Datacom's Cybersecurity Index 2026 shows 76% of AU/NZ security leaders are confident in their risk visibility, but only 31% have a business continuity or incident response plan in place
The data resilience threat landscape has shifted from platform failure to ransomware to data exfiltration, while critical data has sprawled across environments organisations don't own or control
Three practical steps to close the confidence-capability gap: engage an experienced partner, validate recovery assumptions under real-world pressure, and embed data resilience into your broader digital strategy
Most organisations back up their data. Far fewer have tested whether they can actually recover it at the speed and scale the business expects. With Datacom's Cybersecurity Index 2026 revealing a significant gap between confidence and capability across Australia and New Zealand, we spoke to Peter van Grinsven, General Manager, Cloud Solutions Advisory, about what data resilience really requires, how the landscape has shifted, and the practical steps leaders can take to turn assumptions into evidence.
Talking to tech leaders across Australia and New Zealand, it is clear they are generally confident about their cyber risk exposure. But when I probe a bit deeper about their data resilience, it often becomes clear that their capability isn’t where they think it is.
That confidence-capability gap is well illustrated in Datacom’s Cybersecurity Index 2026, which reveals that 76% of security leaders say they have sufficient visibility of cyber risks, yet only 31% have a business continuity or cyber incident response plan in place.
At the same time, around 40% expect to be fully recovered within one to three days after a major incident, while global experience suggests minimum operational recovery after a significant incident typically takes closer to four weeks.
A complex mix of factors determines your ability to recover from a cyber incident quickly. There may be technical, legal, regulatory and communications issues to work through. But one factor more than all others determines your ability to get back to business – can you restore trustworthy data into operational systems in a systematic way and in a reasonable timeframe to avoid or minimise business disruption?
In many of my conversations, the assumption is that “we’re backing everything up, so we’re fine.”
But have you actually proven you can recover at the speed the business believes you can?
True data resilience is about maintaining the availability and integrity of your critical data so the business can keep operating when something goes wrong. There is no single product that “does” data resiliency. It’s an ecosystem of capabilities working together.
In practice, that usually includes a combination of:
Immutable backups for untampered recovery points.
Recovery services and tested runbooks to bring systems back in the right order.
Replication services to keep critical workloads highly available.
Offsite data retention so a single site or platform issue doesn’t take everything down.
Data resiliency sits at the base of a chain: data resiliency → disaster recovery → business continuity. If your data protection is weak, disaster recovery will be slow and uncertain, and that quickly cascades into lost revenue, reputational damage and regulatory exposure.
Immutability – the property of data that prevents it from being modified, overwritten, or deleted after it is initially written – is a good example of where confusion creeps in. Immutability is an attribute, not a solution. You can have beautifully immutable data that’s corrupt, in the wrong place, or impossible to restore quickly enough to meet your business objectives. On its own, that doesn’t make you resilient.
A decade ago, the dominant concern was platform failure. CIOs fretted about what would happen if the organisation’s data centre went down or a storage array died.
Then ransomware became the main story, with attackers encrypting data and demanding payment to unlock it.
Today, exfiltration and data exposure are front and centre. Attackers are increasingly extracting data and threatening to publish, targeting organisations in specific sectors where that data is most valuable. In many cases, the platform never went down, but the business impact is just as severe.
Nation-state actors operate differently to opportunistic attackers. They tend to gain access quietly and maintain it over long periods, which means backups taken during that window may already contain compromised data. Restoring from what appears to be a clean recovery point can reintroduce the very access you're trying to remove. Where those backups are stored matters too – if it’s in a jurisdiction where a foreign government can compel access or withhold your data, recovery options become more limited.
At the same time, data has sprawled across private cloud, multiple public clouds and a growing number of SaaS platforms. Critical information now lives in systems you don’t own or directly control, like SaaS customer relationship management (CRM) or collaboration tools.
As organisations rush to give AI agents access to that same production data, from CRMs and knowledge bases to operational systems, they're widening the surface area where data can be altered, corrupted, or mishandled. Not by an external attacker, but by systems they've deliberately invited in. Most data resilience frameworks haven't caught up with that shift yet.
When we assess a customer’s data resiliency posture, the biggest gaps usually aren’t where people expect. The recurring issues include:
Unvalidated assumptions: Backups exist, but no one has run realistic recovery tests at the scale and pressure of a real incident. Teams assume they can “just hit restore” without understanding the integration dependencies, data order, or the ripple effects of rolling back certain systems.
Visibility and ownership: Organisations often don’t have a clear view of which data really matters most, where it lives, and who is responsible for protecting it across on-prem, cloud and SaaS. Shadow IT and “shadow AI” only amplify that blind spot.
Immutability gaps: Some workloads have short‑term immutable backups but not long‑term coverage, or vice versa, leaving important windows of exposure. Others rely on offshore immutable storage that is cheap but painfully slow to retrieve in a crisis.
Sovereignty and partners: Data that should be sovereign is backed up offshore, sometimes in platforms that may be subject to foreign nation policy. And while incident response plans mention “the partner,” the organisation and provider have never practised a full recovery together.
Runaway data growth: Near‑exponential data growth is pushing backup storage and licensing costs up, which tempts teams to quietly compromise on retention or scope. That often happens without reassessing which data is truly critical to the business.
Organisations with a mature approach to cybersecurity do regular, large‑scale disaster recovery exercises and “lessons learned” reviews involving both internal teams and partners. For most, testing is limited to a few core systems or not done at all, simply because it feels too disruptive. None of these gaps are unusual. But left unaddressed, they compound.
If you’re a CEO or CIO who’s just realised your confidence may not match your actual capability, the first step is not to panic. You don’t need to fix everything at once, but you do need a structured way to get from assumption to evidence.
1. Engage an experienced partner.
It’s very easy to burn time and budget trying to design your own approach from scratch. Working with a partner that lives and breathes data resiliency, cloud and security means you can start with proven methodologies and platforms, then tailor them to your organisation instead of reinventing the wheel.
2. Start with awareness and validation.
Map your most critical data sets, understand where they live (including SaaS), and identify which ones truly need “gold-plated” protection. Then design and run recovery tests that reflect real‑world pressure, including your partners, incident management team and business stakeholders.
3. Build resilience into your digital strategy.
Data resiliency should be treated as a central pillar within your broader cyber and digital resilience frameworks, not an afterthought. That means aligning your cyber teams with your data protection teams, factoring sovereignty and retrieval speed into architectural decisions, and ensuring your approach evolves as your environment does.
If you suspect there’s a gap between how resilient you think you are and how resilient you actually are, that’s a healthy place to start. The next step is to turn that suspicion into clarity – and then into a plan you can test, refine and trust when the worst happens.