Rebalancing NIST: Why 'Recovery' Can't Stand Alone

The missing ingredient in NIST's newest cybersecurity framework? Recovery.

Alex Janas, Field Chief Technology Officer, Commvault

April 18, 2024



As the digital landscape grows more treacherous, companies are finally beginning to treat cybersecurity as a top operational risk. And for enterprises revising their data security strategies, the updated guidance from the National Institute of Standards and Technology (NIST), the US government's key technical standards adviser, is a good starting point. NIST's cybersecurity framework, first released in 2014, has functioned as the leading educational and academic guide. The newest version includes important updates, like the addition of data governance as one of the core pillars. Unfortunately, it falls short in a significant way. It doesn't say nearly enough about the most crucial ingredient of any comprehensive and contemporary cybersecurity plan: the ability to recover from a cyberattack. 

It's important to keep in mind that recovering from an attack is not the same as disaster recovery or business continuity. It's not enough to simply tack the recovery function onto a broader incident response plan. Recovery must be ingrained into the security stack and into your response plans. And even outside a crisis scenario, there must be a continual feedback loop established, where all parts of the cybersecurity function — including recovery — are always sharing information and are a part of the same workflow. 

Given the persistent threat landscape and the growing number of mandatory regulations, such as the EU's Digital Operational Resilience Act (DORA), companies must urgently address the gaps in their cybersecurity preparedness plans.

Shifting From a Frontline Mentality 

While NIST is a comprehensive framework, the cybersecurity industry (and, by proxy, most companies) puts far more attention on the part that focuses on preventing cyberattacks. Prevention is important, but it can never be assured and should not be pursued at the expense of a comprehensive security plan. 

A company that relies solely on the NIST Cybersecurity Framework will find itself underinvested in responding to current and future cyberattack scenarios. That's a risk no organization can afford to take. You will be breached. In fact, you are breached, you just don't know it yet. This means the restoration platform must be integrated with the security stack, both to help protect itself and the business environment and to ensure the company can get back to business, which is one of the main goals of this work.

Vendors and customers alike must put resources toward returning to a post-attack state: How to get there, and how to test and verify that capability. The secret to a robust recovery is planning. To truly be safe, businesses must take steps now to integrate the technology and people responsible for recovery into the rest of their cybersecurity function. 

Once that happens, recovery teams can still operate independently, but a continual feedback loop exists, so all parts of the security team can easily exchange information with the other functions. 

Test, Test, Test

While companies often have time frames in mind of how quickly systems must be back online, far fewer have fully considered what it takes to get to that safe state following an attack. 

Testing helps inform how long each step in the identification and remediation of a breach should take, so companies have a benchmark to use when an actual incident occurs. And without adequately testing backup environments, the recovery function becomes much more difficult — and potentially more dangerous. When restoring from an untested backup environment, the company might inadvertently restore implanted malicious code, provide attacker access, or return to a vulnerable state. 

Companies must actively run simulated or real-world drills that test all facets of their cyber resilience to uncover the weak points, including any issues that could impact a company's ability to get their IT systems operational again. 
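The drill described above has two measurable outputs: whether the restored data is what was backed up (no altered files, no planted extras, nothing missing) and how long the restore took against the recovery-time target. The following script, added here as an illustration and not part of the article or of any Commvault product, shows a minimal restore-drill verifier: it hashes a source tree into a manifest at "backup" time, then checks a restored copy against that manifest and reports deviations alongside the elapsed time. The scenario in `run_demo` (file names, the altered config file, the planted extra file, the 60-second RTO) is constructed for the example.

```python
"""Restore-drill verifier (added example, not from the original article).

Compares a restored directory tree against the SHA-256 manifest captured
at backup time and records elapsed time against a recovery-time objective.
"""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class DrillResult:
    mismatched: list = field(default_factory=list)  # restored content differs from manifest
    missing: list = field(default_factory=list)     # in manifest, absent after restore
    unexpected: list = field(default_factory=list)  # restored but never in the manifest
    elapsed_s: float = 0.0
    rto_s: float = 0.0

    @property
    def clean(self) -> bool:
        """True only if the restored tree matches the manifest exactly."""
        return not (self.mismatched or self.missing or self.unexpected)

    @property
    def within_rto(self) -> bool:
        return self.elapsed_s <= self.rto_s


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root: str, manifest: dict,
                   elapsed_s: float, rto_s: float) -> DrillResult:
    """Diff the restored tree against the backup-time manifest."""
    actual = build_manifest(restored_root)
    result = DrillResult(elapsed_s=elapsed_s, rto_s=rto_s)
    for rel, digest in manifest.items():
        if rel not in actual:
            result.missing.append(rel)
        elif actual[rel] != digest:
            result.mismatched.append(rel)
    result.unexpected = sorted(set(actual) - set(manifest))
    return result


def run_demo(rto_s: float = 60.0) -> DrillResult:
    """Constructed scenario: back up two files, then 'restore' them with one
    file altered and one extra file planted, so the drill has something to flag."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "app"))
        with open(os.path.join(src, "app", "config.ini"), "w") as f:
            f.write("[db]\nhost=db01\n")
        with open(os.path.join(src, "app", "main.py"), "w") as f:
            f.write("print('hello')\n")
        manifest = build_manifest(src)          # captured at backup time

        started = time.monotonic()
        shutil.copytree(src, dst, dirs_exist_ok=True)   # stand-in for the restore step
        # Simulate a tampered backup: config changed, extra file planted.
        with open(os.path.join(dst, "app", "config.ini"), "a") as f:
            f.write("host=evil\n")
        os.makedirs(os.path.join(dst, "app", "plugins"))
        with open(os.path.join(dst, "app", "plugins", "helper.dll"), "wb") as f:
            f.write(b"\x00planted\x00")
        elapsed = time.monotonic() - started

        return verify_restore(dst, manifest, elapsed, rto_s)


if __name__ == "__main__":
    r = run_demo()
    print("clean:", r.clean, "within RTO:", r.within_rto)
    print("mismatched:", r.mismatched, "unexpected:", r.unexpected, "missing:", r.missing)
```

In a real drill the restore step would be the backup product's restore into an isolated network segment, and the manifest would be stored outside the repository it describes (and ideally signed) so that an attacker who alters backup data cannot also alter the record used to check it.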

Linking the Steps  

Integrating recovery tools into the larger incident response arsenal can yield valuable intelligence, both in preparing for and responding to an attack. 

Modern recovery systems can actively monitor backup repositories and regularly send feeds back to the security teams, so abnormal behavior is detected far quicker than in the past. That is a vital capability as attackers increasingly aim their efforts at the last-mile data centers. And as a cyber-resilient restoration platform becomes integrated into the modern security stack, it must connect with the systems that correlate intelligence from the various systems and services. That connection gives security teams better context about the events happening in their environment, as well as the auditing required under compliance regimes and regulations around the globe. 
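Two of the signals a backup repository can feed to the security team are a sudden spike in the volume of changed data (mass encryption rewrites nearly everything at once) and administrative actions against the repository itself, such as shortening retention or deleting restore points before an attack is launched. The script below is an added example, not code from the article or from any vendor's product; the job records and repository events are constructed, and the field names and thresholds are assumptions for the illustration.

```python
"""Backup-repository anomaly feed (added example, not from the original article).

Raises alerts from two constructed telemetry sources: nightly backup job
records (changed-data volume per client) and repository audit events.
"""
import json
import statistics

# Constructed sample: nightly jobs for one file server, the last one showing
# an almost complete rewrite of the data set.
SAMPLE_JOBS = [
    {"ts": "2024-04-10T01:00:00", "client": "fs01", "changed_mb": 1200, "status": "ok"},
    {"ts": "2024-04-11T01:00:00", "client": "fs01", "changed_mb": 1350, "status": "ok"},
    {"ts": "2024-04-12T01:00:00", "client": "fs01", "changed_mb": 980, "status": "ok"},
    {"ts": "2024-04-13T01:00:00", "client": "fs01", "changed_mb": 1100, "status": "ok"},
    {"ts": "2024-04-14T01:00:00", "client": "fs01", "changed_mb": 1420, "status": "ok"},
    {"ts": "2024-04-15T01:00:00", "client": "fs01", "changed_mb": 1250, "status": "ok"},
    {"ts": "2024-04-16T01:00:00", "client": "fs01", "changed_mb": 310000, "status": "ok"},
]

# Constructed sample: repository audit trail from the hours before that job.
SAMPLE_EVENTS = [
    {"ts": "2024-04-15T22:41:00", "actor": "svc_backup", "action": "retention_changed",
     "detail": "fs01 policy 30d -> 1d"},
    {"ts": "2024-04-15T22:43:00", "actor": "svc_backup", "action": "restore_point_deleted",
     "detail": "fs01: 29 restore points"},
    {"ts": "2024-04-16T01:00:00", "actor": "scheduler", "action": "job_started",
     "detail": "fs01"},
]

# Repository actions that reduce the ability to recover and so always warrant review.
SENSITIVE_ACTIONS = {"retention_changed", "restore_point_deleted", "immutability_disabled"}


def change_rate_alerts(jobs, factor=10.0, min_history=5):
    """Flag a job whose changed-data volume exceeds `factor` times the median
    of that client's preceding jobs. A baseline needs at least `min_history`
    earlier jobs so one unusual night does not define 'normal'."""
    alerts = []
    history = {}
    for job in jobs:
        hist = history.setdefault(job["client"], [])
        if len(hist) >= min_history:
            baseline = statistics.median(hist)
            if baseline > 0 and job["changed_mb"] > factor * baseline:
                alerts.append({
                    "ts": job["ts"], "client": job["client"], "rule": "change_rate_spike",
                    "ratio": round(job["changed_mb"] / baseline, 1),
                })
        hist.append(job["changed_mb"])
    return alerts


def repository_event_alerts(events):
    """Surface every sensitive repository action together with who performed it."""
    return [
        {"ts": e["ts"], "actor": e["actor"], "rule": e["action"], "detail": e["detail"]}
        for e in events if e["action"] in SENSITIVE_ACTIONS
    ]


def build_feed(jobs, events):
    """Combine both detectors into one time-ordered list for the security team."""
    alerts = change_rate_alerts(jobs) + repository_event_alerts(events)
    return sorted(alerts, key=lambda a: a["ts"])


def to_json_lines(alerts):
    """Serialize as newline-delimited JSON, the shape most log pipelines accept."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_json_lines(build_feed(SAMPLE_JOBS, SAMPLE_EVENTS)))
```

Ordered by timestamp, the feed tells the story the paragraph describes: retention shortened and restore points deleted late in the evening, then a backup job the next night that rewrote almost the entire data set. Either signal alone is worth a ticket; together, arriving from the recovery platform rather than from the endpoint, they give the security team context it would otherwise not have.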

Aligning the People to the Process 

While many organizations have experts attached to every other process in the NIST framework, few have teams or even individuals dedicated to managing recovery. 

Often, the function falls between the domains of the chief information security officer (CISO) and the chief information officer (CIO), which leads to each assuming the other owns it. The overworked security team typically views recovery as tedious, something that occurs only at the tail end of a chaotic process and that should be handled by the IT team. 

Meanwhile, the IT team, unless steeped in security, may not even know what the NIST framework is. Facing a deluge of complaints, their focus is on simply getting the environment back online as quickly as possible, and they may not recognize how perilous an unplanned, hasty recovery can be. 

Taking this seriously involves dedicating resources to oversee recovery, making sure this step doesn't get overlooked in the ongoing planning and testing — let alone in the chaos that often accompanies a breach. 

When given strategic direction from the C-suite, and assigned the right ongoing responsibilities, the recovery individual or team can ensure that the response protocols are regularly tested, as well as serve as the bridge to connecting recovery with the rest of the cybersecurity function.  

The Most Vital Step

In this era when every business should assume they are breached, recovery must be recognized as just as important as the other steps in the NIST framework. Or maybe even more important.

Companies that only play cyber defense will eventually lose. They are playing a game where they think the score matters. Defenders can have 1,000 points but will lose to an attacker who scores once. There's simply no way to guarantee victory against an opponent who plays outside the rules and controls when and how the game is played.

Businesses must allocate resources to prepare for cyberattacks. Without a tested response plan to resume operations safely and securely, companies will have no choice but to capitulate to attackers' demands, pay the ransom, and thereby embolden an attacker.

About the Author(s)

Alex Janas

Field Chief Technology Officer, Commvault

As the Field Chief Technology Officer for Commvault, Alex Janas is responsible for overseeing cybersecurity. He is a distinguished cybersecurity expert with over 20 years of diverse experience, spanning the private sector and the Department of Defense (DOD). 

In his work within the private sector, Alex has excelled in a wide range of security responsibilities: Cyber and Physical Security Penetration Assessments, Incident Response and Forensics, Virtual Chief Information Security Officer (vCISO), Cyber Executive Protection, and Technical Surveillance Countermeasures (TSCM).

Alex’s government experience is highlighted by his tenure at the National Security Agency (NSA), where he served for 11 years in the Tailored Access Operations as an Analyst, Operator, and Division Technical Director. Alex is a proud recipient of the Master Operator designation, a prestigious honor bestowed upon a highly select cadre of Computer Network Operations personnel. 
