Bradley Schaufenbuel has over two decades of experience working in information security. He earned his Master of Laws and Juris Doctor degrees from the University of Illinois at Chicago’s John Marshall Law School and is a licensed attorney and a member of the United States Supreme Court Bar. Not only does this provide him with a unique perspective when working through information security challenges, but he is able to leverage law-related skills in his everyday work.
As an avid proponent of continued education, Schaufenbuel also has a Master of Business Administration degree from DePaul University. By combining his undergraduate, master’s and law degrees, Schaufenbuel brings a well-rounded business-focused mindset to any role, allowing him to approach his responsibilities from a strategic viewpoint.
Schaufenbuel’s career spans information security roles at banks, insurance companies and professional services firms. He quickly gained a robust set of responsibilities early on in his career, which helped him move into leadership roles with growing responsibilities. Most notably, Schaufenbuel has assembled and led information security teams, built programs from the ground up, aligned security with corporate objectives, and solidified himself as a business-focused, innovative leader.
EXCITING CHALLENGES IN A NEW ROLE
Currently, Schaufenbuel works as Vice President and Chief Information Security Officer at Paychex, a role he began in September of 2019. Founded in 1971, Paychex is a recognized leader in the payroll, human resource, and benefits outsourcing industry, supported by over 14,000 employees. As an industry leader, Paychex serves businesses in the United States, Germany, Denmark, Norway, and Sweden. According to their website, Paychex supports approximately 670,000 payroll clients across more than 100 U.S. locations, and pays one out of every 12 American private-sector employees.
The opportunity to take on the CISO role at Paychex was brought to Schaufenbuel while he was working at a smaller payroll organization in Chicago. While he enjoyed his time at his previous organization, Schaufenbuel felt he was in a comfortable place after building and maintaining a resilient security program and team. He was ready to take on a new challenge at a larger organization.
He felt that by joining Paychex as CISO, he would be in a position to execute his strategic plans with support from the business entities and the organization as a whole.
STRATEGIC GOALS FOCUSED ON BUSINESS ALIGNMENT
Schaufenbuel has four main strategic goals to continue to protect the organization and its customers while aligning with the overall corporate strategy. These include:
Improving the overall maturity of the information security program. Schaufenbuel explains, “We are focused on benchmarking against NIST and measuring the maturity of each of the 108 controls as implemented at Paychex using the CMMI model. Our goal is to get all controls operating at a high level of effectiveness to eventually achieve the AICPA Cyber Risk Management attestation.”
By focusing on NIST alignment and maturity, Schaufenbuel and his team will continue to improve their management of cybersecurity risk, not only internally within their program, but externally within other business units of the organization. Tangible maturity ratings and methodologies allow Schaufenbuel to communicate risk in a business-oriented manner, strengthening security and the organization.
Enabling the organization to innovate rapidly and safely. In order to address digital transformation in a secure manner that does not impact productivity, Schaufenbuel is focused on a “shift left” mentality.
To help maintain a leadership position in the industry, Schaufenbuel says they are adopting agile development methodologies and DevSecOps practices. Through shifting left, processes are automated and performed earlier in the product development lifecycle, which helps drive innovation faster and more securely.
He comments, “Our goal is to get security involved earlier in the development of new processes, products and strategy. I want to make sure we embed security into that thinking from the very beginning rather than bolting it on at the end. For example, typically, software developers develop code which is placed into production, then security comes in and tests for any issues. When security does find issues, they may be expensive to fix and take time away from pushing out new code. With shifting left, security is baked in at the beginning, which helps avoid costly adjustments.”
Embedding a security mindset into the organization’s culture. According to Schaufenbuel, people can often be the weakest link. He believes an organization is only as strong as its employees, and without investing time and resources into a strong security awareness program, the organization may increase its risk.
Schaufenbuel says, “I am equipping every employee with knowledge to safeguard themselves and the organization from cyber threats. By requiring all employees to go through information security training, they can continue to implement these practices every day.”
Making information security an area of competitive differentiation. Since security is a pivotal area of focus for the organization, in some capacities Schaufenbuel interacts with customers and works with other departments to create customer-facing security messaging.
He explains, “I don’t want to just enable the business. I want us to have such a strong security program that cyber resilience is one of the reasons prospects choose to do business with us. It requires continuous work and I’m focused on making a positive impact in this manner.”
LEADERSHIP AND PERSONAL GROWTH
Schaufenbuel says he is a servant leader with a serve-first mindset, focusing on empowering and uplifting his team. He continually focuses on ways in which he can help enhance the development of his team members to unlock or grow their potential and creativity. He pursues ways to develop and align each team member’s sense of purpose with the company mission.
He comments, “I like to surround myself with people smarter than myself. I focus on hiring people who are problem solvers and critical thinkers. Learning from my team is incredibly valuable.”
For his own personal growth, Schaufenbuel believes in continuous learning and holds over 25 certifications, spanning information security, ethical hacking, computer forensics, fraud prevention and project management. He also leverages his professional network to help him overcome challenges. He says, “I can send a message to my professional network and get thirty responses. These come from CISOs and security leaders across the U.S. facing the same challenges as myself.”
He is also a prolific author and speaker and serves on the advisory boards of multiple venture funds and startups.