
Beyond Recovery: Exploring the Problem - Part 2b of 2

Greg van der Gaast
Independent Security Strategist

August 14, 2024

Unveiling Hidden Security Threats

"In Part 2a: Beyond Recovery: Exploring the Problem, I started to elaborate on the problem we are actually trying to solve, or should be, when it comes to security."


Welcome back to the second part of our deep dive into the often ignored but crucial reasons behind worrying security trends. In this installment I want to introduce a couple more concepts to shape your thinking and start diving into how to turn things around. It's at this point that the unleveraged potential of storage and recovery as a powerful agent of change will start to emerge.

We previously covered three key concepts to keep in mind in order to achieve meaningful security outcomes:

1. Security Isn’t Security’s Job (we must shape business process)

2. Risk Management Is a Bad Idea (quality management is the only way to sustainably reduce vulnerability)

3. Vulnerabilities Are Quality Issues (and fixing them can have positive business implications)

Security is Everyone’s Responsibility

To continue, I want to add two more concepts to this list:

4. Security is not an IT function

This point is in many ways related to our first, which was that security isn’t “security’s job.” But it’s from a different perspective. While it may be up to the business to ensure they operate securely, it is security’s job to help all parts of the business operate that way.

It is no longer acceptable for a security function to live inside IT; it must proactively help all departments define what good looks like so that they do not introduce risk to the business.

This means that a security program must ultimately work systematically through your business processes. Firstly, to reshape them where possible so the business does not produce more risk than it needs to and, secondly, so that the security function is aware of the business risks present in other departments, is not blind to them, and can anticipate and mitigate them.

This is increasingly critical as more and more breaches occur outside what security departments traditionally cover: issues with helpdesk processes, within the legal department, in sales data, in HR and more, all resulting in sensitive data or credentials being exposed.

We must know what happens in the business, streamline those processes as much as possible to reduce risk, and implement our security operations accordingly to be sure to capture any residual risk.

5. Your threats are your own

One of the most frequently repeated claims from security vendors is about the evolving, and growing, threat landscape.

There is no denying that the actors out there looking to do harm to organizations are growing dramatically. But why?

The reality is a threat is only a threat if you are vulnerable to what they are exploiting. I recently read that more than 99% of complex breaches last year involved known vulnerabilities with available patches and fixes, and that nearly two thirds of these had fixes published more than 18-months prior.

The fact is that we are responsible for the threat ecosystem’s growth in the same way we’d be responsible for having mice if we kept big canvas bags of grain in our garden. The solution wouldn’t be to buy 10,000 mouse traps, it would be to not have the exposed grain. I could also point out that a bag of grain stored in a metal tin won’t attract mice, whereas one surrounded by 10,000 mouse traps still will, and eventually some of those mice will get through.

We can do better, and when we do, we find that the threats that apply to us are significantly fewer. This means we not only need to do less detection and response to residual risks, but that their scope will be narrower allowing us to focus on them more accurately.


So, let’s recap these concepts.

You can’t be hit if you’re not vulnerable to the attack, and it’s easier and a lot more sustainable to work on being less vulnerable than constantly mitigating ever more risk. Doing so requires addressing the root causes that lead to our vulnerabilities, and/or our inability to remediate them quickly in an automated manner.

The reasons why this isn’t being done today are several. First and foremost, most security practitioners are focused on security technology, rather than the outcome of secure business. We rely on technology to try and manage the risks, rather than addressing their sources so that we don’t have those risks in the first place.

So, how do we go from the unsustainable situation we are currently in to one where exponential improvements can be achieved?

First and foremost, every organization needs a security strategy that honors these principles.

“Strategy” is a word I hear a lot in security, but something I rarely see in practice. And no, buying a list of tools or implementing technical capabilities is not a strategy by itself.

(Imagine a CEO asking their CMO what the marketing strategy was, and they responded with only a list of tools. They would be fired immediately!)

A strategy should be a plan to understand our current situation (because many security functions have little visibility into their organization’s IT function, let alone the whole business!), our ideal situation and the roadmap to get from the former to the latter.

This typically includes a program to garner support from senior management, establish the structures needed to drive holistic change, present the financial models to justify it all to the business, define the lowest-risk way for each of your departments to operate, and more.

What such a program looks like can be found in the appendices of my book, What We Call Security (also graciously sponsored by Hitachi Vantara).

Such a program can drive dramatic change to the quality (and security is an aspect of quality here) of your business and IT processes so that your organization becomes more inherently secure, leaving you to need only the smallest of bilge pumps to handle the rest.

The Illusion of Control

There are one or two issues with this approach though.

The first is time. Building out a program requires time.

There is no way around this, redefining your business and IT processes to make them inherently more secure and ensuring that future ones are even more so takes time. I tell clients to expect it to take 3-5 years to reach a high level of maturity depending on the size and complexity of the organization.

The second is related to the first: fire. One of the main reasons transforming security into a proactive, quality-led approach is so hard is the sheer number of fires security teams have to contend with because we went down the wrong road for so long. This means only a very small percentage of resource, if any, can be allocated to strategic initiatives like the holistic security program mentioned above. And the resources that are allocated are frequently interrupted by, or called back to, fighting fires.

On one hand, this state of affairs is why recovery capabilities are so important. We have reached a point that even with 100% of resources fighting to detect and respond to every single attack, the number of vulnerabilities (again, in the broadest sense of the word) in our environments means that it is indeed just a matter of time before we are breached and needing to recover quickly.


But there is a far bigger value proposition for storage and recovery solutions than just being able to recover from a successful attack: “derisking” and refocusing.

If you are able to recover your systems and data in, say, a quarter of the time, then you have effectively reduced the would-be costs of a breach due to downtime by 75%. (Incidentally, Hitachi Vantara offers the fastest recovery solution on the market, amplifying this effect.)

That means I could hypothetically take up to 75% of the mitigating resource away from an issue and keep the same or better risk figures (such as Annualized Loss Expectancy).

I can then reallocate that resource towards my proactive program that will drive lasting reductions in how much risk my organization will generate and which the security will then need to manage.

As an aside, I want to say that some people will note a “flaw” in this thinking. While recovery can help you guarantee the return of the integrity and availability of your data after a breach, it cannot restore the confidentiality of data once it’s disclosed.

This is true, but what percentage of systems in most organisations actually store such sensitive data? In my experience it’s usually within less than 10%, and rarely more than 20%. This means that some of the freed resource taken from fighting/mitigating all fires/risks can be focused on those systems where recovery can’t offer full protection in such a way that the overall outcome is still superior. It simply gives us better options in terms of prioritization.
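To make the two preceding points concrete, here is a small model of the Annualized Loss Expectancy (ALE) argument. It is an added example and not part of the original article or of any Hitachi Vantara tooling. It assumes, as a simplification, that the loss from an incident splits into a downtime component proportional to recovery time and a fixed component that faster recovery cannot shrink (disclosure, notification, legal), and that mitigation effort is inversely proportional to the annualized rate of occurrence (ARO); both are modelling assumptions, not claims from the text. The figures are constructed for illustration.

```python
"""ALE model for the 'Freedom of Recovery' argument (added example).

Modelling assumptions (not from the article):
  - SLE (single loss expectancy) = recovery_hours * downtime_cost_per_hour + other_cost
  - other_cost is loss that does not shrink with faster recovery, e.g. the
    disclosure-related cost of a confidentiality breach
  - the mitigation effort spent on an issue is inversely proportional to its
    ARO, so holding ALE constant lets us compute how much of that effort
    could be reallocated once recovery gets faster
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    aro: float                    # annualized rate of occurrence (incidents/year)
    recovery_hours: float         # time to restore systems and data
    downtime_cost_per_hour: float
    other_cost: float             # per-incident loss unaffected by recovery speed

    def sle(self) -> float:
        """Loss per incident: downtime-driven part plus the fixed part."""
        return self.recovery_hours * self.downtime_cost_per_hour + self.other_cost

    def ale(self) -> float:
        """Annualized loss expectancy = ARO * SLE."""
        return self.aro * self.sle()


def with_faster_recovery(s: Scenario, speedup: float) -> Scenario:
    """Same scenario with recovery time divided by `speedup` (e.g. 4 for a quarter of the time)."""
    if speedup <= 0:
        raise ValueError("speedup must be positive")
    return replace(s, recovery_hours=s.recovery_hours / speedup)


def max_aro_for_same_ale(s: Scenario, speedup: float) -> float:
    """Highest ARO the faster-recovery scenario can tolerate without exceeding the original ALE."""
    return s.ale() / with_faster_recovery(s, speedup).sle()


def reallocatable_fraction(s: Scenario, speedup: float) -> float:
    """Share of mitigation effort that can move to proactive work while ALE stays flat.

    Under the inverse-proportionality assumption, effort_new / effort_old
    equals aro_old / aro_new, so the freed share is 1 - aro_old / aro_new.
    This returns 0.75 for a 4x speedup only when other_cost is zero; any
    fixed disclosure cost lowers the figure.
    """
    return 1.0 - s.aro / max_aro_for_same_ale(s, speedup)


if __name__ == "__main__":
    # Constructed figures: one incident every two years, two days to recover,
    # 10,000 per hour of downtime.
    pure_downtime = Scenario(aro=0.5, recovery_hours=48,
                             downtime_cost_per_hour=10_000, other_cost=0)
    with_disclosure = replace(pure_downtime, other_cost=480_000)
    for name, s in (("downtime only", pure_downtime), ("with disclosure", with_disclosure)):
        print(f"{name}: ALE {s.ale():,.0f}, reallocatable at 4x recovery "
              f"{reallocatable_fraction(s, 4):.0%}")
```

Run it and the downtime-only case reproduces the 75% headroom from the text, while adding a fixed disclosure cost equal to the original downtime cost drops it to 37.5%. That is exactly the prioritisation point above: the systems holding sensitive data are the ones where recovery speed frees the least, so that is where the retained resource should go.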

As someone who thinks strategically about achieving an overall outcome of a more secure organization, this is what I call the Freedom of Recovery effect. And it’s huge.

It allows me to shortcut my journey to a more secure organization: to reduce risk, free up resource, and focus more of that resource, time and attention on the things causing the fires in the first place. It can dramatically shorten the time it takes to implement a program, in some cases by years, accelerating risk reduction and bringing forward the point at which I start seeing security OpEx savings, as well as all the other tangible benefits of quality-management-led security (some of which we'll highlight in an upcoming instalment).

This impact is significant enough that it can offset the entire cost of the recovery solution, making it a direct investment in the bottom line rather than a tentative one against some arbitrary risk. Better still, that investment will drive greater reductions in risk, and reduce the likelihood of you ever needing your recovery solution to actually recover.

I’d much rather you use it to make your business better. And that’s what we’ll explore in our next instalment. See you then.

Read Part 1: Beyond Recovery: Beyond Technology

Greg van der Gaast

Greg van der Gaast started his career as a teenage hacker and undercover FBI and DoD operative but has progressed to be one of the most strategic and business-oriented voices in the industry with thought-provoking ideas often at odds with the status quo.
He is a frequent public speaker on security strategy, the author of Rethinking Security and What We Call Security, a former CISO, and currently Managing Director of Sequoia Consulting which helps organizations fix business problems so that they have fewer security ones.