera? And it'll give you a ranking. We even have a model that can give you a ranking of how cyber resilient mature are you in that model, one to five. And what we're finding through that study, which was really interesting is of course the companies who have been breached. Once again, over 70% of our respondents in Australia said they experienced some sort of a ransomware attack. Right? So we're seeing more and more breaches these days. The threat vectors are increasing, the attack vectors are increasing. We're seeing that on a regular basis. 
So what was really interesting in the GigaOM research was that the customers that have actually put their hands up and said yes, we experienced, they were either breached or they, they were close to being breached, they experienced a number of attacks, they were able to withhold, et cetera. Those organizations in regards to cyber resilience maturity tend to be up to two times more mature than organizations that either a, haven't been breached or don't realize that they've been breached. It's kind of the old philosophy of if you haven't been breached, our customers or those enterprises or organizations are thinking, oh yeah, you know, that'll never happen to me. But the ones where it has happened are the ones who are much more, are much more mature. They're the ones that are, that are much more prepared. They're the ones that have a plan, are testing the plan, are well rehearsed, red team, blue teams, penetration testing, the whole gamut across that cybersecurity chain of things that we need to have in line to make sure that we're protecting ourselves and mitigating the risk as much as possible.
[00:37:38] Speaker B: So then, do you envision now moving forward, given everything that you mentioned, even saying we're better than we were a year ago? People are considering these other things, factors that perhaps they weren't traditionally or historically would you say companies are now or the goal is to that, that reduction in that recovery time, we're going to start to see that really reduce. So, you know, maybe in a year's time you come back and say, hey, like that, 24 days. It's 20 days now. It's not exactly where we'd like it to be, but it's still, it's on the right path. Will you start to see this become more the focal point for businesses now? And would you also say that perhaps companies out there are bamboozled by other like, you know, AI and all these other cool things that are out there, but they forget just about the, you know, the fundamentals. You can't operate your business well, then everything else doesn't matter at that point. How do you start to see the shift now, as we look forward with the report, everything that you've mentioned, what you're seeing, what you're hearing with customers out there, anything you can share?
[00:38:34] Speaker A: Yeah, we're absolutely seeing that. The cyber recovery specifically. But what we'd say cyber resilience or resilience in general is becoming a much broader and much more important topic at the board level, never mind just within the IT infrastructure shop. But at the board level, organizations are talking much more about how do I ensure that I can continue to operate. At Commvault, we actually coined a new phrase called we want to work with our customers on this philosophy of continuous business. So it's kind of taken the concept of what we were, you know, applying 20 years ago in business continuity and saying I have to have a backup in primary and a secondary, et cetera, and to continue my business operations in the case of, you know, an earthquake or natural event and so on, we're kind of taking that concept and saying in the cyber world or in the, in the world of being resilient, we as businesses and organizations need to have the opportunity to continually operate or to have our, our businesses continue to operate. So we coined the actual phrase of continuous business. And that basically runs us right back into the definition of cyber resilience. You know, the ability to operate whilst under attack or the ability to operate whilst some natural disaster happens. And I'll come back to that one second, if you don't mind, but to answer your question, yes, we're seeing it. The conversations are elevating and that is actually resonating even within my own team. My team across Asia Pacific is having many, many more conversations now at the executive team level or board level in the organization compared to just three years ago, five years ago, where our conversations in those organizations usually resided, in the infrastructure teams, et cetera. So more personas. 
We're getting into the CISOs, we're getting into, you know, the CIOs, of course, and now we're getting into the executive teams in a boardroom, having conversations about how important it is to make sure that your business is resilient and that you can continue to operate. So 100%, we're seeing an uptick there, and I think that'll continue to operate. However you just mentioned it, there's a lot of really cool shiny toys and things that are happening in the industry that can actually take not only time and attention, but also can take away investment focus like AI.
So, you know, there's no way in the world any one of us is going to get away with not talking about AI. The actual acceleration of AI, whether it's gen AI or agentic AI in our environments and enterprises and organizations are starting to use it more. And with that, we're creating more data, and with that, we're creating more opportunities to introduce more threat vectors, et cetera. But also with that, i.e. with using technology and with using AI as an example, we're also coming up with, with really clever ways to help combat the threat. So I like to call it fighting AI with AI, right? Using the technology, et cetera, that is creating some of these threat vectors or creating some of the data or the exponential acceleration of the data and threats, utilizing that technology to also help combat it is something that we're seeing. So that is something that's also very exciting. So making sure that we're using the tech that's creating these potential complexities for an enterprise organization, but using that tech to also help us get in front of the threats or the problems is certainly there. I did want to mention just quickly as well, Carissa. We, we of course focus on cyber resilience. And there is a big, big difference between cyber recovery and disaster recovery. And we, I talk to a lot of executives about that as well, because executives say, Martin, what's the difference? You know, and in a disaster recovery situation, you weren't expecting it because it was a, it was a flood or it was an earthquake or something of that nature. So you weren't expecting it, but you had planned for it. You have a plan. You had a primary data center, that data center was impacted or affected. It's okay, because you have a secondary data center that you automatically failed over to. That is a planned recovery situation. In the case of an incident like, you know, a natural disaster. 
The major difference between disaster recovery and cyber recovery is in cyber recovery you have an active threat actor in your environment and you don't know what their next move is. So how do you stay ahead of that? It's very, very difficult to stay ahead of that. So what you need to do in a cyber recovery environment is basically draw up or spin up a production based environment that's not impacted. By the way, many of our customers are using our Clean Room to do that. Instead of testing, they're spinning up Clean Room, rehydrating their data from their immutable sources and their applications. We're helping them automate and rebuild them and they're running their production environment out of Commvault Clean Room until they can get to the point of identifying where did the threat in, where did the threat get in, how bad is it, how big is it, you know, all those things. That's the major difference between cyber recovery and disaster recovery. But the idea of being resilient and the idea of being able to operate under any condition is something that all boards, all executives and all enterprises and organizations should be keeping under consideration.
[00:43:23] Speaker B: So, Martin, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:43:29] Speaker A: Yeah. Chris, first of all, thank you so much. It's been awesome to spend this time with you. The one thing that I want to leave you all with is test, test, test or practice, practice, practice. You know, the old adage, practice makes perfect. And the reason why I say that is still to this day, being at Commvault for the last two years, having the absolute unarmed privileges covering the entire region and specifically Australia, New Zealand, where I've lived for the last 30 years, and talking to our customers, even though many of our customers know that they need to test and they need to prepare, and even though we are seeing a shift in regards to the number of customers that are testing and are being prepared, it is still very, very, very surprising to me how many organizations aren't putting this as one of their top priorities and are not doing the testing the way they should be. We were with one of our biggest partners last week being Microsoft. And between us, we actually were talking about, you know, getting out into the marketplace and talking to CISOs. As an example, on the top three items of the largest organizations globally, the top 150. Microsoft was sharing with us that the CISOs of the top 150 organizations globally, data protection, or more importantly, cyber resiliency, is now in the top three globally. So that is very comforting to know that we've gone from a place of not so important and maybe thinking about testing, recovery and all those things as an afterthought when you're building applications or when you're protecting your data and enterprise. We've gone now into the top three priorities globally for the biggest organizations and enterprises. What we now need to do is collectively continue that work to make sure that every single enterprise and every single organization has this on their mind and that they're taking testing seriously.
[00:45:14] Speaker B: This is KBCast, the voice of Cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.