Startups cannot loosen up on resilience

Cyber-resilience is now a boardroom priority. Balaji Rao explains how new AI-driven threats and SaaS adoption challenge startups, and outlines strategies like the MVC approach for building resilience into core business models.

Pratima H
Balaji Rao, Area Vice President, India & SAARC, Commvault

Start-ups have the advantage of carrying no legacy burdens and of being equipped with automation, secure-by-design practices, and scalable cloud environments, yet they can also put security on the back-burner, treating it as a compliance task or deferring action. Balaji Rao, Area Vice President, India & SAARC, Commvault, decodes the inevitable emphasis on resilience, with a special lens on start-ups.

How do you define cyber-resilience in the year 2025 and forward?

Cyber-resilience is now a boardroom priority, central to how businesses operate, compete, and survive in a high-risk digital environment. It defines an organisation’s ability to continue delivering critical outcomes under pressure from cyber threats, regulatory shifts, and operational disruption.

Is it operational, regulatory or financial?

Operational resilience forms the technical backbone of cyber resiliency. Organisations must build intelligent, automated systems that enable early threat detection, rapid recovery, and minimise downtime. Technologies like cleanroom recovery, automated workflows, and immutable backups are essential to protect critical assets and restore operations securely.

Resilience, however, extends well beyond infrastructure; aligning with regulatory norms is now inseparable from cyber resilience. As data protection and sovereignty laws evolve, embedding compliance into daily operations reduces legal exposure and reinforces accountability across the enterprise. Financial resilience is another layer, as cyber incidents disrupt revenue streams, increase recovery costs, and erode stakeholder confidence. By leveraging the Minimum Viable Company (MVC) approach, organisations can now identify their core processes and assets required to keep the business running, prioritise recovery efforts and limit financial fallout.

Can it also be communication-related or psychological?

Communication under pressure is equally vital. Coordinated, timely messaging to employees, customers, and stakeholders is vital to maintaining trust during a crisis. Resilience also depends on people. Regular simulations, defined roles, and cross-functional preparedness ensure organisations can respond decisively when it matters most.

Thus, cyber resilience today is multidimensional, driven by technology, compliance, financial strategy, communication, and culture to keep organisations prepared, in control, and operational.

What new threats make resilience difficult for enterprises now?

Resilience has become significantly crucial to maintain as cyber threats are becoming more intelligent, scalable, and unpredictable. One of the most disruptive shifts is the use of AI by threat actors to amplify the speed, precision, and impact of attacks. These AI-driven assaults, ranging from hyper-targeted phishing to automated identity theft and zero-day exploitation, can outpace traditional detection tools and overwhelm response systems.

The rise of Ransomware-as-a-Service has further lowered the barrier to entry for attackers. Pre-built toolkits enable even low-skill actors to launch enterprise-grade attacks at scale. This has led to a sharp increase in attack frequency and complexity, often resulting in prolonged downtime and operational disruption.

What’s on the software side?

Organisations accelerating SaaS adoption face another layer of vulnerability. Many struggle to manage configuration risks or clearly define roles under shared responsibility models, leaving sensitive data exposed, especially in fast-moving, cloud-first environments where security oversight lags behind deployment.

These challenges are compounded by the fact that India is seeing a significant rise in data breaches, with the average cost reaching a record ₹19.5 crore in 2024. Resilience, today, requires early threat detection, rapid, secure recovery, and deep visibility across workloads.

Which side do AI and Quantum Computing stand—defence or offence?

AI and quantum computing are reshaping the future of cyber resilience, making it difficult to define them strictly as tools of offence or defence. Their dual nature presents both a growing threat and a powerful opportunity, depending on who controls them and how they are applied.

AI is already embedded in the offensive playbook of threat actors. AI agents can independently scan environments, uncover vulnerabilities, and adapt in real time, reducing the window in which defenders must react. These autonomous, self-optimising threats represent a fundamental shift, rendering traditional rule-based defences inadequate. On the other hand, AI is also strengthening cyber resilience by enhancing threat detection, streamlining incident response, and driving automation across recovery processes. The key question is not which side AI serves, but whether enterprises are prepared to deploy it securely, responsibly, and effectively.

Meanwhile, quantum computing poses a long-term risk. Its ability to break current encryption standards threatens data confidentiality, particularly for sectors that manage long-term sensitive information. Platforms supporting post-quantum encryption, such as Kyber and HQC, paired with AI-driven threat detection, are helping businesses stay ahead. Commvault, for instance, has integrated post-quantum readiness into its data protection architecture while boosting proactive threat visibility through tools like ThreatWise.

Why does resilience matter so much for start-ups? What are they doing right/wrong here?

Startups operate in a space that offers both a head start and harsh realities. Built to move fast and scale quickly, they are typically digital-first, cloud-native, and heavily reliant on SaaS platforms to power everything from operations to customer experience. While this fuels agility, it also leaves little margin for error.

Elaborate.

In today’s cloud-powered world, where data underpins every function, resilience must be built in from the start and not treated as an afterthought. Many startups are on the right track here. Free from legacy infrastructure, they have the advantage of embedding cyber resilience directly into modern architectures using automation, secure-by-design practices, and scalable cloud environments.

The challenge lies in prioritisation. Too often, resilience is treated as a compliance task or deferred until an incident forces action. Unlike large enterprises, startups rarely get a second chance. A ransomware attack or prolonged downtime can derail business continuity and destroy customer trust completely.

Going forward, what strategies should enterprises adopt to embed resilience into their core operating model?

Rising digital complexity demands that resilience evolve from a technical function to a core business capability. Recovery cannot remain a reactive function; it must be designed into how the organisation operates, enabling a proactive and coordinated response to disruption.

A fundamental shift involves moving from full-environment recovery to adopting an MVC strategy. MVC enables organisations to operate through disruption, with a blueprint to sustain critical functions under pressure. It drives alignment between business and IT on what must stay running to prevent paralysis. In a landscape where downtime is costly and reputational risk is high, MVC provides a tested framework to maintain continuity and control.

Additionally, resilience must be sustained and proactive. Organisations, particularly digital-native enterprises, must institutionalise recovery testing, automation, and threat-informed preparedness. Capabilities such as Cleanroom Recovery, immutable storage, and SaaS-native protection are essential, given the distributed nature of modern IT across hybrid, multi-cloud, and edge environments.