Member Spotlight: Bradley Schaufenbuel

Bradley Schaufenbuel passed the bar exam. He has no plans to practice law.

He is the CISO of Paychex. He is almost certainly part of a very small group of security leaders in the country who are also licensed attorneys. Among that group, he may be the only one who never planned to practice.

He didn't do it to switch careers. His wife had watched him spend years working alongside general counsels, fascinated by the way lawyers approached problems analytically, and fascinated by the intersection of technology and law. He was so interested that in 2007 he wrote a book on electronic discovery. She encouraged him to apply to law school, not to advance his career, but to satisfy his intellectual curiosity and learn something unlike anything he'd learned before.

He did. And then came the hard part.

For four years, Bradley worked full time as the Chief Information Security and Privacy Officer of Midwest Banc Holdings, a $4.5 billion financial institution, while earning a law degree, a master's in IT and privacy law, and passing the Illinois bar. Nine-hour days. Three hours of class every night. Every weekend in the law library.

Today he works more closely with Paychex's Chief Legal Officer than most CISOs ever work with their legal teams. Their CLO already knows he understands attorney-client privilege, work-product doctrine, and the rules of evidence, so they skip the education and go straight to the collaboration. He approaches problems with the analytical method lawyers use, which he says works better for business problems than the methods he previously used for fixing technology issues.

None of this was the original plan. He went to college studying criminal justice, set on becoming a police officer.

His father was in the military. Growing up, Bradley watched his dad serve. Someone who put the interests of others before his own. That became the template. But he also had a passion for computers. In college he realized the two didn't have to be separate: he could protect people from bad guys through technology instead of a badge. He changed his major to management information systems, started as a network engineer, and took the first opening on the security team.

"The information security profession is a noble one," he says. He thought that then. He still thinks it now.

The role that accelerated everything came early: Business Information Security Officer for the second-largest business unit at Experian. For the first time, he reported to a business leader rather than a technologist. He was, in his words, the CISO for a business within a business. He learned to link his objectives to those of the business, to speak to senior leaders in the language of business, and to understand what actually makes an organization tick. Two years. He calls it his PhD in executive leadership.

That's the frame he leads from. Here's what it looks like in practice: the review of AI use cases by Paychex's AI Governance Committee was taking an average of eight weeks. Bradley stepped in, streamlined the process, and got it to two weeks. The faster process carries more risk: some security issues might get missed. But when he assessed that the market risk of slowing innovation exceeded the security risk of a faster review, he went with the course of action that gave the whole leadership team the best chance to succeed.

He is also thinking about what comes next. Models like Anthropic's Mythos Preview are changing the threat landscape, accelerating zero-day vulnerabilities and compressing the time between discovery and exploit. His team is preparing for that now.

Security leader making a business call. That's Team One.

His advice to anyone ten years behind him:

This has been a DoGood Member Spotlight.