What happens when cyber resilience shifts from an IT concern to something that directly impacts revenue, operations, and even national stability?
In this episode of The Business of Cybersecurity, I sit down with Mark Molyneux, Field CTO for Northern Europe at Commvault, to break down the UK’s Cyber Security and Resilience Bill and what it really means for organizations trying to stay ahead of increasingly complex threats.

At first glance, legislation like this can feel distant, something for compliance teams to worry about later. But as Mark explains, the reality is far more immediate. This bill has been years in the making, shaped by a growing pattern of incidents that have moved beyond isolated IT problems and into events with real economic and societal impact. The conversation quickly shifts from what the bill says to why it matters right now, especially as cyber threats continue to evolve faster than regulation can keep up.
One of the most valuable takeaways from our discussion is the distinction between disaster recovery and true cyber recovery. Many organizations believe they are prepared because they have invested heavily in backup systems and failover environments. But as Mark highlights, those assumptions can break down quickly when core systems, identities, or trusted environments are compromised. In those moments, traditional recovery metrics no longer apply, and the focus turns to how quickly a business can return to a clean, operational state.
We also explore the risk of treating new regulation as a simple compliance exercise. There is always a temptation to do the minimum required and move on. However, recent real-world incidents have changed the tone of the conversation. Leadership teams are starting to recognize that resilience is about survival, not certification. That shift in mindset is where meaningful progress begins.
Mark shares practical guidance for organizations at different stages of their journey. Whether it is selecting a single cybersecurity framework, running realistic tabletop exercises with executive teams, or defining what a minimum viable company actually looks like during a crisis, the emphasis is on taking action now rather than waiting for legislation to dictate the pace.
There is also an honest discussion about the limits of regulation. Laws and frameworks will always lag behind the speed of technological change, especially as AI begins to reshape how attacks are launched and executed. That puts the responsibility back on organizations to go further than compliance and build resilience that reflects their real-world risk.
This episode is a reminder that cyber resilience is no longer about preventing every possible attack. It is about ensuring the business can continue when something goes wrong.
So as new legislation begins to take shape and expectations rise, are you confident your organization could recover quickly from a serious cyber event, or are you still relying on assumptions that have yet to be tested?
Useful Links
Learn more about Commvault
Please check the partners of the Tech Talks Network
Learn more about the NordLayer Browser

[00:00:00] I'd like to thank Denodo for supporting the Tech Talks Network and helping us bring so many different stories to life. Because every business needs data that its teams can actually trust. So if you need data your teams can trust, Denodo can help your organisation deliver curated, governed and easy to use data products for analysts, business users and AI applications alike. And you can learn more by simply visiting denodo.com.
[00:00:33] What happens when cyber resilience stops being a technical discussion and starts becoming a boardroom issue with very real economic consequences? Well, on today's episode I'm going to be joined by Mark Molyneux, Field CTO for Northern Europe at Commvault. And our conversation today feels for me especially timely.
[00:00:57] Because while regulations don't always make the headlines in the same way as a major breach or ransomware attack, they do often tell us where governments, industries and security leaders believe the biggest risks now sit. And one of the things I'm looking forward to chatting with Mark about is he doesn't treat the bill as some dry legal update that only compliance teams need to care about. Instead, he brings it back to what really matters for business leaders.
[00:01:26] Why is this happening now? What has changed? Will this actually improve resilience? Or are we heading towards another check the box exercise that looks good on paper but changes very little in practice? So today we're going to get into the very real gap between disaster recovery and cyber recovery.
[00:01:44] Understand why resilience now has to mean much more than prevention and what organisations should be doing right now rather than just waiting for legislation to slowly make its way through Parliament. And there's also a big point in here today about the difference between being technically compliant and being genuinely prepared. And I think this is something that every leader needs to hear.
[00:02:12] So if you're trying to make sense of what the UK Cyber Security and Resilience Bill means, and more importantly, what does it mean for you and your organisation, you should find a lot of value in this one. As someone that records 65 plus interviews a month, I've personally seen a huge increase in browser-based attacks over the past year, whether that be phishing, malicious extensions, account takeovers, the list is long.
[00:02:37] And it's all happening where people spend most of their time, inside the browser. So NordLayer's new business browser, that's built to address exactly that. It blocks malicious sites before they load. It limits risky behaviours like uncontrolled downloads or data sharing, and gives you visibility into how your team interacts with web apps. And it also helps you stay compliant by controlling access and enforcing policies
[00:03:05] without the need to rely on multiple disconnected tools. So for anyone listening that is thinking seriously about reducing risk in SaaS-heavy environments, this feels like a smarter and more focused approach. And you can learn more about it by visiting nordlayer.com slash browser. Let me know what you think. But enough from me. Let me introduce you to my guest now. So a massive warm welcome to the show, Mark.
[00:03:33] Can you tell everyone listening a little about who you are and what you do? So I'm Mark Molyneux. I'm the CTO for Northern Europe for Commvault. At Commvault, I focus primarily on business development, so thought leadership, vision discussions with prospects and customers, focused on outcomes rather than product items. So I do online articles for press, speaking at trade events, media engagements, that kind of thing. I've worked in the IT industry for 35 years, 28 of those
[00:04:01] I was in financial services companies, started off as a programmer, moved into leading technology groups, and then I jumped over to the vendor side, where I've held CTO roles at two other technology firms before I joined Commvault. Excellent. Well, thank you so much for joining me today. There's so much I want to talk about. I mean, I know we will have people listening all around the world. Here in the UK, the Cyber Security and Resilience Bill is gaining some traction right now.
[00:04:28] But for anyone that's hearing about that bill for the first time on this podcast, can you just give us an overview of what it is, what it's aiming to change, and why it's being introduced now? I'll start with the end. So why is it being introduced now? I think it's long overdue. So the UK hasn't materially updated any of its cybersecurity legislation since NIS came along in 2018, Network and Information Security Regulation.
[00:04:54] And given the speed that cyber threats have evolved, it's a significant gap. So the bill was proposed originally back in 2022 to address the shortcomings of that original NIS 2018. And then there's a gap. And in 2024, the King's speech to Parliament, they went into more detail on cyber resiliency, announced the intention to enshrine capability into law. They created the Cybersecurity and Resiliency Bill outline in September of that year, 24.
[00:05:23] Policy statement was in April 25. Its first reading in Parliament was November 25. Now it's at its second reading, and it's just in committee stage. So I think, why is it being introduced now? It's actually been years in the making and still is. You know, it's expected to move through Parliament, but not at some huge pace. So I think it's long overdue. But what it's designed to do is deliver a fundamental step change in the UK's national security.
[00:05:49] So basically strengthening cyber defences for essential services like healthcare, transport, drinking water providers, energy companies. It reforms and adds to the NIS 2018 regulations. So it also learns from the EU's NIS 2 directive. It aligns where it's applicable, but it obviously learns what they've done with NIS 2 and implements that as well. It better protects services that the public are relying on to go about their normal lives. But overall, it's regulating to implement stronger cyber resilience,
[00:06:19] improving reporting, application of fines, so very much aligned to GDPR in the way that it does its fines, and increasing scope through designated critical suppliers. Now it does actually reduce the number of in-scope sectors to a more focused list, which could be a bit of a concern. But in a nutshell, that's effectively what the Cybersecurity Resiliency Bill is. I'll call it CSRB for simplicity to go forward.
[00:06:44] And if we look at last year, I think the cyber attack on Jaguar Land Rover, I think it cost an estimated £1.9 billion, not dollars, pounds. It's been called the most economically damaging cyber event in UK history. So completely agree with you. This is long overdue. We've seen so many major incidents recently. So to what extent is this bill maybe a response to the evolving landscape,
[00:07:11] including ransomware and supply chain attacks, etc.? Yeah, I think, I mean, certainly the JLR one is a more recent example of that. We've got some that go back further. So if you think about in 24, when they were putting the King's speech together, just prior to that, they had the Synnovis incident, which was effectively ransomware hitting a couple of trusts in the London area, but also supply chain as well. And it was ransomware that didn't just hit systems.
[00:07:40] It cancelled operations. It disrupted blood testing, triggered a national appeal for blood donors, and it had a societal impact. And that's not something that was easily forgotten. And we were also coming off the back of an incident, a fairly major incident with the British Library as well. So the government were reacting to those things when they started looking at the Cybersecurity and Resiliency Bill. Now, I think part of the challenge that we've seen more recently is if you think about the impacts on the retail and the manufacturing sectors,
[00:08:10] you've obviously mentioned JLR, but we've also seen fairly public events happening to others in the retail district. Neither of those, manufacturing or retail, is included in the CSRB as critical, which is quite interesting, I think, because I wonder if part of what we see now with the delays in Parliament is a reconsideration of what we might actually include in there, because I don't think anybody really expected an impact on a company like JLR,
[00:08:38] for example, to actually impact the economy of a country. Now, if you think about how financial services regulation evolved, that evolved right the way back from the 2008 financial crisis because of the impact on the national financial capability. So they evolved that. They split the regulators. They created a bunch of different regulations
[00:09:04] to ensure that the financial industry could never suffer like that again, including cyber resiliency stuff, which we can talk about later. But I think I do wonder if now we will see some changes into the constructs of the CSRB to include maybe manufacturing and retail and perhaps some other industries that you would actually now classify as critical but would fall between the lines of what CSRB is trying to do and what critical national infrastructure is defined as.
[00:09:33] It's such a great point there. And I'm curious, from your perspective at Commvault, do you see this legislation actually improving resilience or is there a risk it could fall into the trap of becoming just another compliance exercise? Or are you quite optimistic about this? I think I'm more optimistic about this than I've been about other things. We've seen operational resilience. Let's call it operational resilience, sneaking into a lot of regulation across various verticals.
[00:10:01] And that has been more of a tick-box exercise. It's, you know, what's the bare minimum that I can do to actually be compliant to this in terms of resiliency? Because we all know we can be resilient. We know we've got a disaster recovery plan. I think cyber took a different angle to that. And even though we've had bad things happen to us in the last couple of years, I think those will now derive a far better take-up of regulation, a far more candid approach to how they do it rather than just treating it as a tick-box exercise.
[00:10:31] Because I don't think companies have realised up until we had those major public events that things were so bad. Because a lot of companies keep these things back. You know, they'll talk to the National Cyber Security Centre. They'll talk to the police, etc. And most things don't get public. You don't really know what's happened until they happen. When you've got an event like JLR that affects the economy and the government are talking about it and it's in the media every day, it really brings it out at the C-level of every company
[00:10:59] wondering, hey, could this happen to us? And the realisation that it will happen to us. And, you know, it's probably, it's not a case of if now, it's when it happens to us, can we recover? So I do think companies will go a lot further with it. But I do worry, as with every other regulation, I mean, I talked through that timeline a minute ago for a reason. You can see just how long it is from a discussion to the reality of it happening. And then there's also adoption times. You know, you think financial services,
[00:11:29] UK operational resiliency, which was called PS21/3, that was talked about in 2018 into 19. It came into life in 2020. It only became, let's call it, fully compliant in 2025. That's five years, six years. Wow, that's phenomenal. I mean, five, six years in today's climate, the speed of technological change. You look at how much has changed in the last, what, two to three years alone. That's a long time, isn't it?
[00:11:57] It's crazy, really, when you think about it. And like I said, you know, if you think about the CSRB, it will almost certainly have an adoption timescale that comes after it. And that could be a year, it could be 18 months, it could be two years, depending on how much they feel that companies have evolved in the meantime. Companies that wait for regulation to come along and then look at how they can be, you know, how they can be compliant to it, are basically looking at the minimum side of things. And that's not how they should be approaching things. They should be really looking at a case of, you know,
[00:12:27] of when we get attacked, how can we recover from it, and can we react super quickly to do that? Can we change now? You know, CSRB is written, you know, what happens to it now is going to be, you know, elements of parliamentary change. And as I say, perhaps some scope increase in terms of what happens with manufacturing and retail, but the lion's share of it's already there. So it's something that can be implemented immediately and also not just looked at by companies that are in that mix of healthcare or, you know, energy companies or whatever.
[00:12:56] Anyone can really pick that up in the same way that they can pick up copies of DORA and do the same thing. 100% with you. And we will have people listening from organisations that maybe already feel stretched by existing frameworks and regulations, trying to keep up to speed with those. So how should they approach this without creating more complexity or duplication of effort? Because it can feel incredibly overwhelming when there's something else that you need to follow. Yeah, of course it can. I think, and that's the challenge with compliance, isn't it?
[00:13:25] You know, where do you stop? You've got so many different laws that are requiring you to do different things, be it the privacy of a person or the security of a company, the safety, et cetera. So where do you start? I mean, probably the best place to start really is select a cybersecurity framework and stick to it. Don't try to run from two or three or four. Pick an industry leader like the NIST cybersecurity framework, for example. I use NIST because NIST was also the basis for DORA,
[00:13:55] the Digital Operational Resiliency Act, which is spanning the EU countries in financial services and supporting companies. That framework gives you a really strong metric in how to implement cybersecurity. So I would say as a starter for 10, pick a framework. There's other things that you can do in terms of training, et cetera, but that's got to be the starter for 10. And I also think if you're in an industry that isn't necessarily as tightly governed,
[00:14:23] say for example, you are in an industry that doesn't have a DORA or it doesn't have the impacts of the CSRB, there's no reason why you can't pick those things up. You haven't got a regulator leaning over your back. You're not going to see those regulatory fines coming your way. So why not pick it up and start looking at it and learning from it and saying, you know what, actually, these are the bare minimum things that we can do. And also educate the C-level of your company and the capability for cyber recovery, cyber resiliency, not just disaster recovery,
[00:14:52] which is where I think a lot of people are at the moment. And I think there's one word we've both mentioned multiple times in our conversation so far, that is resilience. And the bill places a very strong emphasis on resilience, not just prevention. So how does this shift the way businesses think about cybersecurity strategies and investment? It feels like there's a slight pivot there. Yeah, there is. Yeah, yeah. Resiliency is about the ability to maintain operations in the face of any craziness that happens.
[00:15:22] And I think in the past, everybody's been looking at operational resiliency, which is different to cyber resiliency. If you think about how your recovery of your company is usually split into three, it's operational resiliency, it's disaster recovery, and then it's cyber resiliency. And those three things are the things that everyone has, but they have the first two. They don't necessarily have the cyber resiliency aspect. And I think if you think about how people need to look at this in terms of their investment,
[00:15:51] look at the way that your metrics at the moment for disaster recovery, it's usually based on standard metrics like recovery time objective, recovery point objective, mean time to detect, loads of different types of SecOps and IT operations metrics that determine the ability to be able to recover from a disaster. And all your investments gone into that, probably a huge amount of investment because they're usually a mirror copy of production.
[00:16:19] Cyber resiliency is very different to that because the expectation is a cyber threat actor has got into the system and none of those capabilities are available. So what do you then do? You have to have a different metric. So you need to look at the mean time to clean recovery rather than the recovery time objective. If you've got a recovery time objective for a tier one application of five seconds or five minutes or five hours, none of those are going to work if you can't even access the system because say, for example,
[00:16:46] your identity system like Active Directory, for example, has been compromised. So how do you, you can't even go to those metrics. So you need, do you need something like cyber recovery time objective, cyber recovery point objective and operate that within mean time to clean recovery. So you've got that whole window that says, if an event happens, this is what we look like and that's your baseline and it will be terrible. You know, it will be north of 30 days probably. You know, you speak to somebody
[00:17:15] and they probably wouldn't have thought that it would have been that long until it happened to them. JLR was the same. You know, and we can, we don't know for certain, but we can guesstimate it with JLR, for example, given the fact that they had manufacturing down for four weeks. So we know that their mean time to clean recovery was really long and their ability to shorten that wasn't there. And that's what companies need to look at now in the way that they're investing it. It's how can we bring those timelines down? How can we look at our data and recover it in a clean manner, forensically check it to make sure that we're not reinfecting ourselves?
[00:17:47] And many companies will be listening or people listening from companies will be listening and they'll still be quite early on that cyber maturity journey that many organisations are on right now. But what would you say are the first practical steps that they should be taking right now to prepare for what's coming? Especially as we're talking about Agenda K. We're adding more things into the mix, but what should they be thinking about now to prepare for the bill? I think it all depends on the size of the company. I would say, you know,
[00:18:15] if you're a small to medium business, you should be looking at something fairly standard like Cyber Essentials, Cyber Essentials Plus. That's recommended by the National Cyber Security Centre as a, let's call it a starter for 10 for improving your capability in cyber, cybersecurity and cyber resiliency. Now, there are negatives to Cyber Essentials Plus in that it's a point in time audit of your capability. So on that given day in the area that the auditors check,
[00:18:44] you might actually be compliant, but in another area, you might not be compliant, but it's better to start somewhere than nowhere. And that's a really good way of being able to, you know, to say, well, okay, this is the government and the NCSC's recommendation. So this is a good investment for a starter for 10. And I think if you're a bigger company, you know, if you're in the enterprise capability, there's a good chance you've already started on this journey anyway. And as I said, I think you need to select a cybersecurity framework to operate to.
[00:19:12] I think you need to recognise that there are capabilities out there in terms of already written material. You know, we've mentioned DORA, for example. I think those are very good, very strong cyber resiliency frameworks that can be picked up and learned from and then take a look at yourself. You've got to do a self-assessment to be realistic and say, can I recover from a cyber event? As I said a minute ago, those metrics that you live by
[00:19:42] that are enshrined in disaster recovery, and they're in there for a reason. You've defined resiliency categories. You've defined impact tolerances. So you know how long you can be without a system before there's a serious problem. You might have defined a manual operation, you know, where you've got 20 people that sit in a room and just do that job for so many days. But what's the longevity of that? Can you do that for two weeks, two months or six months? That's the sort of thing that you've got to look at. You've got to look at yourself and say, what are my capabilities today?
[00:20:12] How can I improve them? What do I need to do as a starter for 10? And as I said, I think certainly Cyber Essentials plus the cybersecurity framework, picking up a copy of an existing material, talking to companies like us, you know, people like me are good to talk to in terms of advice and guidance and areas to look at. You know, trying to pick through the stew of some of the things that are out there, like, you know, why do I need a clean room? Why do I need forensic tools when I've got antivirus installed
[00:20:41] or, you know, I'm really secure on the perimeter? Those kinds of things are great. But when you talk to companies like us and we can give you real life examples that say, well, OK, look at what happened to JLR. They probably had all of those things in place as well, but it still happened. And because it happened, what could they then have done to do things differently? And this is where we're looking at now in terms of the practical steps. And one of the other ongoing challenges in cybersecurity is proving the return on investment to the board. And I think a decade ago,
[00:21:11] the board infamously struggled to understand the value in what might happen. But thankfully, that mindset has largely changed. But how can leaders still connect resilience investments to real business outcomes in a way that gets that executive buy-in? Yeah, so it's a real challenge, isn't it? And I think it's not dissimilar to the challenge that we faced when we were trying to secure funding for disaster recovery environments. You know, why do we need that? It'll never happen. And then we did see events that happened.
[00:21:40] You know, go back 30 years and the cited example of disaster recovery was a plane hit in a building. Well, of course, we've seen that happen in real life. We've seen floods because we've seen what happened in Japan. We've seen fires. We've seen theft. We've seen earthquakes, you know, depending on the region that you're in. All of these things cause chaos for DR, which secured funding. What we've now got is really good examples of cyber incidents where companies that you could say with absolute certainty
[00:22:10] had spent a fortune on defensive perimeter and disaster recovery were still exposed and were still down for a considerable amount of time. I think that's a good example to be able to show to the board. But I think the only way you're going to be able to link it to the ROI is by, first of all, running a tabletop exercise. I found that to be really good. When I've run tabletop exercises with C-level executives, their eyes are opened because they don't realise just what can happen. You know, we're running them
[00:22:40] through a real life event where a threat actor gets into the system irrespective and corrupts everything. They can't do anything. They don't know where to start. You know, they can't even get access to the building in some cases if they've taken out access control. So run them through a tabletop exercise, use their existing metrics, like I said before with RPO and RTO, show them what they've got today in terms of their disaster capabilities for recovery, and then play that cyber over the top of it and say, well, okay, that two hours is now two days.
[00:23:09] What does that mean to your business? And that's how you start to show the ROI because most of these C-level executives will understand what it means for their business to be down for 24 hours. But what happens if it's two weeks? You know, suddenly it's orders of magnitude different. They need to be educated on the requirements for a minimum viable company. And that doesn't mean throwing absolutely everything that you own into a cyber secure vault, an air-gapped vault. It's defining a minimum viability.
[00:23:40] What is the absolute minimum that I can have online to continue my business? So that's not every single application, every single person's business, maybe even every person logging on. It's the minimum viability. And that includes technology groups as well. So in my MVC, I'm going to have all of my IT stuff. I'm going to have elements of active directory, networking, storage server, et cetera, and then building up through that stack. Like that's minimum viability. And that's another way of being able to show to the board what their return on investment is.
[00:24:09] Because it's saying, well, okay, you might not be able to get all of this other stuff online for two weeks, but if I can bring up minimum viable capability within say six hours, that's a material difference to be able to continue my business. And it might be the difference between staying operational and folding as a company. Wow. So many big takeaways in your answer there. And if we were to dare to look further ahead, do you think regulations like this will keep pace with the speed of cyber threats, the speed of technological change,
[00:24:38] or will organisations still need to go beyond compliance to truly stay protected? How do you see them getting that balance right? I think it's really hard with regulation to keep in lockstep. And I think we've used a really good example earlier with the Cybersecurity Resiliency Bill and the amount of time it's taken to do that. And we can even say with DORA, you know, DORA is an exceptional framework for cybersecurity and financial services, but it was still years in the making and then another two years to become enforceable.
[00:25:08] NIS 2 is another really good one across the EU. You know, it's a directive, so it isn't immediately enshrined into law. It's taken way longer than it should have done to be enshrined into law, and it still isn't in law in many countries. So I think regulation has proven that it can't keep in lockstep. But the frameworks move the needle, and that's all IT security is, is risk management, is moving that needle. And if you don't do anything, you're going to be in a terrible state. So what you've got to do
[00:25:37] is you've got to take a framework and you've got to start implementing these capabilities. You've got to start giving yourself the ability to have a clean room, to be able to do forensic assessment of data, to be able to do recovery, to have a minimum viable company concept, and actually test it. You know, part of these resiliency requirements is continuous testing. It isn't like a once-a-year DR test. It's a test every week if you can, because it gets it ingrained into people's DNA.
[00:26:06] They understand what it is that they've got to do when these things happen. And I think regulation can never keep up with that, but companies can go further. They can say, well, okay, this is what it looks like today. I need to move that needle, because if there is going to be something different, drive a very different way that cyber happens, we've already seen that at the basic level with DDoS attacks, where it was, you know, sometimes it was a kid in a room just firing off DDoS. Now it's AI that just tries and tries and tries and tries and tries until it finds the hit. That's the difference.
[00:26:36] You know, it's going to be quicker to get into a company than ever before. Once they're in there, they can use AI to be able to laterally move in a very different way and to be able to do data collection in a very different way and gain elevated privileges. So drawing all of that back, number one, regulation's never going to keep up with that. And number two, yes, organisations have to go beyond what the compliance requirement is to stay protected, but you're never going to be 100%. But you have to move that needle.
[00:27:05] I think that is a powerful moment to end on. And we did cover a lot there in a short amount of time. And for anyone listening who equally feels somewhat inspired, having listened to you there, it makes more sense now. And they want to talk more about the UK Cyber Security and Resilience Bill or read more about some of their preparations, some of the things that you're doing at Commvault. I'm sure you guys create a lot of content as well on this. Where can people keep up to speed with anything we've talked about today? Anywhere you want me to point them?
[00:27:35] Yeah, cool. So yeah, a couple of websites. I'd say readiverse.com, which is R-E-A-D-I-V-E-R-S-E, readiverse.com. That's a Commvault website that talks about resiliency operations, which is a capability that we're looking to try and socialize across companies to be more resilient. It talks about AI security, trust, et cetera, how to survive cyber events. And of course, commvault.com, obviously. And then you can hit me up as well. I'm on LinkedIn. Awesome. I'll have links
[00:28:04] to absolutely everything. And please, wherever you are listening in the world, anything that resonated with you, anything that you're doing, you're doing differently or anything you're having challenges with, please feedback to myself or Mark. And we'd love to hear from you and hear what you're doing at the moment. But more than anything, Mark, thank you for sitting down with me, starting this conversation and putting it in a language everyone can understand. Really appreciate your time today. No, my pleasure, Neil. Thanks for having me. Wow. There is a lot in this conversation
[00:28:34] with Mark that stood out today. But the biggest takeaway for me is probably that compliance might tell you what the minimum looks like. But resilience, that is about whether you can actually keep the business alive when something goes badly wrong. And that is a very different mindset. And I think Mark explained it brilliantly today. Too often, organisations have treated cyber as something to prevent, to monitor, to report on. All while hoping recovery plans will somehow take care of the rest.
[00:29:03] But cyber recovery, it's not the same as disaster recovery. Because if core systems, identities, and trusted environments are compromised, the old assumptions around recovery times and failover plans, they can unravel very quickly. And I also thought his point about tabletop exercises was an important one too. Because it's easy for executives to approve budgets in theory or sign off policies that sound sensible. But it's much, much harder to sit in a room,
[00:29:33] walk through a realistic attack scenario and face the actual consequences of what downtime, uncertainty, and slow recovery actually mean for your business. And this is where resilience stops being abstract. And this is also where the conversation around the UK security and resilience bill becomes much more interesting. Because whatever happens next in Parliament and however long that full process takes, the underlying message here is already clear.
[00:30:02] Waiting for regulation to force action is possibly the slowest and weakest response available. The smarter move is to use this moment as a push to assess your own readiness right now. But I'd love to hear your take on this one. Will legislation like the Cyber Security and Resilience Bill genuinely strengthen organisational resilience? Or will the real difference still come down to which businesses decide to go further than compliance and prepare properly before they have to?
[00:30:32] As always, techtalksnetwork.com. Let me know your thoughts on this one and I'll be back again very soon with another guest. Speak to you then. Bye for now.