Q&A with Brad Bussie, Principal Security Strategist at Trace3
Today we feature an interview between Maurice Gilbert, CCI’s CEO, Founder and Publisher, and Brad Bussie, Principal Security Strategist at Trace3, a provider of IT solutions and consultation services. The company’s thriving security practice helps companies review and manage internal policies and protocols to develop an integrated approach to data security and compliance in a way that supports growth. Brad helps global businesses meet changing regulatory and security compliance standards to mitigate risk and avoid security threats.
Maurice Gilbert: How did you get started on a career in compliance?
Brad Bussie: I decided early on in schooling that a life in information security was for me. There is something about the structure compliance brings that resonates with me. I was fortunate enough to get my start in compliance by working for a military contractor. I am sure you can imagine the level of compliance that exists for the Department of Defense.
MG: Who helped shape your views?
BB: I am lucky enough to have a father who started his own technology company after serving in the Navy. He has been, and continues to be, the one who helps shape my views. I have found over the years that he has a unique way of looking at things and weighing both sides of a problem. His views have helped me better understand problems, challenges and solutions.
MG: How do you stay current on ethics and compliance issues?
BB: I read over 60 books a year on a variety of subjects. I am what you would call a lifelong learner. I also belong to several professional organizations that focus on cybersecurity, risk and compliance. Industry publications are also a staple of mine as well as researching and understanding compliance frameworks that any number of my customers are currently leveraging.
MG: What are some of the significant issues facing CCOs, Risk Managers, etc.?
BB: Organizational speed, scale and complexity are significant issues facing CCOs and Risk Managers. I find three key things are needed for successful compliance and risk programs: the right people, process and technology. Qualified people are becoming scarcer in security disciplines. Because of this, process and technology need to be well designed and utilized to survive the rigors of risk and compliance.
MG: What do you believe is the optimal reporting structure for the CCO and why?
BB: A CCO, much like a CISO, must have what I call “juice.” Reporting structure is only partially important; what is really needed is charisma. Most business leaders don’t understand why compliance is necessary and feel like compliance is being done to them specifically as opposed to as an organizational mandate. This misconception leads to resistance and only partial compliance. The CCO needs to report to the right individual within the organization to be recognized as having the power to get things done. I often see a CCO reporting into a board-sitting CISO, legal officer or CRO.
MG: How do you effect change within your clients’ environments?
BB: Consulting has given me a great platform to effect change within client environments. Organizations seek out consultants to help them solve specific challenges. I am honored to bring my industry experience and skillset to each client individually. At the end of the day, I am a problem solver. The secret sauce to being effective in an environment is understanding the problem, identifying what is causing the problem, developing a plan of action and executing the plan to solve the problem.
MG: How do you see the CCO role evolving within the next three years?
BB: The CCO role is going to become more important in organizations over the next three years. They may not always be called “Chief Compliance Officer,” but the need will be there. I see the CCO taking a more proactive role in making sure that vulnerability management and auditing are part of the overall compliance framework. Ultimately, the CCO will make sure that policies and procedures are being followed using advanced analytic tools that examine the business in an automated fashion.
MG: What do you see as the greatest business risks facing companies today?
BB: Cyberattacks are one of the biggest risks facing companies today. Due to the insidious nature of cyberattacks and the broad target area, companies need to take them seriously. Attacks have traditionally occurred at the perimeter, but we are now seeing most of them coming from malicious insiders. An innocent tap on the wrong email or a forgotten patch on a web server is all that stands between you and the front page of the news. The damage that cyberattacks are having on intangible things like company image and brand presence cannot be ignored.
MG: What do you see as the greatest regulatory risks facing companies today?
BB: The greatest regulatory risks facing companies today are exceptions. I have been in a number of organizations over the years that attempt to follow compliance and regulatory mandates to the letter – until something breaks. Systems or processes that are core to the business suddenly fall over because of a change. Homegrown software platforms generally do not consume compliance as readily as COTS software. What happens next is where the root of the problem lies; exceptions are made for the regulation, there is ample documentation as to why the exceptions are made and we move on. Welcome to your next exploited vulnerability.
MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face these risks?
BB: The best way to face the risks is to justify the time, talent and treasure needed to update existing processes and systems to comply vs. documentation. Regulatory requirements, while often difficult, exist to make organizations safer.
MG: How does your company help its clients mitigate risk?
BB: We help customers mitigate risk by first identifying what the risks to the business are. An understanding of the risks allows the team to decide how to prioritize the acceptance, control and monitoring of the risks. We develop life cycle mitigation plans that are unique to each client.
MG: What new service offerings do you have in the queue?
BB: Our company is laser-focused on transformative information technology, innovation and elite engineering. This focus enables us to rapidly bring to market new service offerings in infrastructure, cloud, security and data intelligence. Look to us for end-to-end, multidisciplined service offerings.
MG: Compliance departments are often asked to accomplish their work with limited resources… do you see this situation changing any time soon?
BB: I don’t see the limited-resources problem facing compliance departments changing anytime soon. If anything, I see the problem getting worse. The only real hope we have is to embrace automation and machine learning to do more with less.
Brad Bussie is the Principal Security Strategist at Trace3. He is an award-winning 15-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence and DoD customers solve complex security issues.