
May 28, 2026
CISO Decision Brief: Closing the Resilience Gap at the Data Layer - NetApp
An Intelligent Data Infrastructure Approach to Detection, Recovery, and AI Governance
Whit Walters
1. CISO Decision Brief
2. Solution Value
This GigaOm CxO Decision Brief was commissioned by NetApp.
The CISO’s operating environment has shifted in ways that legacy security architectures can’t accommodate. AI-powered exploit kits compress attack timelines from weeks to hours. Hybrid multicloud estates scatter data across environments with inconsistent protection policies and disaggregated management, and the rapid adoption of generative AI introduces new data governance requirements that most organizations haven’t yet addressed. Traditional perimeter-centric security and bolt-on backup solutions were designed for a slower, simpler threat landscape. They remain necessary but are no longer sufficient.
Most recovery architectures still rely on secondary systems for detection and recovery orchestration. The primary storage platform writes data; separate tools monitor for threats; and adjacent to primary storage, backup infrastructure handles recovery. Each handoff introduces latency, coordination overhead, and additional failure points during an incident. NetApp’s approach with ONTAP is to collapse that model. Autonomous Ransomware Protection with AI (ARP/AI) performs real-time behavioral detection and response at the point of data creation rather than relying on network-based analysis or backup-layer detection. NetApp SnapLock Compliance enforces immutability at the storage OS level, creating snapshot recovery points that can’t be deleted or altered before their retention period expires, even through administrative access or vendor support channels.
The result is an architecture where detection, protection, and recovery are native to the data infrastructure. What differentiates NetApp ONTAP is that the same architecture offers consistent data management and built-in security capabilities across on-premises systems and as a first-party service in AWS, Azure, and Google Cloud. The detection, immutability, and governance policies that answer AI-accelerated attack velocity, inconsistent multicloud protection, and ungoverned AI data pipelines are defined once and enforced everywhere data lives. This shifts responsibility into the storage layer, which must now meet security and operational expectations traditionally handled by separate tools; in exchange, it removes the integration complexity and latency penalties that come with a distributed resilience model.
How Cyber Resilience Differs by Approach

| | Traditional Approach | Data-Layer Resilience Approach |
|---|---|---|
| Threat detection | Network or endpoint layer, separate from data; alerts require manual response | On-box, real-time behavioral AI detection at the point of data creation; automated response at write time |
| Immutability | Backup-dependent; administrative override possible | Storage-native WORM with multi-admin verification and no backdoor access |
| Recovery execution | Data movement across the network, constrained by bandwidth | Pointer-based clean restoration within the array |
| Hybrid cloud consistency | Separate tools and policies per environment | Same OS and policies across on-premises and the largest public clouds |
3. Urgency and Risk
The gap between attacker capability and defender response time continues to widen. CISOs face pressure from two directions simultaneously: threat actors leveraging AI to accelerate and automate attacks, and internal stakeholders demanding that security enable AI adoption and cloud migration, rather than constrain it.
Urgency
In sectors like healthcare, energy, financial services, and manufacturing, ransomware recovery routinely extends past a week, with average per-incident recovery costs of $1.53 million excluding ransom payments, according to Sophos's 2025 State of Ransomware report. These numbers reflect the reality that most recovery architectures were designed around daily or hourly backup windows, not the minute-level RPOs that modern threat velocity demands. Simultaneously, organizations building generative AI and retrieval-augmented generation (RAG) pipelines are discovering that unstructured data governance is not optional. Sensitive data that enters a training pipeline without proper classification and redaction creates compliance exposure that compounds with every model iteration. The CISO’s challenge is that these two pressures, faster recovery and governed AI enablement, must be addressed concurrently across on-premises and cloud environments where AI pipelines now run, not sequentially in one environment at a time.
Risk
The primary risk in any storage-integrated resilience strategy is organizational, not technical. Storage administration and security operations have historically operated as separate domains with separate tooling, metrics, and reporting chains. Bridging that divide requires deliberate change management. On the technical side, architectures that rely on off-box detection introduce network latency into the threat identification process, and solutions that allow administrative override of snapshot immutability create a social engineering attack surface that sophisticated threat actors actively exploit. Organizations evaluating data-layer resilience should scrutinize the administrative access model as carefully as they evaluate detection accuracy.
4. Benefits
Embedding security capabilities into the storage layer delivers measurable advantages across detection speed, recovery confidence, operational efficiency, and regulatory posture.
Faster recovery without network constraints: For primary storage workloads protected by snapshots, NetApp SnapRestore uses pointer-based restoration rather than data movement, removing network bandwidth as the recovery bottleneck. In these scenarios, effective RTOs can shift from days to minutes. This doesn’t address all recovery scenarios; full environment rebuilds and cross-platform recovery still require orchestration beyond the storage layer. But for the subset of incidents where rapid restoration of known-good primary data is sufficient, the impact on recovery time objectives is material.
On-box detection that reduces SOC noise: ARP/AI performs real-time behavioral analysis at the storage layer, identifying anomalous patterns in file activity as data is written. In independent testing by SE Labs, the capability achieved an AAA rating with greater than 99% recall for ransomware detection on file-based workloads under controlled test conditions. The practical value extends beyond detection accuracy: on-box detection that operates with low false-positive rates in tested scenarios reduces the alert volume that security teams must triage. Organizations should evaluate how ARP/AI alerts integrate with their existing SIEM and SOAR workflows, as on-box detection complements but doesn’t replace broader threat visibility.
Governed data for AI pipelines: AI adoption is creating a new class of data risk: sensitive information isn’t exfiltrated but embedded into models or exposed through inference. Storage is often the last point where you can inspect, classify, and govern data before AI systems consume it. NetApp Data Classification provides automated categorization and sensitive data identification at the storage layer, supporting PII redaction before data enters training or RAG pipelines. This positions storage as an active enforcement layer in AI risk management rather than a passive repository, addressing a governance gap that many organizations discover only after AI projects are already in production. The companion CIO brief covers these capabilities in detail.
NSA CSfC validation: ONTAP has been validated under the NSA’s Commercial Solutions for Classified (CSfC) program for specific configurations, making it the only enterprise storage platform to achieve this certification. For organizations operating in classified or highly regulated environments, this provides an independently verified baseline for data protection. As with any certification, applicability depends on deployment architecture and configuration alignment with the validated profile.
Modern infrastructure combined with hybrid cloud mobility provides data visibility and management across the full data estate, allowing the enforcement of consistent policies for security and compliance and streamlining protection and recoverability regardless of where data lives.
5. Best Practices
Successful adoption of storage-integrated cyber resilience requires deliberate architectural and organizational decisions. The technology alone does not deliver outcomes; how it is deployed, governed, and operationalized determines whether an organization actually improves its resilience posture. Common failure modes include misconfigured immutability policies that create a false sense of protection, overreliance on on-box detection for attack vectors that originate outside the storage layer, and lack of integration between storage-layer alerts and SOC workflows. These aren’t theoretical risks; they are recurring patterns observed in incident response scenarios.
Operationalize autonomous detection: Deploy ARP/AI with automated response policies that leverage the technology’s validated detection accuracy for file workloads. The low false-positive rate under tested conditions supports a more aggressive automation posture than most off-box detection tools can sustain without risking business disruption. Ensure that detection events are forwarded into SIEM platforms for correlation with endpoint, identity, and network telemetry. On-box detection is an additional signal and control point within the broader security architecture, not a replacement for it.
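The forwarding and triage logic described above, as an added illustration that is not NetApp code and not part of the original brief. It takes storage-layer detection events in a syslog/EMS-like text form, tracks which volumes are still in learning mode (where detections are lower confidence and should not drive automated containment), deduplicates repeated events for the same volume and recovery snapshot, and emits a normalized alert plus a CEF line for a SIEM collector. The event names `arw.volume.state` and `arw.volume.attack.detect`, the message formats, the host names and the sample lines are all assumptions constructed for the example; check your ONTAP release's EMS catalog and adjust the regular expressions before using this against real output.

```python
"""Normalize storage-layer ransomware detections for SIEM/SOAR ingestion.

Added example, not NetApp code. Event names, message formats and the sample
lines below are constructed assumptions modeled loosely on ONTAP EMS output.
"""
import re
from typing import Optional

# Assumed line shape: "<host> EMS: <event.name>: <message>"
EMS_LINE = re.compile(r"^(?P<host>\S+)\s+EMS:\s+(?P<event>[\w.]+):\s+(?P<msg>.*)$")
VOLUME_RE = re.compile(r'Volume "(?P<volume>[^"]+)" in SVM "(?P<svm>[^"]+)"')
STATE_RE = re.compile(r'changed state to "(?P<state>[^"]+)"')
ATTACK_RE = re.compile(r'(?P<count>\d+) suspect files, snapshot "(?P<snapshot>[^"]+)" created')

# Hypothetical event names (assumption; verify against your EMS catalog).
STATE_EVENT = "arw.volume.state"
ATTACK_EVENT = "arw.volume.attack.detect"

CONTAIN_THRESHOLD = 10  # suspect files before containment is recommended

# Constructed sample events; not real ONTAP output.
SAMPLE_EVENTS = [
    'cluster1-01 EMS: arw.volume.state: Volume "finance_vol" in SVM "svm_prod" changed state to "learning-mode".',
    'cluster1-01 EMS: arw.volume.attack.detect: Volume "hr_vol" in SVM "svm_prod" suspected ransomware attack, 37 suspect files, snapshot "Anti_ransomware_backup.2026-05-28_0915" created.',
    'cluster1-01 EMS: arw.volume.attack.detect: Volume "finance_vol" in SVM "svm_prod" suspected ransomware attack, 5 suspect files, snapshot "Anti_ransomware_backup.2026-05-28_0916" created.',
    'cluster1-01 EMS: arw.volume.attack.detect: Volume "hr_vol" in SVM "svm_prod" suspected ransomware attack, 37 suspect files, snapshot "Anti_ransomware_backup.2026-05-28_0915" created.',
]


def parse_ems_line(line: str) -> Optional[dict]:
    """Parse one EMS-style line into a dict, or None if it does not match."""
    m = EMS_LINE.match(line.strip())
    if not m:
        return None
    rec = {"host": m["host"], "event": m["event"], "msg": m["msg"]}
    v = VOLUME_RE.search(m["msg"])
    if v:
        rec.update(volume=v["volume"], svm=v["svm"])
    if m["event"] == STATE_EVENT:
        s = STATE_RE.search(m["msg"])
        rec["state"] = s["state"] if s else None
    elif m["event"] == ATTACK_EVENT:
        a = ATTACK_RE.search(m["msg"])
        if a:
            rec["suspect_count"] = int(a["count"])
            rec["snapshot"] = a["snapshot"]
    return rec


def build_alerts(lines) -> list:
    """Turn raw EMS lines into deduplicated, SIEM-ready alerts.

    Volumes still in learning mode have not finished baselining, so their
    detections are forwarded for correlation but never marked for automated
    containment. Duplicate events for the same volume/snapshot are dropped.
    """
    vol_state = {}
    seen = set()
    alerts = []
    for line in lines:
        rec = parse_ems_line(line)
        if rec is None or "volume" not in rec:
            continue
        key = (rec["svm"], rec["volume"])
        if rec["event"] == STATE_EVENT:
            vol_state[key] = rec.get("state")
            continue
        if rec["event"] != ATTACK_EVENT or "snapshot" not in rec:
            continue
        dedupe = key + (rec["snapshot"],)
        if dedupe in seen:
            continue
        seen.add(dedupe)
        if vol_state.get(key) == "learning-mode":
            action, severity = "notify", 5
        elif rec["suspect_count"] >= CONTAIN_THRESHOLD:
            action, severity = "contain", 9
        else:
            action, severity = "investigate", 7
        alerts.append({
            "source_host": rec["host"],
            "svm": rec["svm"],
            "volume": rec["volume"],
            "suspect_count": rec["suspect_count"],
            "recovery_snapshot": rec["snapshot"],
            "volume_state": vol_state.get(key, "enabled"),
            "severity": severity,
            "recommended_action": action,
        })
    return alerts


def to_cef(alert: dict) -> str:
    """Render one alert as a CEF line; extension keys are custom, map them to your SIEM schema."""
    ext = " ".join(f"{k}={str(v).replace(' ', '_')}" for k, v in alert.items() if k != "severity")
    return (f"CEF:0|NetApp|ONTAP ARP/AI|1.0|storage.ransomware.suspect|"
            f"Ransomware activity suspected on volume|{alert['severity']}|{ext}")


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_EVENTS):
        print(to_cef(a))
```

The point of the learning-mode branch is the caveat from the text: an aggressive automation posture is only defensible where the detector's accuracy has been established, and a volume that is still baselining is not there yet. The deduplication step is what keeps the SOC noise floor low when the same detection is re-emitted by multiple collectors or cluster nodes.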
Enforce immutability without administrative override: Implement NetApp SnapLock Compliance (WORM that meets SEC 17a-4 requirements) with Multi-Admin Verification so that snapshot integrity can’t be compromised through a single administrative credential or a social engineering attack against vendor support. Audit the configuration rather than assuming it: the SnapLock type, the snapshot lock state, the retention floor, and the set of operations covered by multi-admin verification should each be checked against policy. This is a meaningful differentiator; not all storage platforms enforce this level of administrative separation.
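A policy-as-code check of the kind the previous paragraph calls for, added here as an illustration that is not NetApp code and not part of the original brief. It audits a constructed inventory of volumes and cluster-wide multi-admin verification settings against a written policy and reports every gap that would leave a "false sense of protection": a critical volume on SnapLock Enterprise (which permits privileged delete) instead of Compliance, snapshot locking disabled, retention below the floor, too few approvers, or an administrative operation not covered by a verification rule. The inventory, its field names, and the operation names in the policy are assumptions loosely modeled on what an ONTAP REST export might contain; adapt the loader and the operation names to your release.

```python
"""Audit snapshot immutability and admin-override controls against policy.

Added example, not NetApp code. The inventory is constructed and its field
names are assumptions; replace CLUSTER_INVENTORY with data from your real API.
"""
from dataclasses import dataclass

POLICY = {
    "critical_tiers": {"critical"},
    "required_snaplock_type": "compliance",
    "min_retention_days": 30,
    "mav_min_approvers": 2,
    # Operation names are assumptions; confirm against your release's MAV rule catalog.
    "mav_required_operations": {
        "volume snapshot delete",
        "security multi-admin-verify modify",  # MAV must protect its own configuration
    },
}

# Constructed inventory; field names are assumptions, not a real REST schema.
CLUSTER_INVENTORY = {
    "mav": {"enabled": True, "required_approvers": 1,
            "protected_operations": ["volume snapshot delete"]},
    "volumes": [
        {"name": "hr_vol", "svm": "svm_prod", "tier": "critical",
         "snaplock_type": "compliance", "snapshot_locking_enabled": True,
         "min_retention_days": 30},
        {"name": "finance_vol", "svm": "svm_prod", "tier": "critical",
         "snaplock_type": "enterprise", "snapshot_locking_enabled": True,
         "min_retention_days": 30},
        {"name": "legal_vol", "svm": "svm_prod", "tier": "critical",
         "snaplock_type": "compliance", "snapshot_locking_enabled": False,
         "min_retention_days": 7},
        {"name": "scratch_vol", "svm": "svm_dev", "tier": "standard",
         "snaplock_type": "non_snaplock", "snapshot_locking_enabled": False,
         "min_retention_days": 0},
    ],
}


@dataclass(frozen=True)
class Finding:
    scope: str   # "cluster" or "<svm>/<volume>"
    check: str
    detail: str


def audit_volume(vol: dict, policy: dict) -> list:
    """Check one volume; only volumes in a critical tier are in scope."""
    findings = []
    if vol["tier"] not in policy["critical_tiers"]:
        return findings
    scope = f'{vol["svm"]}/{vol["name"]}'
    if vol["snaplock_type"] != policy["required_snaplock_type"]:
        findings.append(Finding(scope, "snaplock_type",
            f'{vol["snaplock_type"]} found; SnapLock Enterprise allows privileged delete '
            f'by an authorized administrator, Compliance does not'))
    if not vol["snapshot_locking_enabled"]:
        findings.append(Finding(scope, "snapshot_locking",
            "snapshot locking disabled; snapshots can be deleted before retention expires"))
    if vol["min_retention_days"] < policy["min_retention_days"]:
        findings.append(Finding(scope, "retention",
            f'{vol["min_retention_days"]}d below required {policy["min_retention_days"]}d'))
    return findings


def audit_mav(mav: dict, policy: dict) -> list:
    """Check the cluster-wide multi-admin verification posture."""
    findings = []
    if not mav["enabled"]:
        findings.append(Finding("cluster", "mav_enabled",
            "multi-admin verification disabled; one credential can remove protections"))
    if mav["required_approvers"] < policy["mav_min_approvers"]:
        findings.append(Finding("cluster", "mav_approvers",
            f'{mav["required_approvers"]} approver(s) required; policy needs '
            f'{policy["mav_min_approvers"]}'))
    missing = policy["mav_required_operations"] - set(mav["protected_operations"])
    for op in sorted(missing):
        findings.append(Finding("cluster", "mav_rule_missing", f'no verification rule for "{op}"'))
    return findings


def audit_immutability(inventory: dict, policy: dict = POLICY) -> list:
    """Return every finding for the cluster and its in-scope volumes."""
    findings = audit_mav(inventory["mav"], policy)
    for vol in inventory["volumes"]:
        findings.extend(audit_volume(vol, policy))
    return findings


if __name__ == "__main__":
    for f in audit_immutability(CLUSTER_INVENTORY):
        print(f"[{f.check}] {f.scope}: {f.detail}")
```

Run against real inventory on a schedule and treat any finding as a control failure, not an informational note: the value of storage-native immutability is exactly that the controls hold when an administrator or a support channel is the one being manipulated, and a gap here is what an attacker with a stolen admin credential would look for first.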
Validate recovery before restoration: Integrate primary-storage detection with secondary-storage orchestration through partnerships such as the NetApp-Commvault partnership that integrates ARP/AI into the Commvault synthetic recovery process for a closed-loop workflow. Forensic verification in an isolated environment before restoring to production prevents the reinfection loops that plague organizations relying on unverified backup restoration.
Build governance into AI data pipelines: Integrate data classification into AI data ingestion workflows so that sensitive data identification and redaction occur before data enters training or RAG pipelines, not as a retroactive audit after models are already in production. Because these classification and governance policies run within ONTAP, they apply consistently whether the AI pipeline lives on premises or in AWS, Azure, or Google Cloud.
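The kind of pre-ingestion gate that the paragraph above and the "Governed data for AI pipelines" benefit describe, added here as an illustration of the control's shape. It is not NetApp Data Classification and not part of the original brief; it shows a minimal classifier that runs before a document reaches a RAG index or training set, redacts categories policy allows through, refuses documents containing categories policy blocks, and returns an audit record for each decision. The detection patterns (SSN, e-mail, card number confirmed by a Luhn check), the gate policy, and the sample documents are all constructed for the example; a production classifier would use a far broader catalog of types and locale-specific patterns.

```python
"""Pre-ingestion governance gate for a RAG or training pipeline.

Added example, not NetApp's Data Classification product. Patterns, policy
and the sample documents are constructed for illustration.
"""
import re

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate PAN; confirmed by Luhn below

# Constructed gate policy: e-mail may enter after redaction; SSN or PAN blocks the document.
GATE_POLICY = {"redactable": {"email"}, "blocking": {"ssn", "card"}}

# Constructed sample documents; not real data.
SAMPLE_DOCS = {
    "kb-001": "Reset instructions: contact helpdesk@example.com for a temporary password.",
    "hr-017": "Employee John Q. Public, SSN 219-09-9999, start date 2026-05-01.",
    "fin-042": "Refund issued to card 4111 1111 1111 1111 on 2026-05-20.",
    "ops-003": "Order 1234567890123456 shipped on 2026-05-21; no exceptions.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_card(candidate: str) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", candidate))


def classify(text: str) -> dict:
    """Count each sensitive data type present in the text."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "email": len(EMAIL_RE.findall(text)),
        "card": sum(1 for m in CARD_RE.finditer(text) if _is_card(m.group())),
    }


def redact(text: str) -> str:
    """Replace detected values with type tags so the chunk stays useful for retrieval."""
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return CARD_RE.sub(lambda m: "[PAN]" if _is_card(m.group()) else m.group(), text)


def gate_document(doc_id: str, text: str, policy: dict = GATE_POLICY) -> dict:
    """Decide allow / redact / block for one document and return an audit record."""
    found = classify(text)
    blocking = sorted(k for k in policy["blocking"] if found[k])
    if blocking:
        # Blocked content never reaches the index; only the decision is recorded.
        return {"doc_id": doc_id, "decision": "blocked", "reasons": blocking, "text": None}
    redactable = sorted(k for k in policy["redactable"] if found[k])
    if redactable:
        return {"doc_id": doc_id, "decision": "redacted", "reasons": redactable,
                "text": redact(text)}
    return {"doc_id": doc_id, "decision": "allowed", "reasons": [], "text": text}


def run_gate(docs: dict, policy: dict = GATE_POLICY) -> list:
    """Gate every document; the returned records double as the ingestion audit log."""
    return [gate_document(doc_id, text, policy) for doc_id, text in docs.items()]


if __name__ == "__main__":
    for rec in run_gate(SAMPLE_DOCS):
        print(rec["doc_id"], rec["decision"], rec["reasons"])
```

Two design points carry over to any real implementation: the decision is made before the text is embedded or tokenized, because once a value is inside a model or a vector index there is no reliable way to retract it; and blocked content is dropped rather than redacted, because a regex-based redaction is not a guarantee and the categories in the blocking set are the ones where a miss is unacceptable.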
Integrate recovery with security operations: Deploy a guided clean-restore workflow with user behavior detection that feeds into the SOC’s SIEM and SOAR tooling from a single interface. This closes the handoff between storage-layer response and security operations, ensuring that recovery actions are coordinated with, not isolated from, the broader incident response workflow.
6. Organizational Impact
The primary barrier to realizing value from storage-integrated resilience isn’t technical. It is organizational. In most enterprises, storage infrastructure and security operations function as separate domains with different leadership, budgets, and success metrics. Moving detection and recovery capabilities into the storage layer creates immediate questions that must be resolved before deployment: Who owns detection logic embedded in storage? Who is accountable for recovery outcomes when the storage platform initiates the response? How are incidents coordinated across storage-layer alerts and SOC workflows? And how do these decisions roll up into the broader organizational resilience posture that CISOs are increasingly expected to defend at the board level? Without clear answers, these models fail in practice regardless of technical capability.
Successful implementations typically assign joint accountability between infrastructure and security leadership, integrate storage-layer detection into existing SOC workflows rather than bypassing them, and define clear escalation and decision rights for recovery actions. Cloud and development teams provisioning data outside traditional storage governance need to be part of that accountability model as well.
How the Organizational Model Differs by Approach

| | Traditional Model | Integrated Resilience Model |
|---|---|---|
| Ownership | Storage and security as separate domains | Joint accountability, cloud and dev teams included |
| Detection-to-response | Handoff across teams, tools, and tickets | SIEM/SOAR-integrated, single interface |
| Recovery validation | Post-incident forensics after restore | Forensic verification before production restore |
| Policy enforcement | Per-environment configuration drift | Consistent policy across on-premises and hybrid multicloud environments |
This is a shift from tool integration to operational integration, and it is the foundation that organizational resilience ultimately rests on. Organizations that treat it as a technology deployment rather than an operating model change consistently under-realize the value. When the organizational model is right, the benefits compound: consistent security policy enforcement across hybrid multicloud environments, a simplified compliance audit surface, and a governed data foundation that removes the bottleneck stalling AI initiatives between proof of concept and production.
People Impact
The most immediate people impact is in the security operations center. Alert fatigue is a well-documented crisis in modern SOCs, and detection tools that generate false positives at scale actively degrade the team’s ability to identify real threats. On-box detection with validated low false-positive rates for file workloads reduces the noise floor, allowing analysts to focus on genuine threat investigation and proactive architecture work rather than alert triage. On the infrastructure side, consolidating detection and recovery into the storage platform reduces the number of discrete tools that teams must maintain, patch, and monitor. Organizations that have deployed unified storage platforms across on-premises and hybrid cloud environments report significant reductions in manual recovery effort, with processes that previously consumed days of staff time completing in minutes. That efficiency gain matters in a market where experienced security and infrastructure professionals are difficult to recruit and expensive to retain. A unified platform lets the existing team cover more ground with less manual effort, which is how most CISOs and infrastructure leaders actually “do more with less” in practice rather than as an aspirational slide.
Investment Outlook
The economic case rests on reducing complexity and dependency: not replacing the entire security stack, but activating the data layer as an active security surface. Embedding detection and recovery into the storage OS can reduce reliance on network-based detection appliances for certain classes of data-layer attacks and decrease the time and complexity of backup-based recovery for primary workloads. It complements rather than replaces SIEM/SOAR platforms, endpoint and identity-based detection, and incident response tooling. The value is a reduction in latency and complexity for a specific, critical segment of the recovery lifecycle.
Beyond resilience-specific savings, automated storage tiering moves cold data from primary flash to lower-cost object storage, and NetApp reports that this can reduce flash capacity requirements by up to 80% while maintaining consistent security policy enforcement across tiers. The licensing model extends consistently across physical arrays and first-party cloud services in all three major public cloud providers (Amazon FSx for NetApp ONTAP, Azure NetApp Files, and Google Cloud NetApp Volumes), which gives CISOs and infrastructure leaders both cost predictability and the operational flexibility to shift workloads between environments without renegotiating the security and compliance posture that travels with the data. NetApp also offers a Ransomware Recovery Guarantee, a financially backed warranty on data recoverability. For the CISO building the business case, an explicit vendor-backed recovery guarantee strengthens the risk mitigation narrative with the board.
7. Solution Timeline
Deployment timelines vary by environment. Cloud-native instances (Amazon FSx for NetApp ONTAP, Azure NetApp Files, and Google Cloud NetApp Volumes) can be provisioned and policy-configured within days. Physical deployments at the edge or core follow standard hardware procurement timelines. The operational advantage is that ONTAP presents a consistent management interface regardless of deployment location, so security policies, snapshot schedules, and detection configurations defined in one environment extend to others without refactoring. Organizations should plan for a phased rollout: establish policy baselines in the primary environment first, then extend to secondary and cloud environments as the operational team builds confidence with the platform.
Future Considerations
Over the next two to three years, the CISO’s scope of responsibility will expand to include AI data governance as a core function. The volume of unstructured data feeding generative AI and RAG pipelines is growing faster than most enterprise data platforms were designed to absorb, and the compliance requirements and governance needs around that data are still being defined by regulators. The CISOs who succeed will be the ones whose data infrastructure can secure and govern data pipelines at the pace of AI adoption rather than behind it. An AI-ready data infrastructure that supports automated data classification and policy-based governance, native security capabilities, and consistent enforcement across on-premises and hybrid cloud environments will become a prerequisite for enterprise AI at scale, not a maturity goal for later. On the threat detection side, NetApp’s approach of continuous model training for ARP/AI positions the platform to adapt as attack techniques evolve, but CISOs should evaluate the training cadence and methodology as part of their ongoing vendor assessment.
8. Analyst's Take
The storage industry is moving toward tighter integration between data management and cyber resilience. Multiple vendors are investing in this direction, with varying approaches to detection, immutability, and recovery. Backup-centric platforms such as Commvault, Rubrik, and Cohesity bring strengths in orchestrated recovery across backup environments, air-gapped recovery, and incident workflow management. Storage-first competitors, including Dell Technologies and Everpure, have introduced immutability and snapshot-based protection, though implementation details and administrative access controls vary meaningfully. Both vendors offer some primary-storage detection capabilities, but rely more heavily on third-party integrations for detection at the backup layer, while NetApp has invested in a broader set of on-box detection capabilities as the built-in foundation. Third-party integrations remain a legitimate part of any mature resilience architecture; the differentiator is how much an organization can rely on native capabilities before extending outward. NetApp has a credible claim to leading the data-layer resilience model specifically. The combination of on-box AI detection validated by independent testing, immutability enforcement that resists administrative override, and a consistent operating model across on-premises and cloud deployments addresses the core challenges CISOs face today.
The recently expanded partnership ecosystem, including deeper Commvault integration, signals that NetApp recognizes the value of complementing strong on-box capabilities with best-of-breed recovery orchestration. This approach is strongest in environments where recovery time objectives for primary data are measured in minutes, where the majority of critical workloads can be protected through snapshot-based recovery, and where reducing dependency on secondary recovery infrastructure is a priority. It is less differentiated in scenarios requiring complex cross-platform recovery orchestration, air-gapped recovery environments mandated by regulation, or full incident response lifecycle management beyond data restoration.
Most enterprises won’t choose one model exclusively. The practical question isn’t just where resilience controls live, but how much of the data layer is elevated into an active security surface that strengthens detection, protection, and recovery.
For organizations where primary data recovery speed and consistency across hybrid multicloud environments are the dominant requirements, NetApp’s approach of building detection and recovery into the storage OS represents the more defensible long-term architectural position. NetApp is the only vendor offering the same storage OS as a first-party service across all three major hyperscalers, which means detection, immutability, and governance policies travel with the data rather than having to be reimplemented per environment. That architectural fact matters most in AI data pipelines, where data gravity and mobility tradeoffs have historically forced organizations to choose between consistency and flexibility. CISOs should evaluate NetApp alongside their existing security stack, with particular attention to SIEM/SOAR integration, the administrative access model, and how on-box detection complements their broader threat visibility and ability to recover faster.
9. Report Methodology
This GigaOm CxO Decision Brief analyzes a specific technology and related solution to provide executive decision-makers with the information they need to drive successful IT strategies that align with the business. The report focuses on large impact zones that are often overlooked in technical research, yielding enhanced insights and mitigating risk. The CxO Lite is a result of GigaOm research, commissioned by the vendor, which has no editorial input into the production of the content.
10. About Whit Walters
My mission is to deliver innovative and scalable solutions that enable data-driven decision making and business transformation. I have extensive knowledge and skills in big data, data warehousing, Apache Airflow, and Google Cloud Platform, where I hold three professional certifications. I enjoy collaborating with clients and partners, sharing best practices, and mentoring the next generation of data and cloud professionals.
11. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
12. Copyright
© Knowingly, Inc. 2026 "CISO Decision Brief: Closing the Resilience Gap at the Data Layer - NetApp" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.