Cyber resilience has become central to mission success as federal systems integrators (FSIs) support government operations in an increasingly volatile threat environment. As cyberattacks grow more disruptive and adversaries target not only production systems but also recovery environments, organizations need great confidence in their visibility and their ability to restore operations quickly.

MeriTalk recently sat down with Travis Rosiek, public sector chief technology officer at Rubrik, to discuss how cyber preparedness is changing for FSIs supporting government missions and why resilient backup and recovery capabilities are now essential to mission continuity.

MeriTalk: For FSIs supporting high-stakes government missions, resilience is no longer just an IT issue. It is a mission imperative. How is that reshaping the way organizations think about cyber preparedness today?

Rosiek: Resilience requires a fundamental mindset shift. For too long, many federal programs have operated against cyber requirements that were written years ago and are still geared toward check-the-box compliance. The problem is that threat actors are not evolving on a five-year cycle, or even a yearly one. They are evolving weekly and sometimes daily, especially as they adopt AI and move faster than traditional government processes can keep up.

That creates a dangerous disconnect between cyber risk and mission risk. Many programs have become too big to fail, too old to change, and too important to the mission to take offline, so organizations are carrying risk forward instead of modernizing how they protect critical systems and recover operations. The problem is that just because a cyber event has not caused a mission failure does not mean that it won’t. Mission resilience now requires treating cyber risk as a direct threat to mission success.

MeriTalk: From AI-driven data risks to nation-state campaigns, the threat landscape is expanding on multiple fronts at once. What new pressures does that create for organizations charged with protecting sensitive federal data and sustaining operations?

Rosiek: The scale of the AI challenge is hard to overstate. AI creates opportunity, but it also creates risk at a pace most organizations are not prepared for. To me, this is the biggest challenge of our lifetime. Unlike earlier large-scale IT concerns – Y2K comes to mind – this one has not yet inspired the same level of coordinated urgency, even though the long-term consequences could be far greater.

Part of the issue is internal. Organizations have to think about shadow AI and autonomous agents as potential insider threats because of the access they may have to sensitive data and systems. Part of the issue is external. Adversaries are going to be able to weaponize and use AI against us significantly faster than we can use it to defend ourselves. That paradigm shift is already underway, and it is escalating. That means the mindset around risk management has to be completely different today than it was even a year ago.

MeriTalk: Attackers are increasingly targeting backup and recovery environments, not just production systems. Why is that such an important shift, and what does it tell us about the limits of traditional resilience planning?

Rosiek: It tells us that adversaries understand exactly where the real leverage is. If an organization is backing up its data, it is effectively signaling what matters most. Backups become the crown jewels. For espionage or intellectual property theft, they provide a centralized source of high-value information. For disruptive attacks, they represent the victim’s ability to recover and reconstitute operations.

If an attacker can deny recovery, they gain a tremendous advantage. That is why backup systems have become prime targets. According to the 2024 Rubrik Zero Labs report, adversaries target backup data in 96% of cyberattacks, and in 74% of those cases, they are at least partially successful. Traditional resilience planning has not caught up to that reality.

MeriTalk: Before a cyber incident puts operations at risk, how can FSI leaders tell whether they have the visibility needed to respond with confidence?

Rosiek: The only reliable way to know whether visibility is sufficient is to test for it. That means running cyber exercises that go beyond detection and alerting. It means asking what happens if critical systems are encrypted, deleted, or made untrustworthy, and then working through how teams would rebuild the environment, validate backups, hunt for threats inside backup data, and coordinate recovery across security operations, incident response, infrastructure, and application teams. In many organizations, those functions are still siloed. Until leaders rehearse those steps, they do not really know whether they can respond with confidence.

Many organizations believe they are more prepared than they are. They may have disaster recovery plans or continuity of operations plans, but those plans are often built around outages, infrastructure failures, or natural disasters, not around destructive cyberattacks. From a military mission perspective, for example, that is the Achilles’ heel. Cyber risk can creep into a program over time, go unaccounted for, and create a false sense of security until something breaks catastrophically.

MeriTalk: As organizations move beyond traditional security models, what does a modern resilience strategy look like when the goal is not only to defend data, but also to recover operations quickly and confidently?

Rosiek: Traditional security models still matter. Hygiene, governance, compliance, and controls are all important. But adversaries know those benchmarks, and they design attacks to work around predictable defenses. A modern resilience strategy has to go further by making it harder and more expensive for attackers to succeed.

That starts with dynamic requirements that evolve as threats evolve. It also means avoiding overdependence on any single vendor or data source for detection and response. Diversity in telemetry and tooling improves resilience. On the recovery side, organizations need backup and recovery solutions with native security capabilities, immutable backups, and encryption that can’t be turned off by an attacker with administrative access.

The key question is this: If an adversary gains admin credentials to your most critical systems, what is the worst they can do? Organizations need to plan for that scenario and make sure their last line of defense can hold. Teams should be able to analyze data, conduct threat hunting, and recover quickly to a known good state without tipping off the adversary.

MeriTalk: For organizations looking to modernize their resilience strategy, what should they prioritize now to reduce uncertainty and recover faster when disruptions occur?

Rosiek: From a system integrator perspective, the goal is to deliver capabilities that are differentiated and cost-effective. With that in mind, the first priority is to stop bolting security on at the end, because that’s exponentially more expensive than building it in from the start and introduces tremendous risks to the programs they support.

The second priority is to evaluate whether backups are resilient under attack. If an adversary encrypts or deletes backups, can those systems survive? Are the backup tools regularly exploited in commercial environments? If they cannot stand up there, they will not stand up in a federal civilian or national security setting.

That same standard should apply not only to the systems integrators’ programs for government customers, but also to their own internal IT environments. FSIs are part of the defense industrial base, and hacktivists, terrorist groups, and other adversaries often view them like they view the government. That means the same criteria that FSIs use to assess resilience in government programs of record should also be applied internally.

The third priority is to test recovery, not just backup completion. Organizations need to know whether a full backup can be restored, how long that process takes, and whether the backup data has been compromised. Too many teams assume the backups are working because jobs are running, but they may not have a usable full backup for weeks or months. In today’s threat environment, backup recovery is one of the most important components of cyber resilience and mission continuity.

MeriTalk Staff