In this episode of the Cyberhaven CISO Series, CSO Chris Hodson interviews Prabhath Karanth who leads the Security & Trust team at Navan (formerly TripActions). Prabhath covers the structure of his DLP program at Navan, key considerations that informed how the program was built, and the purpose it serves in the organization.

Building a DLP program begins with understanding business objectives

Prabhath starts off the discussion by getting at the purpose of security—business enablement in a secure manner. And so, for Navan, building the DLP function began by first understanding business objectives in order to correctly map security controls, roles, and functions, to the corresponding business purposes they’re supposed to augment. He then elaborates this by highlighting the scope of DLP at Navan, and the frameworks in place to help manage data exposure risk.

‍

“I think as a security leader, it’s absolutely critical to align yourself to business objectives. Understand what are the key mission critical activities for the business that are driving revenue.”

– Prabhath Karanth, VP and Global Head of Trust & Security, Navan

DLP is inherently cross-functional

Prabhath points out that since DLP’s value comes from being well-mapped to business objectives, a holistic approach thinking about how it fits within the organization is crucial. Using the classic People, Process, Technology framework, Navan has identified the legal, financial, and cross-functional aspects of DLP and the processes that need to be enabled for these stakeholders in order to ensure they can carry out their business functions, and ultimately help keep the organization running and secure.

‍

“We initially understood the needs of each of these different stakeholders, what they were looking for from an overall data loss prevention program and then mapped it out into critical processes.”

–Prabhath Karanth, VP and Global Head of Trust & Security, Navan

Go beyond blocking to prove and provide business value

Here Prabhath speaks to how legacy solutions have trained security practitioners to think of data risk mitigation solely from the perspective of policies and blocking, and how modern DLP adoption needs to go beyond this by providing real insights and acting on real risks rather than false positives. Using tools that help monitor data flows, and the context around how data is being used is essential for this.

‍

“The modern way of doing DLP is to have context related to the identity, have context related to how the data is flowing in organizations. Identifying patterns and high risk behaviors, and then we do some blocking, but it’s totally based on context.”

– Prabhath Karanth, VP and Global Head of Trust & Security, Navan

{{ promo }}

Context is king when it comes to managing data

Finally, Prabhath reiterates the importance of context when it comes to managing data as organizations expand into new environments like cloud workspaces or even public AIs. With context, teams can more effectively identify and remediate data exposure risk in a timely manner.

‍

“Build [your program] based on context, even when it comes to insider risk and DLP.”

– Prabhath Karanth, VP and Global Head of Trust & Security, Navan

Going beyond checkboxes to build a solid DLP program

If you enjoyed this recap, be sure to check out the full session here. Whether you’re building a DLP program from scratch or want to identify tips that can help you improve your existing one, Chris and Prabhath cover a great range of topics that will help you make sense of the role DLP should play in your organization.

We look forward to seeing you at the next CISO Series discussion.