Skip to content

TechChannels Network:      Whitepaper Library      Webinars         Virtual Events      Research & Reports

×
Artificial Intelligence (AI) Cybersecurity

Q&A: Cohesity Vice President James Blake Talks From Recovery to Resilience: Rethinking Cyber Preparedness

Teri Robinson

Jul 09, 2026

As ransomware and destructive cyberattacks become an operational certainty rather than a remote possibility, organizations are beginning to recognize that backups alone are not enough. True cyber resilience requires more than technology—it demands operational readiness, cross-functional coordination, and the ability to restore trust in systems after an attack.

Drawing on years of experience leading global cyber risk programs, building security operations centers, and supporting organizations through hundreds of ransomware incidents, James Blake, Vice President, Global Cyber Resiliency Strategy, Consulting & Response Services at Cohesity, discusses why resilience has become the new objective for security leaders. Throughout the conversation, he emphasizes that organizations must move beyond disaster recovery, rethink trust, prepare through realistic exercises, and adopt pragmatic, incremental approaches to strengthening security.

Q. What distinguishes cyber recovery from traditional disaster recovery?

A. Having a backup product does not necessarily mean you have a capability to recover. What you need for disaster recovery is very different than what you need for cyber recovery. Business continuity and disaster recovery are all about restoring data. Cyberattacks aren't like that. There are more variables in cyberattacks. The only way to get deterministic recovery is rebuilding trust is really involved and after an incident you have to re-establish that.

Q. How has the concept of trust changed in cybersecurity?

A. Trust starts with identity.

If you need to bring Active Directory back to log into your backup platform, you've already lost. You brought your biggest persistence mechanism back into production without being able to investigate it.

Once you've lost trust in that EDR... how can you rely on that EDR for your response? There's a different recovery point objective to restore trust than there is for data. Most organizations don't understand that.

They treat a cyber incident like business continuity and disaster recovery, throwing the last snapshot back into production. Then they get hit again. That trust restoration is so important. Preparing in advance to systematically layer that trust; that's the most important thing.

Q. Has AI fundamentally changed the nature of cyberattacks?

A. I spent years building security operation centers. AI has revolutionized basic tasks like classification, statistical anomaly detection and things like that. I think security operation centers are going to be less about staring at red consoles and more about prompt engineering.

On the adversary side, I think there's a lot of hype. They haven't changed the nature of ransomware. They are still the same stages. They're still the same tradecraft—identity-based attacks, living off the land, defense evasion. It's just that finding the vulnerabilities is now easier and the likelihood has gone up. But, the impact has stayed the same.

Organizations need to build resilience, do what they were doing before. There's just more of a need to do it now. When people go, “How do I handle AI?” We say “do what we were telling you to do ten years ago. Just do it now."

Q. How should organizations prepare for ransomware before it happens?

A. I'm a great fan of desktop exercises. They're great for educating executives, but they're very theoretical. You've got executives making decisions with almost perfect information. That's never the reality. The best thing to do is use your backup platform. You can clone a production environment and stand it up—a digital twin of a production environment. Then get your pen testers to attack it and go full bore at this copy of your production environment: steal the data encrypt the data. Then you're testing detection, triage, escalation paths, handoffs, decision gates. You're building muscle memory in people so when they actually get hit, they don’t have to dust off their response, it’s already there.

Q. What will the SOC of the future look like?

A. We shouldn't be throwing out the baby with the bath water. Some things are tried and tested. You have to understand the limitations of that technology. SIM suffers from something called the streetlight effect. The only things that sit in your SIM are the things you pushed into it. We don't always know what the adversary has changed. Attacks are going to happen. That's the first reason I moved to a resilience vendor. There are over fifty use cases for backup for a SOC. The amount of people that buy a backup solution and just use it for recovery... “It's our last line of defense." No, it isn't. If your threat intelligence is lagging two days behind... the attack has already happened. But if you've got the backup, you can hunt backwards—you've got the context of history. That's where I think the future of SOC is going.

Q. Who needs to be involved in cyber recovery planning?

A. Resilience requires IT and security to have a shared responsibility model and work in lockstep. Initially, we're still talking to the backup admin and the operational resiliency team. "Then we're talking to the CISO, cyber risk managers, chief data officers. All those people will be involved as stakeholders when the incident happens. They all need to be involved in the decision. A company can't be successful if Bob the backup guy is running the show end to end. It's just not going to work.

Q. Are organizations paying the price for years of neglected security fundamentals?

A. I agree with that. Hygiene isn't sexy and no one likes talking about it. But it is critically important. You have to be pragmatic. We all know we should do asset management. We should do change management. Know what your most critical assets are. Don't boil the ocean. Don't start CMDB projects that look at every asset in the business.

Break off the pieces you can chew on now and continually deliver on those. Cyber resiliency is a chain and every link in that chain that's improved improves resiliency. Focus on your weakest links.

If you can't deliver improvement, move to the next weakest thing. Just chip away at it again and again. Let's target our most important services and do pragmatic small improvements. Repeat that every day.

Blake reframed cyber resilience as an operational discipline rather than a technology problem. While AI is increasing the frequency of attacks and lowering the barrier for adversaries, it has not fundamentally changed the principles of resilience. Organizations still need trusted identities, tested recovery processes, coordinated response teams, and disciplined operational practices.

Perhaps the strongest message is that resilience is built long before an incident occurs. By conducting realistic exercises, restoring trust layer by layer, integrating security and IT operations, and making steady improvements to cyber hygiene, organizations can move beyond simply recovering data toward confidently restoring business operations after an attack. As Speaker 4 emphasizes, resilience is not achieved through a single project or product—it is the result of continuously strengthening every link in the operational chain.



 

 

Share on

More News