I work sysadmin/infra engineering, so I don't have any formal cybersec training, but I'm involved with implementing some of these controls upon direction by my workplace's cybersecurity team.
Burning CDs, DVDs, etc and writing to flash drives should be restricted to only approved individuals or allowed temporarily for a documented business purpose for a limited time period.
IT personnel should not be allowed those rights during notice period, or depending on job duties, IT personnel should not have direct access to the data which was exfiltrated.
If they don't have direct access, but have a level of access such that they could grant themselves access: changes to security on folders or storage containing "risky" data should be tracked at bare minimum, and ideally fire a warning if there is no associated access request/ticket. The check for associated ticket would require a pretty mature environment, with ticketing and access management controlled by systems integrated with each other.
There's also a number of various data exfiltration protection/detection systems on the market, so modern environments should probably have something to fulfill that role.
No solution is perfect, that's why there's multiple layers to my suggestion. Ultimately, training people to have a security mindset and report things that look strange (as what happened in this example) is the final line of defense. There just should have been more hurdles before that point too.