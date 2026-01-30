Too often, zero trust and cyber resiliency plans fall short when it comes to including data, backup and recovery, Rubrik public sector CTO says.

Components of the Defense Department all expend a lot of effort on cybersecurity. But not all of them realize that resilience in the face of cyberattacks boosts not just defense but also deterrence.

That’s the contention of Travis Rosiek, public sector chief technology officer at Rubrik.

“My soapbox is trying to drive the military leadership policymakers to see cyber resilience as one of the key pillars of military strength,” Rosiek said during Federal News Network’s Industry Exchange Cyber 2026.

“Denying the cyber success of an adversary is a strong cyber deterrent strategy.” He said that if attackers, even those using the latest artificial intelligence-powered hacking tools, know their efforts will come to naught, that would constitute strong deterrence.

“The ability for organizations to bounce back within minutes, seconds, hours, is going to be a tremendous deterrent strategy,” Rosiek said, “but also ultimately drive to military dominance because we can still be successful in delivering our mission.”

Making resilience a priority

For deterrence, agencies must make resilience after cyberattacks a higher priority than even the detection and denial strategies aimed at preventing them, he said. One reason: Resilience supports the zero trust architecture DoD is striving to put in place.

That some attacks will get through “is one of the underlying zero trust premises,” Rosiek said. “Zero trust architecture and cyber resilience go hand in hand. I don’t think you can divorce the two.”

The rise of artificial intelligence has only increased the need for resilience, he pointed out. AI has spawned an industry providing low-cost “attacking as a service” products to anyone that wants to use them. That, Rosiek said, means agencies must reevaluate the effectiveness of their active response strategies.

“Now, an unsophisticated threat actor with a little bit of money or Bitcoin can obtain very sophisticated cyber weapons and capabilities,” he said, “such that you can’t know who all potential threats are or where they’re coming from.”

What’s more, it makes initiating preemptive strikes difficult because “some of those adversaries could be AI agents that spin up in milliseconds,” Rosiek noted.

Setting a route to cyber resilience

If resilience, the ability to recover quickly from an attack and minimize damage, is important, how do you actually get to resilience?

Sometimes, Rosiek said, efforts don’t quite go far enough. That’s true even for the armed services and other military components that, more than most organizations, train and exercise their cybersecurity training.

“They’re always practicing and drilling in the cyber domain,” he said. “but more often than not, the primary focus is on that attack — the attack methodologies, attack detection, attack prevention. They essentially kind of stop there.”

What they should do beyond that, he advised, is “emulate or go through the process for organizations to survive a cyberattack and actually work among themselves to rebuild and recover.” Rosiek said that activity would activate a muscle not exercised enough.

He said that muscle is somewhat more developed at the state and local government level and in certain parts of the civilian federal government.

Everyone must train “to initiate and have cyber recovery — not just the tools and technologies that enable it, but also the people, the training and the processes,” Rosiek said

Governments must prevent business discontinuity at all costs, he said, adding that the volume and potential of attacks render rebuilding from scratch or manually validating each file not just impractical, but impossible.

Rosiek said that zero trust and resilience training should extend to data backups, which organizations sometimes also overlook.

“If you just blindly trust your backups, recover your backup, and you don’t actually know what’s in the backup, then you’re implicitly trusting it, which goes against every zero trust architecture principle,” he said. “I would say that nine out of 10 organizations I’ve talked to, the cyber security team doesn’t know what backup capabilities are in the environment or the enterprise. And that’s deeply concerning.”

Inventorying critical data assets

Rosiek emphasized that last point: shared knowledge within the organization.

“Communication and collaboration among teams is going to be paramount to your future success and resilience,” he said.

Resilience also demands that people know the extent of their critical data and where it is.

“Data is pervasive,” Rosiek said. “It’s in the cloud, software as a service applications, it’s in on-premise data centers.” That means you need comprehensive visibility of data — another tenet of zero trust, he said.

Beyond visibility, organizations should maintain good data hygiene, including weeding out unnecessary data files, he said.

“A lot of organizations struggle with the data,” Rosiek said. “They’re data hoarders. They’ve been collecting data for decades. They don’t really clean it up.”

Those data pools make large targets for malicious actors, whether their motivation is disruption or grabbing data for ransom.

Perhaps surprisingly, some state and local governments are more prepared than federal on the resilience front, Rosiek said. Because the federal government won’t pay ransom for data, attacks against agencies tend to have disruption as their motive. But state and local entities have in fact paid ransom, Rosiek said, and that’s forced them to become more resilient with respect to data recovery.

“What’s driving more cyber resilience and maturity is that those organizations are constantly feeling that pain, and they’re being forced to adapt,” he said. Another factor comes from the cyber insurance that state and local entities purchase. Insurers, Rosiek said, tend to apply compliance requirements.

“To get cyber insurance, [state and local governments] have to have security controls like cyber recovery capabilities, in order to even get or maintain cyber insurance,” he said.

Regardless of level, government agencies should stay on top of data and data recovery. Rosiek said Rubrik, which started as a provider of backup utilities, has steadily added ease of use and architectural improvements to keep up with cloud and changing storage technologies.

Most recently, he said, the company added AI-enabled analytics that “bridge the gaps between the security operations centers and the IT operators, including the backup admins.” For instance, the forthcoming Rubrik Agent Cloud will focus AI on the client’s data and enable faster response and recovery, Rosiek said.

