How the World’s Largest Law Firm Reimagined Data Protection
The landscape of data protection is rapidly evolving, and I recently had the opportunity to talk with one of the security leaders who is driving that change.
Arlan McMillan is the Chief Security Officer for Kirkland & Ellis, the world’s largest law firm by revenue. In addition to his time at Kirkland & Ellis, Arlan has held top security roles at industry-leading banks, airlines, and professional services firms. So to say he knows a little bit about information security in critical environments would be an understatement.
Having lived through five different DLP deployments, Arlan also has a wealth of experience with data protection and with the many challenges and limitations of traditional DLP. In his recent LinkedIn post, he declared that “DLP is dead. Data Lineage is the new king.” In the video below, we dive into his experiences with DLP and how he sees data lineage changing data protection going forward.
If you have the time, I recommend watching the full video. But if you’re in a rush, I’ve also summarized some of the key quotes and takeaways below.
On the fall of DLP
People have been wanting to kill it off for a long time, but we haven’t had an alternative.
It is a bear to manage and maintain… I don’t think I’ll ever have to deploy it again — I sure don’t want to.
The false positive rate of using regex finds and hits is through the roof. We ended up turning it off.
I didn’t want to have to hire 10 people just to manage my DLP, which is what you’ll need if you really want to maximize DLP.
– Arlan McMillan
These quotes are just the tip of the iceberg from our discussion, and it is clear that Arlan has the battle scars from his many experiences with DLP. Many other CISOs, CSOs, and practitioners have told me similar things. However, what really stood out for me was that Arlan is really focused on the bigger concept of data protection, and DLP has been a placeholder simply because there weren’t better alternatives. When new approaches like Cyberhaven became available, he was able to not only ditch the problems of the old way but also take a much more thoughtful and complete approach to how he protects his organization’s data.
On the power of data lineage and the “ah-ha” moment
[DLP] tries to solve the problem in a backward way…The problem is, you don’t know what you don’t know, and DLP is reactive, not proactive. This is where data lineage comes in. Let’s say I saw something come from this repository… you didn’t tag the document, you have no classification of it. The system is able to see it from start to finish, and take action on it, and prevent it from going to the Internet or prevent it from going from Jane to Joe. This is a level of control and visibility that hasn’t existed until very very recently.
His “ah-ha” moment when an architect found a sensitive file being shared:
He wasn’t looking for that document. He didn’t set up rules…he just saw it. When you can have that visibility without setting up all these rules, without doing all this groundwork, that’s pretty cool.
It allows us to see things that we didn’t know about before…How is my business actually using data? There is power in learning what you don’t know.
– Arlan McMillan
Arlan hammered home a very important concept in our discussions — namely, that even if you employ an army of engineers and do everything perfectly from a traditional DLP perspective, you are still only managing the data that you already know about. Today, data is everywhere, and there are virtually unlimited ways that it can be shared, copied, and ultimately exposed. You can think of data as a self-spreading, self-replicating entity. It is going to end up in every corner of the enterprise, either in applications or on user devices.
The traditional model assumes that all your data starts in a fully contained, tightly secured box and that it only gets shared in a few predictable ways. Cyberhaven’s approach based on dynamic data tracing and data lineage assumes the complexity of user workflows that is a reality for every modern organization. It tracks the origin of every piece of data and monitors every action performed on it. The result is that instead of performing massive amounts of work for a predefined set of data, Cyberhaven tracks everything automatically and delivers truly omniscient visibility and control of your data.
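To make the contrast between content-matching DLP and lineage-based control concrete, here is a small illustration added for this write-up. It is not Cyberhaven’s code and does not represent how its product is built; the repository name (dms://matter-1234), file names, the matter team, and the Jane/Joe scenario are constructed. Each artifact carries the set of origins it was derived from, and a copy, paste or rename inherits its parent’s origins, so the policy decision is made on where the data came from rather than on a tag or a regex hit against its current content.

```python
"""Lineage-based transfer control, a constructed illustration.

An artifact records the origins it was (transitively) derived from.  A
policy is then evaluated on that provenance, which is why an untagged,
rewritten copy is still recognised as matter data.
"""
import re
from dataclasses import dataclass, field

# Constructed policy: data from this repository may only move between the
# listed parties and never to an external destination (hypothetical names).
RESTRICTED_ORIGINS = {
    "dms://matter-1234": {"jane", "team-1234"},
}
EXTERNAL_DESTINATIONS = {"internet", "personal-email", "public-share"}

# A pattern rule of the kind a regex DLP policy uses, shown for contrast:
# it keys on surface patterns in the content and knows nothing about origin.
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def regex_classify(content: str) -> bool:
    """True if the content *looks* sensitive to a pattern-matching rule."""
    return bool(SSN_LIKE.search(content))


@dataclass
class LineageTracker:
    # artifact id -> set of origin repositories it transitively came from
    origins: dict = field(default_factory=dict)
    # audit trail of every lineage-relevant event, kept for investigation
    events: list = field(default_factory=list)

    def record_origin(self, artifact: str, origin: str) -> None:
        """An artifact was opened or downloaded from a known source system."""
        self.origins.setdefault(artifact, set()).add(origin)
        self.events.append(("origin", artifact, origin))

    def record_derivation(self, parent: str, child: str, action: str) -> None:
        """`child` was produced from `parent` (copy, paste, rename, export).
        The child inherits every origin of the parent, even when its content
        was rewritten and nobody applied a classification tag."""
        inherited = self.origins.get(parent, set())
        self.origins.setdefault(child, set()).update(inherited)
        self.events.append((action, parent, child))

    def lineage_of(self, artifact: str) -> set:
        return set(self.origins.get(artifact, set()))

    def evaluate_transfer(self, artifact: str, actor: str, destination: str) -> tuple:
        """Decide whether `actor` may move `artifact` to `destination`.
        Returns (allowed, reason); the reason is what an analyst would see."""
        for origin in self.lineage_of(artifact):
            parties = RESTRICTED_ORIGINS.get(origin)
            if parties is None:
                continue  # unrestricted origin, nothing to enforce
            if destination in EXTERNAL_DESTINATIONS:
                return False, f"{artifact} derives from {origin}; external egress blocked"
            if actor not in parties or destination not in parties:
                return False, f"{artifact} derives from {origin}; {actor}->{destination} not on matter team"
        return True, "no restricted origin in lineage"


def run_scenario() -> dict:
    """Constructed walk-through: a matter brief is opened, summarised into a
    new untagged file, renamed, and then shared three different ways."""
    t = LineageTracker()
    t.record_origin("brief.docx", "dms://matter-1234")        # Jane opens the brief
    t.record_derivation("brief.docx", "notes.txt", "copy-paste")  # new file, new text
    t.record_derivation("notes.txt", "weekend-reading.txt", "rename")
    summary = "Key points for Monday: timeline, exposure estimate, next steps."
    return {
        "regex_flags_summary": regex_classify(summary),             # no pattern match
        "lineage_of_summary": t.lineage_of("weekend-reading.txt"),  # still matter data
        "share_to_matter_team": t.evaluate_transfer("weekend-reading.txt", "jane", "team-1234"),
        "share_to_joe": t.evaluate_transfer("weekend-reading.txt", "jane", "joe"),
        "upload_to_internet": t.evaluate_transfer("weekend-reading.txt", "jane", "internet"),
        "event_count": len(t.events),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the walk-through is the summary file: its content matches no pattern, it was never tagged, and it has been renamed twice, so a content rule has nothing to act on, yet its lineage still traces back to the matter repository and the transfer to Joe or to the Internet is refused on that basis. In a real deployment the event trail would be fed by endpoint and application sensors rather than by explicit calls, and the policy table would be far richer, but the decision logic is the same: provenance, not surface content, drives the control.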
On protecting law firms and professional services
I have a responsibility to each one of my attorneys to make sure they are highly effective every day. I also have a responsibility to my firm to ensure it’s well protected.
We have a lot of content…It is an absolute requirement that we maintain the confidentiality of this material. That is non-negotiable…There is a lot of data sharing. A lot of cross-communication. It’s one of the reasons that clients hire us…we can work together and leverage our learnings from prior experience to maximize the benefit to the client.
If it is not effective, not only from a security perspective but also from a usability perspective, then they [users] will find a way around it. And in the end, you will have lower security in your environment.
You need to have controls that are elastic and flexible that reflect the needs of our attorneys, as well as protecting it at a very high bar. That’s difficult to do. That’s a hard problem to solve. We think we have.
– Arlan McMillan
Law firms — and in fact, many professional services organizations — share a common set of challenges. For many of them, the majority of their data is sensitive, and it is critical that team members are able to collaborate on that data while ensuring that data isn’t overshared or misused.
Arlan made a great point that clients often choose Kirkland & Ellis due to the shared experience of its attorneys. Being able to share and work with data safely in many ways is the business. Once again, the old ways of data protection actively work against this. Typically, the more DLP rules you add, the more user friction you introduce. And this can quickly end up hurting the business and the quality of security.
At the same time, law firms also have many clients, and each client’s data must remain strictly separated to ensure it is not intentionally or accidentally exposed. And this is not something that is exclusive to law firms or professional services. Many organizations will have different customers and partners that need to have their data and secrets protected. Likewise, almost every organization has a wide range of internal intellectual property — things like financials, discussions about company strategy, product plans, partner negotiations, and many other items that would be highly damaging if they were to be exposed publicly. By building data protections that understand the ways that users need to work without losing sight of the risks, organizations can actually empower their users without losing control of their data.
Again, these are just some of the topics we were able to delve into. Definitely check out the full video if you want to hear more from Arlan, including some additional best practices for keeping your data safe. Of course, if you would like to learn more about Cyberhaven’s DDR and how data lineage can help protect your data and enable users, just contact us at https://www.cyberhaven.com/contact-us/.