Building Resilience: The Board's Role in Cyber Preparedness - Six Five On The Road

In the high-stakes game of cybersecurity, agility and adaptability are no longer optional. 🙅

At RSAC 2025, hosts Patrick Moorhead and Daniel Newman speak with Veeam Software's Dave Russell, SVP, Head of Strategy and Emilee Tellez, Field CTO, about the critical shifts in security strategy, emphasizing the growing importance of cyber incident preparedness and response in today's evolving digital landscape.

Key takeaways include:

‍

🔹Beyond the Perimeter: The traditional approach of simply keeping bad actors out is no longer sufficient. Organizations must embrace a strategy that assumes breaches are inevitable and prioritizes rapid remediation.

‍

🔹The Need for Agile Infrastructure: As technology evolves at breakneck speed, businesses need security solutions that offer flexibility and data portability, enabling them to adapt to future disruptions and avoid vendor lock-in.

‍

🔹Proactive Resilience: The focus is shifting from reactive recovery to proactive resilience, with a growing emphasis on continuous testing, simulated attacks, and comprehensive incident response planning.

‍

🔹Human Expertise Remains Crucial: While automation is key, human expertise and clear communication remain essential for effective security operations.

‍

Learn more at Veeam Software.

‍

Watch the full video at Six Five Media, and be sure to subscribe to our YouTube channel, so you never miss an episode.

‍

Or listen to the audio here:

Disclaimer: Six Five On The Road is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded, and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors, and we ask that you do not treat us as such.

‍

Patrick Moorhead: The Six Five is On The Road here in San Francisco. We are at the RSA Conference in the Veeam Suite. This is a beautiful place, Dan. I'm glad we're here. A lot of discussions. I mean, obviously this is a security event, but it's different every single year. And as the AI discussion, AI workloads come out, there's more conversations than ever on the threats, but also the remediations. But sometimes we do forget that it's not all AI at this point.

‍

Daniel Newman: Well, these things are all tied together, right? We know the tech is proliferating very quickly. We know that data and the volume of data is growing. We can obviously see the investment in infrastructure. And as all these things happen, you're going to see more applications, more endpoints, more devices. And if you're in the security space, if you're in that posture, you are thinking immediately as you see all these things come online, how do we secure it?

‍

Patrick Moorhead: Yeah, that's right. And at least we are beyond the point. Do you remember perimeter security when, you know, we would pretend that nobody would get in and as long as we put up enough walls there, nobody would get in. But the industry has matured and we're at a point now where we know that people are going to get in and they're going to have to remediate that issue. And it's very important to have a strategy to be prepared for that. And I'm excited to have Dave and Emilee to talk us through this. Great to see you. First time on The Six Five. We're glad to have you thank you for having us.

‍

Dave Russell: Good to be here.

‍

Patrick Moorhead: Absolutely. Great, great event place here. I love it.

‍

Daniel Newman: It's a great venue. You know, San Francisco is obviously one of the big hubs of all things technology, but you just kind of. You come down here and of course you got the Moscone. But so much of the eclectic experience are these kinds of suites and these experiences, experiences that come off of the main event, which we've spent a good amount of time on. Dave, let's start with you. Talk a little bit about alignment. You know, you lead strategy. Your focus here at Veeam Security is one of those things. We've talked about this so much on the show that it sits somewhere between this cool next wave of technology and life insurance. And what I mean is, like, people that are in the tech understand how sophisticated, how exciting, how interesting the convergence AI, all this stuff is going on on the other side of it, at the board level, for instance, it's always been like, well, how much do we have to spend on this, like, to reduce our risk? And it's like that much? Can we do less? You're one of those companies that's really focused on helping the boards, helping leadership get on a kind of consistent view on the investment, on how to deal with incidents. How are you doing that? How are you creating that difficult alignment when you know that you've got to have that wide aperture, how people prepare, perceive cybersecurity.

‍

Dave Russell: Yeah. You know, I think it's all in the context of what business you're in and making sure that your ability to stay in that business. Right. So to your point about, you know, something that you might want to defer, kick the can down the road systemically under, invest in. I think we're beyond that now in part because of some of the cyber threats recently, where the worst case scenario can happen to every single company. And by the way, it can happen again next week. Right. It's not like the traditional weather patterns. We're in hurricane season, earthquake season, whatever the case may be. It just is now an issue every company has to face up to the eventuality of they could get compromised. So that awareness sometimes is curative, but I think it's also understanding how we can do more with the investments we've already made? And that's really at Veeam, what we want to do is help people maximize what they're doing to maximize their data, because they're in the business of doing something else.

‍

Patrick Moorhead: Yeah. So I love these group interviews here. I like group therapy, too. I'm just kidding. 

‍

Daniel Newman: You all right?

‍

Patrick Moorhead: Yeah, I'm good, thank you. But it's great to have the strategic arm here, but also where the rubber meets the road is in the field. And Emilee, you're a field CTO, and I'm curious, what are the metrics that are set in place that says,I have a good strategy? I mean, is it as simple as, yeah, we got the data back, speed? I mean, I think it's a little bit more complex than that, isn't it?

‍

Emilee Tellez: Oh, it is. And it also depends on who you're speaking to, right?

‍

Patrick Moorhead: Yeah.

‍

Emilee Tellez: Because if you're speaking to your board members, they don't want to hear about speeds and feeds. And what does that look like right now? Are we going to lose revenue because we had an outage and if so, how much? So it's really forcing our technical teams to actually start thinking about what are going to be those key metrics and then how to turn that back into those business outcomes so that way they can voice those concerns to the board and have those items be taken more seriously. But then on a technical side, it's doing all the basics. Right. So if we look at just incident response life cycle, okay, what are we doing to prepare for how bad the damage could possibly be if we were to be hit? What are we doing around detection and analysis? How fast can we detect that? What does it look like for our containment, eradication strategy? And then we finally get into recovery where Veeam plays a big part. But if you haven't tested your backups, if you haven't guaranteed that they're viable, how long of a process is that going to take? And then how do you roll that all up into an incident response playbook and then afterwards, not just test it, but then go through the process of doing a post mortem to say what we could have done to be better in order to increase our mean time to recovery or our mean time to detect whatever it may be. So there's key metrics in there that we can look at from a technical side, but as a business side.

‍

Patrick Moorhead: Does that strategy apply to technical and non technical? I mean, you talked about the board that pretty much, you know, the buck stops with them and they're actually held accountable now for cybersecurity, at least here in the US and then you've got the super duper technical people. That's a technical term, Daniel. Super duper, yeah. Does it change based on the audience that you're communicating to?

‍

Emilee Tellez: It just kind of depends. Right. I mean, I sat in on our future CISO boot camp yesterday and majority of the conversations was having that piece of information of, okay, we're all technical, you know, at heart, but when it comes to having conversations with our boards, with our CEO, with our CRO, we have to know how to speak their language and how to be able to convey to them. Right. If we don't invest in infrastructure and backups and immutability and doctor planning and testing, you know, this is what could possibly happen to us. This could be our impact from a brand perspective, from a loss of revenue even for some companies. Right. Unfortunately, it could be just, they just don't exist anymore. Right. After a really bad incident that could occur. So it's having those types of conversations and being able to convey that.

‍

Daniel Newman: Which opens the door for training. Because education seems to be a gap here. We sort of started talking a little bit about having overcome the history of looking at this as sort of a worst case scenario protection plan. And now they're proactively investing. We know that they're measuring it down to revenue per second that can be lost when they're brought down. Ransomware, attack, whatever it is that brings them down, bringing them back up. And then of course, the reputational damage, which is often, you can't really even calculate it. It's ephemeral in many ways and it can be determined over a long period of time. So, Dave, you think about prep and training a lot, right? So how are you addressing that part? How do you address education, how frequently, how often? In order to get your stakeholders to really understand, buy in and make sure they're staying ahead of this curve.

‍

Dave Russell: Yeah. The main thing is to try to take some action, get awareness before you really need to. One of the products that Emilee is really key in is that we actually proactively can go and do testing and make sure ahead of time that you've got an automated way to know am I really going to be secure or not before an incident arises. Make sure that you know you're not going to suffer from configuration drift or that your plan still works. But you know, in the past there's been kind of a concern, do I need to bother with testing? You know, if a disaster hasn't happened, if the incident hasn't taken place, if we haven't been compromised recently, can I go a little longer without having to go through that drill? And the short answer is no, you can't. Because you have to be able to understand in advance to know what it's going to take to go and remediate against that. Right. I like to use the phrase there's no such thing as a failed test. You learn something from that. You want to do the learning when the stakes are lower. So one of the things that we like to do in addition to being able to get people out of a situation, meaning bring good data back, is to make sure they're never in that situation in the first place. Or in the case of testing, how can we make that painless, how can we automate that? How can we even do simulated tests to prove that you're actually going to be recoverable, that you're auditable, that you've got a runbook that can be executed and not just executed, but maybe doesn't require the same skill to be in place. Right. You can do that in an automated fashion.

‍

Patrick Moorhead: You know, technology, it's funny, a lot of debates for a long time, is technology perfect or imperfect? Or is it really the people that have the challenge? And I think when it comes to cybersecurity, cyber resiliency, there is a huge element in humans. Until we get to the point where we can press a button and AI is going to do everything for us, humans are going to be in the loop here. I'm curious, what are some of the pitfalls, some of the challenges, and mistakes that customers are making in incident planning that they can learn from and get better at?

‍

Emilee Tellez: Absolutely. So one of our strategies for this year was actually hosting these workshop events. So we do them for different cities all across the US and that's now a global program that we do called the Be Connective. It's an executive roundtable series where we invite C level executives from large accounts to come in and do the three hour tabletop. And the tabletop isn't focused on hands-on technology. At the end of the day, technology is technology. You could have the best recovery response time possible out there from a technology perspective. But if you have a user that doesn't know how to leverage it, doesn't even know how to log in, then you're going to fail in your incident response planning. So we focus on just what you mentioned, your people, your process and your overall strategy. And then how do you bring everybody together to have open communication? And I've done about 20 of these so far this year across, you know, all different parts of the United States, from meeting with financial services customers to large enterprise customers that are in the automotive industry and oil and gas. And each one is different. You know, I had one user that shared with me, it took them over a year just to figure out whether they were going to pay or not to pay. Because to them it was like, well, what would be the circumstances? Is it possibly a life and death situation? How low could the payment be? When do we bring in our insurance? What do we have from a legal standpoint? So just having those very basic conversations is taking them quite a while to do so. And then on the flip side, you also have some customers that experience their users that want to be heroes, they want to save the day, they don't want to have an outage. Well, maybe they rush to recovery and it ends up reinfecting their environment or causing more damage than what should have been. So then they're having to work through those types of scenarios as well. So those workshops have been really, really key and kind of underlying what's currently missing in your incident response planning and for like your point, most of the time it's who are the people that we all need to have communication with? How do we communicate with them, especially if we have teams or anything that's been compromised from our corporate channels, what is the out of band communications that we utilize and then vice versa. Right. How do we go through the process of executing to get from point A to point B? So those have been very successful, but we're offering and we do those with one to one customers and that usually highlights any gaps in our current strategy.

‍

Patrick Moorhead: Yeah, so funny. Things seem so straightforward, but it's the storytelling, it's kind of making it real for people. Like Dan said in the intro, I mean, is it insurance?I mean, but you're, you could shut down the entire hospital, right, because they can't get access to their records. You talked about life and death situations and that's not, you know, being alarmist. That's just an absolute reality. You know, people can't get their surgeries that they need and they've got to go completely paper and it takes them too long. So yeah, it sounds like a very good service. I don't know if it's an add on or something like that, but I would sign up for it for sure.

‍

Daniel Newman: You two can meet after and go through it. Write a contract up.

‍

Patrick Moorhead: Exactly. I'm going to give her the credit card that doesn’t work.

‍

Daniel Newman: So we're here at RSA and a lot of this event is also not just kind of about litigating how security has been done, but it's really about how do we move forward. The luminaries of the industry, the biggest vendors and companies are all here paying a lot of attention to what we do going forward. We know there's massive macro forces. We've got global trade wars, we've got global conflicts that are going on every day of the week. And of course, data security and one of the big fronts, AI, and that all this is going to be fought on. So, Dave, I'm just kind of curious, like, what do you sort of see in the bigger picture for how companies can prepare, how companies can plan, how to deal with kind of all the cultural influence that's going on right now to basically make sure that you do everything you can to mitigate, limit your risk and set yourself up for a secure business future?

‍

Dave Russell: Yeah, I think it goes back to what you said right at the top. Right. At one point, security was all around perimeter security, like keeping all the bad people out. But if that was your only strategy, right. It wasn't going to last for very long or be very effective. I think the same is true now. You have to actually come up with a plan and mechanisms to enable that that aren't dependent upon what you know today. Right. That is extensible going forward. So one of the things that we worry a lot about and how to facilitate is overcoming data gravity. Be able to have a concept of data portability where you can be on one hyperscaler today, move data to another hyperscaler tomorrow, potentially change hypervisors, kubernetes, and physical. All of those things can be in play. You don't want the implementation or the location to dictate where and how you're doing business. So overcome data gravity. Make sure you've got options with data portability. Make sure you have a plan that can transcend whatever the current environment may be and open yourself up for the future. You know, I like to say in 2020, it was okay to say you're surprised by the pandemic. We don't get to play that card in IT anymore. We have to be able to support the business and whatever tomorrow's plan may be as well.

‍

Daniel Newman: Yeah, we absolutely have to accept how fast things move and that the next big change. Right. We know that the disruption to disruption, those periods get shorter and shorter. So it's, you know, field leaders, it's strategy leaders that need to make sure you're building out those products. And of course, us as analysts that make sure we tell that to the world. Dave. Emilee, thank you so much for joining us. It's been a lot of fun having you on The Six Five.

‍

Dave Russell: Thank you.

‍

Emilee Tellez: Thank you.

‍

Daniel Newman: And thank you, everybody, for tuning in. We really appreciate you being part of our Six Five On The Road here at RSA Conference 2025 in San Francisco. But for this episode, for Patrick Moorhead and myself, it is time to say goodbye. Subscribe. We'll see you all later.

‍