TL;DR: Cyber recovery readiness is not the same as resilience, and Commvault’s framing around minimum viable recovery argues that organisations must restore critical business functions first, then validate that recovery works under pressure. The practical issue is not planning in the abstract, but proving recovery capability before an attack exposes gaps.
NHIMG editorial — based on content published by Commvault: cyber recovery readiness and minimum viable recovery
Questions worth separating out
Q: How should organisations define minimum viable recovery for cyber resilience?
A: Organisations should define minimum viable recovery as the smallest restore state that allows critical operations to continue safely after an attack.
Q: Why do recovery plans fail even when backups exist?
A: Recovery plans fail when they assume restoration is the same as resilience.
Q: What do security teams get wrong about cyber recovery testing?
A: Teams often test infrastructure rebuilds while ignoring access control restoration.
Practitioner guidance
- Define minimum viable recovery for critical services Identify the smallest set of systems, identities, privileges, and data dependencies needed to restore essential business functions after an attack.
- Test recovery with identity dependencies included Run recovery exercises that include IAM, PAM, and secrets restoration, not just server rebuilds.
- Benchmark recovery readiness against business criticality Use a self-assessment model to compare current recovery capability with the operational needs of tier-one services.
What's in the full article
Commvault's full article covers the operational detail this post intentionally leaves for the source:
- The practical framing behind minimum viable recovery and how to translate it into a recovery baseline.
- The self-assessment approach used to benchmark readiness against best-practice recovery expectations.
- The workshop format and scenario-based exercises that help teams rehearse recovery planning.
- The specific readiness messaging used to connect recovery planning with business continuity goals.
👉 Read Commvault's guidance on minimum viable recovery and cyber recovery readiness →
Minimum viable recovery: are your recovery controls actually tested?
Explore further
Minimum viable recovery is an identity governance problem as much as a continuity problem. Organisations often frame cyber recovery as backup validation, but that misses the trust layer that makes systems usable again. If identities, privileges, and secrets are not restored in the right order, the business may be technically online but operationally unsafe. Practitioners should treat recovery sequencing as part of identity architecture, not just disaster recovery planning.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who is accountable for recovery readiness when identity systems are involved?
A: Accountability should sit across security, infrastructure, and business owners, because recovery readiness depends on all three. Identity teams own the trust layer, infrastructure teams restore the platforms, and business leaders define what functional means. If any of those owners are missing, resilience becomes a claim rather than a tested capability.
👉 Read our full editorial: Cyber recovery readiness needs minimum viable recovery, not assumptions