18 March 2025 | Categories: news
By Rick Vanover, Vice President of Product Strategy, Veeam

The C-suite has long left data resilience and cybersecurity in the hands of security and IT teams. It’s been a case of ‘leave it to the experts’, and for a long time, that made sense. But as organizations have become increasingly dependent on technology and breaches have become a case of ‘when’ rather than ‘if,’ cybersecurity has become a part of everyone’s day-to-day.

Recent cybersecurity regulations (including NIS2 and DORA) reflect this, enshrining corporate accountability into their requirements. Now, in the event of a breach, not just the CISO but the entire C-suite can be held responsible. They are directly accountable for management and training on cybersecurity measures and will also face penalties for non-compliance. Most are waking up to the fact that simply assuming their security teams and third-party providers have everything covered is now a real risk. If gaps exist, or if they are not supporting the process enough, it's their reputation on the line. So, it's time for them to step up and engage with the processes themselves.

Spotlight on the C-suite

Naturally, it's unreasonable to expect most executives to be cyber security and resilience experts. For many, this could be the first time they truly interrogate their data resilience and incident response plans. With cyber threats mounting and regulations tightening, executives must not only accept that breaches are inevitable but also take proactive steps to strengthen their defenses and ensure regulatory compliance.

Under cybersecurity regulations, NIS2 in particular, the C-suite has gained a new laundry list of responsibilities. For the first time, they must actively and directly manage cybersecurity risks and their organization’s security strategy. They’ll also be responsible for organizational risk management and mitigation, as well as incident reporting measures. In addition, senior leaders who fail to comply face personal liability and the potential for fines of up to £7 million or 1.4% of global annual turnover for important entities, whichever is higher.

So, the pressure's on. C-levels will need to integrate themselves into their organization's resilience and incident response preparedness. This will mean investing in security and training, but also holding internal stakeholders to account. And that's the operative word here: accountability. Regulation like NIS2 includes senior leadership in the accountability bubble not because it should all come down to them, but because they are the people with the weight to ensure everyone who should be responsible is.

This starts from within but often doesn't end there. C-suites will be keen to extend this accountability externally to key partners and suppliers. From supply chain partners to IT and security vendors, including backup-as-a-service (BaaS) providers, these crucial links in the data resilience and recovery chain can't be ignored.

Third-party providers in the hot seat

According to EY’s Global Third-Party Risk Management Survey, 44% of organizations expect to increase their work with third parties over the next 5 years. As this trend continues, expect executives to scrutinize their third-party partners more closely, examining every aspect of their data resilience and incident response measures. Previously, an agreement or certification may have given the C-suite adequate confidence. However, with corporate accountability now a factor, there will be a stronger demand for greater accountability from third parties.

This could manifest in several ways, from renegotiations of service level agreements (SLAs) to more in-depth investigations as executive leaders look to secure the chain of custody for their data resilience and investigate every step of the process. While it's impossible to outsource the risk and accountability to third parties, senior leaders need transparency from their third-party providers, so that when a breach does occur, the point of failure can be identified and acted upon promptly to avoid any penalties.

Diving into the deep end

These measures will certainly boost overall data resilience, but it's impossible to eliminate the risk of a breach entirely. Besides, regulations like NIS2 and DORA don't ask you to do this. Instead, it's about mitigating as much risk as possible and, more than anything, being prepared to respond to incidents when they occur, which they will.

You can have all of the SLA agreements, processes, and technology in the world, but you can't certify them without testing. This is the single most important step in addressing and improving resilience. By all means, the C-suite should do all of the investigating necessary to build confidence in their data chain through suppliers, but they need to put this confidence to the test. That means consistent, comprehensive testing that pushes your measures to the edge, and not just in perfect conditions. A breach can come at any time, so test at the worst time, when security teams are occupied or certain stakeholders are on leave.

Fundamentally, it's about going beyond plans on paper. You can’t learn to swim by reading a book. The only way to learn is to try. Sure, you might swim through it with no problems. But you might also sink. And it’s better to sink when you’ve got some armbands on hand, rather than during the real thing.
