Podcast

Cyber Resilience vs. Data Resilience: Why Backups Alone Won’t Save You

Written by Fed Gov Today | Oct 1, 2025 10:14:59 AM
 

Presented by Cohesity

Subscribe and listen to the Fed Gov Today Podcast anytime on Apple Podcasts, Spotify, or at FedGovToday.com.

Cyber resilience is becoming one of the most urgent priorities for federal agencies. Nation-state attacks like Volt Typhoon highlight the reality that traditional defenses are not enough. Agencies are being pushed to think differently about how they secure systems, protect data, and maintain trust in the face of adversaries actively working against them.

That’s the message from Marlin McFate, Public Sector Chief Technology Officer and Chief Information Security Officer at Cohesity, who joined Francis Rose on Fed Gov Today. McFate says resilience has to go far beyond the decades-old practices of data protection.

“We’ve always been concerned within organizations about how do I recover the operations, the critical systems within my organization, the ability to do the mission, my data, in and of itself,” McFate explains. “But the threat landscape and what we’re dealing with has certainly changed, and it continually changes.”

Data Resilience vs. Cyber Resilience

One of McFate’s central points is that agencies must distinguish between data resiliency and cyber resiliency.

Data resiliency, he says, is the familiar playbook: protecting against natural disasters, fires, or other unexpected disruptions. “These are typically natural disasters, fires, some unforeseen act of God, if you will,” he notes. Organizations have spent decades refining those practices.

But cyber resiliency is different. “We’re probably one of the only people within IT that are always trying to prove a negative,” McFate says. “We’re scared of something happening that hasn’t necessarily happened yet. And second is, we have adversaries that are trying to harm our organizations, actively trying to harm or work against us.”

That adversarial element creates unique challenges. Cyber incidents not only disrupt systems, they also erode trust. “If you don’t go through the proper clean room mitigation steps, bringing in the cybersecurity team, figuring out how the adversary got into the system… you’re just going to continually go through this cycle of reinfection,” McFate warns.

The Problem with Overinvesting in Protection

McFate points out a persistent imbalance in how organizations allocate resources. Agencies often spend the overwhelming majority of their budgets on protection technologies—sometimes more than 80%—and far less on recovery.

“We’re lulled into the sense that if I just do a really good job at protecting my environment, I may never have to actually do a respond and recover,” he says. “But if you take a look at the news, that kind of leads you to believe that’s not necessarily the case.”

The reality is stark: it’s not a matter of if but when. “Organizations are starting to realize that… this is something I need to understand better, this is something I need to do better,” McFate says.

The Cyber Resiliency Model

To help agencies prepare, Cohesity has developed a cyber resiliency model. The very first step is ensuring that backups survive an attack.

“You have to be able to guarantee almost that at least your backups will survive, because they’re going to be the root of everything that you do from that going forward,” McFate explains. Those backups underpin investigations, forensics, mitigation, and recovery.

But backups alone aren’t enough. Agencies need a recovery environment that is trustworthy and secure. “That environment has to have the minimum viable response capability,” McFate says. “So it has to have good, trusted tooling. I have to figure out a way to bring up authentication or Active Directory again, because that’s more than likely going to be toast.”

He cites research showing that nearly 89% of Active Directory instances in cyber incidents are compromised. “You can’t trust that anymore,” McFate stresses. Rebuilding that authentication environment is a prerequisite for any meaningful recovery.

Building Back to a Trusted State

For McFate, true cyber resilience means returning to a trusted state quickly and with as little disruption as possible. “Our intention is to be able to quickly recover to a trusted state with as little, if any, data loss or loss within an operational scope within our systems,” he says.

That requires preparation. Agencies must think through how they will create recovery environments, which tools they will trust, and how they will restore authentication. Without that preparation, they risk restoring infected systems and falling back into a “death spiral” of repeated compromises.

Data, AI, and the Next Step in Resilience

Resilience is also about how agencies use their data once it’s secure. McFate highlights Cohesity’s approach to indexing both structured and unstructured data, enabling new uses of artificial intelligence without exposing sensitive information.

“One of the reasons why I came to Cohesity was very unique, especially in the secondary data market,” he explains. “Typically backup and recovery takes the data and locks it away. What Cohesity did that’s very different is we actually index everything that comes in.”

That indexing makes it possible to use tools like generative AI safely. “Everyone wants to use generative AI, which is a good tool. Unfortunately, it’s a creative tool as opposed to an accurate tool,” McFate says. By combining retrieval-augmented generation with indexed data, agencies can “start having a conversation with their data” for compliance, investigations, law enforcement, and other mission needs.

Preparing for the Inevitable

McFate’s bottom line is clear: resilience is not optional. It’s an evolving requirement that demands preparation, investment, and a mindset shift. Agencies that treat cyber resiliency as distinct from data resiliency—and prepare accordingly—will be able to bend without breaking when the next attack comes.