In a recent episode of Security Square, our cybersecurity-focused podcast, fellow analyst Jo Peterson and I had the pleasure of speaking with Tim Zonca, VP of Portfolio Marketing at Commvault, exploring the what, why, and how of establishing a Minimum Viable Company (MVC). This strategic approach has become increasingly important as organizations focus on business resilience and continuity planning in the face of cyberattacks and other unexpected disruptions.
Watch The What, Why and How of Establishing a Minimum Viable Company here:
What Is a Minimum Viable Company?
The concept of an MVC isn’t new, but its significance has grown substantially in recent years. An MVC represents the minimum set of applications, assets, and operations an organization needs to maintain or quickly restore when facing a cyberattack, natural disaster, or some other unexpected event.
As Tim explained during our conversation, if continuous business is the state of being “always on, always ready” to fight through a cyberattack while remaining operational, the MVC concept helps organizations identify the most critical aspects needed to continue serving their constituents.
For a business, this might mean ensuring it can support customers and process transactions. For healthcare organizations, it’s about maintaining patient care capabilities. Educational institutions focus on continuing to educate students, while government agencies prioritize citizen services. The MVC allows an organization to fulfill its core mission, even under duress.
The True Cost of Downtime
When discussing downtime, it’s essential to understand that the direct financial impact is just one piece of a much larger puzzle. As we explored with Tim, organizations must also consider regulatory issues, customer impact, and reputational damage – all of which can multiply the overall cost significantly. And these are, in my opinion, boardroom-level conversations, not conversations and strategies related only to IT and security teams.
One thing I find particularly interesting is that the definition of “minimum viability” varies dramatically between organizations. While some elements might be universal, business leaders need to have serious conversations about what costs or risks they can tolerate temporarily and what they absolutely cannot. These mission-critical elements rise above the watermark and form the core of an organization’s MVC strategy.
To illustrate this, Tim shared an interesting example about payroll systems: while some organizations might not consider payroll part of their MVC, others view it as absolutely critical due to tax implications and other downstream effects. These differences highlight why MVC planning must be a top-down, executive-led initiative rather than simply a bottom-up IT exercise.
Critical Recovery Workflows
Our discussion with Tim revealed four key workflow stages that most organizations need to address. These are:
- Restoring Access: First and foremost, can you access your technology assets? Active Directory restoration is typically the starting point, as it’s often targeted in attacks.
- Re-establishing Secure Communications: Getting email and collaboration platforms back online allows teams to coordinate recovery efforts securely.
- Rebuilding Application Infrastructure: The technology that runs your core business functions must be restored in a clean, secure state.
- Rehydrating Data: Once infrastructure is rebuilt, clean and trusted data must be restored to make systems operational.
Best Practices for MVC Recovery
Tim outlined several best practices that can dramatically reduce recovery time after a cyber incident. He shared that the industry average recovery time is a staggering 24 days – a period most organizations simply cannot survive.
We took a deeper dive into that 24-day period during a recent briefing with the Commvault team. They shared that it is estimated to equate to a cost of $14,056 per minute of downtime, and that the average cost of a data breach to the organization as a whole is about $4.88 million. I suspect those figures will go a long way toward getting the board’s attention about the importance of establishing an MVC.
Tim shared his recommendations and best practices for MVC recovery, which include:
- Maintaining copies of critical data in virtually air-gapped locations and third-party clouds
- Implementing processes to verify and identify “clean points” for recovery
- Regularly testing recovery from backups (ideally more frequently than the common annual simulation)
- Establishing automated processes for recovering to clean, isolated locations for forensic analysis
The ability to utilize cloud technology for creating clean room recovery environments has been a game-changer, particularly for organizations that can’t afford expensive isolated recovery environments (IREs). Commvault’s approach allows organizations to deploy recovery environments on-demand, ensuring they’re compromise-free while avoiding the significant expense of maintaining always-on recovery infrastructure.
Final Thoughts
The most important takeaway from our conversation is simple: be prepared. Understand what your organization is currently doing, interrogate those practices, and identify what needs to improve. While many recovery mechanics are largely solved problems, the real challenge lies in ensuring your teams are ready to execute when disaster strikes.
As Tim emphasized in our closing moments, plan, prepare, and test – then do it all over again. This continuous cycle of readiness is what will ultimately determine how quickly your organization can recover when the worst happens.
If this conversation has whetted your appetite for learning more about developing a Minimum Viable Company and getting it back online when chaos happens, check out this on-demand webinar by the Commvault team, which will walk you through that in more detail.