Fidelity National Financial’s Ward Balcerzak on Navigating Data Security in a Cloud-First World

In this episode of The Future of Data Security Show, Jean speaks with Ward Balcerzak, AVP and Director of Data Security & Insider Risk at Fidelity National Financial, who shares his expertise on the evolving challenges of data security in today’s cloud-first landscape. Ward discusses the critical importance of establishing a comprehensive data inventory and discovery process to effectively manage sensitive information. 

Ward also offers his insights into the implications of generative AI on data protection, highlighting the need for robust governance strategies to mitigate risks. With a focus on collaboration across departments, this episode offers valuable insights for organizations looking to enhance their data security practices in an increasingly complex environment. Here are the top 3 takeaways from the interview. 

#1: Adapt Data Security Strategies for the Cloud Era

“Not all risk is the same across various data types or repository locations. I think once upon a time with before cloud and before SaaS, our jobs are a little bit easier from a data security perspective. We could kind of assume that the perimeter was the perimeter and your wildcard was your endpoint. Your endpoint was leaving. If it was a laptop, it was leaving your office location, it could get stolen, it could get connected to kind of a risky network location. And yeah, your data could leave, but your perimeter hopefully was relatively rigid and not squishy and it wasn’t really exposed again. 

“Now with cloud — and when I say cloud, I’m not just talking about Azure, AWS, I’m talking about SaaS applications, ServiceNow, Salesforce, Box.com, dot, you name it — it gets really, really tricky. And it gets really, really tricky because the discovery or security capabilities are not uniform across all those solutions. You are kind of in some cases hamstringed by what is available to you.”

Actionable Takeaway: With cloud and SaaS applications, data security has become more complex. Organizations must recognize that different data types and repository locations carry varied risks and adapt security measures accordingly, leveraging available tools while remaining flexible to account for cloud-specific challenges.

#2: Monitor First to Manage GenAI and Data Risks

“It’s still trial and error. I think a lot of companies would agree that we’re all struggling trying to figure this out. Being in the data protection industry for quite a while, when I think prevention, fortunately/unfortunately, my mind always starts to gravitate towards data loss prevention technologies. Which we all know, there’s plenty of ways around it. They’re not perfect, but really no tool is. 

“So where I always, where I always try to start, and here at FNF, with GenAI has been no different. I try to start with monitoring first. That is, how the heck are people using these things? And back a year and a half ago, when my leadership was concerned, that’s where we started, we said, ‘okay, I hear you, there’s a concern, let’s block certain things. Let’s allow access to others. Let’s just watch. Let’s watch to see how people are using it because we’ll have assumptions on how people are using it, but that might not be accurate.’ And we found just that. We saw certain assumptions that, oh yeah, people are going to use it to craft emails or people were using it to craft checklists for maybe operational processes. All the good things that again, GenAI is good at and should be used for. 

“However, we did start to see some other usage where people weren’t really thinking about, ‘hey, I’m looking to craft this email, but shoot, there’s some customer data in it and that shouldn’t go into the GenAI platforms.’ So what we did after that learning, we were able to come together, we do have a whole digital group within FNF. We were able to sit down and say, awesome, here’s the good ways the business is using it, here’s the maybe risky ways. And look to, again, put in some governance, look to build something internally, and then look to have some controls to prevent some of that risky stuff.”

Actionable Takeaway: Before implementing preventive measures for new technologies like GenAI, start with monitoring how these tools are used within the organization. Observing usage patterns helps identify potential risks and opportunities for governance, allowing companies to implement effective, data-driven controls for safe and productive use.

#3: Establish a Strategic Approach to Problem-Solving in Security

“I think the biggest advice, and I give this to a lot of my team members today, is try to bring your head above the issue, the incident, that whatever in question that’s right in front of your nose, because in security, data security or otherwise, there’s always a fire. There’s always a fire going. There’s always something we’re trying to accomplish. 

“And the biggest issue I see is, as folks see the issue, they sprint to solve the issue instead of think about a little bit higher — strategically, if you will — bring your head above the trees a little bit, look at the problem and say, am I solving for a little piece of the problem, i.e., what I see. Or is there something bigger I’m looking to solve for here? I wish I would have known that way back because I can’t tell you how many times I would see something, I would sprint to fix that something, and then I’d see something similar but it wasn’t fixed because it was slightly different. I didn’t have a solution for that. 

“And I could have saved myself a lot of time, the company a lot of money and a lot of heartache, by just bringing myself out of the problem a little bit to say, all right, am I solving for something tactically or am I solving for it strategically? And sometimes you have to go tactically, right? Sometimes you gotta plug that hole, but think of it like a sinking ship. If I got a lot of holes, am I literally just sticking my finger in one hole and it’s coming out another, or am I actually putting tar or whatever to plug all the holes at the same time?”

Actionable Takeaway: Security teams often react quickly to solve immediate issues. However, taking a strategic approach — looking at the bigger picture — can prevent recurring problems. Elevate your perspective to identify overarching solutions instead of repeatedly addressing symptoms, ensuring long-term effectiveness and efficiency.
