In this episode, we feature Tony Buenger to discuss his journey from an Air Force ROTC scholarship that turned into 22 years of Air Force service, to his multiple information security/cybersecurity leadership roles which ultimately led him to the Redspin team. All of this while producing music videos and running a recording studio on the side. Listen as we get to know Tony’s passion for what he does and understand what cybersecurity, compliance, and privacy mean to him.
LAUREN FRICKLE, HOST: Welcome to Cyberspin, the podcast that brings you expert insights to today’s hot topics in cybersecurity, privacy, and compliance for highly regulated industries, including the tech industry, defense industrial base, contractors, financial institutions, and more. Each episode features an inside.
Listen in to the conversations between Redspin thought leaders, subject matter experts, and industry guest speakers who share insights into the latest in cybersecurity. Subscribe to Cyberspin on Apple iTunes, Spotify, or your preferred podcast platform. New episodes are released weekly, and a transcript of each episode can be found at redspin.com.
LAUREN FRICKLE: Hello and welcome back to Cyberspin. I’m Lauren Frickle. This week, I’m here exclusively with Tony Buenger, Redspin’s CMMC Provisional Assessor. Hi, Tony, how’s it going?
TONY BUENGER: Hi, it’s going pretty good.
LAUREN FRICKLE: Good, so this week’s episode is going to be a little bit unique. We’re going to focus primarily on you. How do you feel about that?
TONY BUENGER: Oh, I think I can handle it.
LAUREN FRICKLE: So, let’s get right into figuring out who you are, what makes you tick. My first question is where are you from? Tell us a little bit about your professional journey that led you to become a CMMC strategist and your position here at Redspin.
TONY BUENGER: Sure, sure I can do that. I’m originally from Baltimore, so go Baltimore Colts and go Baltimore Ravens!
I received my Bachelor of Science degree in electrical engineering from the University of Maryland via an Air Force ROTC scholarship. So, the Air Force sent me to school in my hometown and I was able to get an Air Force commission out of that.
I spent 22 years in the Air Force and retired from the Air Force as a Lieutenant Colonel in 2007. My last five to seven years in the Air Force, I was heavily involved with information security, and after I retired from the Air Force, I became a full-time information security professional, fulfilling various roles as an Information Security Officer, Information System Security Manager, NIST Certifying Authority, Security Controls Assessor, Chief Information Security Officer, Cybersecurity Consultant, and the list goes on…
LAUREN FRICKLE: Yeah, that’s awesome, it sounds like you’re kind of a perfect fit for the CMMC service.
TONY BUENGER: Yes. CMMC stands for Cybersecurity Maturity Model Certification, under which DoD contractors must be certified.
LAUREN FRICKLE: Yeah, let’s hear you say C3PAO five times fast.
TONY BUENGER: Haha, oh yeah, it goes into C3PAO, R2D2, and anything else.
LAUREN FRICKLE: It’s a mouthful, but thanks for that Tony. So, moving right along, what do you do in your current role as a CMMC Provisional Assessor at Redspin?
TONY BUENGER: Yes. In my current role as a CMMC Provisional Assessor at Redspin, I’m currently providing consulting services to DoD contractors who will need to be certified at either Level 1 or Level 3. We don’t need to get into the details of the difference between Level 1 and Level 3, but let’s just say it requires a lot of work for these DoD contractors to get ready to be certified at either Level 1 or Level 3.
I’m also working with those DoD contractors who happen to be ready for the CMMC certification assessment and are just waiting until we’re all authorized to start conducting those certification assessments.
I’m also involved in ensuring that Redspin itself maintains its status as a CMMC Third Party Assessment Organization, also known as a C3PAO, so that we can be authorized to conduct CMMC assessments for DoD contractors. As a C3PAO within CMMC, we need to be certified ourselves, and so we’re preparing.
We’re coming down to the wire, where we’re about ready to be scheduled to have an assessment done on Redspin so we can be authorized to conduct CMMC assessments.
LAUREN FRICKLE: Awesome, so you kind of have to be certified yourself to be able to certify. Well, I think something that’s kind of helpful for our clients and our listeners is to explain that Redspin is a division of CynergisTek, and CynergisTek is a healthcare cybersecurity, compliance, and data privacy organization.
TONY BUENGER: Yes, that’s correct. So Redspin, as a C3PAO, is actually expanding out into the federal government. But primarily it’s the Department of Defense. They’re the ones who actually developed the CMMC framework and the model which we have to follow to ensure that DoD contractors are certified.
And then also, we’re finding out that the CMMC model will be branching out beyond the Department of Defense to other federal agencies, so it’s a good opportunity for Redspin to really get its feet dirty, hands dirty, and just dive in and expand beyond the healthcare industry.
LAUREN FRICKLE: Yeah, that’s cool. Ok, so what drew you to Redspin?
TONY BUENGER: What drew me to Redspin is the fact that I previously worked with CynergisTek as an interim CISO for Augusta University in Augusta, GA, under contract with CynergisTek, doing a lot of remediation work, which CynergisTek is well known for. And it was mostly for the healthcare portion of Augusta University. After that contract ended, I eventually came back to CynergisTek, but this time in Redspin, heading up the CMMC program. So, I was drawn back to CynergisTek and Redspin since I was familiar with the organization’s strong standing within the healthcare sector along with its strong values and commitment to doing the right thing for its customers.
So, I’ve been there, done that you could say.
I previously worked with many of the security consultants within CynergisTek who are well respected in the consulting community. So, I’ve come back to the old team. I knew Redspin was well suited to expand its service delivery capability for the federal government sector, and I’m happy to be here to help them get into that sector and be very successful.
LAUREN FRICKLE: Ok, I want to ask, in your opinion, what are the top two issues the cybersecurity industry is facing today?
TONY BUENGER: For me, the top two issues or challenges that these organizations are facing: number one is they just don’t have enough resources to protect everything that needs to be protected.
Number two is the biggest target, the employee. The employee is targeted through good social engineering tactics. You know, email phishing, things like that. The bad guy can get information from the employee. You know, the bad guy will ask the employee, “Hey, give me the keys to the kingdom,” and the employee will say, “OK, because I think you’re a valid person. I’ll give you the keys.” So those are the two issues: not having enough resources, and really combatting increased social engineering attacks on its own.
You are only as strong as your weakest link and many times the employee is the weakest link and the bad guys know that. So, they are taking advantage of that.
So, what the organizations need to do is have a good or mature risk management program to manage those risks associated with those cybercrimes and attacks.
Organizations do not have the resources to fix this. As I said, they need to make disciplined, risk-based decisions on where to apply resources to mitigate or remediate those risks.
LAUREN FRICKLE: So, Tony. You’re leading CMMC assessment services at Redspin. From what you’ve seen so far, what do you think will be the biggest hurdles or challenges for contractors who will need compliance?
TONY BUENGER: Ah, yes, that’s a good question. First of all, many DoD contractors are surprised at how fast the CMMC has evolved, and they’re realizing that, oh, this is for real and we really have to become certified by an independent entity, and that independent entity is a C3PAO. So, prior to CMMC coming online, DoD contractors were required to self-assess to a set of security standards known as NIST SP 800-171. You don’t need to know that number there, but for those contractors out there, they know what it is. That SP 800-171 self-attestation did not work. The DoD found that self-administration was not effective. So in 2018 the DoD developed the CMMC framework, which mandates independent verification by C3PAOs. So, the CMMC model includes additional requirements that these DoD contractors are not used to performing, meeting, or complying with, so they’re finding that it’s requiring resources on their end to become compliant with CMMC and become certified.
So, going back to the previous question of having enough resources, they are also finding that it takes many resources to become compliant with CMMC requirements.
LAUREN FRICKLE: OK, so where do you see the state of CMMC in 5, 10, 15 years?
TONY BUENGER: Sure, we’ve previously mentioned this. We’re already seeing the DoD CMMC framework expand beyond just the Department of Defense, but it’s also beginning to expand to other federal agencies, such as the General Services Administration and possibly the Department of Homeland Security, so we expect to see that within five years that this will not be a DoD only endeavor.
In the longer run, I believe we will see the merging of compliance bodies such as, potentially, HIPAA and CMMC. We’re starting to hear about, for example, maybe the Defense Health Agency’s HIPAA compliance requirements. Now, you know, in the future, will they also need to deal with or comply with CMMC at the same time?
So, we’re starting to see that here, and I would suspect that’s more in the 5-to-10-year range, where we’re going to see health agencies who have federal contracts, especially DoD contracts, find themselves under HIPAA and CMMC compliance mandates. Once again, that could go back to the resources issue that organizations are running into. Do we have enough resources to really handle this?
LAUREN FRICKLE: Ok, well moving away from the fun CMMC stuff. I know just from my conversations with you that you’ve got your toe in a lot of stuff. You’re a technical guy, but you’re also creative. So, what do you do on the weekends and outside of work?
TONY BUENGER: Yeah, and I sometimes get myself in over my head, but I find that having a vibrant lifestyle outside of work can actually help you while you’re at work. So, you have to really have something to look forward to when you get off of work and also have something to look forward to when you’re going into work.
So basically, you know, everyone needs an outlet or two or three, so for me, I go jogging and hiking as much as I can. Fortunately, I live down in the southeast corner of the United States, so I can get outdoors a lot and jog, run, hike, and do those outdoor things. Fortunately, with my job here with our company, I have time that I can get out. Most of the time I can take an hour from work in the middle of the day, get out, and get some exercise, but I do like to get outside.
Also, from a creative perspective, as you mentioned, I’m an audio engineer, I have a recording studio that I have people come in and out of all the time. I have other audio engineers and producers come in and rent it out and so that keeps me busy as well. From the creative person’s perspective, I love to see young artists come in and help to really bring their songs to life.
Also, I’m a professional videographer which is closely related to audio engineering, because I do produce a lot of music videos, things like that and I also provide videography services for weddings and other live events, so I do keep pretty busy, but I think that keeps you healthy and young.
LAUREN FRICKLE: So on to the next question. Earlier in our conversation, you kind of let us know that the consulting team and some of the people at CynergisTek and Redspin are what drew you to your current position. Following up on that, describe the team you work with in just one word.
TONY BUENGER: In just one word, I would say sharp. And the reason I say that is because they are always on top of the latest cybersecurity trends. And if you are in the cybersecurity profession, you need to keep up on the latest trends, and those trends can come from what are the latest cyber-attacks, what are the latest attack vectors, what are the new technologies out there that can combat those attack vectors and threats, and what are the technologies out there in which the cyber attackers are actually exploiting vulnerabilities? So, there’s a lot going on, a lot changing out there, and they’re really good about keeping up on that.
But yeah, you know, more importantly to me is that they’ll take those complex topics, cybersecurity subjects, and relay them to the customers in terms that they can understand. Because, you know, this is a very technically oriented profession that we are in. And really, it’s important to take that technical mumbo jumbo and put it into business-speak, and the CynergisTek and Redspin teams do a great job of turning that technical jargon into business-speak.
LAUREN FRICKLE: OK, do you hear that, guys? The one word Tony uses is sharp. I honestly couldn’t agree more, Tony. Last but not least, what do you think is important about the cybersecurity, privacy, and compliance industry?
TONY BUENGER: What I see as most important, and we saw this with 9/11. It’s hard to believe how long ago the 9/11 terrorist attack was. But the government found out that we couldn’t connect the dots. All the dots were out there, and we just didn’t connect the dots. We didn’t know all the dots that were out there, what dot 1 was and how it related to other dots. So, to me, the most important criteria with respect to cybersecurity, privacy, and compliance are that all industrial sectors with compliance frameworks and specialties must work together. So, I kind of touched on this earlier about how the CMMC compliance framework and the HIPAA compliance framework may have to work together here in the future. So, it’s not unlike what we learned about connecting the dots after 9/11. So, we’re looking at everyone who is virtually linked, linked in cyberspace, and, you know, I mentioned this before, we’re only as strong as the weakest link in the chain, so when it comes to cybersecurity, privacy, and compliance, they all work together across all industrial sectors.
LAUREN FRICKLE: There you have it, folks, in the words of Tony himself, we’re only as strong as the weakest link in the chain.
TONY BUENGER: And the bad guys know it.
LAUREN FRICKLE: And the bad guys know it. Yep. Thanks, so much Tony. Thank you so much for your time, it’s been wonderful to get to know you.
TONY BUENGER: Everyone’s head probably hurts. Now go take some aspirin.
LAUREN FRICKLE: Haha, Doubt it. I love it. Well, thanks so much, Tony. Happy to work with you. Thanks so much for listening.
TONY BUENGER: I enjoyed it!