Commvault presents a new paradigm in cyber resilience: it’s not just about recovery, but knowing exactly what minimum operations your organization can sustain after a crisis.
In today’s world, where cyberattacks are a matter of when, not if, disaster recovery strategies must evolve. This is the premise guiding the emerging concept of Minimum Viable Company (MVC), as introduced by Darren Thomson, director of cyber resilience at Commvault, during the latest episode of the STRIVE podcast.
In contrast to traditional strategies focused on fully restoring technological infrastructure after an incident, the MVC offers a more realistic and urgent perspective: What is the minimum set of functions, processes, data, and people you need to keep your business running?
From Total Recovery to Essential Continuity
Most recovery plans remain anchored in the physical disaster model: it’s assumed that data is intact and that restoration is just a matter of time. However, modern attacks, like advanced ransomware, can completely compromise networks, servers, backups, and work environments, leading to prolonged operational paralysis.
This is where the MVC comes in. This model suggests prioritizing the essentials, activating only what is absolutely necessary to continue operating, even with partially damaged systems.
Three Key Pillars to Define an MVC
1. Critical Business Functions:
Each organization must identify the processes it cannot operate without. In retail, this may be the point of sale; in healthcare, patient records; in banking, payment processing. The MVC requires distinguishing between what is urgent and what is important.
2. Minimum but Functional IT Environment:
Not every system needs to be restored immediately. The key is to recover critical services in a clean and secure environment using tools like cloud backups, isolated recovery zones, or cleanrooms.
3. People and Processes:
As important as technology is the human team. It’s essential to identify who can operate in a reduced scenario, what access they need, and what communication plans or manual alternatives can be implemented if systems are still down.
MVC: A Continuous Process, Not a Static Solution
Designing an MVC is not a one-time exercise. It requires:
- Business Impact Analysis to determine which assets are truly critical.
- Tabletop Simulation Exercises to prepare teams for real incidents.
- Documented Playbooks, with clear instructions accessible even under pressure.
- Thorough Testing, not just on paper, but in real or simulated environments.
The message is clear: the true goal of cyber resilience is not to return to 100% immediately, but to keep the business operational with what is necessary while rebuilding the rest.
Beyond Backup: A New Way to Think About Continuity
Commvault argues that the MVC concept can be crucial for a company to survive a severe attack. Because every hour of downtime incurs economic losses, reputational damage, and potential legal penalties.
Thomson summarizes it succinctly: “The MVC could be the difference between your company’s survival and collapse after a cyber attack.”
Is your company prepared to operate on minimal resources if it suffers an attack tomorrow? Do your teams know what the priorities are? Which systems to recover first? Who needs to act?
Conclusion
The concept of Minimum Viable Company redefines preparedness for cyber incidents. It’s not enough to have backups or general protocols. Companies must know precisely what they need to recover first, who should do it, and how to maintain activity, even if limited, until full recovery occurs.
In a world of constant cyber threats, anticipating is not an option; it’s a necessity. The MVC is a practical and actionable roadmap to achieve this.
