13.05.2026

The Myth of “Offsetting” Cybersecurity Investments

A CFO recently asked us, “if our detection is this good, can we reduce our backup investment?”

It's a smart question, rooted in sound financial logic: if we're paying for better threat detection and response, shouldn't that reduce our exposure to incidents that require recovery?

The issue is not the question. It is the assumption behind it.

Cybersecurity controls are not interchangeable. They are complementary layers in a system designed with the expectation that failure will occur somewhere.

The Substitution Fallacy

The reasoning is straightforward: if Control A becomes more effective, we can reduce investment in Control B. That logic only holds when both controls address the same risk in the same dimension, and Managed Detection and Response (MDR) and backup do not.

MDR sits in the detection and response phases, and its objective is to minimize incident risk by detecting and countering attacks upstream, before they cause damage. The more comprehensive and effective your monitoring, the lower your chances of a successful compromise. But zero risk doesn't exist in cybersecurity.

Backup sits in the recovery phase. It addresses what happens when detection fails, or when detection succeeds but damage has already occurred. Backup is your recovery path when systems are corrupted, encrypted, or destroyed. It limits impact severity and makes incidents survivable.

In other words, one reduces the probability of damage, while the other limits the severity when damage occurs. Conflating them is like asking whether better smoke detectors reduce the need for fire insurance.

Why Detection Cannot Replace Recovery

No detection system offers guarantees. MDR significantly reduces risk, but it operates in a probabilistic domain. Most organizations carry a backlog of unpatched vulnerabilities, misconfigurations, and legacy systems. Attackers only need to succeed once.

Consider scenarios where even excellent detection fails to prevent impact:

  • Insider threats with legitimate access. An employee with authorized credentials sabotages systems. Detection might catch this eventually, but the damage happens at the speed of legitimate operations.
  • Credential abuse after initial compromise. Attackers move laterally using stolen credentials that appear valid. Detection identifies anomalies, but by then, they've accessed sensitive systems.
  • Supply chain compromise. Malicious code enters through a trusted vendor update. Detection flags suspicious behavior, but the code has already executed across your environment.
  • Misconfiguration leading to data exposure. A cloud storage bucket is inadvertently made public. Detection alerts you, but sensitive data has been exposed for some time.

In each case, detection reduces the window of exposure. But it doesn't erase the damage that occurred before containment. That's where recovery controls become essential.

The Ransomware Reality

Ransomware makes the distinction brutally clear. Modern ransomware operators specifically target backup infrastructure. They know that organizations with intact, accessible backups won't pay ransoms. So, they hunt for backup systems and corrupt them before deploying encryption.

Sophisticated attackers spend weeks inside networks, mapping data stores, locating backups, and positioning themselves to strike everything simultaneously. Your recovery options depend entirely on whether your backups are intact, immutable, and isolated from the compromised network. Detection tells you what happened. Backup determines whether you can recover.

This is why backup architecture matters. Air-gapped or immutable backups that attackers cannot reach become your last line of defense. Better detection doesn't change this equation.

When Optimization Is Actually Valid

Not all risk reduction arguments are flawed. Optimization is valid, but only within the same risk dimension.

A clearer way to evaluate this is to separate controls by what they influence: probability, impact, or recovery time. You can rationalize spend within one of these dimensions, but you should not remove an entire dimension.

For example, consolidating multiple endpoint or telemetry tools into a unified platform can reduce cost and complexity without reducing coverage. Streamlining detection pipelines or centralizing response workflows can improve both efficiency and effectiveness. These are optimizations because they preserve the function while improving execution.

By contrast, reducing backup because detection is strong removes an entire layer of protection. It does not optimize; it reallocates risk toward higher-impact outcomes. A simple test applies: if removing a control increases the probability of an incident, the impact of an incident, or the time required to recover, you are not optimizing. You are accepting more risk.

The Financial Perspective

For CFOs accustomed to expected loss frameworks, the relationship becomes clearer when mapped to risk components:

Expected Loss = Probability × Impact

MDR reduces probability. It makes successful attacks less likely by shrinking the window attackers have to operate undetected. But probability never reaches zero. You're managing a risk distribution, not eliminating the threat.

Backup reduces impact. When incidents occur despite detection, backup determines the severity of business disruption and data loss. Without reliable backups, even a contained incident can be catastrophic.

The two controls are mathematically independent. Improving detection doesn't change the impact of incidents that slip through. Strengthening backup doesn't reduce the likelihood of attacks occurring.

More importantly, cybersecurity risk has extreme tail exposure. The distribution is heavily skewed toward rare but devastating events. Expected loss calculations using averages miss this. A single catastrophic incident can be existential, regardless of how unlikely it is.

Backup, like insurance, protects against worst-case scenarios, not average cases. The question isn't whether detection reduces typical incident costs. It's whether you can survive the worst incident that still has reasonable probability.
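To make the expected-loss argument concrete, here is an added model (not from the original article) that separates what MDR changes from what backup changes. The incident probabilities, severity mix and dollar figures are constructed assumptions for illustration; `worst_plausible_loss` encodes the "worst incident that still has reasonable probability" test from the paragraph above.

```python
"""Expected-loss model for the MDR-vs-backup argument (added illustration).

All probabilities and dollar figures are constructed assumptions for this
example, not data from any organisation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    name: str
    share: float                # probability of this outcome, given an incident occurs
    loss_with_backup: float     # impact when backups are intact, immutable and isolated
    loss_without_backup: float  # impact when backups are absent or reachable by the attacker


# Constructed severity mix: most incidents are caught early, some need a full restore,
# and a small fraction are full ransomware events where backups decide survivability.
OUTCOMES = (
    Outcome("contained before damage", 0.70, 50_000, 50_000),
    Outcome("partial encryption, restore needed", 0.25, 400_000, 3_000_000),
    Outcome("full ransomware, backups targeted", 0.05, 1_500_000, 20_000_000),
)


def expected_loss(p_incident: float, backup_intact: bool, outcomes=OUTCOMES) -> float:
    """Annual expected loss = P(incident) x E[impact | incident]."""
    cond_impact = sum(
        o.share * (o.loss_with_backup if backup_intact else o.loss_without_backup)
        for o in outcomes
    )
    return p_incident * cond_impact


def worst_plausible_loss(p_incident: float, backup_intact: bool,
                         min_annual_prob: float = 0.001, outcomes=OUTCOMES) -> float:
    """Largest single-incident loss whose annual probability still meets a threshold."""
    plausible = [o for o in outcomes if p_incident * o.share >= min_annual_prob]
    return max(o.loss_with_backup if backup_intact else o.loss_without_backup
               for o in plausible)


def compare_scenarios() -> dict:
    """Baseline vs. better MDR vs. the proposed 'offset' (better MDR, backup cut)."""
    scenarios = {
        "baseline":        (0.10, True),   # ordinary monitoring, immutable backups
        "better MDR":      (0.04, True),   # MDR lowers incident probability only
        "MDR, backup cut": (0.04, False),  # recovery layer removed: impact balloons
    }
    return {name: (expected_loss(p, b), worst_plausible_loss(p, b))
            for name, (p, b) in scenarios.items()}


if __name__ == "__main__":
    for name, (el, worst) in compare_scenarios().items():
        print(f"{name:16s} expected loss ${el:>10,.0f}   worst plausible ${worst:>12,.0f}")
```

Under these assumptions better MDR cuts expected loss from $21,000 to $8,400 but leaves the worst plausible incident at $1.5M either way, while dropping backup raises expected loss to $71,400 and the worst plausible incident to $20M.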

Where to Optimize Instead

If budget pressure requires tradeoffs, there are more effective ways to find efficiency. Most organizations are not over-invested in core capabilities like detection or recovery. They are over-invested in complexity.

Redundant tools that solve similar problems increase cost without improving outcomes. Disconnected systems slow down response and create operational drag, and in many environments, the issue is not insufficient tooling but poor integration and execution.

There is also a tendency to invest in capacity rather than capability, which for backup often means more storage without sufficient attention to immutability, isolation, or recovery speed. Reallocating spend toward architecture and validation yields far greater risk reduction.

Finally, some controls exist primarily to satisfy compliance requirements rather than materially reduce risk. Identifying and removing low-impact controls can free budget without increasing exposure.

The goal is not to spend less on security. It is to ensure that each dollar reduces a distinct and meaningful component of risk.

The Bottom Line

MDR makes incidents smaller. Backup makes them survivable.

Strong detection reduces the damage attacks can inflict before you contain them. Reliable backup ensures you can restore operations when damage occurs despite detection. Both are essential. Neither replaces the other.

The organizations that navigate cybersecurity risk successfully treat their defenses as complementary layers, not interchangeable parts. They invest in detection to shrink the probability and window of successful attacks. They invest in recovery to ensure incidents don't become extinction events.