Case Study

Flexibility in identification of highly sensitive data and ability to quickly remediate leads global retailer to choose Spirion for their data security needs

“Spirion’s product is a great tool upfront to perform a discovery, and the ongoing and continuous protections really drive home the value of the product. You need an entire process in place, a strategy built around how you’re going to protect the data going forward, including anything new that’s created.”

-Jonathan Trillos, Senior Manager, Protiviti Security & Privacy Solutions

For over three years, Spirion and Protiviti have partnered to deliver clients best in class data protection solutions and services. A global consulting firm that has served more than 60 percent of Fortune 1000 companies, Protiviti excels at providing consulting solutions for governance, risk and internal audits. During a project with a large retail client, the Protiviti team identified data discovery and classification as a key need.

The retailer believed that sensitive data was scattered about their environment. Using homegrown technology, they were able to validate this assumption. Their security team was confident that their efforts identified the problematic file shares. After locating the data, they planned to add additional security protocol to protect these areas. Through their work with overall governance strategy, Protiviti expressed concern about vulnerabilities that went unaccounted for in the initial pass to identify sensitive data.

The Protiviti team contacted Spirion and they worked quickly to scope out a basic data discovery scan on the same locations that the client already scanned. To the surprise of the security project manager and the Protiviti team, the Spirion scan produced a litany of sensitive data in the first two days. It was so much data that the retailer paused the scan to confirm these were not false positives coming back. Upon realizing the data in the results was both highly accurate and sensitive, they continued the scan to collect data to present to the CISO for a budgetary request to remediate their environment’s sensitive data using Spirion’s Sensitive Data Manager.

The Challenge: Manual scans and loss of worker productivity

Over the years, the retailer built out a tool set to help them evaluate and identify data within their network. Through these efforts, they saw a high number of ‘hits’ come back on about 400 terabytes of data located in fileshares. Given that the company knew where the data was, they attempted to manually remediate to help limit risk tied to the data. Imagine attempting to go through three years of email to find and delete sensitive data to understand the monumental task for one person or a team of people to manually remediate 400 terabytes of data.

Regardless of the magnitude of the challenge, the retailer attempted this project, but then decided to budget for additional security to protect the data set. This strategy didn’t account for the fact that this sensitive data was fluid and was moved through thousands of employees all around the globe. It was at this stage that the retailer notified Protiviti and Spirion was engaged.

Project detail and results

Following the initial scan that provided the results needed to validate budget, the retailer moved forward quickly with the purchase of Spirion for a multi-year contract. Working closely with Spirion professional services in phase one, the retailer outlined their need to scan the 400 terabytes of data in the file shares. However, after realizing the full functionality that Spirion’s Sensitive Data Platform provided, the retailer included discovery and classification at the endpoint of their workforce as well. As part of phase two, they chose to begin deploying Spirion to find sensitive data in their databases and mapped out their strategy to find unstructured data in pockets of their cloud-based infrastructure.

In addition to Spirion’s proven ability to identify sensitive data, the retailer was impressed with the flexibility of the solution’s discovery capabilities. They were also happy to see how easy it was to feed the scan results into automated workflows mapped directly to classification policy defined at the corporate level.


One of the immediate outcomes of the retailer’s project with Protiviti was that their use of Spirion as a one-time scan would not be enough. The amount of sensitive data copied, modified, emailed, saved, and created every day among their global workforce was enough to warrant an ongoing investment. The primary objective in the first phase of the project soon dovetailed into looking at larger swaths of both unstructured and structured data, at the endpoint, on premise and in their cloud applications. Working together with Protiviti and Spirion, the retailer has outlined a multi-layered approach to catch sensitive data and then course correct according to the rules that were defined during the project. The ongoing and continuous protections afforded by their Spirion investment drove home the value for the client.

Related Resources

Practitioner’s Guide to Meeting PCI DSS Audit Deadlines at Rapid Speed
Automate Your NIST Security Framework with Context-Rich Data Classification
How Spirion advances compliance with the new GLBA safeguards rule
Dark Data Infographic
Control your data threat surface with Spirion SDV³™ Sensitive Data Risk Dashboard
Spirion and filerskeepers