
Data management, backup becoming the CISO's responsibility

More and more CISOs are taking on responsibility for wider data management strategies, and this trend looks set to grow next year

While data management strategies, including disaster recovery and backup, have historically tended to be the domain of the chief technology officer (CTO) and IT teams, some of these functions are becoming the domain of the chief information security officer (CISO) and cyber security teams, a trend that is likely to accelerate during the coming months.

With the IT stack in a state of constant flux thanks to the emergence of hybrid cloud architectures, microservices and cloud native applications, many CTOs are looking to hand off responsibility for overall data management to the security specialists who are already tasked with protecting it, according to Yorkshire-based data management specialist Assured Data Protection (ADP).

Looking ahead to 2023, Simon Chappell, co-founder and CEO of ADP, said: “The role of the CISO has developed over the last couple of years, as budgets and teams have grown to help protect company data, assets and infrastructure.

“At the same time, many players in the backup space have repositioned as complementary providers of security solutions, which in turn has attracted the attention of CISOs. We’ve had interesting discussions with CISOs ourselves.”

Chappell said CISOs are “genuinely interested” in solutions that can bridge the gap between IT and security, and as such are looking for immutable backup solutions that they can fall back on should they be unfortunate enough to be hit by a ransomware attack, or other form of data breach.

Chappell argued that it would “make sense” for CISOs to own the disaster recovery and backup functions to strengthen their defensive security posture.

“They could expand their role to support business continuity besides threat mitigation and prevention. Knowing they had a reliable backup in place to host company data while they track down and isolate threat actors would be reassuring to the CISO and the wider organisation.

“Although, this policy would be specific to the needs of the business. It would depend entirely on the culture of the organisation. But expect to see instances of it happening over the next 12 months,” he added.

At the same time, as more organisations have turned to cyber insurance policies to mitigate the risks of a cyber incident, insurers have responded by increasing premiums and in some cases, reducing the scale and scope of the policies they offer to mitigate some of the risks that they face.

As a result of this, said ADP, enterprises are starting to reach out to data protection service providers to gain or retain access to appropriate levels of insurance cover.

ADP Europe, Middle East and Africa (EMEA) CTO Stewart Parkin said: “We’re already seeing a shift with more customers coming to us to request audit reports or insurance questionnaires to provide validation to insurers that their backups are immutable. Businesses are looking to vendors and MSPs as trusted third parties that can guarantee their data protection and security.”

Parkin said it was understandable that insurance providers would try to mitigate their risk exposure, but even so, end-users still needed to have confidence that they had reliable resources in place to protect their data, and recover it in the event of a breach or incident, as an insurance guarantor.

He suggested that turning to trusted third parties in this way would become more prevalent in 2023, potentially opening up new opportunities for managed security services providers (MSSPs).
