DaVita (2025) confronted the double-extortion nightmare — 1.5 TB of affected person information stolen and techniques encrypted. The Interlock group demanded ransom for each threats. A complete zero-trust structure instantly counters this: perimeter controls make information exfiltration more durable to attain undetected, whereas immutable backups take away the leverage from encryption-based calls for.
Trying by means of the governance lens
Once I current these rules to govt groups, I deal with three clear outcomes for leaders: threat discount, resilience and compliance. Executives ought to make sure the assault floor on the information layer is shrinking, that restoration factors will survive if upstream defenses fail, and that retention and entry insurance policies are mapped to key laws, similar to SEC 17a-4(f) or HIPAA.
Coverage as code has been a game-changer right here — not as a result of it’s “DevOps-cool,” however as a result of it gives leaders with an auditable and reviewable change historical past for each essential management. For the board, this implies we will reply questions like, “How have you learnt the backups are locked?” by pointing on to the coverage commit log, demonstrating transparency and accountability.
