
Speed Data: The Benefits of Simplicity With Mark Bruns

CISO Mark Bruns shares cybersecurity knowledge amassed over 25 years, the pros and cons of gen AI, how to protect data, and why compromise is key.
Megan Garza
Last updated March 29, 2024

Welcome to Speed Data: Quick Conversations With Cybersecurity Leaders. Like speed dating, our goal is to capture the hearts of CISOs with intriguing, unique insight in a rapid format for security professionals pressed for time.

This week, we welcome Mark Bruns, Chief Information Security Officer for FirstBank. Mark shares the cybersecurity knowledge he has amassed over the past 25 years at Deloitte, Gulfstream Aerospace, and the United States Marine Corps. He gives his take on the pros and cons of gen AI, the best way to protect sensitive data, and why compromise is the key to success.

Simplicity is king.

Mark Bruns, the Chief Information Security Officer for FirstBank, follows the KISS rule (“Keep it Simple…”) daily.

One of the biggest things I've always believed in is to simplify.
Mark Bruns, Chief Information Security Officer for FirstBank

Mark’s responsibilities at the Tennessee-based bank include communicating the need for a strong security posture to fellow executives.

“We’ve made the topic way too complex. I have a rule that whenever I’m presenting to the board, I make the narrative count. Find a story that will engage them and give them a level of understanding for what you’re trying to do and what your vision is.”

As a board member himself for the Cyber Risk Institute, Mark knows what’s most important to executives — combating risk. Because his org is 100% SaaS, data is spread out across third-party providers, making it harder for threat actors to cause a detrimental breach.

“The good thing is our data is everywhere, so that’s harder. The bad thing is our data is everywhere,” Mark said. “So I have more opportunities to have an issue, but they’re probably individually smaller.”

He laughed, adding, “Third-party risk keeps me up at night, and because of that, they made it report to me.”

Securing sensitive data

To remediate these risks, Mark and his team have set strict rules banning any cloud storage. “You cannot get to Dropbox or Google Drive; none of that’s allowed,” he said. “We block it all.”

Additionally, Mark relies on the leading automated security platform to keep his org secure.

We own a lot of Varonis; we use it extensively to track where our data is.
Mark Bruns, Chief Information Security Officer for FirstBank

“The ability to run scans over data inside of Exchange will be massive for us,” Mark said. “Way too many people today use Exchange and email as a document repository.”

As more and more businesses begin using generative AI, Mark cautions against haphazardly using the technology without safeguards in place.

“It is fascinating the things you can do with AI, but how do you use it and keep your corporate data within your own realm? That’s the fun part,” he said.

Cybersecurity is a conversation.

Balancing the benefits of artificial intelligence and weighing the pros and cons of AI comes naturally to Mark, who admits that, in another life, he may have been known as Mark Bruns, Esquire.

“I would have loved to have been a lawyer,” he said. “My daughter’s in law school, and we get into some fun conversations. She’s like, ‘You actually get this stuff!’ and I say, ‘Do you understand what I do for a living? I spend my whole day with lawyers!’”

“I’m looking forward to some of the stuff she will get into. I think it’s fascinating.”

That desire to argue both sides of a topic and come to a mutually acceptable agreement is one reason why Mark has a mind for legal. However, it’s in cybersecurity that he practices the principle of compromise.

Everything we do is a risk conversation.
Mark Bruns, Chief Information Security Officer for FirstBank

“So when do you know when and to what level to compromise? Because you’re going to have to at some point,” Mark said. “But most of the time, it’s more of a true risk conversation with compromise and discussion on both sides.”

“The ability to have those conversations and have them be constructive is incredibly important, and it’s a big part of what this job is.”
