The Voice of Cyber®

KBKAST
Episode 320 Deep Dive: Kavitha Mariappan | The Future of Data Protection
First Aired: July 04, 2025

In this episode, we sit down with Kavitha Mariappan, Chief Transformation Officer at Rubrik, as she unpacks data protection and the critical importance of cyber resilience. Kavitha challenges the industry’s tendency to hyper-focus on prevention and detection, advocating instead for a holistic approach that integrates resilience and recovery as boardroom imperatives. She shares insights from Rubrik Zero Labs on the real-world challenges organizations face when recovering from ransomware attacks, and highlights the often-overlooked need to make backup, recovery, and risk mitigation a core part of business continuity and security strategy. The conversation covers the business impact of breaches—including monetary loss, reputational risk, and regulatory implications—while emphasizing the growing complexity of identity management in the age of AI and the need for interoperability between security domains. Kavitha also stresses the role of executive leadership in driving change and the importance of public-private collaboration to shape standards and frameworks for a secure digital future.

Kavitha Mariappan, Chief Transformation Officer, Rubrik

Kavitha leads Rubrik’s efforts to accelerate enterprise transformation and deepen executive engagement, with a focus on expanding Rubrik’s footprint across the Global 2000 and public sector decision-makers. She partners across the GTM organization, shaping Rubrik’s CXO narrative, championing value economics, and unlocking new revenue streams. Prior to Rubrik, Kavitha was EVP of Customer Experience & Transformation at Zscaler, where she built and scaled the company’s CXO and Transformation Practice. She holds a B.Eng. in Communication Engineering from the Royal Melbourne Institute of Technology, Australia, and an M.S. in Cybersecurity Risk and Strategy from NYU School of Law and Tandon School of Engineering.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Kavitha Mariappan [00:00:00]:
Don’t hyper focus on 100% secure. Yes, it’s important, but spend some cycles thinking about recoverability. It is important because inadvertently, it could happen and it shouldn’t, but it could. And there’s so much capital being invested in risk mitigation as a bucket where we’re not thinking about cyber resilience as a part of the mitigation bucket. It’s thought about as kind of IT and backup.

Karissa Breen [00:00:45]:
Joining me back on the show is Kavitha Mariappan, the new Chief Transformation Officer at Rubrik. And today we’re discussing the future of data protection. Kav, welcome back and congratulations on your new appointment.

Kavitha Mariappan [00:00:57]:
Thank you, Karissa. And it’s fantastic to be back on your show. Hope all’s well.

Karissa Breen [00:01:02]:
Okay, so I’m really keen to hear from your perspective, Kav, now, cyber resilience. Everyone’s talking about it. Everyone’s got different versions. So perhaps let’s start there. I’m keen to hear your version of cyber resiliency or business continuity or what does that look like in your eyes?

Kavitha Mariappan [00:01:17]:
Great question, great question, Karissa. At the end of the day, I think we have the majority of the industry really focused on detection and prevention, right. You know, I spent many years at Zscaler, for example. Most of us in the security world, we’re really focused on making sure we’re identifying or can identify threats and prevent them. But here’s the thing. It’s never 100% foolproof. At the end of the day, one security strategy must encompass resilience and recovery. Right? A comprehensive security strategy that assumes breach in the corner case.

Kavitha Mariappan [00:01:50]:
In the off chance that you do get breached, what happens? Are you prepared?

Podcast Voice-over [00:01:53]:
Right.

Kavitha Mariappan [00:01:54]:
And so resilience is really about assuming breach and preparing to recover quickly. And I’ll give you some statistics.

Podcast Voice-over [00:02:01]:
Right.

Kavitha Mariappan [00:02:01]:
Rubrik Zero Labs, we’ve actually found that only 16% of organizations have actually recovered all of their data after paying a ransom.

Podcast Voice-over [00:02:10]:
Right.

Kavitha Mariappan [00:02:11]:
So what that tells us, and the data tells us a story, is that recovery cannot be an afterthought and that you cannot secure for peace. You have to secure for chaos. So 90% of global security leaders have reported a cyber attack in the last year. This is from our own Rubrik Zero Labs report. And breaches are not a possibility. I think the reality of it is that we have to understand that they’re inevitable and we have to operate under the pretext that we have to assume breach and be prepared for that. Hence, enter cyber resilience. That’s why cyber resilience has actually become the new strategic imperative.

Kavitha Mariappan [00:02:47]:
And it should be in every boardroom as a boardroom imperative. Because prevention is the cost of entry and recovery is a new differentiator today. And we start with resilience actually by really understanding what is motivating our threat actors.

Podcast Voice-over [00:03:03]:
Right.

Kavitha Mariappan [00:03:03]:
And how will they eventually break through. So the question really comes to how quickly when a nefarious act is perpetrated, can your organization actually react and restart? That really comes back to having immutable air gap backups of critical data and the ability to rapidly assess that blast radius of that exposure and look at what sensitive data has been exposed.

Podcast Voice-over [00:03:27]:
Right.

Kavitha Mariappan [00:03:28]:
So it really means having rehearsed response plans, having tested recovery procedures, and having RTOs and RPOs that are realistic and reliable. Once you have those things in place and when a ransom note appears, remember what the bad guys are after is those crown jewels. They’re after that data that they’re trying to exfiltrate and trying to actually monetize on the dark web. So once that, you know, if you’ve got these measures in place, if you, if you lead with a cyber resilience mindset, then recovery becomes a known quantity and response kicks in like muscle memory.

Karissa Breen [00:04:02]:
Okay, so there’s a couple of things in there. So as I mentioned, a lot of people are starting to talk about it. What about, like, for example, I’m going to give you an example. So a business, an e-commerce business, something happens and their business can’t operate. Just call it, like, I don’t know, seven days, and it’s just an arbitrary number, it’s $5,000 a day that they were sort of making money from. Do you think companies now are starting to focus on, hey, how much money is this going to lose us potentially if we can’t operate or we can’t keep operating through a breach? Now, the reason why that’s important is recently I interviewed the CISO who is working through the Medibank breach here in Australia. It was quite interesting around, hey, BAU function still needs to keep operating while we’re working through this breach.

Karissa Breen [00:04:47]:
So do you think now there’s an inflection point in our industry around, hey, we need to start thinking about this holistically in terms of a business? We gotta keep it operating. We’re gonna lose money. Because nowadays, looking at how customers are responding to businesses, something could be down for an hour and people are already starting to complain. So do you have any sort of insight on that, Kav, in terms, like, from the business perspective, on how people are responding to this? So now their heads are turning more around this resiliency piece that you’re discussing with me today?

Kavitha Mariappan [00:05:15]:
Yeah, look, I think the Medibank incident was a couple of years ago, right? A couple of years ago. And we’re still sort of crawling out of that and getting a handle on it. And I actually heard this morning there was another incident, I was just kind of correlating this, that a bunch of PII data had been stolen back in, I’m going to say, probably 2021, and four years later there’s a second incident where they’re mapping some of this PII data to that data before and enriching that.

Podcast Voice-over [00:05:43]:
Right.

Kavitha Mariappan [00:05:44]:
So imagine being hit and then some of that, like some of that critical information sitting out there in the wild, and then having a second incident where the threat actor is continuing to monopolize or weaponize that. I mean, once it’s out there, it’s out there, right. So let’s talk about quantification, Karissa.

Podcast Voice-over [00:06:02]:
All right.

Kavitha Mariappan [00:06:02]:
Is there monetary loss? Absolutely. Is there reputational loss? Absolutely. How do we quantify the value of a business’s reputation, the viability of a business once they’ve been breached? Especially, you know, you talk about Medibank, like a medical insurance provider. We talk about banks, you know, forget. We’ll park consumer business for a moment. Let’s just talk about, like, some of these highly regulated industries where so much of our valuable information is out there. Talk about government, right? Passport control, drive, I mean, all of these types of things. What value do we put on the critical data of a user, of a citizen or a business?

Podcast Voice-over [00:06:39]:
Right.

Kavitha Mariappan [00:06:39]:
And businesses have to think about this because I think they have to start thinking about what the minimum viable configuration is for them to recover. What is the minimum viable bank? What is their minimum viable ability to recover, taking Medibank as an example, right. They must. Because otherwise there is no recovery at times from some of this. You know, a lot of businesses don’t crawl back to day 0 after an incident like this, to be honest. I mean, just taking a look at how organizations have been doing this in the past, right. I’ll tell you, you know, let’s just take a little bit of a history, like a look back at what’s been happening in the industry. Why are we seeing a lot of these one breaches to the ability for organizations not to be able to recover? It’s because a lot of these organizations, from a data protection perspective, are really focused on legacy systems.

Kavitha Mariappan [00:07:29]:
And these legacy systems are not built for today’s threat landscape. And we haven’t even talked about AI, right? We’re just talking about kind of the shifting landscape of how the network infrastructure shifted, the application landscape shifted, and how the security construct has to shift. So we think about how organizations were storing backups. Legacy backups were built for disk failure. That’s really what the premise was, not for adversarial intent in place, right? And so when we think about this, 74% of backup systems were partially compromised during these ransomware attacks. So if your recovery plan can be encrypted or accessed with an admin credential, it’s not a plan, it’s a liability, right? So you’ve got to start thinking about how we are tackling our data, you know, our data security or data backups. How are we handling that from an identity perspective? How are we handling that for the shifting landscape of AI and mobility and the cloud? Because it becomes absolutely critical for the viability of an organization. So here at Rubrik, like, we are the only company that’s sort of sitting at the intersection of AI, data and security.

Kavitha Mariappan [00:08:40]:
And our focus really is to help customers regain control of their data wherever it lives, whether it’s on prem, whether it’s in the cloud or in SaaS. And so that really starts with visibility: who has access, what data is sensitive and what’s exposed. So once we locate and classify this critical data, things like PII, financial, IP, security teams can start to prioritize these and sort of preempt these threats. So we move into a workflow where now, from there, backup and recovery actually becomes part of the security process, right? It’s continuous, it’s automated, and it’s validated across environments, rather than somewhere in IT there being a team that’s looking at backup and recovery as a governance and a compliance function, rather than making it an essential part of their security and business continuity strategy. So that’s sort of the shift in thinking, right? As I talk to CISOs and I talk to CIOs, everybody has a backup recovery plan. It’s just that today they’re not thinking about it holistically as part of their security strategies, not part of their cybersecurity and resilience strategy. It’s.

Kavitha Mariappan [00:09:50]:
It’s part of their IT recovery strategy. So as we start thinking about things like AI, where threat actors can actually poison LLMs, right? What are you going to do now when you have an environment where your applications, your data, your, you know, and things are not just kind of static, but you’re starting to introduce by way of AI also other threat vectors into your environment? We have to be able to baseline some of this. We have to be able to get these organizations up and running. We are working with a moving target at the end of the day. And we would like, you know, the industry to stop thinking about recovery and resilience as a security capability. We need it air gapped. We need it immutable, and we need it recoverable from a specific point in time, ideally before intrusion.

Kavitha Mariappan [00:10:37]:
And that’s how we’re going to minimize data loss. You just talked about how, you know, the bad guys are monetizing a lot of this, right? And we need organizations like Medibank to be up and running.

Karissa Breen [00:10:46]:
Okay, so there’s a couple of things in there. You said we want to give customers that control, like, to be able to take control of their data. So data, as you guys would say. So tell me more about what that looks like, how you guys are going about this, enabling this for business. Because this is really, this is a point that I’m talking about a lot on this show. And there’s a couple of other things I wanted to ask you off the back of that.

Kavitha Mariappan [00:11:07]:
So, Karissa, one of the things we do is we give, you know, it starts with visibility, right? We want to make sure from an organizational perspective, they have complete visibility into who has access to their data. The ability to sort of classify and tag what is sensitive data, the ability to look at what is already exposed or not.

Podcast Voice-over [00:11:26]:
Right.

Kavitha Mariappan [00:11:27]:
Locating all the crown jewels and the critical assets and the data stores, classifying this critical data and prioritizing a lot of this, right? This gives security teams the ability to, like, prioritize and preempt these threats. That’s a, that’s kind of the first protocol, right? From there, what we’re saying is backup and recovery now starts becoming part of the process. Because we have those configurations, we have an understanding of what kind of the source of truth looks like. So should there be an incident, you have the ability to go back to that source of truth quickly.

Podcast Voice-over [00:12:01]:
Right?

Kavitha Mariappan [00:12:01]:
And some of this is, you know, if you’re looking at a large organization, you’re looking at a ton of configurations and data that actually, critically, across multiple locations, have to get the organization up and running. Now, one other thing. Historically, many organizations were still using backup systems that were built for physical disasters, okay? They were not designed to withstand coordinated, targeted digital attacks. So why are we today still looking at backup and recovery from that perspective?

Podcast Voice-over [00:12:33]:
Right.

Kavitha Mariappan [00:12:34]:
We have to start looking at it as a security imperative. We have to start thinking about it ideally from before an attack occurs so that it is recoverable from a specific point in time. I mean, at the end of the day, the bad guys want to grab what is valuable and they want to monetize it. What we want to do is make that a non-issue. First and foremost, let’s make sure, you know, we can minimize data loss. So access to those crown jewels is not easy. Two, we want to make sure that this organization is up and running should something occur.

Karissa Breen [00:13:05]:
Okay. So the reason why that was important is, as you know, with backup and recovery. So there’s a couple of things in there that we’ll get your opinion on. One of which would be, people perhaps, do you think they’ve relegated backup and recovery? And the reason why I ask that is we’ve got all these other new things like AI and all these other cool things that perhaps people are bamboozled by. Some would say, like, well, backup and recovery is like the basics, right? People say it’s the basics. The basics. I’ve heard that 50 times. But the part that gets me is people still just aren’t even doing that part, like backup and recovery.

Karissa Breen [00:13:37]:
They’re not doing it.

Kavitha Mariappan [00:13:38]:
Yeah, I think, look, most organizations will have these storage teams within IT that are going to have snapshots, right? This is of their file systems, of their configurations. It’s there. But you’re spot on in saying that so much of this has been treated as plumbing.

Podcast Voice-over [00:13:54]:
Right?

Kavitha Mariappan [00:13:55]:
So much of this. An organization, to be viable, has to have a lot of this, like, set up.

Podcast Voice-over [00:14:00]:
Right.

Kavitha Mariappan [00:14:01]:
But it has been a GRC checklist. It has been something that, you know, obviously, should something occur, it’s there. From an audit perspective. Yes, we have, we’ve done it, we’ve got it. And here’s where it is. Very few organizations are making it an integral part of their business strategy and their security strategy. Right. And this is what we’re trying to say.

Kavitha Mariappan [00:14:20]:
What happens should you have an incident? So much goes into planning for your tabletop exercises, your red teaming, your blue teaming, your purple teaming, et cetera. So much goes into, like, the incident. So little goes into thinking about, should there be an incident, how am I going to get up and running? Because historically we were talking about on prem, we were talking about data centers and we were talking about creating snapshots of that. And storage is expensive. We invested in expensive NAS storage and then we obviously, you know, moved a lot of storage to the cloud as well. But here we’re talking about a broad range of workloads, a broad range of modalities, a broad range of devices, and we’re adding AI into the mix at the, you know, here’s the thing. We’re all after data, right? At the end of the day, data is what the bad guys are after. That data is what gives us the insights to actually build kind of the right heat maps and telemetry to understand our business.

Kavitha Mariappan [00:15:18]:
What we’re saying is, let’s make this a first class citizen. Let us not relegate this to GRC. And within your organization, every CIO and CISO and board director should be thinking about how they’re going to manage risk. And as part of that calculus, cyber resilience needs to be on top of that checklist. In fact, many organizations actually have the CFO who owns risk.

Podcast Voice-over [00:15:40]:
Right.

Kavitha Mariappan [00:15:40]:
There has to be a certain level of, I would say, awareness within the technical community, the technology community, within the CSO community that, you know, that we’re partnering with our CFOs, we’re partnering with our risk owner in the organization, that the risk committee is stood up. If the audit committee is today looking at risk in an organization, typically the audit committee is full up. They have so much on the agenda. Are they getting to risk? We need to make sure that we’re looking at risk from a dedicated perspective and that we’re looking at it by breaking down silos between security and IT.

Podcast Voice-over [00:16:12]:
Right.

Kavitha Mariappan [00:16:13]:
We have to come to the table together and look at how and when, should there be an incident, we can get you up and running quickly and that we minimize the amount of data that’s lost. Remember, with double extortion and everything else out there, the one incident is not the end of the incident.

Karissa Breen [00:16:30]:
So can I just ask more of a rudimentary question? Everything you’re saying makes sense. So how come we’re getting to this point now in 2025 where people are like, oh, wow, maybe you should really, you know, to your point, you know, first class citizen for data, you know, backup and recovery. So how come, like, this wasn’t high on the priority list, maybe historically? Like, everything you’re saying does make sense and now people are changing their mindset towards it because of the operational side of it. But why do you think that? Why do you think that’s the case?

Kavitha Mariappan [00:16:55]:
If we take a step back and talk about digital transformation, many of the conversations you and I have had in interviews over the years as well, right? Where we talk about sort of democratizing access, you know, across the business, because security now is so critical to the viability of the business. It is no longer, like, back office enablement. IT and security propel the direction of the business. You know, innovation is kind of at the heart of all of that. We’ve started to see kind of this massive shift towards digital transformation, right, where IT and security are coming together and breaking down these silos and grappling with, one, lots of moving pieces around device proliferation, many applications moving to the cloud, you know, the industry as a whole leveraging multiple clouds. The industry as a whole now dealing with not just AI, but as we think about generative AI. And that’s just the tip of the iceberg, right? That’s what we’ve seen.

Kavitha Mariappan [00:17:55]:
Now the other piece of it is where innovation begins in the organization, our ability to actually really innovate. So digital first companies, as we have started to see, you know, companies with digital pioneers are actually thinking about this in a different way. They’re thinking about the business leading and prioritizing business priorities, right? When you prioritize business priorities, IT and security become an enabler to a lot of this, right? We always say you want security to be the department of know, K-N-O-W, rather than no, N-O.

Podcast Voice-over [00:18:25]:
Right?

Kavitha Mariappan [00:18:25]:
We want security to be able to be permissive in the right ways, build guardrails, understand? So why is this all coming to bear right now? The industry is shifting, the landscape has shifted and, you know, not only are we sort of dealing with, on a day to day basis, in a good way, all these, like, shifts that allow us to work and play and learn in some of the most innovative ways. And I don’t want to say it’s all a bad thing, but the other side of it is organizations have a lot of inertia. Inertia holds you back, right? You have organizational structures and you have legacy. And it’s what we’ve done for a long time. It’s how our personnel are trained to do what they need to do. And it’s really hard to move the Titanic. I mean, we’re talking about some of these organizations that are 100 years old and have got large organizations across 65 countries, et cetera, and, you know, a couple of hundred thousand, you know, strong workforce. It’s pretty hard to shift.

Kavitha Mariappan [00:19:21]:
It’s pretty hard to shift. The other piece of it is how do we enable these IT, technology, security leaders to actually be empowered to drive change? So a lot of this is coming to a head because the incidents, sadly, are driving some of this thinking, right? I mean, the last couple of weeks we’ve seen so many CPG organizations, massive brands, like, get hit, right? We saw Marks & Spencer get hit, we saw Harrods get hit, we saw Victoria’s Secret. Last week we saw one of the large suppliers to a lot of these companies get hit. So it’s happening. Our CISO, our CIO, our CTO, our Chief Data Officers, CFOs, we’re seeing board directors, everyone come to bear to say we’ve got to do something about this, right? We have to lead digital first. We have to let the business outline what the needs are and we have to build for that, right? And so in the past a lot of this sort of sat where it did, but we’re definitely starting to see kind of that construct change. So from our perspective, as technologists, as influencers, as leaders, we’ve got to help our CISO, CIO, CTO peers, right? With the right sort of tools, the right best practices and the right sort of peer networking and access to information, such as the type of information you’re providing on your show here, so that they can make decisions quickly, because in their day to day, they’re fighting fires, keeping the lights on, and they’re having to deal with a ton of vendors, and every vendor obviously is going to say that they’ve got the best stuff.

Kavitha Mariappan [00:20:47]:
And this is why standards frame, not necessarily standards, but frameworks and creating interoperable ecosystems become really important for us. So we’ve got to get the conversation out there. I was at people starting to talk about this, where there’s a high level of interoperability between the ecosystem players, and there’s a lot more work to be done, most definitely.

Karissa Breen [00:21:06]:
So you said make decisions faster, and this is really interesting. So I’ve done a few interviews recently and, you know, if you’re in a large enterprise back in the day, you know, you’d have to go through risk and you’d have to do this whole triage; it would take months. But now we’ve started seeing this shift towards we have to make decisions faster because of AI and threats that are evolving faster than ever before and all of these sorts of things. So then how does that then play into, given your role as Chief Transformation Officer at Rubrik, how does that sort of, like, go hand in hand now? Because we can’t sort of sit on making a decision. They have to be informed and calculated, but we can’t wait around like we used to back in the day.

Podcast Voice-over [00:21:43]:
Right.

Kavitha Mariappan [00:21:44]:
And so I’m going to say the best evangelist is a happy customer.

Podcast Voice-over [00:21:48]:
Right?

Kavitha Mariappan [00:21:49]:
The best evangelist, the best group of evangelists are thought leaders that are willing to actually be risk takers.

Podcast Voice-over [00:21:54]:
Right.

Kavitha Mariappan [00:21:54]:
We talked a little bit about inertia in organizations. There are plenty of pioneers out there, CISOs, CIOs, CTOs, et cetera, who have actually, like, embraced the shift. So part of my role here, you know, and here at Rubrik is we’re making an investment here because we feel a responsibility, right? Yes, we’re a for profit company, but we feel a responsibility to actually equip the C suite and the board of directors with best practice sharing, learning, get ourselves entrenched in, like, ecosystem development, frameworks, standards, right? It’s really lonely at the top. When you are an executive, when you’re a CISO of a company, you are the one person, right? And there are lots of things there that you cannot definitely know. You can’t disclose to your peers or the market or anyone else, right? It’s lonely at the top. We want to make sure that we build a community and an environment for best practice sharing so that there’s some connective tissue there, right. That we’re sort of gravitating discussions around standardized frameworks and we’re equipping CXOs with board ready narratives. Talked a lot about this in the past.

Kavitha Mariappan [00:22:55]:
These, like, incredible technologists. The CIO is overnight required to become a finance expert, an awesome presenter to the board and often to people who don’t understand the technology but have the very responsibility of guiding and providing sort of governance frameworks to these, you know, these leadership teams. So part of that is also, like, how do we equip CXOs with board ready narratives?

Podcast Voice-over [00:23:17]:
Right.

Kavitha Mariappan [00:23:18]:
How do we build risk assessments, ROI, TCO calculators, transformation blueprints, all of the above. But Karissa, one of the interesting things you touched upon, and I wanted to kind of come back to it a little bit, was when you said, why now? Why is this happening?

Podcast Voice-over [00:23:33]:
Right?

Kavitha Mariappan [00:23:33]:
And you know, with AI, I’ll tell you one thing. If we weren’t worried about identity based threats before, we absolutely should be with generative AI, because one of the things we, you know, there’s a clear trend that identity infrastructures are being, one, exposed to, infringed upon, right? Our Rubrik Zero Labs report discovered that non human identities now, with agentic AI, outnumber human identities 45 to 1.

Podcast Voice-over [00:23:59]:
Right.

Kavitha Mariappan [00:24:00]:
So if we were worried about humans, we should start really being worried about the agentic counterparts that we’re creating. And that’s why we talk about sort of cyber resilience and data resilience. We really need to start talking about identity resilience as well, because that is usually the first place they hit.

Podcast Voice-over [00:24:18]:
Right.

Kavitha Mariappan [00:24:19]:
So identity plus data should give us the full spectrum of resilience. But most companies today treat these as separate domains, right? They treat different tools, different teams, different SLAs. And that’s one of the things that we really want to change. We want to shift from our CISOs to bring identity and data protection together so they can get a more complete view and have the ability to respond. I just, I know you mentioned AI and I wanted to make sure I kind of threw that in as well.

Karissa Breen [00:24:47]:
Yeah, those are good points. And I think, as you probably know, how you said before, they’re treating them as separate domains. What we are seeing, to your point, interoperability, platformization, now companies are talking more and more about that. So do you think then, over time, that those two separate domains, people won’t view them as separate or independent? It’s just going to be, this is everything. Now, holistically, do we see that as a shift moving forward?

Kavitha Mariappan [00:25:11]:
I think we have to drive that shift.

Podcast Voice-over [00:25:13]:
Right.

Kavitha Mariappan [00:25:13]:
Because you’re not going to get these systems up, you know, disparate systems. Well, one, disparate means your attack surface is wider than it needs to be.

Podcast Voice-over [00:25:22]:
Right.

Kavitha Mariappan [00:25:23]:
Two is, disparate systems. In the event of an incident, it’s much harder for you to get back up and running.

Podcast Voice-over [00:25:28]:
Right.

Kavitha Mariappan [00:25:29]:
And I think one of the things identity resilience specifically does, it addresses a huge blind spot in enterprise security.

Podcast Voice-over [00:25:35]:
Right.

Kavitha Mariappan [00:25:36]:
Because a critical part of infrastructure that is utilized today by a vast majority of organizations.

Podcast Voice-over [00:25:42]:
Right.

Kavitha Mariappan [00:25:43]:
Is identity. Identity remains a consistent target for hackers.

Podcast Voice-over [00:25:46]:
Right.

Kavitha Mariappan [00:25:47]:
Once compromised, these identity systems are going to grant your attackers access to the critical data and credentials. So if you are looking at it from a disparate perspective, you’ve got a problem, you’ve got an exposure there.

Karissa Breen [00:25:58]:
Exactly. And I interviewed the size of Tal and he spoke a lot about this. He also mentioned that it’s quite costly. It’s complex, like it’s intricate as well. So it’s not as easy as we think. It’s like not just about turning stuff on and off. Obviously everyone’s talking about platformization, et cetera, to make sense, but obviously that comes with other challenges. So how do you think now, given what you’ve said on the whole identity stuff as well? The whole genic identity is 45 to 1.

Karissa Breen [00:26:25]:
That’s a lot. That’s obviously going to increase as well. So any sort of insight that you can share on that part moving forward or what do you think we’re going to start to see now in the space?

Kavitha Mariappan [00:26:36]:
Let’s take a look at what we’re seeing today.

Podcast Voice-over [00:26:38]:
Right?

Kavitha Mariappan [00:26:38]:
CISOs have got a lot going on.

Podcast Voice-over [00:26:40]:
Okay.

Kavitha Mariappan [00:26:41]:
They’ve got a lot in this. I think if you talk to most security vendors, everybody wants to sell them a tool, an alert or a dashboard.

Podcast Voice-over [00:26:46]:
Right.

Kavitha Mariappan [00:26:46]:
There’s a lot of reporting tools.

Podcast Voice-over [00:26:48]:
Right.

Kavitha Mariappan [00:26:49]:
And at some point, you know, many of them are driving towards a single pane of glass.

Podcast Voice-over [00:26:53]:
Right?

Kavitha Mariappan [00:26:54]:
Because we get to a point where how much is alerting how much of this, these are false positives.

Podcast Voice-over [00:27:00]:
Right.

Kavitha Mariappan [00:27:01]:
And how much of this is actionable, right? Because we are living in a world of intelligence.

Podcast Voice-over [00:27:06]:
Right?

Kavitha Mariappan [00:27:06]:
The access to, you know, the ability to infer a lot of this, ability to correlate a lot of this look at causality is there, but at some point it has to be actionable to the organization.

Podcast Voice-over [00:27:16]:
Right?

Kavitha Mariappan [00:27:17]:
So one of the things we’re going to look at and we should be focusing on for our peers is that we need to stop having these folks think about the fact that don’t hyperfocus on 100% secure.

Podcast Voice-over [00:27:30]:
Right?

Kavitha Mariappan [00:27:31]:
Yes, it’s important, but spend some cycles thinking about recoverability.

Podcast Voice-over [00:27:36]:
Right?

Kavitha Mariappan [00:27:36]:
It is important because inadvertently it could happen and it shouldn’t, but it could. And there’s so much capital being invested in risk mitigation as a bucket, where we’re not thinking about cyber resilience as a part of the mitigation bucket. It’s thought about as kind of IT and backup. So I think we’ve got to get there. And I think the other thing CISOs are asking today is like, how do I keep my business secure? How do I keep the business units, businesses running while I’m scaling cloud, while the organization is leveraging SaaS based applications, while we’re working with IT counterparts in adopting AI and agentic AI and building sort of guardrails around corporate usage of this. At the same time, how do I meet regulatory requirements in this climate and in many cases not do jail time?

Podcast Voice-over [00:28:29]:
Right.

Kavitha Mariappan [00:28:29]:
Because we do have criminal charges. Like we’re seeing that sort of as a precedent here in the US. So I think that’s the transformative moment that we’re in.

Podcast Voice-over [00:28:38]:
Right?

Kavitha Mariappan [00:28:38]:
You asked me, Kev, why all this time I say this is, this is the intersection point I think that we have to think about. And I think a question that every CISO should be asking today is do all the good stuff that you’re continuing to do, because you must. But if we are breached today, how long would it take for us to restore clean data, verify identities and keep our business running? Because that’s the most important thing, right? If you’re a government agency or if you’re, you know, a commercial company, all of the above, keeping some of the vital critical infrastructure up and running. Should a compromise occur, these questions must be asked. And if their litmus test is that they cannot be measured in hours, then they are already behind. Because threat adversaries are not waiting. They’re getting smarter and smarter. They’re leveraging the very same technologies that we’re leveraging to build.

Kavitha Mariappan [00:29:29]:
And so if they’re not waiting as adversaries, neither should your recovery plan.

Podcast Voice-over [00:29:34]:
Right?

Kavitha Mariappan [00:29:35]:
And I think that’s one of the most important things. And this isn’t just a technical requirement, it’s actually a regulatory one. In Australia, specifically, the APRA and the Saki both mandate backup and recovery capabilities as a part of their critical infrastructure resilience. But if from a critical infrastructure resilience we are mandating this, why are we not thinking about this from commercial organizations? Sort of takeaway from this is continue to do all the good stuff you’re doing. But it’s not just about protection but about recoverability that you, you know, that’s provable, that’s fast and that’s built preemptively for what’s coming next. Because as we all know, we all haven’t got our arms around what’s the moving target yet, all of us as an industry.

Karissa Breen [00:30:15]:
So what was going through my mind as you were speaking, so I interviewed someone last week. They said they did a bit of a report here. It was 24 days was the average time for someone to come back online and be operational again. 24 days, that’s almost a month.

Kavitha Mariappan [00:30:28]:
So as a all statistic, and I’m sure that statistic has shifted, it’s about 10 years old and it said the amount of time it takes somebody to shift from your website to something else is a blink of an eye. So if you’re a commercial business and somebody comes to your website and it’s all up and running and not working properly, it’s a blink of an eye before somebody loses interest and goes to your competitor’s website, that’s one. If you are a business and it’s taking you 24 days to get up and running, I do not know how viable that business is going to be in 24 days. It all sounds doom and gloom and obviously businesses recover, right? But this is where we start to look at organizations and it’s like how many brick and mortar organizations that still have a lot of digital presence in their point of sales, et cetera, internally versus the same businesses that have complete online presence. How would both parts of the business function should an incident occur? I think one of the interesting things with one of the recent retail incidents that just occurred is the stores were up and running within a couple of days, but the online was not up and running. I would have thought online might have been the ability to like recover faster. But again, this shows how, you know, like you said, it’s very complex. Is a big organizations complex systems and workflows.

Kavitha Mariappan [00:31:44]:
How are we architecting some of this?

Podcast Voice-over [00:31:46]:
Right.

Kavitha Mariappan [00:31:47]:
I think sometimes these exercises, even when we do tabletops, just for detection and prevention and being ready, right. They give us a complete audit of what’s in our environment. We cannot protect what we cannot see and don’t know. We have to have a grasp of kind of what’s in the realm of our sort of responsibility. But some of these organizations and their infrastructures and obviously the businesses get so large, it gets difficult and this in itself makes that attack surface so large. It’s the wild wild west for, for threat actors all the time. This has been kind of the notion of thinking about zero trust security, zero trust architectures, right. Of making sure, never trust, always verify.

Podcast Voice-over [00:32:33]:
Right.

Kavitha Mariappan [00:32:34]:
And at the end of the day that’s, you know, we have to start thinking about things from a very different perspective here.

Karissa Breen [00:32:39]:
And just another thing I want to quickly ask is going back to the whole blink of an eye. So the whole 24 days, that’s crazy. Apparently that’s what the stat was here in Australia, New Zealand. So then do you envision like people are not going to wait 24 days for a business to come up, you know, back up and running?

Podcast Voice-over [00:32:53]:
Right.

Karissa Breen [00:32:53]:
The other thing is if you look on the consumer front, I mean I do a lot of reconnaissance and looking at comments when these breaches happen. Even the other day where I was leaving, the power was out for an hour and I was super annoyed by that because I couldn’t do certain things right. So it’s like imagine 24 days with something not running. So then the other thing is people don’t have brand loyalty to businesses like they used to anymore, like to banks, etc. The bank, one of the top four banks here in Australia, there was an incident and people were just outraged after a few hours. So then you think about 24 days are we going to start to see like these business are just not operational anymore because it’s just too hard in terms of, yeah, reputational damage, also revenue loss, but just, it’s just going to be too hard for them to, to recover from that. When you say, I mean, let’s think.

Kavitha Mariappan [00:33:38]:
About kind of what take an incident and you look at obviously lost critical data, right, that’s being monetized. So you’ve lost some of your intellectual property. You’ve lost PII data which is like credentials of your customers, your end customers and users, kind of making them vulnerable. So there’s that. Then there is obviously productivity and you’re not up and running, so you’re not, you’re not profitable as a business. Then you have reputational loss, regaining your customers that may churn to another organization, all right? Another bank, another anything. I think all of us living in this climate, maybe we get a little complacent by saying there’s another breach every day, right? And so what’s the big deal? But at the end of the day, if you have been impacted, you will understand it’s a big deal. You look at Australia, that period of time where we had like three major breaches where more than 50% of the Australian population’s very, very critical.

Kavitha Mariappan [00:34:30]:
Vital PII information, from driver’s licenses to birth dates to addresses to passport information was found on the dark web. Really hard to get businesses up and running when you’ve trusted. And some of these organizations have a duty of care too because we’re protecting the, protecting minors, right? Education systems, passports and all of these types of health insurance information. I mean, I think Medibank, those threat actors were so nefarious, some of the things they did with that Medibank breach was like unheard of. And so we absolutely have to start thinking about how and when these organizations have to start thinking about how and when. What’s their RTO, how are they going to get up and running? What is their recovery time, operations? Because it’s absolutely critical because 24 days. And I feel really sorry for that organization obviously because it’s easy to sit here and say that’s a long time, but that’s business impacting in more ways than one.

Podcast Voice-over [00:35:26]:
Right?

Kavitha Mariappan [00:35:26]:
And we haven’t even talked about lawsuits of like the end users whose credentials have been exposed and like what that would look like when, when the blast radius of what this look looks like downstream.

Karissa Breen [00:35:36]:
So Cav, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Kavitha Mariappan [00:35:41]:
Look at the end of the day, we want to make sure, look, all security and IT leaders out there, they think about your security strategy, think about digital transformation and you’re thinking about cyber resilience as part of that strategy. Think about risk mitigation from a broader lens, that it is about detection, it is about prevention, it is about resilience. It is really important to have these three elements kind of built into this. And we have a ton of fantastic technologies out there to leverage right now, right? I mean, as bad as we talk about all these things with AI, there’s so many great things there. All of these technologies afford us the ability to design, build and create an incredible digital first future, right? But for us to all play in that, we have to become digital citizens, right? We can’t think about this as analog citizens trying to play in the future world. What does that look like? And I think it’s a fantastic time for CISOs and CIOs and CTOs to actually really take a seat at the table and do not let regulators, do not let auditors define where the future is. Is your chance to, to really take a seat at the table, join industry frameworks, et cetera, and like create interoperability within the sort of the right ecosystem partners and put the onus back on your technology vendors, right, that, that they’re designing to zero trust principles, that they’re working on interoperable frameworks that actually lends itself to what is right for you. And so that’s kind of my parting thought, right? Like, as in, like, how do we get these execs, you know, taking a broader seat at the table and also really driving public private collaboration between the public sector and the private sector.

Kavitha Mariappan [00:37:31]:
Because a lot of this, as we start looking at what is critical infrastructure, et cetera, I think is really going to have a bunch of crossover because the last thing we want is regulatory overreach because it’s bad. We’re going to regulate you and we’re going to, you know, you’re going to spend more time doing audits rather than actually putting mitigation plans in place. And I think it’s also a great time to start helping define in Australia and New Zealand some of these standards. For example, the EU AI standard, it’s like regulations are like highly sophisticated. It’s making the rest of the world look at it and think through some of this, right? I think this is where we can leverage a lot of the learnings as well from sort of other markets and industries. But it absolutely is time for Australia and New Zealand operators within Australia and New Zealand to partner and to really sort of start to think about a holistic security strategy.