Bradley J. Schaufenbuel is currently Vice President and Chief Information Security Officer at Paychex. He has over 28 years of information security experience, the last 19 in leadership roles, at companies within the financial services and technology industries. Bradley has authored multiple books and professional journal articles about information security and IT governance. He is a licensed attorney and a member of the United States Supreme Court Bar. Bradley holds twenty-five professional designations in the areas of information security management, IT compliance, information privacy, fraud examination, IT audit, computer forensics, ethical hacking, business continuity planning, project management, cloud security, and process improvement. He holds an MBA from DePaul University and a JD and an LLM in information technology and privacy law from the University of Illinois at Chicago’s John Marhsall Law School. Bradley has served as a director on several boards, is a frequent speaker at industry conferences, is regularly quoted by the press, and has served numerous clients as a freelance consultant. He was named the Chicago CISO of the Year in 2018 and as one of the Top 100 CISOs for 2023 by Cyber Defense Magazine.
In a recent interview with CIO Magazine, Bradley J. Schaufenbuel discussed his experience with AI and cybersecurity. He shared his views on the cyber intelligence landscape, cybersecurity strategy, technological shifts, and many more.
The role of AI in cybersecurity is growing rapidly. How do you see AI and machine learning reshaping the cyber intelligence landscape today?
Artificial intelligence is being leveraged by attackers and defenders. Attackers are using AI to craft better phishing e-mails and deepfakes that improve the effectiveness of social engineering. Defenders are using AI to improve the efficacy of detection and to automate manual processes in the areas of security operations, vulnerability management, and identity and access management. Like any innovative new technology, a race has ensued to determine who can leverage AI to their advantage faster.
What are some of the most exciting or promising use cases of AI you’ve seen in proactive threat detection and response?
In the area of threat detection, AI models are being leveraged to detect deviations from norms that may indicate the activity of attackers. The efficacy of that technology is improving daily. In the area of response, AI SOC analysts are executing incident response playbooks that once could only be performed by human beings, and at machine speed. These developments are driving down both the mean time to detect cyber attacks and the mean time to respond to those attacks.
With cybercriminals also leveraging AI, how can security teams stay ahead in this intelligence arms race?
Security teams must embrace artificial intelligence (and quickly), as adoption of AI by defenders is the only way to keep up with the adoption of AI by attackers. This means that security teams of all sizes and in all industries must keep themselves educated on developments in AI and invest in AI-powered security solutions where possible. Since attackers focus their efforts on the weakest targets, security teams don’t need to be first in implementing AI capabilities, but they cannot afford to be laggards.
In your experience, what are the biggest misconceptions companies have about integrating AI into their cybersecurity strategy?
In my experience, the biggest misconceptions organizations have about integrating artificial intelligence into their cybersecurity strategy is that it is too difficult or too costly. Almost all cybersecurity solution providers are adding AI capabilities to existing tools. In many cases, a security team merely needs to enable this functionality and leverage the skills they have already acquiring using tools like ChatGPT. There are numerous open-source security-related AI models that, with a little effort, can be leveraged at no cost.
What skills or mindsets do you think are critical for the next generation of cybersecurity professionals working with AI?
The mindset that I believe is always critical for cybersecurity professionals is one that embraces continuous learning. Since artificial intelligence will be a foundational element of most cybersecurity solutions in the future, I would suggest that every cybersecurity professional study how AI models of different types, e.g., machine learning models, foundational models, large language models, small language models, etc. are created, trained, tuned, and inferenced.
How do you ensure your teams stay adaptable and forward-thinking when both the threat landscape and the technology toolkit are constantly shifting?
I ensure my teams stay adaptable and forward-thinking in the face of a constantly changing threat landscape and security toolkit by embracing curiosity, encouraging continuous learning, and by allocating time to “look around corners” and experiment with new technologies. I also like to engage in design partnerships with cybersecurity startups, giving my team access to the most innovative cybersecurity technologies that are being built before they are commercially available.
You’ve seen and led through incredible technological shifts—what leadership lessons have stuck with you the most?
The three leadership lessons that have stuck with me the most are the following. 1) Embrace diversity. Teams composed of people with a variety of perspectives are more innovative and make better decisions. 2) Practice servant leadership. You are there to inspire and support your people and not to tell them what to do. 3) Never stop learning. You are never too old or too experienced to learn something new, especially in a field like cybersecurity that is constantly changing.
What advice would you give to someone just entering the field today, hoping to work at the intersection of AI and cybersecurity?
The advice that I would give to someone just entering the field today is to make sure you have mastered the cybersecurity basics, i.e., the CIA triad, zero trust architecture, the key domains in the field (e.g., cryptography, IAM, security operations, GRC, application security, network security, etc.), and then learn as much about artificial intelligence as you possibly can. Read about or get trained in data science. Download and experiment with open-source models. Etc. Apply the knowledge to help stand out from the crowd.