Paychex CISO Discusses Unique Data Protection Challenges
In an interview with The Cyber Express, Bradley J. Schaufenbuel, VP and Chief Information Security Officer at Paychex, shared insights into his nuanced approach to addressing unique data protection challenges.
During the conversation, he discussed the forthcoming cybersecurity trends for 2024, highlighting the significance of generative AI, zero-trust architectures, and the dynamic evolution of ransomware threats.
Renowned for his contributions as the author of ‘For Dummies’ books on cybersecurity, Schaufenbuel distilled key principles for businesses, highlighting continuous improvement, the role of employees, and fostering a security mindset. He also provided valuable perspectives on navigating legal compliance and managing complexities.
Expert Insights Into Unique Data Protection Challenges
Emphasizing a risk-based approach to cybersecurity investments, Schaufenbuel highlighted the immense value of peer collaboration and industry engagement as key strategies for staying informed and effective in the dynamic field of cybersecurity.
How do you leverage your expertise in law, IT, and cybersecurity, spanning legal, financial, and healthcare sectors, to address unique data protection challenges in protecting sensitive data as a CISO?
When it comes to building a cybersecurity program that meets the standard of “due care”, it helps to know how courts have established what activities and controls are encompassed by that term of art (and how that standard is changing over time). When it comes to securing information in a digital form, it helps to understand the technology used to generate, store, and process that information.
When it comes to gaining support for your security program from peer executives, it helps to thoroughly understand the business you are in. Each perspective augments and enhances the other.
What are the upcoming cybersecurity trends expected to gain prominence in 2024, and how should organizations adapt their strategies and defenses to counter evolving cyber threats?
I am not great at predicting the future. If I was, I would be a gambler or an investor, not a cybersecurity practitioner. But here are three safe bets:
- Advances in generative artificial intelligence will continue to drive the evolution of both attacks and defense. We are already seeing attackers leverage large language models to generate more sophisticated phishing attacks and deepfakes. Defenders will need to leverage generative AI to detect and stop these attacks.
- More organizations will attempt to adopt zero trust architectures, but because zero trust solutions are being built on a foundation of immature identity technology stacks, progress will be slow.
- Ransomware attacks will continue to evolve and snare organizations with both mature and immature cybersecurity programs. Double extortion will become standard (if it is not already), with techniques for disruption other than encryption of data becoming more common.
In your ‘For Dummies’ books, you’ve simplified complex cybersecurity concepts. What key principles do you think are essential for businesses to address data protection challenges?
Three key principles I would highlight are:
- Improving and maintaining an organization’s cybersecurity posture is not a “one and done” project. You must continuously evolve your capabilities with the changing threat landscape. The job is never done.
- People can either be the greatest asset to, or the greatest liability of, a cybersecurity program. Well trained employees can serve as a “human firewall”, protecting the organization from cyber attackers. Poorly trained people become the easiest way for an attacker to subvert an organization’s technical controls.
- Cybersecurity is a team sport and culture beats strategy every time. You can have the best information security team and the most advanced tools on the planet, but without a culturally embedded security mindset, you can still get popped.
As a cybersecurity expert with a deep understanding of legal frameworks, how do you navigate and balance the complexities inherent in aligning legal compliance with cybersecurity measures?
There are thousands of legal and regulatory requirements related to cybersecurity and data protection across hundreds of unique jurisdictions and dozens of voluntary security frameworks and standards. Many of the requirements of these sources overlap. The only way I have found to effectively deal with this complexity is to determine which requirements apply to your organization and then map them to your organization’s controls.
Where your controls fall short of meeting one or more legal or regulatory requirements, the gap must be closed. This mapping exercise can be time-consuming but is necessary to make sure that you are addressing data protection challenges holistically.
Additionally, in your experience, what are the key challenges when ensuring that cybersecurity strategies not only meet legal requirements but also effectively protect against evolving digital threats?
Legal and regulatory requirements are nothing more than a baseline that you cannot dip below. All cybersecurity investments that go above and beyond meeting those baseline requirements should be risk-based. What I mean by that is that you should be working with the governing body of your organization to understand its risk appetite and set risk thresholds.
You should then be performing regular (if not continuous) cybersecurity risk assessments. Where cybersecurity risks exceed risk thresholds, you should be investing in controls that mitigate that risk to an acceptable level. A risk-based approach to cybersecurity investment is far more effective (and cost-effective) than buying and deploying every “shiny object” you encounter.
How do you personally stay sharp and continually develop your skills in the rapidly evolving field of cybersecurity? Are there specific resources or practices you find particularly valuable?
Fortunately, I am passionate about what I do. I absolutely love being a cybersecurity professional. When you are passionate about something (whether it is cybersecurity, football, politics, or cost accounting), you tend to have an insatiable curiosity about all things related to that something. The resource I turn to most often is my peers. You can learn a lot from people who are facing the same challenges as you are. That means I attend a lot of CISO roundtables and summits. There is value in the big events (e.g., RSA and Black Hat), but even more value in more intimate venues like local CISO dinners and roundtables.
When there is not time to wait for an event, I turn to blogs and podcasts to stay on top of the latest and greatest developments in the world of cybersecurity. There are far too many to list here, but Dark Reading, Krebs on Security, Schneier on Security, and, of course, The Cyber Express, are a few of my favorites.
Given the interconnected nature of the digital landscape, do you engage in cross-industry collaboration regarding information security, and if so, how has this collaboration shaped your perspectives?
Yes. Fundamentally, information security is not that different from one industry to the next. The “crown jewels” may be different from one industry vertical to the next and different hacking groups may target different industries. That is why there is so much value in belonging to the ISAC and ISAO for your organization’s industry.
However, the fundamental methods that attackers use to go after the crown jewels and the methods that organizations use to defend against those attacks are not that different from one industry to another. Furthermore, collaboration between all defenders is needed to counter the collaboration that already occurs between threat actors. Organizations of all industry verticals must band together for their collective defense. There is nothing to be lost, and much to be gained, by collaborating across industries.
In conclusion, Schaufenbuel’s expertise illuminates the ever-evolving landscape of cybersecurity. His insights on upcoming trends, pragmatic principles for businesses, and the imperative of collaboration highlight the dynamic nature of safeguarding sensitive data in the digital age. As organizations grapple with evolving threats, Schaufenbuel’s holistic approach provides a valuable compass for effective cybersecurity strategies.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
