In an era where cyberattacks are faster, more targeted, and increasingly AI-driven, the difference between business survival and collapse lies in one crucial capability: recovery. CIO&Leader spoke with Balaji Rao, Area Vice President, India & SAARC, Commvault, about how enterprises must redefine cyber resilience for today’s threat landscape. From the launch of Arlie—Commvault’s AI-powered assistant that automates recovery and threat detection—to strategies like “the ‘Minimum Viable Company'” approach for continuity, Rao emphasizes that recovery readiness is no longer an IT function but a boardroom priority. He explains why Indian CIOs must embed resilience into growth strategies to thrive in 2025 and beyond.
Area Vice President, India & SAARC
Commvault
1. How are you leveraging generative AI (e.g., Arlie AI) to bring end-to-end automation in recovery, threat detection, or decision-making for infrastructure teams?
Commvault’s Arlie, in short for “Autonomous Resilience,” is our round-the-clock AI assistant, designed to deliver actionable insights, helping enterprises save time, swiftly resolve threats, tackle complexities and enhance cyber resiliency.
Arlie is designed to automate IT operations and is natively embedded in our platform, Commvault Cloud. It’s available where teams already work – through the console, chatbot, or API workflows. It scales across cloud, on-prem, hybrid, and air-gapped environments without disrupting existing architecture, which means real-time insights, smarter workflows, and fewer errors.
Some of the key capabilities that Arlie delivers are:
- Real-time operational insights-Arlie provides real-time visibility into operational failures, highlighting what matters most to enterprises.Instead of sorting through countless filters and reports, users receive the most pressing, actionable information directly, enabling faster decision-making and response.
- “No-code” integration and automation:Arlie offers a “no-code” experience for building integrations or coding actions. Users simply describe the task they want to perform, and Arlie generates the required code instantly using Commvault APIs, eliminating the need for deep technical expertise.
- Context-sensitive, guided walkthroughs:Setting up and customizing Commvault Cloud is made easier with Arlie’s context-aware, guided product walkthroughs.Users can ask “how to” questions and receive step-by-step documentation, including annotated screenshots tailored to their environment and task.
- Advanced troubleshooting and optimization:Arlie helps identify operational issues and offers real-time fixes along with optimization recommendations.With easy-to-understand resolution summaries and actionable steps, enterprises can resolve problems quickly while strengthening their cyber resilience.
AI in IT needs to be scalable, accurate, adaptive, and designed to be secure – ready to perform under pressure and evolve with complexity. That’s exactly what Commvault’s Arlie delivers.
2. Ransomware has moved from an IT concern to the boardroom agenda. What are CIOs still underestimating about recovery and continuity planning?
Recovery is often the most underestimated and yet the most crucial component of a cyber resilience strategy. Traditional backup solutions can no longer address today’s threat landscape as attackers now compromise data, applications, and configurations, leaving organizations with corrupted restore points.
Inspite of comprehensive planning, we continue to see that organizations are unprepared when it comes to operational complexity of recovery processes. This “preparedness gap” exists largely because recovery planning is typically technology-led rather than business-driven.
What CIOs and CISOs need is to focus on what keeps the business running even when everything else is down. This includes identifying the minimum viable company – a modern approach to disaster recovery that focuses on prioritizing, in advance, the minimum systems, applications, processes, and environments needed to quickly get back to business. Along with MVC, running recovery drills regularly and having the ability to rebuild critical systems in an isolated clean environment is also crucial.
For digital native organizations and startups, even a few hours of disruption in unacceptable. With customer confidence, revenue streams and brand reputation directly dependent on always-on digital services, the ability to recover quickly and keep core services operational has become as critical as protection itself.
Commvault helps enable this through advanced capabilities such as Cleanroom Recovery, Cloud Rewind and immutable storage so organizations can recover fast and confidently across hybrid and multi cloud environments. These technologies transform recoveries by, in part, helping to not only rapidly recover the data, but recover the cloud applications that power that data. All of this helps digital-native companies stay resilient.
3. Despite massive investments in backup and DR, many CIOs find their actual recovery readiness is poor. Where is the disconnect – in architecture, culture, or testing?
Many organizations only discover gaps in their recovery strategy when faced with a real incident. There’s often an assumption that simply having backups and disaster recovery tools in place is enough for business continuity. In reality, that’s not the case. Recovering from a natural disaster is very different than recovering from a cyber incident where data is infected.
Following a cyberattack, instead of asking, do we have a backup,’ the question that should be asked is ‘how quickly can we cleanly recover?’. Without clean, isolated recovery environments and validated restore points, traditional backups can’t be fully trusted in the aftermath of an attack.
Just as critical is the culture around recovery. Often recovery planning is seen as a tabletop exercise dedicated to IT rather than a business priority. Conducting regular recovery drills and real-world simulations that bring cross functional IT and security teams together help ensure that processes and decision-making stand firm when it matters most.
Developing a cyber resilient mindset is critical to successful recoveries in this AI and cyber era. Built on the Minimum Viable Company (MVC) model, this mindset emphasizes the ability to maintain critical operations, protect brand reputation, and sustain strategic direction, even in the event of a cyberattack.
Equally important is having the right tools in hand at the time of recovery. For instance, Commvault’s Cloud Rewind allows organizations to dynamically rebuild cloud environments from clean copies of data and application images within minutes, rather than relying on pre-created landing zones. This not only accelerates recovery but also ensures the restored environments are up-to-date and free from configuration drift, enhancing both agility and confidence in recovery outcomes.
Ultimately, the ability to continue functioning, even in a limited capacity during an attack, can be the decisive factor between business survival and failure.
4. Shadow IT and cloud sprawl continue to be a challenge. What’s your take on the most overlooked risks in decentralized IT ecosystems?
The shift to cloud and SaaS has created highly decentralized IT ecosystems where data and workloads are spread across multiple platforms. In these environments, one of the most overlooked risks is the lack of visibility. When teams adopt services outside central IT governance, critical data often resides in silos with inconsistent security, backup and compliance controls.
Another risk is assuming that cloud providers are responsible for all aspects of protection. The shared responsibility model means that organizations must ensure data resilience, retention and recovery even when applications run on third-party platforms.
Gaps in configuration, access controls and recovery planning often surface only during an outage or cyberattack.These blind spots can then lead to compliance exposure, higher cost of recovery and operational disruption. Addressing them requires stronger alignment between IT and business teams so that shadow IT is brought under a unified governance and resilience framework.
Commvault helps to address these risks by providing a unified platform – Commvault Cloud- that delivers a single pane of glass view for organizational data across all applications, clouds and workloads. It also delivers consistent protection and recovery across on-premises, hybrid and multi cloud environments. With built-in automation, policy-based protection and continuous testing, organizations can eliminate blind spots and strengthen resilience even in distributed IT environments.
5. How can startups view cyber resilience as a growth enabler, rather than just a safeguard?
AI driven attacks are making cyber threats faster, more targeted and harder to predict. Startups often run lean, move fast, and operate entirely on digital platforms, which means that they can’t afford prolonged downtime or reputational damage. Resilience becomes the foundation that allows them to recover quickly, maintain continuity, and keep delivering to customers, even under attack.
Embedding resilience from the start not only allows startups to scale confidently but also reduces the risk of downtime, protects intellectual property and strengthens credibility with customers, partners and investors. A strong resilience posture helps open doors to newer markets, especially in regulated industries where security and compliance are prerequisites for growth.
Commvault Clumio is a cloud native cyber resilience solution built on AWS that enables rapid backup and recovery of Amazon S3 buckets and DynamoDB at petabyte-scale. Advanced capabilities like Cloud Rewind enable application rebuild and rapid roll back to a safe point in time after an attack, while Cleanroom environments provide a secure space to test, recover and validate recovery strategies during good times, helping startups stay prepared for the bad times.
This excellent combination of simplicity, security, and scalability turns resilience for digital natives into a growth enabler, helping them move faster, enter new markets, and build lasting trust with customers.
6. How should enterprises redefine business continuity amid today’s evolving threat landscape?
Today, business continuity needs to evolve beyond static recovery plans. The increasing speed and complexity of threats means continuity now depends on how quickly a business can identify what really matters, protect it, and bring it back online without chaos when an incident happens. This is why instead of just focusing on business continuity, Commvault is focused on helping organizations remain in a state of continuous business.
A key element of continuous business is embracing a Minimum Viable Company (MVC) approach. This approach provides a blueprint for sustaining critical functions under pressure, enabling organizations to operate through disruption and aligning business and IT on what must remain operational to prevent paralysis. We work, with our partners, to help customers think through this and prepare.
Given the pervasive nature of modern IT across hybrid, multi-cloud, and edge environments, it is also important to prepare for future cryptographic threats with post-quantum encryption. Technology on its own is not enough, it is equally important to strengthen readiness across the organization through clearly defined roles, cross functional drills and shared decision making.
7. How are CIOs in India shifting their data protection priorities for 2025?
CIOs in India are moving away from treating data protection as a purely technical exercise. The focus has shifted to embedding resilience, compliance, and privacy into the way the organization operates. With rising cyber threats and the enforcement of the DPDP Act, priorities are expanding beyond backups to include privacy by design, stronger data governance, and clear accountability.
There is a clear emphasis on building zero trust architectures, using automation and AI driven threat detection to help ensure that recovery can be fast, verified, and secure across hybrid and multi cloud environments. CIOs are also making operational readiness a priority, with regular simulations, defined roles and closer alignment between IT, business and compliance teams. This shift reflects a broader recognition that data protection is now a core part of maintaining trust, enabling business continuity, and supporting growth in an increasingly complex digital environment.