Ransomware, AI & "Minutes to Meltdown": A New Strategy for Resiliency


Do you believe your offsite backup will save you in a ransomware attack? In this episode, Chris Mierzwa (Senior Director, Commvault) reveals the critical blind spot in most resiliency plans: the dirty restore. Chris shares what happens in real-world simulations where teams restore an infected backup, only to "see it reinfected within seconds later". The discussion goes beyond just tools and backups to cover the "people" and "process" gaps highlighted in "Minutes to Meltdown" tabletop exercises. These drills often expose critical failures, like the recovery plan being encrypted along with everything else, or no one knowing who's in charge.

Questions asked:
00:00 Introduction
02:20 Who is Chris Mierzwa?
03:20 The "Dangerous Assumption" That Backups Will Save You From Ransomware
06:20 Why Traditional Backups Are No Longer Enough
08:00 Attacker Dwell Time: 14 Days or 200 Days?
10:25 What is "Minutes to Meltdown"? A Ransomware Tabletop Drill
11:30 Exposing Process Gaps: "The CISO is on a Cruise"
13:30 The "Dirty Restore" Problem: Re-Infected in Seconds
15:10 "Recovery Range": A Real-Time Attack Simulation
16:40 What is "Clean Resilient Recovery"?
17:25 The Simple Mistake: The Recovery Plan is on an Encrypted Drive
18:30 Defining "Minimum Viable Resiliency"
21:25 The Cyber Insurance Dilemma: Is It Even Worth It?
25:40 Building a Resiliency Strategy for 2026: Tools, Process, People
30:20 How AI Changes the Backup & Ransomware Game
32:20 The New Threat: Attackers Stealing Your Monolithic AI Model
34:15 How Resiliency Architecture Needs to Evolve for AI
37:00 Should the Board of Directors Do a Ransomware Tabletop?
40:10 Final Questions: Drones, Guitar, and Tokyo Sushi

Chris Mierzwa: [00:00:00] We actually put people through a real time event and say, I'm gonna choose a backup restore. I'm gonna choose a restore point. And invariably, of course, that restore point's dirty only to see it reinfected within seconds later drills that point home.

Ashish Rajan: Most people just believe that, Hey, I have a backup that is offsite.

I should be fine in case I was impacted by ransomware.

Chris Mierzwa: Dangerous would be probably almost an understatement. It's an all caps directive.

Ashish Rajan: It's another term that kind of floats the internet is a whole minutes to meltdown. What is that about?

Chris Mierzwa: It is amazing when you ask those folks to play those roles and say, do you know what your job is?

Oh, whoops. The CISO's out on a cruise and not available. Who's that backup?

Ashish Rajan: Do you feel boards should have a ransomware tabletop as well?

Chris Mierzwa: Can you imagine a supply chain? A bad actor doesn't even have to go and worry about all of these diversified things that they used to. If they're smart enough to figure out you have a monolithic model, they can exfiltrate that and query it.

They're like, this job is so

Ashish Rajan: easy. [00:01:00] Ransomware. Every time people hear this word, they always think, I've got my backup. I should be fine. Now, this is probably far from reality in today's complex world where we have on-premise cloud containers now AI as well. So the definition resiliency has changed quite a bit.

I had Chris from Commvault. And he spoke about some of the changes that he's noticing with the customers he's talking to in terms of how they approach resiliency, what change is required, what are some of the challenges, especially in a world where cybersecurity insurances do not want you to pay ransomware.

You have governments who are coming up with policies that makes it illegal for you to pay ransomware. What does resiliency look like in this particular world and how would you use that to build a strong foundation for security strategy that at least has a minimum viable resiliency your architecture, all that, and a lot more in this conversation with Chris from Commvault.

If this is your second or third time enjoying an episode of Cloud Security Podcast, definitely give us a follow or subscribe on whatever platform you're listening or watching this on, whether it's Apple, Spotify, YouTube, LinkedIn. I really appreciate you [00:02:00] supporting the work we do and I look forward to talking to you more.

Enjoy this episode with Chris. I'll talk to you soon. Peace. Hello and welcome to another episode of Cloud Security Podcast. I've got Christopher with me. Hey man, thanks for coming on the show. Yeah, you're welcome

Chris Mierzwa: Ashish. Thank you for having me.

Ashish Rajan: I'm excited for this conversation because we haven't covered this topic, at least in detail so far.

So maybe to kick it off, can you tell us a bit about yourself and where you are in your professional background?

Chris Mierzwa: Sure. Yeah. A little, uh, background about me. I've, uh, been in the industry in IT for about 30 years. Kind of grew up. First at a couple of large companies in the engineering space, and then realized sales and pre-sales was the real magical, uh, area I wanted to spend my time in.

And was lucky enough to be in the global reseller community for, well, almost 25 years. And, uh, ran sales, pre-sales, post-sales, and spent most of my time over the last decade really being a, a chief technology officer. For a global system integrator. So a lot of opportunity to sit with [00:03:00] customer executives almost four or five days a week, hearing the good, the middle, and all things that need to be improved and, uh, and, and love that, especially hearing that client feedback and, and helping work on opportunities.

So that's just a quick about me.

Ashish Rajan: And thank you for setting that up as well. You're, I think, welcome the topic that I had in mind for our conversation. Uh, I mean, it's top of mind for a lot of people. Ransomware is a big thing. A lot of times people talk about the backups and most times you hear that, Hey, that won't happen to me because we have backups, so we are covered.

And usually, uh, and I think you and I were talking about this earlier and how that could be a dangerous assumption by a lot of people. Could you share a bit about why in today's world is that a dangerous assumption to be made by people?

Chris Mierzwa: Yeah. Yeah. Dangerous would be probably almost an understatement.

It's an all caps directive. Uh, just as dangerous as assuming there would never have been a Spinal Tap 2, 40 years later. Okay. Just to keep this [00:04:00] really relevant and I'm so excited I just had to say it, you wheel back the wheels of time and you think about, Hey, I have backups. I feel confident. It didn't matter if you were on tape or back in the day at the bleeding edge of disk, clearly for quite a while.

Now, that is not good enough. I mean, you can have all the backups in the world, right? Let's talk about a couple of challenges. One, it doesn't really matter if you have an operationalized executing the restore. I'll make a quick comment there 'cause we're clearly well past this point. But there are those enterprises, Ashish, that you still have conversations and you ask how often do you test your resiliency?

And you'll either get back kind of heads dip. 'cause they're looking somewhere for an answer and they really don't have it from a time perspective. Or they're like, well, we work with Iron Mountain, or We work with Deloitte, or we work with the reseller of our choice and they tell us to do it twice a year, [00:05:00] but we don't have the time for that.

And that was a difficult answer to get behind a decade ago. Today, it's just not even in the 3D space of acceptable, it's nowhere in the quadrant, right? You cannot permit the double negative: test your resilience. And it's not just about the backups, of course, to your question, it's about do I have isolated copies that are immutable. And if I don't have immutable copies, then I could just be in a mode where I will be perpetually restoring anomalies. And of course we know where that gets folks, that the frustration wheel, hamster wheel, if you will, spins till it almost pops off the bearings. So you have to have the right type of copies and you have to do the testing at some appropriate regimen. Look, if you can't do it twice a year, then [00:06:00] figure out a way to do it once a year. But you know, I'll, I'll just stop there. I could go on a whole rant, but you know, I haven't taken all of my medication this morning.

Ashish Rajan: No, I was gonna say, why do you feel there's a barrier?

'cause I mean. Obviously backups have worked for a long time. Yeah. A lot of people have relied on them for a long time. And why or, or is there something missing in the traditional way that we have always backed up? 'cause in, I'm even thinking about the fact that these days we just don't have data centers.

We have data centers cloud and throw some AI data in there as well. If you want to. So is that because things have changed or what's different? I mean, why is it traditional backup not enough?

Chris Mierzwa: Yeah. I mean, there's just too much acceleration of technology as we all know. I mean, we can't even, I mean, look, you do this for a profession.

I've watched a number of your podcasts, they're, they're incredible by the way. You have a incredible mix of people on week to week, and then you just look at the variety of telemetry coming both positive and challenging, right? Co coming at today's IT leaders. It's just [00:07:00] pure speed that's occurring today and all tech is causing this challenge.

And I would say that, you know, if you look at standard backups or even when people thought, wow, I've got this nailed, I, I can, I can back up, I can restore specific things that probably works well for most enterprises. And frankly, most enterprises have automated the, the ability to recover small bits here and there for an end user.

But that's not what we're worried about anymore. We're worried about complete enterprise shutdown. And not to rattle the saber, but right, I mean, we're talking about our entire enterprise being held hostage, not Sam or John, Susan's or John's three files or two directories that need to be restored.

And if we are not prepared, having the conversation from the bottom up through the top of the chain that we, it's not a matter of if, it's a matter of when, and I know everybody says that, but I don't feel everybody takes it to heart. [00:08:00] Ashish. I think that's part of the challenge. They just don't actually ingratiate that term.

Look at it in the tough way. You have to allocate the expense and more importantly, allocate the rigor that you need to be able to be ready. So

Ashish Rajan: do you have some numbers on how long does it, because I mean, I guess there is some numbers that float around in terms of if you leave a username password on the internet.

I don't know, less than half an hour. And people have already started, tried at least, might tell people on the internet have tried your username password. Is there some numbers that you have for these kind of impact windows for something like a ransomware or similar, why and why backup is important?

Chris Mierzwa: Yeah, I mean that's, it's a great point. Like how long is this happening? What's the dwell time? We hear this term, right? I mean, there's all kinds of stats. Let's talk about dwell time for a minute. The nefarious actor gets in there, hunkers deep into the old cave, doesn't come out because they're just sitting in your enterprise.

I mean, some studies show [00:09:00] there's an average of 14, 15 days. We have other studies. Of course, you could whip out a ton of studies. You pick your, your, you know, your, uh, analyst group, if you will, that it could be as high as a couple hundred days. You could debate the number of days in dwell time, whether it's an exposed password, to your point, whether it's inflicting pain upon some particular firewall.

Or whatever could be the weak point at that particular enterprise or an API that's exposed. I mean, go down the entire list. The point is whether it's 14 days or whether it's 200 days, it's going to happen. Frankly, it's a little scarier when it's longer triple digit days because most likely the reason they've been sitting there is because they've been doing a ton of both vertical and horizontal movement.

Amongst the enterprise, they're looking at everything and if they're spending that much time, there's something worthwhile there for them to wait and execute on. [00:10:00] And so look scary. Yes, but it's about having the right tools. It's about having the right rigor Like we, like we mentioned, but I wouldn't get as hung up.

A lot of people get hung up on, oh, they did the dwell days. It doesn't really matter because when the bad news hits. Yeah, you may want to do forensics and you're probably going to figure out how long they were in there, and that will determine what you have to reach back for to restore resilient enterprise, or at least get the minimum viable company back up and running.

But that's not gonna change the the sheer, anomaly that exists and the all hands on deck maneuver that has to take place, right. Once that happens,

Ashish Rajan: is it, I 'cause another term that kind of floats the internet is a whole minutes to meltdown. What is that about then?

Chris Mierzwa: Well, sometimes, not all the time, but sometimes, you know, the only way I, I look at this both in our personal lives and, and our professional lives, it's tough.

To really instill or, or have a realization of how [00:11:00] rough one of these can be if you don't actually simulate it and actually dig a little into the psyche of, you know, this is days going great, immediately the day looks a little unstable, and it's not just a little unstable, your entire enterprise is gonna go down.

So when we do these Minutes to Meltdown, what we're trying to instill in an hour that we try to keep 'em concise, we give small group tables, they each take a role on, so CISO, CIO, CTO, General Counsel, et cetera. And it is amazing when you ask those folks, even if those are not the actual people at the table to play those roles.

Say, do you know what your job is? Do you know what the call is? Oh, whoops. The CISO's out on a cruise and not available. Who's that backup? Who has the authority? Who has access to certain things that should be done? So as you start rolling all of this out, [00:12:00] it is amazing. I don't wanna say the terror, but let's use that for excitement.

All of a sudden you see the faces going. We have not really discussed any of this. We have not prepared for these type of questions, and these aren't the difficult, difficult ones, right? We're not talking yet about restoring systems and actually bringing bits back online. We're just talking about what is the right escalation, who's responsible?

Who takes the ball? What are the outbound communication methods? So we try to hit on all of that on Minutes to Meltdown and make sure that when folks leave, the takeaways when they go back to the enterprise is usually we hear a couple things. Number one, we need to do this with the C-suite in the room because if we had challenges answering some of these things and we're the ones expected to understand the detail, I don't think.

At least they say with a nice voice. I don't think our executive team may [00:13:00] understand all the different roles and responsibilities, and therefore they need to get communicated downstream to the folks like us who are actually running the enterprise from an IT perspective. So anyway, it's an interesting thing.

It's fun. It's also a little, little nerve wracking, but that's what you want from the day. You want people leaving, going, we need to make some change, some positive change.

Ashish Rajan: As I was researching this particular topic and ransomware thing as well, 'cause obviously AI cloud, all these top mind for a lot of people.

Yeah. One of the things that I came across was the whole notion of at least, uh, that was the first thought, the with first question as well, where most people just believe that, Hey, I have a backup that is offsite, so I should be fine in case I, I was impacted by ransomware. And most people also think ransomware is only on data centers, but it happens in cloud and other places as well.

A lot of people rely on their recovery, but I was told, and at least in the research that I did, these days a lot of people keep restoring from dirty [00:14:00] data. That they, without even realizing, they're backing up dirty data. Can you share a bit about that as well as to what do you see there?

Chris Mierzwa: Yeah. Not to mention another thing we do, but I just in passing, we, we, we do another version of this called Recovery Range. And in, in that, it's a real live scenario. So unlike, unlike Minutes to Meltdown, which is really just exposing what we just spoke about, like who's in charge, how do things have to go, what are the order of events?

We actually put people through a real time non simulated event but the short circuit to where, you know, your question, you look at that. They make a decision in that simulation or that that that real life scenario in this overall simulation, if you will, and say, I'm gonna choose a backup restore. I'm gonna choose a restore point.

And invariably, of course, that restore point's dirty. It still has code fragments that the bad actors can use to move both horizontally and vertically within the enterprise. [00:15:00] Yeah. And it's not that they don't know that. But when they see it in real time, they actually do the restore. They go up the website's up.

This is incredible. We're back online selling whatever we're selling or you know, helping people or whatever it is the fictitious company does. Only to see it reinfected within seconds later drills that point home. Now there are some actors who will do that, as you could imagine, and not do it seconds later, they'll give you even a false sense of security and hold off, which is even more challenging.

So you have to combine that with appropriate forensics. And you need a place to do that restore in a penalty-free environment because if you don't have a penalty-free environment, how do you really do appropriate forensics on where to bring the enterprise back up. Right.

Ashish Rajan: Yeah, I mean, so I, I'm glad you shared this as well because I think the two workshops that we've been talking about, the Minutes to Meltdown and the recovery one as well, I feel a lot of leaders need to kind of simulate this with [00:16:00] their board.

I mean, they can go with with you and other people as well, but they probably still should think about doing this themselves because, to what you said, a lot of people don't even realize the responsibility they have when things go bad and this is making me even think, how do you even know when data is clean?

Like clean recovery is, is that a word as well? Like, I mean, there's data, dirty data, but is there clean recovery as well?

Chris Mierzwa: Yeah, I mean, you know, it is, in fact, there's some new terms. We won't mention the names, but as you can imagine, all of the analysts are always looking for a new, clean, resilient recovery or something.

Throw a T in there, maybe an R, gimme another vowel. Ashish, I don't know. Let's just try 'em all. It doesn't matter what term you'd wanna use. To your point, if I don't have a plan from beginning to end for full, clean, resilient recovery, or some would say, well, clean's superfluous because a resilient recovery should mean that implicitly, whatever you'd like to choose.

Yeah. [00:17:00] That is the plan that needs to be executed on, and you need the right tools, but before you even get to the tools, because I, I think we'll probably chat about this, but you over tooling and everything else, my goodness, that's a whole other topic, but. Before you get to the tooling, you hit on it just a second ago.

Who's who in the zoo, if you will, who has the responsibilities? What are the backups? And it's really amazing that even some of the fundamental pieces that have to exist, like we were running one of these, it was a tabletop. Right. The tabletops are fantastic. Again, something you need to do for lots of different parts of the enterprise.

And somebody said, well, where's our recovery plan? They're like, well, that's, that's a no brainer. We keep the recovery plan on Dropbox or Box or OneDrive. They're like, you mean the one that just got corrupted? That's where the copy of the, that's the copy. No, no. Don't worry about it. I keep it in two completely different directories.

Sounds great. Keep it in five. If they're [00:18:00] all, if they're all encrypted, you're not getting a copy of it. And so it's simple things even, I don't wanna say little because the recovery plan's not little, but not having a version that's immutable and somewhere that you know is going to be clean is going to cause a jumpstart problem right from the beginning.

So just one little example of all of the details that need to be knocked out when you're thinking about one of these resilient recoveries. Just jumpstarting it.

Ashish Rajan: And do you find that people, is this where the barrier maybe comes in between how a CIO or a CEO thinks about recovery? And I guess because for a lot of people just assume they're happy to take the risk.

Because everyone just assumed someone would take care of the backup. Someone is testing the backup, right? Is that where it gets lost? And that's where the barrier for resiliency comes in, because I almost feel like for a regulated company it is kind of like a default. They would have a backup.

Recovery is, I don't know, I how many tested, but they're definitely a backup in most places. And that's kind of where the whole, Hey, I, [00:19:00] I mean, I've got backup. I should be fine. Is that where the resilience comes in as well for our, is that where the barriers are for a CIO or a CISO or a legal team to be able to work in this world?

Chris Mierzwa: Yeah, I'm glad you brought the legal team. You did it. You used the L word, and now we're gonna talk about that because to your point, if you were to interview different individuals in isolation,

Ashish Rajan: yeah,

Chris Mierzwa: there's varying degrees of where they think they are. I mean, it's very possible. In your example, the CIO says, are you kidding me?

Solid recovery plan. We understand how far back we take snaps. We understand immutable, we, we've got this. Let's assume they've even got, and they tested it. Have they vetted all of those plans? With general counsel, with sales, right, with operations, teams beyond IT. And, and you hit on a magical point.

If you don't have the appropriate coordination across all of the businesses, what [00:20:00] IT may feel is viable recovery or resilient recovery could differ from what other executives running various parts of the company could feel is a resilient recovery. Now, everybody's probably gonna feel their part of the business is the most important to bring up first, but clearly there's somebody who sits at the top of the pyramid who gets to make that call and make the decision as to which pieces come up.

And I think that's another, another big, I'll make a small tangent here, is that if you don't have those priorities set out. And well understood by everybody, right? You have two challenges. You're maybe overreaching on your minimal viable resilience that you're aiming for, and that only leads to frustration.

And a team that's already gonna be highly exerted when one of these events comes up. In fact we have an interesting panel coming up at our, [00:21:00] our client event in November where we're tackling the three major components that happen during any of these attacks, right? You've got tools. You've got process and you have people.

Mm-hmm. And they're all critically important, right? The people piece is probably one of the most overlooked. But you can imagine people already are in a stressed mode in one of these resilience recovery mechanisms. Can you imagine if you're overshooting what the CIO really, or I should say the CEO really wants for minimum recovery.

That doesn't mean you're not gonna have to do it all, but if you're trying to do too much with a team that's already gonna be stressed, tired, et cetera, that's where you need to tighten down those minimum parameters. And so that's something we focus with clients on a great deal as well.

Ashish Rajan: Oh, I think, uh, the, the whole legal thing also reminded me of, um, when I was CISO, one of the things that I came across was cybersecurity insurance.

Yes. And the coverage for it. Mm-hmm. How it [00:22:00] relies on the fact that how much backup you have and well. There's an assumption made someone in legal or accounting or somewhere else, not the ciso, someone else is basically filling out the form for insurance, right? For cybersecurity insurance. What is what?

And I think the email that you get as a CISO is that, Hey, by the way, do we do backups? Oh yeah, yeah. Good good. Okay. And then move on and like, yeah, we cover backup for everything and you get cybersecurity insurance for, I don't know, if you have assets of what? $40 million, the insurance coverage is only for 10 million because no one wanted to pay the extra premium or whatever for the service.

Like, no, it's only 10 million. George, don't worry about this. Like, right, because I already most cost efficient and I, because that made me smile as I said that because you were using the word minimum viable recovery. Yeah. And I'm, that to me was like, is that what you mean by minimal viable recovery?

Or what do you mean by minimal minimum viable recovery? And how do people define that?

Chris Mierzwa: Yeah. Well, that's the thing. I think that's something you have to work with every, everybody's different, [00:23:00] right? I mean, we could, we could even stay in the same vertical.

Ashish Rajan: Yeah.

Chris Mierzwa: Distribution, manufacturing, distribution.

And we could probably line 10 reasonably sized manufacturing distribution companies up. And of course, depending on what they do, what leadership wants. That minimal viable resilience, recovery point, whatever that is on their spectrum, you're gonna find some similarities and you'd be like, wow, there's some big differences.

But that's okay. Maybe the board or the CEO has particular areas that they're like, we can live without this for a little while. We cannot live for more than a day here. And of course, putting numbers on that in general is difficult enough wrangling the T's and C's of cyber insurance, which I'm no cyber insurance super expert, but I did stay at a Holiday Inn last night, so that alone makes me qualified to answer this.

The fact is you have to be concerned [00:24:00] about just not the number. But do you actually understand the loss and the loss rate for those particular pieces that would be down? And you'd say, well, Chris, I, I'm assuming you're doing that. If you're signing up for the insurance and you're asking for a premium that's going to execute a set amount of coverage, you would know that, but you'd be amazed.

So just like probably in our personal lives you can overinsure or you can underinsure. Yeah. But as, as an overall topic, Ashish, as, as you know, you opened a big can here, there's a lot of folks saying, I don't even know if this is worth it anymore. And that's, I know beyond the scope of where you and I are gonna go today, but that's a.

You could tear out on a whole two hour call there, is it even worth it? There are definitely companies starting to scratch their head and ask themselves whether, you know, whether, whether cyber insurance will exist, period for them. Make sense? Or is this entire industry gonna have to change somewhat because the premiums are getting insane and the [00:25:00] terms and conditions to get them out of pain are beyond insane.

If you talk most people

Ashish Rajan: these days, I think the only reason I brought that up is because a lot of people look at ransomware or uh, being impacted by a security incident. They always look at two things. One is, I have a backup I can recover, which we clearly kind of spoke about the fact that there are blind spots there as well.

And the other part they look at is cybersecurity insurance. I think that's kind of where I was coming from as well, where I wonder now that both foundational pillars of what we used to think makes us resilient. How should people reimagine resiliency, and how should they apply that into, into the strategy?

We, towards the tail end of 2025, now, a lot of people would be planning ahead for 2026 now. Mm-hmm. What, what should strategies in 2026 from a cybersecurity perspective think from a resiliency perspective, and I, I'm gonna use a word, as you said earlier, from a healthy or from a clean recovery.

If another word from the, uh, analyst over there. Yeah. What [00:26:00] should those considerations be and how can they kind of stage it in terms of what are some of the initial milestones they can look at?

Chris Mierzwa: Uh, it's a, it's a good question because it's a little overwhelming, right? I mean, I, I'll go back to a moment ago, I mentioned this panel we have coming up on tools, process, people, and you think about how big of, of a sphere that is to try to wrap your arms around all three of those, because each of them are so deep, right?

But let's, yeah. Let me, let me start at least at the, at the tool side. Every year, probably for more than a decade, I'd have to go back. I mean, it's tough. You get to my age, Ashish, you get the little red scooter

Ashish Rajan: driving

Chris Mierzwa: around. Sometimes you forget things. I mean, it's, you know, it's tough out there. We say, look at your tools, take inventory of what you have.

It is flabbergasting to me the amount that is either still on the shelf, non-implemented, implemented, but if you get people alone, they'll admit poorly implemented or almost implemented to the point where it provides no [00:27:00] particular value because it's not hooked in with the rest of the tool set. And then you have converging AI and of course, so many per day.

It seems new. New SaaS based solutions that nobody could even track 'em, even if you had a dedicated W2 body watching 'em every day. So when you, so my first comment would be on the tool side, take inventory and if AI, whatever pace your AI strategy is at, you have to look at that from two sides. You have to look at it from the side of what are the tools that you are looking to implement that your C-suite is looking to implement to make things easier, to drive revenue and profitability, and all the amazing things that AI promises.

Then you have to think of AI, unfortunately, from the lens of the bad actors, and that doesn't mean you need to be an expert in understanding how they do everything, but you have to admit, and I like to use the mirror approach here, if you're [00:28:00] excited about the things you're doing from an AI perspective and tools that your enterprise, imagine if you are in mom's basement having a snack.

Doing nefarious things and all you're doing is going, how can I use this incredible AI to my advantage? And you, you do have to put yourself in the slippers, if you will, of that side. So you've gotta look at the AI piece I feel from both sides. That said, summarizing tool inventory, and you can't be afraid to throw out which you're not using or has been poorly implemented.

I know that is easy to say, and I see it when I have conversations with CISOs. They'll admit what's on the shelf or poorly implemented, and you say, well, have you dumped it? And that's the harder conversation. But you have to have it. So I won't keep beating on that drum.

You have to have that. And again, take the middle point, the process piece: [00:29:00] even after I've done the tools solicit, do I know who is going to be at the tip of the spear for these tools? Am I communicating between legal, operations and core IT, and anyone else that I could be leaving out? And am I gluing that together?

And do I have the right talent? Right? Do I have the right people? I know this is a tough environment, but I mean, we're recording this almost October 1st, right? I mean, let's just call it what it is, fourth quarter of the calendar year. It is an employer's market right now, at least on a macro side, which means, if I can put my employer shoes on for a moment, I have access

to great talent. This is a great time to take assessment, just like you're doing on the tools side, on the people side. And I know some will go, like, wow, this is the same stuff we've been talking about for 10 years. And I say this a little tongue in [00:30:00] cheek: well, you may be talking about it for 10 years, but talking about it and doing it are two different things.

So if there's a time to get cracking for 2026 before Santa comes down the chimney, take these three months, put a tiger team on it, and start working through these with the partner of your choice. One step at a time. Yeah. You know?

Ashish Rajan: Yeah. And do you find that, I mean, I guess I'm glad you mentioned AI as well, 'cause I think,

does the whole world of backup and recovery change with AI? In terms of, obviously you mentioned people, process, technology, what other impacts is it having? Because obviously now there are regulations coming as well. There's DORA, NIS2, where, I think the wording is, ransomware payments would be considered illegal. There are quite a few regulations coming up in this space as well.

I mean, so with AI or without ai, how is this kind of space evolving?

Chris Mierzwa: Yeah, if I can, that's the double-loaded barrel question right there, 'cause [00:31:00] the one part goes back to our discussion of insurance, right? Yeah. So, should I even have this? Oh, a lot of these insurances won't even pay if it's actual ransom, or if you decide to pay the ransom.

But we see statistics that people pay it anyway because they're so desperate about the customer sentiment, especially if you're a public company. Oh wow. Private's one thing, still bad; public, whole other level of issue, right, when that happens. So, to your point, should you be paying it? It depends on your insurance, depends on, of course, the C-suite.

So that's a whole topic in and of itself. On the AI side, how do you back things up? When we talk to clients who are just dabbling, just beginning, I don't think, as a general statement, that you have to be overly concerned if you're using, let's say, a public model like Llama, right? And you're like, look, it's good enough for what we're initially doing.

We're gonna bring it in-house [00:32:00] and we're gonna experiment with the weights. Mm. Well, if you're using a public model that may be massive, you may not need to back that up initially. You may need to critically back up, and encrypt, of course, and have indelible copies of your weights. And I know we're not gonna go deep here into AI, but those weights are magic.

That is where you are tweaking things in that model for your specific enterprise to get value out of the model. So if you spend on W2 alone, let alone all the other costs, hundreds and hundreds of thousands of dollars on just the right people who are doing that work, you better make sure you're protecting it appropriately.

Now, that's one side of it. There are people making custom models, and we talk about this. Imagine the classic actor getting inside and causing an event in your enterprise, and they take a [00:33:00] classic DBMS database, they exfiltrate it using some type of, you know, looks-like-HTTPS. They trickle it out. They do it the old-fashioned way.

I say old-fashioned; it's still pretty high-tech stuff, but compared to AI, right? If you are building an AI model at the enterprise level that mashes up all of the operational databases that you have, with customer data, all confidential internal data, your own financials. Can you imagine a supply chain?

A bad actor doesn't even have to go and worry about all of these diversified things that they used to, if they're smart enough to figure out you have a monolithic model. What a breakthrough. They can exfiltrate that and query it. They're like, this job is so easy. Now I don't even have to go figure out how to attack the database and then set up appropriate queries and figure out how they structure their data.

Why, I could just use English, and [00:34:00] even if English isn't my primary language, who cares? I use whatever language I want and extract the data. So that is just something those more advanced enterprises who are looking at AI need to think about: protecting those models. We have ways to do that. We have an enormous amount of development, as you can imagine, as do I think all our peers, on making sure

we can back those models up. We'd like to think we're at the forefront of that, but it's very specific to where you are in that kind of AI journey. And those are conversations we have every time now, asking: where are you today? Where do you think you'll be in the medium term? And where does your C-suite wanna go long term, so we can make sure we're appropriately planning for

being as resilient as humanly possible with these types of AI directions and architectural decisions you're making.

Ashish Rajan: Should the resilient architecture, or the way people think of resiliency, change as well? Because I think, based on what we've spoken about so far, the way we have defined resiliency [00:35:00] so far has been more for the, I'm gonna say quote unquote, traditional world.

Not for the world we are moving into where, to your point, now simple English is enough for someone to take your data out. Should resiliency be thought about in a different way? Like, how should people imagine resiliency to be in 2026?

Chris Mierzwa: Yeah, so you bring up an interesting point because I'll give you an example.

We are of course talking about somebody buried in deep, causing incredible problems. Whole enterprise is down, right? I mean, bad, worst-case scenario type of thing.

Ashish Rajan: Yeah.

Chris Mierzwa: But okay. That could happen and you need to be protected. But there are things that folks are doing that are just, I'd call 'em, extensions.

I'll probably get a bunch of phone calls after this, but they are extensions of classic problems. Look, when APIs became highly prevalent, people were like, this is incredible. I don't have to always do anything anymore. I can talk to anybody. I could use [00:36:00] secure APIs, my supply chain, my partners.

Sure. Until people exploited APIs, right? Yeah. No different now as we are exposing these models externally, to the general public, right? And you'd say, well, Chris, nobody's gonna expose a model and just fence the type of queries that can be done; they're not gonna have the real model in the back, right? That if it's poisoned or there's some type of nefarious execution through the API, they're going to get data that's normally restricted.

They could. And so now, some of that's beyond the scope, for example, of what we do. But important to your question, these are the things that need to be done. And this is sometimes a different level of talent. It may be taking your security and software development teams that have forged a decade-plus of understanding how to protect classic [00:37:00] APIs, and now take that and uplevel them

to be able to do that for the querying of the LLMs that they're building. Yeah, you need to do that. And of course this just means more rigor in the software development process, very talented people with unique skills. And I feel good that most enterprises, larger ones, have people that can uplevel themselves, but if this is something you're taking seriously and you don't think you have it in-house, you gotta find a way to build it.

You gotta find a way to start doing that right now, especially if you're on an aggressive path that a board is pushing, whether you're private or public. It's just happening too quick. Back to our earlier conversation about just the speed of everything occurring, so yeah.

Ashish Rajan: Do you feel the board should have a ransomware tabletop exercise as well?

Chris Mierzwa: Would love that.

Now, I'll say two things. We would love that, and anybody would, because it immediately exposes them to [00:38:00] wow. But then of course, I'm sure kind of kidding here, but then as soon as they get out, this poor executive team who already gets handed a bunch of to-dos from the board goes, great, they did a tabletop.

And now they come back and they have a 400-page PowerPoint on all the things they'd like to see because they got scared in the tabletop. I do think if it happens, the way it should probably happen is have your C-suite or executive-ish team, however you wanna put that together, do the tabletop, get a little scared.

That's okay. Put a plan in place, working with your partners, right? Your manufacturer partners, your integrator partners. Then have the board do that. You may not catch everything, but at least let's shoot for the 80/20 rule, and maybe we take that monster PowerPoint down to three pages instead of a 30-page blaster.

You know what I mean?

Ashish Rajan: Yeah, fair. I mean, after listening to this, if someone actually does get their board to [00:39:00] have a tabletop exercise, I would definitely love to hear from them as well. Yeah. How that. No, if you're looking to drive excitement.

Chris Mierzwa: Uh, heart medication, then you send the board in first before anybody else.

Or if you just didn't have a

Ashish Rajan: job after all that. Because I imagine every time I proposed it, it was almost like, are you crazy? Why would you do that?

Chris Mierzwa: Yeah. They're like, don't, no, we're not doing that, 'cause, you know, and then the stuff. But it's okay. I mean, kidding aside, the board.

The board is there to be the overwatch for the executive team, but I do think that it would. You don't need to do six of these. I understand these folks' time; that's another thing I hear: oh, they're so busy, we can't get 'em to do that. Look, I'm not saying you don't plan it and you don't optimize it, and you make sure that it's not too long of a day.

You're not there to have sleeping bags and have 'em there for three days; you're there to have them for a reasonably compressed window to understand the touch points that haven't been connected and to understand [00:40:00] their people, where the gaps are. And it's okay that the first one may be rough, and I think there's sometimes this concern of, oh, I'm gonna get a lot of to-dos.

Maybe, but would you rather have that and be ready for that anomaly when the dwell time turns into surprise time? I think you'd rather have the latter, where you're like, we are ready for this. We prepared. Mm-hmm.

Ashish Rajan: I mean, thank you so much for sharing that,

'cause that's all the technical questions I had. I do have three fun questions for you as well. Yeah. First one being, what do you spend most time on when you're not trying to help save the world from all the ransomware and dirty recovery or dirty data?

Chris Mierzwa: You mean what else am I chatting with clients about?

Ashish Rajan: I mean, it could be professional, could be personal. That it is up to you.

Chris Mierzwa: Well, you know, it is interesting. Drones are a big hobby of mine, both aerial photography and those speedy ones that people race. And it's interesting because there are some [00:41:00] bridges there, as you look at the capabilities that

different customers are using in that space. And imagine, we haven't even tackled what are the ramifications of somebody getting access to early data for these folks that are experimenting with drone deliveries or agricultural reconnaissance, or other types of mapping. These all come to, what is Gartner calling it now?

Uh, cyber-physical systems. CPS, the cool kid term for 2026. Don't leave it out of your vocabulary. There's a hype curve in everything, but I mean, there's a lot of reality to this, where autonomous systems are connected with the physical world. We have to have a keen eye to that, so of course we all hear about this day to day, of

the autonomous vehicles and, oh my goodness, the whole world of non-driving cars. We [00:42:00] understand that, 'cause we've either been in a Waymo or we see what Tesla's doing. It's coming, but it's not restricted just to vehicles. It's not restricted just to aerial drones. There are many touch points. So I'd say for those unique clients, and I look at this because I just have a hobby space in this area.

Ashish Rajan: Yeah.

Chris Mierzwa: Look beyond the standard box boundaries, right. And this should be organically coming out of a client conversation, and I love to have these where I'm like, what are your leading-edge things that you're doing, even if they're two or three years out? Because while the tool may not exist, that doesn't mean we can't start thinking about an appropriate

encryption resilience plan and how we are gonna weave that into your overall architecture. So I like taking some hobby areas and weaving them into stories where enterprises may touch it directly or be tangential, but I find it useful. You know, there you have

Ashish Rajan: Fair, uh, that's a great answer.

I've got my second question, which [00:43:00] is, what is something that you're proud of that is not on your social media?

Chris Mierzwa: I would say my relatively inadequate guitar playing. But that's not a good answer because I'm not in a band, and imagine that would be the life I'd wanna live. But I do enjoy music.

And if I could do it all over again, Ashish, that's what it would be. I mean, you and I would just be singing the hits for an hour. Oh, of course. And I gotta tell you, that's Mr. Beast kind of numbers. If we can get that to happen, we're popping 20, 30 million on this thing. Okay. No-brainer. I can

Ashish Rajan: imagine. I mean, music does have that capability to go beyond just the technology of it as well.

So hundred percent. You know, something,

Chris Mierzwa: This is just an idea. Yeah. I'm not saying you don't i's for free. You take the same, we start doing these as a full, like, what do I wanna say? New York live music. Yeah. This is something people can get behind, right? So it's gonna take a little more planning and some songwriting, but I think it could be worth it.

Just tell, I mean, [00:44:00] you have AI to write the songs as well.

Ashish Rajan: It can rap, it can do more things as well. Anything you want more far from what can be achieved.

Chris Mierzwa: That's true. You know what? Now, in fact, funny you say that. We had our CMO Anna, she's amazing. She said, I wanna see the teams break into groups, write a little rap, have some fun using AI.

I'm gonna tell you, there were some lyrics popping out of the old ChatGPT that were fantastic in the Commvault space and resiliency. It was incredibly creative, with both the people piece, what they did, and what the AI did. I know it's kind of tongue in cheek, but it was great, and it was fun to see

what this stuff is all doing and people experimenting with how they can have fun with it and still deliver a message. Right. Still deliver a message. Yeah.

Ashish Rajan: Yeah, I mean, I, it definitely is possible. So now thank you for sharing that as well. Final question. Yeah. What is your favorite cuisine or restaurant that you can share with us?

Chris Mierzwa: Oh, easy peasy. If I could live one place, it would be Tokyo. And [00:45:00] if you're like, you only get one food for the rest of your life, it's sushi. And if you told me to share all the pins I have in downtown Tokyo, we'd be here for another hour. But let's just say that metro: lock me in there, put a fence around it.

I'm a happy camper. I'm also pushing, oh wow, possibly three 350 if you leave me there for too long. So you better pull me out before it gets too. Do I?

Ashish Rajan: No, I mean, that's definitely a great choice as well. Thank you so much for sharing that. And thank you for the answers as well. Yeah, you're welcome. Where can people connect with you to know more about the work that you are doing with, obviously, the recovery work, the ransomware work, Commvault, and all of that?

Where, where can people connect with you on this to get some more information?

Chris Mierzwa: Yeah, well, you could connect on LinkedIn. I'm guessing you'll share that, and my email; you can email me directly, no problem. And would love that. And you know, again, it's a conversation. You start where you have to start, and that's different for everybody.

And you move at the pace that's appropriate with just a [00:46:00] nominal foot on the gas to make sure that you see it through. I think that's the one thing I'd like to end on. If you look back, you and I have seen this over decades. You, you can start a lot of things. Same thing personally, you have to finish it or at least you have to finish it to where it's providing value and in this case, being resilient, you have to finish it.

Ashish Rajan: So yeah. Well, okay, great. Great note to end on as well. Thank you so much for sharing this and I'll put the linkedin link into the show notes as well. But thank you so much for tuning in and well thank you so much for doing the interview and thank you everyone for tuning in as well. We'll see you in the next one.

Thanks so much. No, thank you. Goodbye. Bye-bye. Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by Tech riot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security Podcast TV, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify.

In case you are interested in learning about AI security as well, check out our sister [00:47:00] podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.

You can check that out on cloudsecuritynewsletter.com. I'll see you in the next episode,

please.
