
DATA PROTECTION

Four questions CISOs should ask their storage team before the next breach

March 13, 2026 | Robert Callaghan

Many CISOs don't give data storage much thought. When you are juggling identity management, access control, detection and governance at the same time, the infrastructure working in the background gets no attention until something goes wrong. So storage only comes into focus when a cyber threat materializes, or when a backup fails at the worst possible moment.

In reality, resilience is not simply a matter of backup frequency. What matters is how well the data is protected, and how quickly it can be recovered when something goes wrong. That makes where your backups are stored every bit as important as your firewalls, endpoints and access controls.

If your storage was not built with immutability, accessibility and affordable testing in mind, you are carrying more risk than you think. Now is the chance to step back and revisit the role storage plays in your overall resilience plan. Putting the following questions to your team will tell you whether the organization is in a position to recover effectively when it counts.

1. Is our storage actually reducing business risk?

Backups tend to be judged simply on whether they were made. Ticking the checklist and satisfying the auditors creates a sense of security. But that sense of security is not the same as resilience. What really matters is where the backups are stored, how they are protected, and how reliably they can be restored when something goes wrong.

In other words, think of storage as the foundation of your recovery strategy. If the storage that holds every backup is not resilient enough, your data protection plan is fragile too. Truly cyber-resilient storage combines the security and durability needed to make a clean restore possible, without being undermined by attackers, insiders, or even operating costs.

Start by confirming that backup data is kept on secondary storage separated from the primary production systems. Then look closely at the architecture itself. Does an immutability feature keep data from being modified or deleted until its retention period ends? Is data encrypted in transit and at rest using current standards such as AES-256? Is access to accounts secured with multi-factor authentication (MFA)? Have you deployed features such as multi-user authentication (MUA) so that a single credential cannot unilaterally delete a bucket or an account?

Whether these controls are in place determines whether resilience is fast and verifiable, or expensive and uncertain. The 3-2-1-1-0 rule is still cited as the gold standard: three copies of your data on two different media, one of them offsite and one immutable, with the goal of zero errors on recovery.

If your storage doesn't meet these conditions, the risk isn't just downtime. It means you are only dreaming of a resilience strategy; in practice nothing is in place.
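The 3-2-1-1-0 checklist above is easy to state and easy to believe you satisfy. The following added example (not code from the article or from any vendor) evaluates a backup inventory against each leg of the rule and reports exactly which leg fails. The `BackupCopy` record and the media labels are assumptions made for illustration; the two inventories at the bottom are constructed. The "0 errors" leg is read strictly: every copy must have a restore test on record and that test must have produced no errors.

```python
"""Evaluate a backup inventory against the 3-2-1-1-0 rule (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    medium: str                               # constructed labels: "disk", "object-storage", "tape"
    offsite: bool                             # stored away from the primary site
    immutable: bool                           # object lock / retention enforced by the storage
    last_restore_errors: Optional[int] = None  # None means never restore-tested


@dataclass
class Verdict:
    passed: bool
    findings: List[str] = field(default_factory=list)


def evaluate_3_2_1_1_0(copies: List[BackupCopy]) -> Verdict:
    """3 copies / 2 media / 1 offsite / 1 immutable / 0 errors on the last restore test."""
    findings: List[str] = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule requires 3")
    media = sorted({c.medium for c in copies})
    if len(media) < 2:
        findings.append(f"all copies share one medium ({', '.join(media) or 'none'}); the rule requires 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")
    untested = [c.name for c in copies if c.last_restore_errors is None]
    if untested:
        findings.append("never restore-tested: " + ", ".join(untested))
    failing = [c.name for c in copies if c.last_restore_errors]
    if failing:
        findings.append("restore test reported errors: " + ", ".join(failing))
    return Verdict(passed=not findings, findings=findings)


# Constructed inventories for illustration only.
RESILIENT = [
    BackupCopy("primary-snapshot", "disk", offsite=False, immutable=False, last_restore_errors=0),
    BackupCopy("object-store-replica", "object-storage", offsite=True, immutable=True, last_restore_errors=0),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=False, last_restore_errors=0),
]

WEAK = [
    BackupCopy("nightly-a", "disk", offsite=False, immutable=False, last_restore_errors=0),
    BackupCopy("nightly-b", "disk", offsite=False, immutable=False),
]

if __name__ == "__main__":
    for label, inventory in (("resilient", RESILIENT), ("weak", WEAK)):
        verdict = evaluate_3_2_1_1_0(inventory)
        print(label, "PASS" if verdict.passed else "FAIL")
        for finding in verdict.findings:
            print("  -", finding)
```

Run against `WEAK`, the script reports five findings: too few copies, a single medium, no offsite copy, no immutable copy, and a copy that has never been restore-tested. The point of returning every failing leg rather than a single boolean is that each finding maps to one of the questions for the storage team.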

2. Are we building resilience that’s testable, not theoretical? 

Not all storage is built for resilience, and that’s where risk creeps in. Most environments can back up data without issue; it’s the “getting it back” part that’s far more complicated. A few critical features determine whether recovery is routine or a race against the clock.

Start with the foundation: cloud object storage. It’s designed for durability, scalability, and redundancy across regions, ensuring a single outage can’t take everything down with it. It’s the backbone that keeps operations steady when disruption hits.

From there, make sure the essentials are in place:

  • Immutability. Once data is written, it should stay that way until its retention period ends. That safeguard keeps your clean copies out of reach from ransomware or accidental deletion.

  • Encryption everywhere. Data should be encrypted in transit and at rest using strong, current standards like AES-256. Don’t forget to rotate the keys regularly; it’s the simplest way to limit exposure.

  • Zero Trust access. Storage should follow the same principles as the rest of your environment: no implicit trust, and no single person with the power to delete everything. Multi-user authentication enforces this by requiring more than one approval for potentially destructive actions.

  • Affordable recovery testing. If API calls and egress fees make testing expensive, it won’t happen often enough. Recovery only works when it’s practiced regularly and without hesitation, and those tests reveal more than speed. They confirm two fundamentals: that you’re backing up what you think you are, and that what you’re backing up is what you’d need to recover in a real incident.

Each of these controls protects a different link in the recovery chain. Together they make sure your data stays intact, accessible, and recoverable, the three outcomes every resilient organization should be able to count on.

3. Can we recover without breaking the budget or SLAs?

Even the best defenses assume failure at some point. When that happens, recovery speed determines whether the business experiences a minor disruption or a major outage. A well-documented recovery plan is only as strong as your ability to execute on it, not to mention test it often enough to trust the results.

Start by asking how your storage and backup systems handle failover. Can the team restore critical applications quickly, or do recovery times depend on which cloud tier your data happens to live in? Be honest about cost structure: cold storage looks cheap on paper until your first large-scale recovery proves otherwise. Those savings disappear fast when you’re hit with egress fees or stuck waiting hours to retrieve data during an incident.

Ask what service-level agreements your storage provider guarantees for access and recovery times, and whether those metrics align with your internal RTO (recovery time objective) goals. RTO is all about speed, or how quickly systems and data can be brought back online after an incident. That speed determines how long operations stay down, how much trust or revenue might be lost, and how fast you can prove the situation is under control.

Then consider your RPOs (recovery point objectives). Here the focus shifts to data, or more specifically, how far back you can recover since the last backup. This depends entirely on how often those backups occur. The more economical and predictable your storage costs, the more frequently you can back up, shrinking that window of potential loss. If costs force you to stretch out the interval between backups, every extra hour increases your exposure to risk.

Finally, look at your testing cadence and cost. Recovery drills should happen at least quarterly, more often for systems that are business-critical or frequently updated. If your storage provider charges egress or API fees every time you validate a restore, testing will fall off the schedule. When testing stops, so does confidence.

A plan that’s too expensive to test or too slow to execute is just a document. Regular, affordable testing is how you validate every other aspect of your cyber-resilience strategy.
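RTO, RPO and testing cadence are measurable, and the numbers are often worse than the policy document says once failed backup jobs are counted. The added example below (not code from the article) computes the worst-case RPO exposure from a backup job log, treating a failed run as a gap that doubles the unprotected window, and checks the most recent restore drill against an RTO target and a quarterly cadence. The `BackupRun` and `RestoreDrill` records, the nightly schedule and the drill result are constructed assumptions.

```python
"""Measure a backup schedule and restore drills against RPO/RTO targets (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass
class BackupRun:
    finished: datetime
    ok: bool            # False = the job failed and produced no recovery point


@dataclass
class RestoreDrill:
    performed: datetime
    duration: timedelta  # wall-clock time to bring the system back
    errors: int


def worst_case_rpo(runs: List[BackupRun], as_of: datetime) -> timedelta:
    """Largest window of unprotected changes across the schedule.

    Only successful runs count as recovery points, so a failed run stretches
    the gap to the next good one. The window from the last good run up to
    `as_of` is included, because an incident could strike right now.
    `as_of` is assumed to be later than every run.
    """
    good = sorted(r.finished for r in runs if r.ok)
    if not good:
        return timedelta.max          # nothing to restore from: exposure is unbounded
    points = good + [as_of]
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def rpo_met(runs: List[BackupRun], as_of: datetime, rpo_target: timedelta) -> bool:
    return worst_case_rpo(runs, as_of) <= rpo_target


def rto_met(drills: List[RestoreDrill], rto_target: timedelta) -> bool:
    """True only if the most recent drill restored cleanly within the RTO."""
    if not drills:
        return False
    latest = max(drills, key=lambda d: d.performed)
    return latest.errors == 0 and latest.duration <= rto_target


def drill_overdue(drills: List[RestoreDrill], as_of: datetime,
                  max_age: timedelta = timedelta(days=90)) -> bool:
    """Quarterly cadence by default; no drill on record counts as overdue."""
    if not drills:
        return True
    return as_of - max(d.performed for d in drills) > max_age


def nightly_runs(first: datetime, days: int, failed: Set[int]) -> List[BackupRun]:
    """Build a constructed log of one run per night, with the given day offsets failed."""
    return [BackupRun(first + timedelta(days=i), i not in failed) for i in range(days)]


# Constructed sample: seven nightly runs at 02:00 starting 2026-03-01, the fourth one failed.
AS_OF = datetime(2026, 3, 7, 12, 0)
SAMPLE_RUNS = nightly_runs(datetime(2026, 3, 1, 2, 0), 7, failed={3})
SAMPLE_DRILLS = [RestoreDrill(datetime(2026, 1, 10, 9, 0), timedelta(hours=3), errors=0)]
RPO_TARGET = timedelta(hours=24)
RTO_TARGET = timedelta(hours=4)

if __name__ == "__main__":
    exposure = worst_case_rpo(SAMPLE_RUNS, AS_OF)
    print(f"worst-case RPO exposure: {exposure} (target {RPO_TARGET}) ->",
          "met" if rpo_met(SAMPLE_RUNS, AS_OF, RPO_TARGET) else "MISSED")
    print("RTO met on last drill:", rto_met(SAMPLE_DRILLS, RTO_TARGET))
    print("drill overdue:", drill_overdue(SAMPLE_DRILLS, AS_OF))
```

With one failed night in the constructed log, the worst-case exposure is 48 hours against a 24-hour target, even though the schedule is nominally nightly. That is the calculation to bring to the cost discussion: if egress or API fees push the interval out, the exposure grows by the same amount on every failed run as well.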

4. Are we confident our storage meets compliance and audit requirements?

Compliance isn’t just a formality. It’s the accountability layer that proves your controls work. Storage plays a bigger role in that story than most people realize.

Review which regulations and internal policies apply to your organization. Frameworks like HIPAA, FERPA, GDPR, SOX, or sector-specific standards such as PCI DSS, CJIS, or FedRAMP often overlap around data retention, privacy, and security. That overlap means every storage decision, from where data lives to how it’s encrypted and accessed, has compliance implications.

New EU regulations are adding another layer of scrutiny. The Cyber Resilience Act and the EU Data Act introduce fresh obligations around cybersecurity, data governance, and transparency. They reflect a broader global shift, not just raising the bar for how organizations store and protect their data, but how they demonstrate resilience and trust.

Your storage architecture should support those mandates with features that make compliance practical. Confirm these compliance requirements with your storage team:

  • Retention and immutability. Can you prove that regulated data is stored for the full retention period and that it can’t be altered or deleted before then? Immutability and versioning provide the assurance auditors expect.

  • Encryption and key management. Is sensitive data encrypted in transit and at rest using strong, current standards like AES-256? Are keys rotated regularly and managed through a dedicated key management service (KMS), separate from storage credentials?

  • Zero Trust principles. Does your storage environment enforce least privilege, continuous verification, and separation of duties for administrative actions? Features like MUA help close the insider-risk gap.

  • Audit readiness and visibility. How quickly can your team produce evidence of data access, retention, or recovery for an audit? Do logs and metadata provide the tamper-evident trail regulators expect?

If any of these answers are uncertain, it’s time to dig deeper. Storage that supports encryption, immutability, dedicated key management, and transparent audit logging doesn’t just fulfill regulatory requirements. It strengthens confidence across your entire security and compliance posture.
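The retention, encryption and key-management questions in this section, and the immutability and encryption essentials in question 2, can be answered from a bucket's configuration rather than from a vendor's assurances. The added example below (not code from the article or from any storage vendor) audits three configuration documents in the shape that S3-style object storage APIs return for object lock, versioning and default encryption, and flags gaps an auditor would raise: lock disabled, a GOVERNANCE-mode default (which privileged accounts can override, unlike COMPLIANCE mode), a default retention shorter than the regulated period, versioning off, and encryption that relies on service-managed keys instead of a dedicated KMS key. The sample responses are constructed by hand so the checks run offline; the key ARN is a placeholder.

```python
"""Audit a bucket's retention, versioning and default-encryption settings (added example)."""
from typing import Dict, List, Optional


def _default_retention_days(lock_cfg: Dict) -> Optional[int]:
    """Days of default retention, or None if no default rule is set (Years approximated as 365 days)."""
    retention = lock_cfg.get("ObjectLockConfiguration", {}).get("Rule", {}).get("DefaultRetention", {})
    if "Days" in retention:
        return int(retention["Days"])
    if "Years" in retention:
        return int(retention["Years"]) * 365
    return None


def audit_bucket(lock_cfg: Dict, versioning: Dict, encryption: Dict,
                 required_retention_days: int) -> List[str]:
    """Return a list of findings; an empty list means the bucket passes every check."""
    findings: List[str] = []

    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: objects can be altered or deleted before retention ends")
    else:
        mode = lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
        if mode != "COMPLIANCE":
            findings.append(f"default retention mode is {mode or 'unset'}; only COMPLIANCE mode "
                            "cannot be shortened or bypassed by a privileged account")
        days = _default_retention_days(lock_cfg)
        if days is None or days < required_retention_days:
            shown = "unset" if days is None else f"{days} days"
            findings.append(f"default retention {shown} is below the required {required_retention_days} days")

    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: earlier object versions are not preserved")

    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    defaults = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
    if not defaults:
        findings.append("no default server-side encryption rule")
    elif not any(d.get("KMSMasterKeyID") for d in defaults):
        findings.append("default encryption uses service-managed keys rather than a dedicated KMS key")
    return findings


# Constructed configuration snapshots; the key ARN below is a placeholder, not a real key.
COMPLIANT = dict(
    lock_cfg={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}},
    versioning={"Status": "Enabled", "MFADelete": "Enabled"},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "arn:PLACEHOLDER:kms:key/example"}}]}},
)

WEAK = dict(
    lock_cfg={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    versioning={"Status": "Suspended"},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
)

SEVEN_YEARS = 7 * 365  # constructed regulatory retention period for the sample

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("weak", WEAK)):
        findings = audit_bucket(**cfg, required_retention_days=SEVEN_YEARS)
        print(label, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

The same function can be pointed at configuration pulled from a live bucket with your provider's API or CLI, which turns the audit-readiness question into a repeatable check rather than a one-off answer.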

Bringing it all together

No organization gets resilience right by accident. It’s a product of intent: how well your teams plan, test, and adapt when things inevitably go wrong.

Storage isn’t the most visible piece of that puzzle, but it’s often the one that decides how quickly the rest can recover. The questions you ask today about immutability, access, testing, and compliance set the tone for how prepared you’ll be tomorrow.

If these questions raised any uncertainty, you know where to start. Resilience isn’t built on intent; it’s built in verification. Every tested restore is a statement of confidence that your organization can keep running, even when the worst happens.
