Two CISOs On How to Manage Data Loss in the WFH World
Miss last month's CISO series chat? Tim Bandos, CISO at Digital Guardian, and David Tyburski, CISO at Wynn Resorts sat down to discuss the latest issues in DLP. We break down the chat in this blog.
After a speed round on DLP topics, David Spark, the host of the weekly video chat, asked Tim whether DLP is still effective with everyone working from home.
In response, Tim stressed that the assumption that DLP becomes ineffective once employees work from home is incorrect. He also pointed to Digital Guardian’s latest Data Trends Report, which found that the amount of attempted data egress has increased dramatically since the beginning of the pandemic, showing that visibility into data movement matters more than ever. David Tyburski, Wynn Resorts' VP of Information Security and Chief Information Security Officer (CISO), added that the challenges of work from home (WFH) have further exacerbated the tension between users trying to get their work done and the need for robust security controls.
Both CISOs also discussed how the key to a successful DLP program is working with users to educate them on how to be smart with their data, such as making sure that they’re not sending data to places where it shouldn’t be. They also highlighted how important it is to work collaboratively with all parts of an organization to attain the business' collective goals.
There were also audience questions asking for advice on DLP governance. In response, Tim stressed the need to make DLP part of a data governance program: priority one in data governance is finding where the most critical data resides, and DLP is then used to set up guardrails that protect it. In addition, David Tyburski addressed how important it is to get rid of data that no longer has value. There is often a tendency to avoid deleting old data because it might be needed one day and because storage is cheap. While you shouldn’t delete data that you are required to retain for regulatory compliance, deleting non-essential data after a predetermined period of time is often the best decision for security.
One of the most interesting parts of the chat came from someone who remarked “Change my opinion, DLP only protects honest users against unconscious mistakes, but it doesn’t have a major impact against motivated malicious users.”
In response, Tim highlighted how, when someone leaves DG or one of its customers, Digital Guardian runs a six-month background check on that person's devices to see what data has egressed off the machine. This process ultimately prevents most data from being lost to competitors. Recording that behavior also allows an organization to get its data back or prove in court that it was taken, so even if the exfiltration of data is not stopped initially, the data’s value will ultimately be protected.
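To make the offboarding review described above concrete, here is an added example (not Digital Guardian's code or product) that runs a six-month (180-day) egress review for a departing user over endpoint egress records. The log format (timestamp, user, device, channel, destination, file, bytes), the sample lines and the list of approved corporate destinations are all constructed assumptions for illustration; a real deployment would read the same kind of events from the DLP agent's export.

```python
"""Offboarding egress review over constructed endpoint egress records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: timestamp,user,device,channel,destination,file,bytes
SAMPLE_LOG = """\
2021-01-04T09:12:00,jdoe,LT-0417,usb,removable:E:,q4_forecast.xlsx,2048000
2021-02-18T14:03:22,jdoe,LT-0417,cloud,personal-drive.example,client_list.csv,512000
2021-03-02T08:45:10,asmith,LT-0902,email,corp-mail.example,agenda.docx,40000
2021-06-21T17:30:05,jdoe,LT-0417,email,webmail.example,architecture_plans.pdf,9800000
2020-09-01T11:00:00,jdoe,LT-0417,usb,removable:E:,old_notes.txt,1000
2021-06-30T10:00:00,jdoe,LT-0417,cloud,corp-share.example,status.pptx,300000
"""

# Assumed allow-list of sanctioned corporate destinations (constructed).
APPROVED_DESTINATIONS = {"corp-mail.example", "corp-share.example"}


@dataclass
class EgressEvent:
    when: datetime
    user: str
    device: str
    channel: str
    destination: str
    filename: str
    size: int


def parse_egress_log(text: str) -> list[EgressEvent]:
    """Parse the constructed CSV-style records into EgressEvent objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, device, channel, dest, fname, size = line.split(",")
        events.append(EgressEvent(datetime.fromisoformat(ts), user, device,
                                  channel, dest, fname, int(size)))
    return events


def review_departure(events, user, departure, lookback_days=180,
                     approved=APPROVED_DESTINATIONS):
    """Return (all events in the lookback window, events to unapproved destinations).

    The window is [departure - lookback_days, departure]; records older than
    the window are ignored so the review stays focused on the six months
    before the departure date.
    """
    start = departure - timedelta(days=lookback_days)
    window = sorted((e for e in events
                     if e.user == user and start <= e.when <= departure),
                    key=lambda e: e.when)
    flagged = [e for e in window if e.destination not in approved]
    return window, flagged


def summarize_by_channel(events) -> dict:
    """Total bytes moved per channel (usb, cloud, email, ...) for a set of events."""
    totals = defaultdict(int)
    for e in events:
        totals[e.channel] += e.size
    return dict(totals)


if __name__ == "__main__":
    evts = parse_egress_log(SAMPLE_LOG)
    window, flagged = review_departure(evts, "jdoe", datetime(2021, 7, 1))
    print(f"{len(window)} egress events in window, {len(flagged)} to unapproved destinations")
    for e in flagged:
        print(f"  {e.when:%Y-%m-%d} {e.channel:6} {e.destination:24} {e.filename} ({e.size} bytes)")
    print("bytes per channel:", summarize_by_channel(flagged))
```

The flagged list is the evidence trail the paragraph refers to: each record ties a file, a destination and a timestamp to a specific user and device, which is what lets an organization ask for the data back or demonstrate later that it left.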
At one point, David Tyburski was asked how he justifies the cost of DLP. David argued that DLP is worth the cost because it reduces the risk of losing valuable data and is especially useful in the heavily regulated hospitality industry. At Wynn Resorts, for example, a DLP solution helps protect valuable data such as architectural documents or a high-value player list. He concluded by explaining that the cost of losing one of these major pieces of data far outweighs the price of the program.
Later, a member of the chat asked Tim how much heavy lifting is needed to start a DLP program. While Tim acknowledged that implementing a DLP program has historically been a heavy lift, Digital Guardian has developed a Managed Service Program to solve that problem.
Over the rest of the hour, Tim and David also discussed the difference between Enterprise DLP and Integrated DLP, the importance and challenge of including lawyers in DLP policy, why you should have a DLP champion in each department of the company, and how to explain the value of DLP to the C-suite.