Transcript
I'm your host, Rick Vanover, the Rickertron. And with fresh perspectives to wake up to, I'm joined by Alan Downes. Thanks for joining us today, Alan. Rick, it's a pleasure. And thank you for having me. So take a moment and introduce yourself and your role. Rick, I'm the Vice President of Incident Recovery for Kindrall Services globally. So I look after the part of the business that takes care of clients' ability to recover from an incident, whether that's naturally or man-made incident. We're all about ensuring that clients can be resilient across the enterprise. Love it. And the planning and the rehearsing, those, in my experience, are probably some of the more impactful parts of that. We'll get into that, I'm sure. So I'm sure you agree, based on what we see here at Veeam, that organizations simply just do not know what they have. And they don't know that until that wake-up call comes, until that moment at, you know, it's 2.30 in the morning, and the subject matter expert is out, and the organization's left trying to figure out what to do. I'm sure you advise clients, hopefully, in better situations than that, but the reality is without those proper planning, the rehearsing, and more, it can get to that. But I want to start with, like, a broad-stroke question. And this is part in the age of AI, but I think when you talk about this cyber resiliency and the practice you and your colleagues lead, I think it's super important to understand, is data trustworthy from an organization's standpoint, meaning, do they know what they have? Can they build more advanced solutions on it? Do they know what they need to recover? Broadly speaking, do you think the data is trustworthy? And feel free to push back on me on that. It's a really interesting question. And when you first pose the question, it causes a reaction, Rick, if I'm honest with you. Because I've come up through the years of working with clients where the data has had to be trustworthy, and predominantly was trustworthy. I think the onset and the acceleration of agentic AI into the environment, into our lives, let's be honest, has put a question mark over the trustworthiness of what we see, what we get in response to our questions. And I think that's also true of the many clients that we work with, where there is now a big hesitation around how trustworthy is the response I'm getting? How trustworthy is the data that I have? And I think it's really important that we help clients understand how they can put in the right policies, the right frameworks, the right guidelines, to ensure a high degree of trustworthiness. Because without that awareness, and without the trust in that awareness, then it makes it so difficult to ensure an operationally resilient enterprise across all those layers of the enterprise. I think the question mark comment that you brought is actually spot on, because I think there's many answers. Yep. I don't think there's a single path. And I think that one of the aspects that goes into how an organization may sort that really depends on skill set. I think it's reasonable to expect that an organization may have added skill sets around agentic AI to solve business problems of today, or possibly even tomorrow. But adding those skill sets of people who maybe don't have years and years of organizational information and background of their particular company's business, so they may not even have that kind of sense of if that's right. I mean, do you think that could be part of the factor as well? I think it is part of the factor, Rick. My observation is we talk about modernization across the enterprise. And in my experience, there's two forms of modernization. There are those clients who layer a modern layer digitization layer on top of legacy, for sure. There are other clients who will literally replace the legacy. Now those clients that have layered on top of the legacy, there's still a dependency going way back to that legacy core environment. So yeah, you may have introduced new applications, digital front-end, the GUI looks great. This is a modern feel, experience, the user enjoys that. But actually, at the back end, there's still those old legacy systems. I'll tell you with time a quick story where one of our clients experienced an outage. It was unknown, unclear what the root cause of that outage was. It turns out it happened to be some very old assembler language code sitting in the legacy environment whilst the front-end had been modernized, great GUI front-end, good experience. Way down there in the legacy environment, there was code that was written by somebody who was with the firm 30 years ago. Guess what? That skill's gone. It's no longer there. So therefore, that created a challenge and it created an issue for that client in terms of their ability to one, identify, but two, be able to respond and fix that issue to get that operation back up and running. So I think there's a definite kind of trust question mark with regards to do you really know and do you have the awareness and visibility you need in terms of the dependencies that your critical business services have, your critical business processes have, right through the entire end-to-end dependency map, yeah? I think that's a wonderful example and what comes to my mind is one of the newest capabilities in the Veeam portfolio, which is the data command graph, which comes with Data Command Center, which comes from our security AI acquisition in 2025. What I love about that is we can visualize a multi-tiered application and really how it flows. Take this example you had, Alan. I think that's fantastic because you could go from like mobile app at a customer down to mainframe or something like that. You can build these types of really, that's what's being built in this layered approach, which is actually kind of scary and I'll tell you a quick story. One of the clients I work with, their internal development team used to joke about, oh, that's BN code, BN, and they're like, what's that, binary number, what's that mean? Well, we found out, they found out eventually what that was, that was Bob Nichols, so Bob would put in custom code, but Bob retired 12 years ago, so it's like these types of things happen every day and I think that leads to a visibility question that it isn't all what it seems and that assembler language example is a good one, but in your practice, do you think that, and it gets a little bit serious here, but do you think that some of the decision leaders and decision makers might misrepresent how much visibility they truly have? I think that's the case for a large majority of enterprises globally. So Rick, there's three things I passionately believe are needed across any enterprise to help deal with the kind of cyber risk or the operational risk that exists. Those three things are having the right visibility and the awareness, okay, trusted visibility, trusted awareness, and that's not just from the dependency mapping, know where your dependencies exist across the enterprise, but it's also awareness in, okay, so if you're a regulated entity and you're reporting on your current health of how well you are and how mature you are regarding operational resiliency and the ability to recover, what do you actually be reporting on? What are you basing that assumption on? Is it the, my completed backup test? Is it my frequency of doing and executing my policy? And we're finding a lot of clients are still looking at that as the assurance that they trust in, in terms of, are they able to recover? And we know that that's no longer the case. It has to be about actually, does it come back? Can I recover it? How quickly can I get my business process back? And by the way, it's not just about the data. It's about the actual application, the platform, irrespective of where that platform might be. It's about the people. It's about the processes. So therefore, there is a shift in terms of making sure that the recovery is the main priority and focus, not just at the app data platform layer, but also at the business critical services layer so that the business can continue and recover as soon as possible. So visibility, awareness is key. The next piece, to your point, making sure you've got the right controls in place to be able to do something about it. You can have all the awareness and visibility in the world, but if you can't do anything about it, then it's pointless. So therefore, we spend a lot of time helping clients understand what they need to do in terms of what are the right controls we need to be able to execute, to be able to trust in so that when we need it to come back, a verifiable clean point data, for example, when we need it to come back, we know we can bring it back, we can bring it back efficiently and effectively. And there's a third element, and that's the skills. We've touched on it. Skills often gets left behind. It's interesting because as we automate, as we orchestrate, as we modernize, and these are all essential things for a healthy business to do. But as we do that, sometimes we often forget about the skills layer. Do I have, and can I retain, can I attract, can I keep those essential skills that I need in order to maintain that health of the resiliency posture across the enterprise? Yeah. Well, shameless plug. I mean, that's something Kindral can help folks with, the skills part of it here. And you hit on so many things here, Alan. One thing I'll highlight on, I'll start on the resilient side of it. I have a phrase, backup for show, recover for dough. And the thought here is that organizations do not know that what they have is recoverable until they try. And so I, true story, I've been at Veeam, this is my 16th year. That's what made me fall in love with this technology is automated recovery verification. I'm just lazy. I want to save time. Let's automate it. And so that was, you know, 16 years ago, but then where we are now with visibility, and then you talk about the stakeholder alignment and the decision process, you know, your team does a lot of kind of the response and advisory for sure. I have a complimenting piece of perspective that comes out of Veeam support actually. So I, based in central Ohio, I talk to the support team all the time about ransomware recovery. How does it go? What's not working? I'll get that into my stories out to people, okay? I want the good, bad, and the very ugly. Anyways, they told me about one of their observed trends, which was shocking to me. They didn't know who's in charge. I mean, the client has their data. They are ready to recover, but they don't know what to do. They don't know who's in charge. Do we declare a disaster? How do we do that? I'll put one little asterisk on that, that usually public sector kind of has chain of command incident response kind of buttoned up a little bit better than some parts of the commercial sectors. But I think when you talk about how you consult people, you've got to really hit all three of those. A skills gap, knowing that it works, and a process around it. I mean, that's gold advice for sure. Yeah, for sure. Yeah. What would you think when it comes to any blind spots in some of these discoveries? I mean, a couple good examples here, but what are those things that will make people wake up to a real surprise? You touched on a blind spot that I see quite often, and that's who's accountable, who owns it. And then there's the element of accountability, but who can actually do something about it. We find that's evolving across the enterprise. Who's actually got accountability to own this? Who owns the cyber resilience, the operational resiliency across the enterprise? I was with a client some weeks back, and I sat in the room. We had the head of business. We had the chief risk officer there in an advisory capacity, an audit capacity. We had the CISO there, the CIO there, and it was an interesting dynamic because we posed the question on a critical business process. How certain are you that you can bring that process back if you have a man-made design cyber attack, whether that's ransomware or malicious malware? Whatever that institution may be, how confident are you can bring it back? The CIO turned around and said, I can bring back the platform. I can bring back the data. I have my backups, so I can bring that back. The CISO said, okay, but how can you tell me if it's not infected from a backup perspective? Is it verifiable from that perspective? The head of business said, that's all very interesting, but I need to get my business process back online ASAP. Here's the dynamic, Rick. They're all doing this in the room. Often, sadly, that scenario happens when the system is down and they're out of business as opposed to figuring it out, designing it, rehearsing it so that they can identify where there is that lack of clear accountability and decision-making delegation that needs to happen to ensure that they can recover, they can restore, or they are protected in the enterprise. For me, that's a wake-up call for a lot of clients. We find ourselves being asked more and more, come in and help us role-play the scenario, the crisis, put us into our positions of being taken outside of the comfort zone, and put us through the whole experience of experiencing a critical breakdown in the business process. We can't serve our clients anymore. We can't give access to their accounts anymore. We can't allow them to book an airline ticket or pay for the airline ticket. You know the many examples that exist. That awareness is critical. I think a lot of people are banking their confidence in their ability to recover on something that needs to evolve and modernize in terms of test, in terms of rehearse. That is something to wake up to, that you are speaking the pure Veeam truth here. I love it. So Alan, one thing I want to gravitate on when it comes to that, I've seen scenarios where organizations have a different blind spot show up. I've seen many memes with, I think you've seen the three superheroes pointing at each other, which is basically what you're describing there, business manager, CISO, CIO. But what about cybersecurity law enforcement? Sometimes organizations can be in an incident, and out of nowhere, they take control of the scenario. It's evidence. It's something that organizations may not have planned on. I've debriefed of scenarios where, again, they have the data, but think of their source infrastructure, you know, theoretically wrapped up with police tape. They can't get in there, right? So you've got to have a plan A, a plan B, a plan C. Is that something you advise your clients on as well? Absolutely. So, you know, it goes beyond creating a verifiable point of time of reliable, trusted data to recover from. It goes beyond bringing back the platform and the application to run it on and the communications to enable it to be used by their clients. It goes beyond that because, yeah, you may have a 12-hour capability to recover from a man-made cyber attack. You may have that, but your production environment is a crime scene, to your point. It's taped off. You can't get access. So what do you do then? So think through the scenario, understand what will happen in terms of what actually needs to occur to ensure that that critical process can get back online when you've got no production environment or access to production environment. This is why we look at models and strategies, Rick, around, okay, give me an alternate environment to go run my production from when that's happening. Give me an environment that I can be assured it's clean from infection or an environment that allows me to use that while my main production environment is down. This is why we have centers across the world, here in the U.S., on the East Coast, in Raleigh, for example. We have a very critical center there that allows clients to not just protect their data in a vault, but not just to verify that data, but also to restore it and run it from that center while they sort out their production environment. Yeah? And that's the business manager coming through, because I have a business to run, and having a center to activate. And I'll give some advice to the listeners here, because in Veeam, it's like, we've talked, especially in our resilient side of the portfolio, about being able to recover data anywhere. And I'll tell you another good story of potentially a problem avoided, Alan, but basically there was a scenario where it's like, hey, my plan B is just recover to the cloud. And the practical advice I'll give to that is, that's great, but don't just run into the cloud, because if you don't sort out billing, cloud security, cloud networking, and account management, and things like that, you're going to have new problems if you rush into the cloud just in a hurry, going and borrowing the CFO's credit card, right? That's probably the worst practice. But whether you take the Raleigh example, or an intentional move to the cloud with the proper preparation, I think what's also important from a resilient standpoint is the moment you make that decision, okay, we're running in the Raleigh center, we're running in the cloud, we're running on our DR center, or such, we got to protect that, because that is now protection or production, that is now in scope of audits, that is now a source of truth. And that is, again, one of those blind spots, I think, that comes up sometimes. Yeah. And Rick, just to add to your blind spot theme, I find as well, a lot of clients aren't testing to the extent to which they need to test. Sometimes that's because they don't have the ability to do that. But often I find a test today doesn't really fully test the client's capability to restore the business critical process, yeah? And I think that's a really important message, you know, don't just put business resiliency into your design from the outset of your modernization journey, or your transformational journey, but make sure you're building the capability to be able to test, test frequently, test reliably, that's a really important thing. And the tests that you're doing aren't your siloed tick box test, but they are truly tests that satisfy the business, that the organization is able to withstand and recover from any of those types of events, yeah? Yeah, and I think what's really valuable about getting that right, Alan, is that organizations can really unlock additional capabilities that you might not have ever expected, much less from Veeam, or a joint with Kindral as well. One example I'll highlight is if organizations really get that recovery verification right, then they're in the business of, well, now I have an analytics environment, and that's a benefit. Now I have an environment to test this very fiddlesome application going from version, you know, 95 to 96, or testing a security update that could be disruptive in production. I'm going to give you a really quick example. This is actually, I want to say, a 15-year-old example. But there is an insurance organization here in the United States. And they had a very sensitive, like, breaks a lot type of application, but it was critical. Back to your example of layering, there's probably some legacy technical debt behind it all. But they had this application get hit by, or not hit, but indicated by an internal security team scan that it was at risk of a SQL injection type of virus, or risk. And they were really, oh man, that thing breaks every time we do anything to it. And they were like, what are we going to do? How are we going to test this? How are we going to fix it? And then, like, in the, you know, back of the room, the Veeam administrator raises his hand and says, well, we have this data lab. We can test it in there and see if it is actually at risk. And then give you an estimate of the steps to do this update. And it turns out it did have that risk. And it turns out they did simulate the update to fix that vulnerability. And then they go back to the business and say, hey, we've simulated the correction of this. It's going to take about an hour. These steps are going to happen. And we expect that this issue will be resolved. I mean, that's the type of confidence I think that the market really needs. Because, you know, call it digital transformation realized, when things go wrong, you know, that game's going to come back on us. Yeah. And let's face it, the impacts of things going wrong today, Rick, are way broader and more severe than they've ever been. Our dependency on that technology layer, the way just everyone here in this building lives their lives, it's fully dependent upon it. And you're at a point now where clients get that wrong, it can affect the GDP performance of a country. And without being too over the top, because it's reality now, get this wrong, you can stop the distribution of some critical infrastructure capabilities, healthcare capabilities, not just about the bank. It's about the critical infrastructure. It's about the healthcare provider. If you get this wrong, you're facing an issue now with you can impact human life, social unrest, et cetera, et cetera. And it's not an exaggeration. There are examples that we've seen in Europe, in the U.S., where that's a reality. So I feel very passionate about this topic, because there are ways to get it right. There are methodologies and frameworks that can be used to improve the health and the posture of the resilient enterprise. I just encourage organizations to step back, think, make sure, in the light of what we see going on around the world today, your organization is resilient. You can continue to serve your client, your customer. And this is why I love what I do, and I'm sure it's why you love what you do, Rick. Because we're in the business of helping clients at their worst moment. We're in the business of helping clients avoid their worst moment. And we're now in the business of stopping clients from going out of business, right? So it's an incredible position we find ourselves in. And I feel very passionate about this, because there is no reason not to get this right. And therefore, making sure you've got the right level of awareness, the right level of visibility, adopting the right capability to give you that, maintaining the right skills and posture across the enterprise is so essential. Yeah. I love it. I love it. I'm going to sum this up, and I've got one final question for you, Alan. Bill Siegel, CEO of Coveware by Veeam, one of the business units here at Veeam, he has a saying, he likes to say, that he can tell in the first 15 minutes of an initial phone call how well or how poorly an incident response is going to go, simply based on how an organization presents themselves on the initial phone call. Does that check out with you? Absolutely. Oh, and by the way, if it goes well for the organization, you typically find that that organization is growing, it's healthy, it's agile, it's outperforming its competition. Because these things aren't just there to provide resiliency across the enterprise. One of the best side effects for many organizations, it makes them more agile, quicker to respond, and more in control of business. I think it's a good outcome, not just for protecting the enterprise, but helping the enterprise grow, and grow profitably. One question for you here, last question. You're walking into a C-suite type meeting, board level meeting. What questions are you asking, and what are you looking to not find? I'm asking about their awareness of how recoverable they believe that their critical business processes are. I'm not asking about the DR and DR tests, and backup, and backup policy. I'm asking, if you lost your core business process now, and it was done by a design to cause maximum impact, how confident are you that you can bring that back? We know organizations recently who have suffered this, and it's eye-watering the amount of money that those companies have lost, reputational loss. Some companies have had to look for funding and help to recover. Some have gone out of business. When I walk in there, it's really about hand on heart, and often to the business owner. It's often to the head of business. Do you really believe you can bring back that critical business service to support your critical business process that you are reliant upon to keep serving your clients the way you want to serve them, and keep protecting your business? You'd probably be a very good poker player, because you can read those answers pretty well, I take it. Yeah. Well, hey, this is fantastic. Thank you so much for being on with me today. It's a pleasure. Yeah. All right. That wraps this episode of The Wake Up Podcast, powered by Veeam. Join this episode and more at a podcast platform near you, and more information at veeam.com.
