SecOps Best Practices: Evolve Cyber Recovery to Shore Up Security Operations

September 19, 2022

So, let’s say it’s Monday morning, and even before your first sip of coffee, you find out that somebody on the network opened an email containing ransomware. Meanwhile, your SecOps team has isolated the infected hosts to stop the spread, and the security operations center (SOC) manager begins the investigation and forensic analysis.


You’ve heard about this happening to plenty of other companies, but you’re not panicking because you have backups readily available. You call your system administrator to start recovering data and applications; only now does anyone realize that the backup drives are at storage capacity, and no new data has been written to them for the past five weeks.


Thoughts flood in… how did this happen? Why were we a target? Weren’t we prepared for this?


If you’ve ever been in this scenario or one like it, please accept our condolences. Often, the most critical incidents take place when we’re least expecting them. Nonetheless, such situations are now increasingly common as businesses lose data or their ability to deliver core services due to ransomware, technological failures, environmental disasters and even human error.


As it turns out, 76% of organizations suffered interruption and data loss in 2021 due to these factors, and in the case of ransomware, those impacted faced an average of 21 days of downtime. Time spent recovering data or functionality can be especially costly due to the need for resource allocation, performing investigations and potentially preparing notice to the public. In 2021, the average total cost of a ransomware breach was $4.54 million, a number that’s been churning steadily upward year over year.


While these statistics are illuminating, the “whys” behind them are best understood by looking at a few persistent pain points:


  • Attackers get more sophisticated every day.
  • The volume of data that SOCs ingest grows constantly and exponentially, often resulting in alert fatigue and security tool overload. Both increase the risk that unknown threats and malicious actors exploit vulnerabilities and cause harm before anyone notices.
  • Legacy recovery plans have proven ineffective against new and improved cyberattack methods.
  • It’s challenging to determine which assets and data to prioritize in recovery when SecOps depends on numerous stakeholders across people, processes and technology.


The good news: there’s a better way. What if you could build a framework, for instance, that continually honed your ability to quickly recover operations to a secure state? What if this same framework also improved coordination across business units and security operations stakeholders? And what if it drove resilience throughout your people, processes and technology to overcome ransomware and other threats?


Optiv’s Cyber Recovery Solution (CRS) was designed with these questions in mind. Working alongside an organization’s SecOps teams, CRS maps critical systems and applications in the environment to identify and prioritize assets based on their impact and support to overall business operations. These engagements reveal the crown jewels, singular to each organization, that must be protected in order to minimize disruption and ultimately keep the lights on.


By restoring visibility into these essential assets, aligning them with current technology recovery capabilities and improving their resilience, CRS supports faster, more efficient incident response and recovery. This resilient framework integrates security with the associated governance procedures while creating customized recovery playbooks to accelerate the restoration of business operations. Lastly, CRS helps align process owners across both business and technology units, effectively breaking down silos and, hopefully, preventing a scenario like the one outlined at the beginning of this post.


Looking ahead, it’s all but certain that attackers will continue innovating new ways to breach businesses. To remain competitive despite an increasingly uncertain threat landscape, you might consider a solution like CRS to enhance your security operations, especially the response and recovery piece of your SecOps program. Doing so can help you leverage your current people, processes and technology to reduce the risk of breach and data loss, and in that process, create a more sustainable and scalable business.

Jessica Hetrick
Hetrick is Optiv’s chief of staff and a senior cybersecurity leader with more than a decade of experience in crisis management, incident response and security operations. Prior to joining Optiv, she directed global incident response teams at Cisco during crises and provided strategic leadership to reduce risk and improve processes and procedures for global organizations.
