Trewstar Corporate Board Services

What’s all the fuss about the number 9?

May 11, 2026



Dear Friends of Trewstar,

A few weeks ago, I read this lead-in paragraph to a LinkedIn post by Francis deSouza, COO of Google Cloud and President of Security Products:

The window for defense is collapsing from hours to just 22 seconds.⏳ We just released the M-Trends 2026 report, which reinforces that we are at an inflection point. Bad actors are no longer just stealing data; they are operating as highly efficient businesses designed to dismantle an organization’s recovery capability. (The full post is here.)

I, like many of you, could not fully evaluate the meaning or impact of the message, so I “phoned a friend,” Aimee Cardwell, former CISO of United Health, now a board member at Wex, and technology advisor to private equity companies.

I found our email exchange enlightening, and understandable!

Here is a lightly edited transcript:

Aimee:
Hi Beth, Happy Spring!
 
I don’t know Francis personally, but I do know of him. And yes, he’s right, that many attacks take place very quickly. The hope is that your defensive software catches it (which happens 99% of the time) but then what about that 1% that gets through? We’ve been hearing about the uneven landscape between offense and defense in the Strait of Hormuz in that the defenders need to catch *every single missile* and the offense only needs to get one good one through. Good for Google for making the landscape harder for the attackers.
 
But what Francis isn’t saying is that *even once someone gets through* the real trick is to not let them have access to anything important or interesting. One of my clients had a few machines compromised the other day, and the attackers got nothing, because everything they would have wanted to see was protected by simple multi-factor authentication, plus role-based access control. It’s like the attackers got into the garage, but they don't have the keys to the car. 
  
Beth:
Is there something a director could ask (and what’s the right answer) to know whether the company’s tech team has fully protected whatever is relevant to protect?
 
Aimee:
There are two main ways to attack a company from a cyber perspective:

  1. Steal a company’s data (for ransom or for intelligence)
  2. Make a company’s systems inaccessible by taking down the systems, encrypting them, etc.

If the tech team can cover those two use cases (which is a lot), you’re most of the way there. Other things, like third-party security issues, can also be made better if you follow the principles below:
If you don’t want your company’s data stolen or tampered with, you need to:

  • Restrict access so that almost nobody in the company can see more than a tiny bit of data at a time and those few that can have to go through a few tough authentication hoops (role-based access control and multi-factor authentication are both in this bucket)
  • Ensure that all data is encrypted, and that decryption keys are rotated regularly
  • Have excellent backups that are well protected and can be brought online rapidly in the event that the first two items fail.

The best defense against the second attack path, i.e. when an attacker makes a company's systems inaccessible, is the ability to stand up a backup of the critical systems rapidly, within an hour, or even less. This can be expensive and complicated, but it’s also enormously satisfying to be able to spin up another copy of your critical systems if the originals are impacted by a cyber threat or some other business continuity problem. There are services that can help companies do this, and many companies that are cloud-native can do this themselves.

Beth:
I keep hearing about something called Zero Trust. Is that what you are talking about when you say restrict access so that almost nobody has access to all the data and software for a company's various departments (i.e. legal, accounting, finance, HR, etc.)? 

Aimee: 
Yes. Zero Trust requires the company to organize all employee titles and roles so that you can map (and restrict) access permission to hundreds or thousands of services. Some people warn that this is an enormous task and can set up an annoying set of barriers for employees who are trying to get their work done. But well devised plans do not require constant re-authentication. Nevertheless, many companies decide to use Zero Trust programs selectively with the focus on the company's "crown jewels."

Beth: 
One last thing. What about the Nines: 5 nines, and 3 nines, and then one of my adult children mentioned 9-9-6? 

Aimee:
I can help with 5 nines (99.999%) and 3 nines (99.9%). This is about risk tolerance around up-time performance of the company's systems. Amazon would want to have 5 nines because it would be so expensive and disruptive if their systems went offline for even a short period of time. Companies that can accept a 3 nines level can give themselves the opportunity to do maintenance on their systems during the night. Then there are the 9 nines. That would be an electric utility who cannot accept any downtime (except what might occur through problems created by nature).

The 9-9-6 is something I have heard about too, but this is an HR term, not a cyber concept. It means a company's team is working from 9 am to 9 pm, 6 days a week! 
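A small calculator, added here as an illustration and not part of Aimee's reply or the Trewstar letter, that turns an "N nines" target into a yearly downtime budget and checks whether a constructed overnight maintenance schedule fits inside it:

```python
# Added illustration (not from the Trewstar letter): how "N nines" of
# availability translates into a yearly downtime budget, and whether a
# planned maintenance schedule fits inside that budget.
MINUTES_PER_YEAR = 365.25 * 24 * 60


def availability_from_nines(nines: int) -> float:
    """3 nines -> 0.999, 5 nines -> 0.99999, 9 nines -> 0.999999999."""
    return 1 - 10 ** (-nines)


def downtime_budget_minutes(nines: int) -> float:
    """Total minutes per year the system may be unavailable at this target."""
    return (1 - availability_from_nines(nines)) * MINUTES_PER_YEAR


def maintenance_fits(nines: int, window_minutes: float, windows_per_year: int) -> bool:
    """True if planned maintenance alone stays within the downtime budget.

    Unplanned incidents draw from the same budget, so a schedule that
    barely fits leaves no room for an outage.
    """
    return window_minutes * windows_per_year <= downtime_budget_minutes(nines)


if __name__ == "__main__":
    for n in (3, 5, 9):
        print(f"{n} nines = {availability_from_nines(n):.9%} uptime, "
              f"budget ~{downtime_budget_minutes(n):.2f} min/year")
    # Constructed schedule: one 30-minute overnight maintenance window per month.
    print("Monthly 30-min window fits 3 nines:", maintenance_fits(3, 30, 12))
    print("Monthly 30-min window fits 5 nines:", maintenance_fits(5, 30, 12))
```

At 3 nines the budget is roughly 526 minutes a year, so a monthly overnight window fits; at 5 nines the whole year's budget is about five minutes, which is why such systems cannot take routine downtime.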

Beth: 
Aimee, thank you very much.
________________________________________________________________________________
Aimee is part of our core group of advisors working with us to develop our new service: Trewtech. Trewtech is being designed to support non-tech directors with their oversight responsibilities related to AI, cyber, and technology infrastructure. 
 
More on Trewtech to come.
 
All the best,

Beth Stewart & The Trewstar Team