Veeam debuts data resilience maturity model to help enterprises reduce cyber risk exposure – News

As Veeam Software Group GmbH, the market leader in data resiliency, holds its annual user event VeeamON in San Diego this week, it’s on a roll, continuing to stretch its lead over the legacy vendors.

Recently IDC released its Data Protection Software Tracker and Veeam grew 12%, outpacing IBM Corp.’s 5% growth and well ahead of Dell Technologies Inc. and Veritas Technologies LLC, which shrank 10% and 15%, respectively, allowing Veeam to stretch its share lead.

At VeeamON, the company made several announcements, including a partnership with CrowdStrike Holdings Inc., protection for Entra ID, ransomware updates, a new Linux-based appliance and more. One of the more interesting announcements, to help companies understand where they are with their data protection was the unveiling of the Data Resilience Maturity Model, or DRMM.

This era of information technology is driven by data, and that has raised the stakes on cyberattacks and IT outages. During his keynote, Chief Executive Anand Eswaran (pictured) laid out the truth when he said, “Cybercrime is a business, and that business is booming.”

The DRMM is a framework which enables organizations to objectively assess their true resilience posture and take decisive, strategic action to close the gap between perception and reality to improve data resiliency against proliferating cyberattacks.

Veeam led the creation of a consortium of industry experts, which includes MIT and McKinsey, tasked with identifying the state of enterprise data resilience and providing recommendations for improving it. During his presentation, Eswaran showed some data that highlighted a significant disconnect between how chief information officers see their organizations’ data resilience and the reality.

The study found that 70% of organizations believe they have the necessary levels of data resilience to protect their company. In fact, 30% consider themselves “above average” in this area. However, once customers went through the DRMM exercise, the model found that fewer than 10% had an acceptable level of data resiliency to react to an event without disrupting the business.

The fact there is a gap isn’t a surprise shouldn’t be a shock. In every example of a maturity model I have seen, businesses overestimate their capabilities. Rarely have I seen a gap this large and it’s something business and IT leaders need to take seriously. It has been well-documented that the artificial intelligence era is fueled by data and if there’s one thing events such as CrowdStrike’s have taught, it’s that most companies can’t recover quickly from a disruptive event.

The report quantified the impact of downtime as it highlighted that IT outages costs Global 2000 companies more than $400 billion annually, with $200 million in losses per company from outages, reputational damage and operational disruption.

Other key findings include:

• 74% of organizations fail to meet best practices, operate at the two lowest maturity levels, and have data recovery risk exposure.
• Organizations at the highest maturity level recover from outages seven times faster, experience three times less downtime, and suffer four times less data loss than their less mature peers.

Data resiliency has always been important but is now critical to survival. Eswaran expressed some urgency for companies to get a handle on their data when he stated, “Most companies are operating in the dark. The Veeam DRMM is more than just a model; it’s a wakeup call that equips leaders with the tools and insights necessary to transform wishful thinking into actionable, radical resilience, enabling them to start protecting their data with the same urgency as they protect their revenue, employees, customers and brand.”

Through a series of questions, the DRMM provides an empirical framework for organizations to assess their current resilience posture, identify gaps, and implement targeted improvements. Insights MIT and cybersecurity companies Palo Alto Networks Inc. and Splunk Inc. contributed to the research. The DRMM categorizes organizations across four data resilience maturity horizons:

• Basic: Reactive and manual, highly exposed
• Intermediate: Reliable but fragmented, lacking automation
• Advanced: Strategic and proactive, yet missing full integration
• Best-in-class: Autonomous, AI-optimized, fully resilient

Resilience goes beyond data

“Data resilience isn’t just about protecting data, it’s about protecting the entire business,” said Eswaran. I agree with this sentiment, as improving in this area can be the difference between shutting down operations during an outage or keeping the company running.

For many organizations, it can be the difference between paying a ransom or being able to quickly recover. Also, with the world moving into the AI era, a best-in-class data resiliency model should be considered a foundational component of companies’ AI strategy.

A rigorous, vendor-agnostic framework

To develop the DRMM, Veeam worked with experts in operational efficiency. McKinsey and Dr. George Westerman, principal research scientist at the MIT Sloan School of Management, led the effort to create a rigorous, vendor-agnostic framework. The model was designed to assess an organization’s ability to ensure data resilience across three core dimensions:

• Aligning business and risk: A data strategy that integrates business goals with resilience planning, ensuring organizations can anticipate threats, enforce governance, and maintain compliance.
• Empowering resilience through alignment and action: True resilience is driven by empowered teams and standardized execution. Organizations can respond decisively during a disruption by investing in skilled talent, aligned leadership and clear cross-functional protocols. Defined workflows and governance ensure continuity, while collaboration and training enable teams to adapt and recover quickly and confidently.
• Technology supports resilience across six key areas:
• Backup: Secure protection of data that’s located on-premises or across clouds.
• Recovery: Agile restoration of critical systems, even at scale.
• Architecture and portability: Scalability across heterogeneous and often hybrid environments.
• Security: Prevention and anticipated remediation against cyberthreats.
• Reporting and intelligence: Real-time visibility and insights to support compliance, improve recovery, and optimize operations.

Key benefits of DRMM

During his presentation, Eswaran highlighted several benefits:

• Revenue protection
• Cost optimization
• Compliance and risk management
• Brand integrity and consumer trust

Veeam cited the example of a global bank that followed the maturity model and improved revenue protection by improving reliance. By reducing mean time to resolution for vital IT systems, the bank achieved 99.99% uptime for critical applications, no cybersecurity-related outages for the past three years, and $300,000 in savings per outage.

Closing the gap between the boardroom and budgets

At VeeamON, I talked with several IT professionals about the DRMM. Though the technical folks found the information interesting, CIOs and chief information security officers look at it as a way of closing the gap between the boardroom and deployments. One CISO I had talked to discussed how she tried to get budget for Veeam as she were worried about ransomware, but the budget kept getting denied. And then the organization got hit, leaving it unable to transact business for about a week while everything was getting restored.

The CISO told me if she had access to this, it would have armed her better to more accurately quantify the risks at a board level, which would have given her a better opportunity to have the budget approved before they were hit with ransomware.

Copies of the report are available at https://go.veeam.com/wp-data-resilience-maturity-model.

Zeus Kerravala is a principal analyst at ZK Research, a division of Kerravala Consulting. He wrote this article for News.

Photo: Zeus Kerravala