Transcript
at the Hudson Yards, I'm Krista Case and I have the pleasure of sitting down today with Emily Telles field CTO with Veeam, as well as Ray Umurely, a field CSO with Colfer by Veeam. Emily and Ray, thanks so much for sitting down with me today. Thank you for having us. Excited to be here. Yeah. So we're here, obviously, you know, we just had kind of the closing keynote here at Veeam on 2026. There's been a lot of hubbub today about sort of this, you know, new resilience model and kind of the era of AI. I understand that you both just had a breakout session. So I thought we could start there and kind of talk about your breakout session, the topics that you covered and some of the feedback. Absolutely. And it was titled When Attackers Use AI Too, which we thought was very convenient for today's overall agenda and keynote, right? Obviously, a lot of organizations are preparing themselves for different AI initiatives. And Ray and I sit at the forefront of having those conversations when it comes to operational resilience, cyber resilience, and now AI resilience as part of this new era. So, you know, we thought it'd be a great little opportunity for us to share what you kind of see, you know, in the field of working with organizations that have been impacted by ransomware or impacted by cyber extortion and what you see specifically around threat actors having access to AI tooling as well. Yeah. And I think the interesting component of it is if we look at the foundations of cyber extortion, encryption, exfiltration, identity compromise, they still persist. But AI has really enabled this at such rapidity and scale, it's hard for organizations to keep up. So what we were really focusing on was AI as an accelerant and an enabler for many of these attacks, not only increasing the complexity for the organizations in terms of response, but also lowering the barrier of entry for a lot of threat actors coming into this landscape. Absolutely. It's certainly two sides of that coin. Like you say, it's enabling attackers to move faster, be more innovative. And then at the same time, it's sort of, you know, shortening the time that teams have to be able to respond to incidents, you know, so maybe we could talk about that a little bit. I know in both of your roles, you're very much on the front lines. So maybe let's talk about sort of what might the North Star be for customers? What should they be kind of striving for? Sure. So from the operational lens, you know, a lot of organizations that I started to have conversations with, it's around, you know, what is your overall business SLAs and what do those look like in terms of your RTOs, your RPOs? Do you know what your most critical data is? And then when we think about something like a cyber incident or a crisis that comes into play, we have those conversations of, well, are your strategies built to sustain or be able to help you in the time where you're going to need to be have operational resilience the most, right? Which is during that time of crisis. And I think for a lot of organizations, there's essentially a reality gap between what a C-level executive or what a board thinks that they are versus somebody who has hands on keyboard. And so we talked about that today in our session with like the age old, you know, do we have backups? Yes. Is that enough? Not necessarily. Because, you know, the proof is that Ray and his team, right, from Cobra is they could show and they could share the statistics of the organizations that weren't successful in being able to recover because they weren't doing the due diligence. They weren't doing the processes. They didn't have the right people in place during that crisis. I think it's a combination. Like we were talking about time to compromise, obviously speed matters. We are no longer talking about dwell times of months and weeks. We're talking about hours. And some of our more prolific threat actors, less than 24 hours from the point of entry to the point of impact. And then it goes into, well, how quickly can I detect, respond, and also ascertain what are my paths forward from this? Can I recover? And are my backups actually recoverable? And that may be something, depending on the fog of war, some organizations can't determine for dates. And what do you do in the meantime? So there's a lot that goes into this where an organization has to really have practice, discipline, and understanding to make choices within perfect information. And I think, Ray, that's a great segue into something I'd love to kind of talk about. So I know, you know, Emily mentioned RPO, RTO, these concepts that in the world of data protection we're obviously very familiar with and that are foundational to business continuity. But then at the same time, on the incidence response side, that's where we start to bridge these teams that we've been talking about and these silos, and we need to have those proper processes in place. So maybe we could talk a little bit about what does an organization look like that is truly operationally resilient, especially in this AI era that's moving at machine speed? I think it's a combination of things. First and foremost, it starts with the organizational posture. So it's really a combination of when you think about these events, and I've often said this to our clients, it's a combination of crisis management, incidence response, and business continuity coming together at the same time. You don't want that first time to be during the event itself. And so there's a lot of constituents that have to know how to work together and how to lean on each other during the event. And that also translates into sometimes the confidence gap with those RTOs and RPOs, where in isolation, that four-hour recovery window probably makes perfect sense, but when you factor in all the other dependencies and so forth, now that extends that duration considerably. And so I'd love to understand as well, what does this look like? So again, we talked sort of the adversarial perspective of AI, but what about even within the organization if they have an AI agent or just an AI model that may have touched or impacted data? What does the resilience look like from that standpoint? You want to go first? I was going to let you go. So I think the challenge with it comes back to kind of the visibility and observability. What was the data, what was the identity associated with that data, and what do they actually have access to? And I think that's a challenge for a lot of organizations today, and it's actually a challenge that's been consistent and persistent for decades. When you just think about data management in general, who had access to a file in a SharePoint or a OneDrive or a FileShare, well, now you have agents moving at machine speeds that are accessing that same information, and how well do you know? So I think one of the things that we've been talking about a lot today is how can we give better visibility, connect that dot around access and identity with the data itself and make data the true anchor point. So one of the sessions that I covered today was around AI agents, and it was all around this concept that in the future, we're going to start seeing 82 to 1 in terms of AI agents to human identity, but then we also start digging into more of the data, and you start seeing over-permissioned AI agents compared to the roles that their human users have, right? Because you have organizations that are so excited to move fast on innovation and receive productivity gains, receive competitive advantages and whatever it is, that a lot of the security, the cybersecurity strategies and metrics and the posture kind of fall to the wayside, right? And so we see that act out in news. We see organizations that have failed to have better mitigation strategies, that had exposed themselves by misconfigurations or from access uses that have been utilized from different adversaries. So, you know, for a lot of organizations, it doesn't go back to the non-human identity isn't someone that you can point blame to, right? There's still going to be a human in the loop. So you're still going to be at fault no matter what the crisis ends up being. And so it just becomes another conversation of you still need to understand your data, you still need to have a practice or strategy in place to protect it, and you still need to have a defensible posture where you can prove without a doubt, this is what happened, this is why it took place, and this is what we did to mitigate it. But the new piece for Veeam, and Emily, I'd love your take on this. I know you have a very rich history at Veeam. And today I've had a number of conversations around the role of identity, you know, in this context. And for Veeam, again, traditionally very much in kind of the data security, data protection side of things. You know, there's a natural correlation there to be able to facilitate secure access. But, you know, what does that mean for Veeam and your customers? I'm sure you're getting a lot of questions about how to facilitate that secure governance over access. Sure. So Veeam has always been rooted in resilience, right? It's always been something we've been focused in on, even going back to how we look to protect customers' identity environments today, Active Directory. What are some things that we could do around the users, the roles, the group policy objects, in-tune policies, right? Protecting all of those different assets and attributes within an organization's identity, and then being able to recover that, or even just change tracks and track any changes that are happening between what was in backup versus what's in production. That was kind of the core piece of our resilience story. And now with the acquisition of security AI, right, we're leaning more into the let's understand, let's provide context, let's make sure that, you know, that whatever we are doing around the identity for a recovery aspect, it actually matches what the governance structure should look like, right? And so we're trying to provide that context back to the organization, because, and I'm sure Ray will speak a lot to this, right? Identity is the crown jewels for a lot of organizations, especially from a threat actor perspective. They know that that's the one thing that they should go after and go target, right? So having a good access and governance policy is critical, but also having a good resilience strategy where you can prove that you've contained, you've eradicated to lead to a clean recovery is so much more important, too, when we talk about it in terms of cyber threats. I think what I would add to that is identity quietly became the central nervous system of everything we do. I think it's an oversimplification to just call it identity, because then we equate it to like credentials. But it's every secret, token, integration, privilege, access. And so when we look at exploitation by threat actors, every breach that I see starts with a compromise of identity, and every successful recovery gets back to getting safe and confident with identity, again, so you can actually proceed. And so that becomes a cornerstone to all these organizations navigating these events. Yes. Yeah, and Ray, I know Cofare does some research every quarter. We were talking about that off camera before we kind of started rolling today. So certainly we're seeing as well that identity is the new perimeter, and I love the way you describe it as a central nervous system. Can you talk to how that's playing out in the quarterly research that you do on threat actors? So what we've been finding is actually, we used to report kind of like, and we still do to some degree, individual attack factors, remote access compromise, software vulnerabilities, social engineering. The reality is these have all collapsed, because many of these become predicate activities that lead to the compromise of identity that allows access to the system itself. And so I think when you think about it, it's easy to say it's this one attack factor, and I can prevent that. I'm good. But it's a multifaceted attack path all focused on that identity piece. And the way we're seeing sophisticated organizations most likely compromise is through those social engineering attempts through things like IT support impersonation, and not necessarily just stealing the credential, but more so stealing the authorization and access associated with it. So if I can get you to do something on my behalf, that's just as good as me having that credential myself. Absolutely. Absolutely. So maybe we could also talk to kind of the role that incidence response plays in resilience, right? Because I know there's kind of, we talk about resilience, recovery, incident response, right? And I know we talked a little bit earlier about the fact that incident response is going to involve people and processes and things like that. But now that it's been two years since the Cobra acquisition, I'd love to kind of understand how that's all coming together, and the role that you see Cobra and incident response playing in this new era for AI resilience. So there's a couple of different components to this, and I think when you think about actual recovery resilience, there's people, process, and technology. And I think Veeam has been a rock star in terms of providing the technology to allow for recovery. But some organizations have struggled on the people and the process side. I think Cobra's primary benefit has been adding in kind of that decision discipline, that understanding, that preparation of how do these individuals work together, and what are the thought processes and decision calculus that I apply in these events to make the right decision for my organization to stand back up that may not lead to paying a cyber criminal at the end of the day to do so. And so that's been a key component of our contribution, which is extended to thought leadership, it's extended to client conversations, resiliency workshops, a whole host of things that we've done with Veeam post-acquisition. But I think as we look at AI, the same process applies. AI hasn't necessarily created new risks, going back to what Emily said, it's accelerated and exacerbated existing ones. And it still goes back to what we see on the front lines translates into, okay, data theft, well a lot of that data theft is driven about not understanding the data and who has access to it. Same thing with encryption-based attacks and how likely are we to recover, do we have validated backups, and so on and so forth. So it's really turning that frontline threat intelligence into real risk indicators that help organizations make the right decisions. And that's where, like we've been talking about, that context aware becomes very important because it really helps to tell that story of where the key points of risk are. And McMurray, especially given your role as sort of a CISO, I'm sure that you're feeling that pain that you need to be able to sort of find those needles in the haystack and understand where those critical points of vulnerability are. Well, and that's one of the ongoing challenges. I was CISO, sitting CISO for 20 years in different private enterprises, and of course being at Cove where I see this all the time talking to my clients, and the challenge goes into there is so much noise. And how do I identify where I should be focusing my lenses and my prioritization and my resources? And I go back to, at the end of the day, the biggest thing is focusing as data as the anchor point, which is one of the things we've been focused on here. Because regardless of endpoint or network device or whatever, what's traversing across that is the crown jewel. And that's where data comes into play. And so the better you can understand where it is and how important it is to the organization and applying that context, context is absolutely king, the better you can actually prioritize your defenses to protect that critical information. Because not everything is created equal in this space, but that is what the attackers are going after. And that's where the security acquisition is going to come into play in providing that visibility and the security posture. Absolutely. And even from like, take a step from what you just mentioned, right? The technology is always going to be there in terms of what's going to help customers better understand risk, quantify it. But even what we talked about today, the new data AI trust maturity model, right? A way in which we can gather and capture all those stakeholders into the room and do self-assessments and kind of guide us on where are we at today in our operational resilience journey, in our cyber resilience practice, in our AI initiatives, and what is happening there inside of each one of these projects. Well, a good way to do that is by capturing all those key stakeholders, capturing anybody that's a data custodian and actually having those frontline conversations of where are we at? Who has access? What is critical? Do we have pathways to recover? Do we not? Are we missing different checks within the systems? How old is the processes? Have they been tested, right? So it uncovers a lot of these conversations, which it's an opportunity to build that muscle memory that maybe they wouldn't have done until a crisis would have hit. Well, and the other thing about that, and I see this with tabletop exercises too, but this is why I love the maturity model, is it forces you to answer questions you probably have not asked yourself. Because a lot of the overconfidence that we see is because we're asking ourselves the questions we know the answers to. We don't want to look bad in front of our executives and our board. But when you have to actually have an introspective look with a candid lens and say, am I really prepared for this? It changes the conversation completely and really helps to identify those opportunities to improve. Yep. Absolutely. And maybe we could talk a little bit about sort of the development of the AI resilience model that being kind of announced today. I know, Emily, you've done a lot of kind of roundtables with customers. I know that you've had a lot of engagement here. One thing I'm interested in is, again, how do we really unpack what makes this an operational reality? And maybe you could talk about that process of customers and where customers sort of feel like they're at these days. Oh, absolutely. So when we first announced this, this was at VeeamON last year, which was the first version, which really took a big focus into the overall data resilience, right? And now as we move into the world of AI, we know organizations are trying to, they're either fast moving, depending on the state that you're in or the country that you're in. You'll probably find that some organizations are moving fast and acting on different types of AI initiatives, whereas some organizations are still kind of like, well, let's kind of wait and see. We have to really kind of think about how we're going to measure this process. What's the ROI benefit, right? So what the data, what this maturity model is going to do is actually help to surface any of those risks, any of those gaps, any opportunity in which an organization can be better. But the best part is that it is self-assessment, right? So you are answering based off of your data and what you understand about it, right? But then it's also going to others that have more access, those that have hands-on keyboards, those that are more familiar with the regulations and the other compliance rules that they'll have to adhere to, right? Because for some organizations, maybe they're not aware of the different regulation policies or the penalties or the fines that they have to go and they have to report. And now all of a sudden, they're, you know, rushing to recovery. They're destroying forensic evidence that is putting them in a worse situation than what they need to be. So the maturity model process that we do to raise point gives us an opportunity for those organizations to sit down, have those full-on conversations about where they truly are and assess that risk and assess that value. And majority of the times, it does turn around into, well, we are missing very critical data and very critical assets. And so then it almost turns into an opportunity to do something as simple as business impact analysis. Let's go ahead and let's start that process. And then we're looking at our partners and GSIs and other vendors to come in and help provide that value for those customers so that way they're not doing it, you know, themselves or in silos. So the DRM, it is an opportunity just to have really great conversations. But then the outcomes to actually put together based off of that and have all the stakeholders agree to those metrics is one of the biggest successes that we've seen so far. And if I could add one thing to that. With the DRMM and any sort of assessment like this, the intention is go in expecting not to have all the answers. Yes. This isn't a pass-fail scenario. This is the opportunity, again, identify those gaps early and often because it's better to do that in peacetime than during an active incident itself. And can you talk to how it might adapt over time? I know AI is kind of changing the risk landscape very quickly. So maybe just a comment on how you might envision that evolving working with customers and partners over time. From my perspective, I think part of it, and again, this goes back to the data and AI trust convergence that we're talking about here today, is just understanding the velocity and scale at which this is being adopted, being utilized, and the data sprawl that already exists. The toothpaste is out of the tube. Now what we have to do is try to put together the technology and the processes to try to identify what's there in our estate, what risk we've already exposed ourselves to, and what potential ways do we have to claw back, recover, and so forth. So I think the reality of this is helping organizations to realize, I need to move faster than I am today. I'm not ready for this problem. And any existing backlog or debt I was carrying, well, the payments are going to come due very, very soon. No, no. I agree with that 100%. I think for a lot of organizations, they're uncovering, or they're finding out the hard way that they didn't do the due diligence, that they didn't put best practices in place. And so they're uncovering all of these other gaps that they're now having to try to patch on the fly in order to continue to drive forward, when the reality is, though, you need a strong foundation. Absolutely. And so what Veeam is building today, and what we've talked about around the Veeam data AI command platform, is having that strong foundation. A strong foundation that's built on resilience from a 20-year organization that's been through multiple types of crises for organizations to help them recover, and then adding on those additional pillars in terms of adding on security, adding on governance, privacy, compliance. Those are all going to be symptoms in which that help an organization get to the outcome of data and AI trust. And it will also break down those silos that traditionally exist, because that shared visibility cutting across the organization, across all those different departments, that's going to be hugely beneficial for organizations. Absolutely. Well, Emily Ray, it's been a jam-packed day. We've covered a lot. Any closing remarks before I let you go here for the evening? Yeah. The only closing remark is that if you haven't had the opportunity to take the data trust and resilience maturity model right, definitely go and do that. It is a free assessment, so that is an opportunity for you to have that conversation with all stakeholders. You can just reach out to your Veeam account manager or whatever it may be, and they can help you with finding it. But thank you so much for having us today. I appreciate it. Yes. And my only closing thought is going back to what we were talking about with the overconfidence. Recognize that it exists, and the best way to really overcome that is to have a realistic conversation with all your stakeholders about where are we truly, whether that's the maturity model or someplace else. But do that now. Don't wait for the crisis to emerge to really evaluate your capabilities. Absolutely. Well, Emily, Ray, such a great conversation. Thank you so much. And stick with us. Dave and I will be right back in just a couple minutes with some closing remarks from the overall VeeamON. And again, this is VeeamON 2026 from the Convene here at Hudson Yards in New York City. Thanks so much.
