25+ years of success leading IT and cybersecurity solutions for government, private, and commercial entities.
Performance-driven Vice President with 25 years of experience aligning systems with business, policy, and regulatory requirements. Passionate about applying excellent organization and communication skills to manage and lead teams. Results-oriented individual well-versed in interfacing and consulting on business processes to drive results based on sound overall business judgment.
VICE PRESIDENT, CYBERSECURITY ADVISORY SERVICES & DIRECTOR, GRC
SecureStrux, LLC
09.2021 - Present
Responsible for expanding overall cybersecurity strategy, consulting, assessments, remediation, engineering, vulnerability management, and managed IT and security service offerings for both public and private sectors.
Acts as change agent for SecureStrux's most strategic clients looking to secure their corporate and critical infrastructure environments.
Internally, as the Director of GRC, responsible for the company’s overall cybersecurity program
Managed the company’s IT Service Management (ITSM) capabilities based on ITIL principles
Developed and maintained IT and cybersecurity architecture, leveraging Azure Active Directory (AAD) and associated infrastructure for optimized operational efficiency and enhanced security measures
Developed vCISO and Cybersecurity Advisory Services lines of business; led company’s ISO 27001 certification
Leads practice assessments based on DFARS 252-204-7012 and 7019 for DIB contractors and assessments for GDPR and GLBA for the commercial sector
A technical leader and project manager for OT to assess and remediate critical infrastructure sector (DIB, Energy, Water/Waste Water, Health) compliance requirements
Led effort to become an Authorized CMMC 3rd Assessment Organization (C3PAO) for the Department of Defense (DoD).
Demonstrated proficient leadership skills to motivate employees and build competent teams
Hired and managed employees to maximize productivity while training staff on best practices and protocols
Clarified roles, responsibilities and expectations of staff
Identified opportunities to improve business process flows and productivity
Monitored industry trends, keeping current on latest changes and competition in industry
Used market insights to capitalize on key business opportunities for new advantageous partnerships
Oversaw business-wide changes to modernize procedures and organization
CMMC Manager
Redspin (A Division of Cynergistek, Inc.)
09.2020 - 09.2021
Developed CMMC strategy and program for Redspin as C3PAO
Prepared Redspin to become the first Authorized C3PAO in the DoD; passed intensive third-party audit for certification.
Incorporated the CMMC Assessment Process into the Redspin assessment processes.
Continually worked with marketing to develop and present CMMC news and updates.
Provided consulting and gap analyses to assist clients with CMMC certification preparation.
DEPUTY CHIEF INFORMATION SECURITY OFFICER
Auburn University
07.2019 - 09.2020
Led and managed a team of eight cybersecurity engineers and analysts
Responsible for the enterprise information security program university-wide to protect university and regulatory data, including FERPA, GLBA, GDPR, FISMA, CMMC, and HIPAA
Revamped the university’s information security policies to improve alignment with state and federal regulatory requirements (state privacy, FERPA, HIPAA, CMMC, GLBA); NIST SP 800-171
Led the effort to institute the university enterprise architecture program into business processes; developed the architecture review board
Designed and implemented the university’s SOC from the ground up, based on US-CERT guidelines; improved incident response and threat-hunting capabilities two-fold
Improved the university’s cybersecurity training and awareness program with a new capability that tracks employee and faculty onboarding and annual cybersecurity training (KnowBe4)
Program manager for implementing CMMC for the university’s R1 research program; prepared explicitly for mandated certification of its DoD research contracts
Partnered with Research Security Compliance to coordinate and respond to intelligence reports to protect the university’s intellectual property and supply chain from cyber and local threats
Monitored activity and analyzed logs at various points in layered security to include SIEM (Splunk) activity, boundary protection (Palo Alto IPS/IDS), and endpoint protection (Cisco AMP)
Employed Jira Risk Manager to calculate business and technical risks from known vulnerabilities.
Developed and grew staff competencies through team development, implementation and support of specific training for various responsibilities
Researched, reviewed and recommended equipment, materials and supplies to prepare and maintain security expenses within approved budget
Established measures, metrics, thresholds and targets to drive performance in alignment with security and other business strategies
ASSISTANT VICE PRESIDENT, CYBERSECURITY & CISO (INTERIM)
Augusta University and Health
10.2018 - 06.2019
Led a team of cybersecurity engineers and IT architects in providing remediation support for the university and health campus
Responsible for establishing and maintaining a university-wide cybersecurity strategy and leading multiple cybersecurity programs (academic and health sides) to ensure those information assets are adequately protected
Developed a cybersecurity investment strategy and annual budget in collaboration with the Chief Information Officer (CIO)
In coordination with the Chief Compliance Officer (CCO) and Chief Privacy Officer (CPO), developed new cybersecurity policies to include incident response and data retention for the academic, research, and health components of the institution
Developed a university-wide cybersecurity awareness and training program
Developed a “road show” to communicate cybersecurity issues as part of the university’s security training and awareness program
Implemented hands-on training and use of multifactor authentication (MFA), secure email, and secure storage for sensitive data (HIPAA, FERPA, PII)
Implemented an ongoing social engineering (phishing) campaign for faculty, staff, & students (KnowBe4)
Improved ITSM / ITIL capabilities through migration to ServiceNow
Improved the institution’s disaster recovery capabilities through a comprehensive security risk review and associated disaster recovery exercises involving cyber-attacks and simulated ransomware attacks
Conducted internal cybersecurity assessments and audits with the CCO, CIO, and CPO
Provided monthly cybersecurity updates to the C-suite.
Reduced operational risks while organizing data to forecast performance trends
DIRECTOR, INFORMATION SECURITY
Universal Service Administrative Company
02.2018 - 09.2018
Provided leadership, direction, and management oversight to a team of information security professionals supporting the information confidentiality, integrity, and availability activities of USAC (a subsidiary of the Federal Communications Commission (FCC))
Led a group of security engineers and administrators in providing 24x7 security operations support by utilizing state-of-the-art cybersecurity SIEM and tracking tools
Managed a $6 million annual cybersecurity program operating budget consisting of GRC, security SDLC, professional development, training, and security operations center activities
Ensured business and IT alignment through collaboration with enterprise risk and compliance functions
Developed and implemented a cybersecurity roadmap and successfully oversaw risk management framework (Jira Risk Manager), managing review cycles to ensure all security operations functions were documented
Grew cybersecurity team from 5 security professionals to 8, with expertise in maintaining ATOs per NIST risk management framework, including continuous monitoring and corrective action plans
Pioneered the FCC’s FISMA compliance using NIST guidance and methodologies to gain critical IT systems Authorities to Operate (ATO) within six months; accredited/authorized ServiceNow platform
Established and maintained strong partnerships with USAC’s programs, IT organization, FCC, and vendors
Consistently communicated security and risk status to key stakeholders
Collaborated with the enterprise architecture team to integrate security throughout the SDLC, including DevSecOps and Agile frameworks.
Established departmental performance goals and provided feedback for underperforming areas
Monitored and coordinated workflows to optimize resources
CHIEF INFORMATION SECURITY OFFICER (CISO)
Baptist Health
10.2015 - 02.2018
Led central Alabama region cyber security department with accountability for cyber security governance, risk management, strategy, architecture, and cyber operations
Conceptualized, developed, and initiated the hospital’s first cyber security strategy, strategic plan, and enterprise roadmap, and established the first-ever monthly executive-level cyber security and privacy committee
Led security awareness and training initiatives, including social engineering exercises, and developed and led a highly effective security incident response team
Developed the hospital’s information security program, including developing and publishing policies, along with formulating documented processes and procedures
Implemented the hospital's first SOC capability, improving governance from 38% to 90% compliance (HIPAA)
Improved Meaningful Use compliance two-fold
Achieved Cerner Corporation (now Oracle) maturity validation from COBIT CMMI Level 1 to Level 3 in 18 months
Developed and initiated the hospital's first risk-based cybersecurity framework (NIST SP 800-30 / NIST SP 800-37 / NIST SP 800-171), putting people, processes, and technologies into motion to protect data, assets, and patient safety
Using CIS CSC and HITRUST as the baseline, led a team of security analysts in performing in-depth analyses of exploits and malicious activity, and implemented advanced security tools to monitor external and internal environments, using a combination of CarbonBlack, Tenable/Nessus, and LogRhythm
Developed cybersecurity architecture integrated with IT enterprise architecture, reducing unnecessary expenditures and collaborating with developers and testers to ensure security requirements are built early in the software development lifecycle.
Directed security services and safety functions to align key processes with goals and objectives of organization and regulatory compliance
Researched, reviewed and recommended equipment, materials and supplies to prepare and maintain security expenses within approved budget
Established measures, metrics, thresholds and targets to drive performance in alignment with security and other business strategies
Monitored computer virus reports to determine when to update virus protection systems
Encrypted data and erected firewalls to protect confidential information
Skilled at working independently and collaboratively in a team environment
Self-motivated, with a strong sense of personal responsibility
Proven ability to learn quickly and adapt to new situations
Worked well in a team setting, providing support and guidance
Worked effectively in fast-paced environments
Managed time efficiently in order to complete all tasks within deadlines
Demonstrated respect, friendliness and willingness to help wherever needed
Passionate about learning and committed to continual improvement
Proved successful working within tight deadlines and a fast-paced environment
Adaptable and proficient in learning new concepts quickly and efficiently
Cultivated interpersonal skills by building positive relationships with others
SENIOR IT SECURITY ENGINEER
Civil Service, Chief of Information Assurance Division, Certifying Authority, Air Force Life Cycle Management Center (AFLCMC)
10.2007 - 10.2015
Led a team of 15 security professionals to conduct testing, vulnerability analyses, and risk assessments under the NIST Risk Management Framework (RMF) and PCI DSS (Payment Card Industry Data Security Standard)
Developed USAF-level policies and procedures for web security, application security, and cloud security and provided thought leadership for designing, developing, testing, and implementing secure cloud services
As the Certifying Authority (Security Control Assessor), reported directly to Authorizing Officials at Headquarters United States Air Force (Pentagon) and at IT, finance, and logistics agencies; worked accreditation (authorization) packages throughout the NIST SP 800-37 cycle
Developed USAF-level policies and procedures for web, application, and cloud security (AWS, Azure, FedRAMP, etc.)
Critical team lead on the Pentagon’s effort to plan and implement the NIST RMF Air Force-wide
Provided risk-based security assessments to support business/mission decisions for Air Force IT systems, including finance, logistics, personnel, and medical IT systems based on NIST and FedRAMP frameworks, including POA&Ms and risk assessment reports
Provided guidance and direction for designing, developing, testing, and implementing secure cloud services.
Developed, implemented and documented security programs and policies and monitored compliance across departments
Validated and verified system security requirements definitions and analyzed system security designs
Planned and oversaw configuration changes for security infrastructure platforms
SENIOR INFORMATION SECURITY ENGINEER (CONSULTANT)
DSD Labs
01.2007 - 10.2007
Performed, and managed a team conducting, penetration testing, vulnerability scanning, vulnerability analyses, and risk assessments, and recommended mitigation actions to senior/executive leadership
Led a team of security professionals and auditors in assisting the US Department of Agriculture in achieving the first FISMA accreditation for its infrastructure and IT systems
Leveraged industry cyber security framework models (NIST, ISO 2700x Series) to determine risks associated with known vulnerabilities for Railroad Retirement Board's first accreditation; briefed results to client C-suite for more informed risk mitigation decision-making.
MILITARY FACULTY
National Defense University
06.2005 - 07.2007
Taught cyber security courses to senior leadership from federal agencies, including the Department of Defense, Homeland Security, Department of Commerce, and Federal Communications Commission
Instruction included year-round in-resident and distributed learning (DL) courses in information security and in global enterprise networking and telecommunications, averaging 350 contact hours per year; course topics included LAN, WAN, Internet, OT/ICS/SCADA, strategic network security concepts, and federal regulatory compliance requirements, such as FISMA and HIPAA.
SQUADRON COMMANDER AND CHIEF INFORMATION OFFICER (CIO)
28th Bomb Wing, USAF
06.2003 - 06.2005
Responsible for 195 civilian and military personnel to install, secure, operate, and maintain over $100 million in IT, communications, network, and air traffic control and landing systems
Spearheaded $1.4 million requirements via corporate IT investment board to replace end-of-life network devices; reduced average cost by approximately 25%; investment significantly improved network security
Developed innovative program to allocate and maintain over 5,000 organizational desktop computers; saved installation over $250,000; other organizations benchmarked innovative program
Chairperson of executive management steering committee providing a corporate approach for IT requirements and solutions; articulated the critical need to senior leadership to replace the obsolete network backbone; innovative approach replaced the backbone at no cost, saving $570,000 and improving security
Led the development of network documentation standards for Ellsworth Air Force Base; Headquarters Pacific adopted as standard; Air Combat Command (Langley AFB, VA) touted as “Ops Blueprint.”
Architected and planned $3.8M mobile radio operations to integrate Rapid City’s military, civilian, fire, and police; first integration of emergency responders; improved range by 500 percent.
Certified Chief Information Security Officer (CCISO)
Certified Information Security Systems Professional (CISSP)
Certified Information Security Manager (CISM)
Certified in Governance of Enterprise IT (CGEIT)
Certified CMMC Professional (CCP)
Certified CMMC Assessor (CCA)
CMMC Provisional Instructor (CCI)
Affiliations
Educause
Information Systems Security Association (ISSA)
(ISC)2
ISACA
EC-Council
Audio Engineering Society (AES)
Career Experience
SecureStrux, LLC, Virtual (based out of Lancaster, PA)
Vice President, Cybersecurity Advisory Services & Director, GRC
09/2021 - Present
Leads and steers the strategic direction of SecureStrux governance, risk, and compliance & advisory lines of business. Responsible for expanding the overall cybersecurity strategy, consulting, assessments, remediation, engineering, vulnerability management, and managed IT and security service offerings for both public and private sectors. Acts as the change agent for SecureStrux's most strategic clients looking to secure their corporate and critical infrastructure environments. Internally, as the Director of GRC, responsible for the company’s overall cybersecurity program. Managed the company’s IT Service Management (ITSM) capabilities based on ITIL principles. Developed and maintained IT and cybersecurity architecture, leveraging Azure Active Directory (AAD) and associated infrastructure for optimized operational efficiency and enhanced security measures. Developed vCISO and Cybersecurity Advisory Services lines of business; led company’s ISO 27001 certification. Leads practice assessments based on DFARS 252-204-7012 and 7019 for DIB contractors and assessments for GDPR and GLBA for the commercial sector. A technical leader and project manager for OT to assess and remediate critical infrastructure sector (DIB, Energy, Water/Waste Water, Health) compliance requirements. Led effort to become an Authorized CMMC 3rd Assessment Organization (C3PAO) for the Department of Defense (DoD).
Redspin (A Division of Cynergistek, Inc.), Virtual
CMMC Manager
09/2020 - 09/2021
Developed and delivered a comprehensive CMMC program for Redspin. Developed the CMMC strategy and program for Redspin as a C3PAO. Prepared Redspin to become the first Authorized C3PAO in the DoD; passed intensive third-party audit for certification. Incorporated the CMMC Assessment Process into the Redspin assessment processes. Continually worked with marketing to develop and present CMMC news and updates. Provided consulting and gap analyses to assist clients with CMMC certification preparation.
Auburn University, Auburn, AL
DEPUTY CHIEF INFORMATION SECURITY OFFICER
07/2019 - 09/2020
Led and managed a team of eight cybersecurity engineers and analysts. Responsible for the enterprise information security program university-wide to protect university and regulatory data, including FERPA, GLBA, GDPR, FISMA, CMMC, and HIPAA. Revamped the university’s information security policies to improve alignment with state and federal regulatory requirements (state privacy, FERPA, HIPAA, CMMC, GLBA); NIST SP 800-171. Led the effort to institute the university enterprise architecture program into business processes; developed the architecture review board. Designed and implemented the university’s SOC from the ground up, based on US-CERT guidelines; improved incident response and threat-hunting capabilities two-fold. Improved the university’s cybersecurity training and awareness program with a new capability that tracks employee and faculty onboarding and annual cybersecurity training (KnowBe4). Program manager for implementing CMMC for the university’s R1 research program; prepared explicitly for mandated certification of its DoD research contracts. Partnered with Research Security Compliance to coordinate and respond to intelligence reports to protect the university’s intellectual property and supply chain from cyber and local threats. Monitored activity and analyzed logs at various points in layered security to include SIEM (Splunk) activity, boundary protection (Palo Alto IPS/IDS), and endpoint protection (Cisco AMP). Employed Jira Risk Manager to calculate business and technical risks from known vulnerabilities.
Augusta University and Health, Augusta, GA
ASSISTANT VICE PRESIDENT, CYBERSECURITY & CISO (INTERIM)
10/2018 - 06/30/2019
Led a team of cybersecurity engineers and IT architects in providing remediation support for the university and health campus. Responsible for establishing and maintaining a university-wide cybersecurity strategy and leading multiple cybersecurity programs (academic and health sides) to ensure those information assets are adequately protected. Developed a cybersecurity investment strategy and annual budget in collaboration with the Chief Information Officer (CIO). In coordination with the Chief Compliance Officer (CCO) and Chief Privacy Officer (CPO), developed new cybersecurity policies to include incident response and data retention for the academic, research, and health components of the institution. Developed a university-wide cybersecurity awareness and training program. Developed a “road show” to communicate cybersecurity issues as part of the university’s security training and awareness program. Implemented hands-on training and use of multifactor authentication (MFA), secure email, and secure storage for sensitive data (HIPAA, FERPA, PII). Implemented an ongoing social engineering (phishing) campaign for faculty, staff, & students (KnowBe4). Improved ITSM / ITIL capabilities through migration to ServiceNow. Improved the institution’s disaster recovery capabilities through a comprehensive security risk review and associated disaster recovery exercises involving cyber-attacks and simulated ransomware attacks. Conducted internal cybersecurity assessments and audits with the CCO, CIO, and CPO. Provided monthly cybersecurity updates to the C-suite.
Universal Service Administrative Company, Washington, DC
DIRECTOR, INFORMATION SECURITY
02/2018 - 09/2018
Provided leadership, direction, and management oversight to a team of information security professionals supporting the information confidentiality, integrity, and availability activities of USAC (a subsidiary of the Federal Communications Commission (FCC)). Led a group of security engineers and administrators in providing 24x7 security operations support by utilizing state-of-the-art cybersecurity SIEM and tracking tools. Managed a $6 million annual cybersecurity program operating budget consisting of GRC, security SDLC, professional development, training, and security operations center activities. Ensured business and IT alignment through collaboration with enterprise risk and compliance functions. Developed and implemented a cybersecurity roadmap and successfully oversaw risk management framework (Jira Risk Manager), managing review cycles to ensure all security operations functions were documented. Grew cybersecurity team from 5 security professionals to 8, with expertise in maintaining ATOs per NIST risk management framework, including continuous monitoring and corrective action plans. Pioneered the FCC’s FISMA compliance using NIST guidance and methodologies to gain critical IT systems Authorities to Operate (ATO) within six months; accredited/authorized ServiceNow platform. Established and maintained strong partnerships with USAC’s programs, IT organization, FCC, and vendors. Consistently communicated security and risk status to key stakeholders. Collaborated with the enterprise architecture team to integrate security throughout the SDLC, including DevSecOps and Agile frameworks.
Baptist Health, Montgomery, AL
CHIEF INFORMATION SECURITY OFFICER (CISO)
10/2015 - 02/2018
Led central Alabama region cyber security department with accountability for cyber security governance, risk management, strategy, architecture, and cyber operations. Conceptualized, developed, and initiated the hospital’s first cyber security strategy, strategic plan, and enterprise roadmap, and established the first-ever monthly executive-level cyber security and privacy committee. Led security awareness and training initiatives, including social engineering exercises, and developed and led a highly effective security incident response team. Developed the hospital’s information security program, including developing and publishing policies, along with formulating documented processes and procedures. Implemented the hospital's first SOC capability, improving governance from 38% to 90% compliance (HIPAA). Improved Meaningful Use compliance two-fold. Achieved Cerner Corporation (now Oracle) maturity validation from COBIT CMMI Level 1 to Level 3 in 18 months. Developed and initiated the hospital's first risk-based cybersecurity framework (NIST SP 800-30 / NIST SP 800-37 / NIST SP 800-171), putting people, processes, and technologies into motion to protect data, assets, and patient safety. Using CIS CSC and HITRUST as the baseline, led a team of security analysts in performing in-depth analyses of exploits and malicious activity, and implemented advanced security tools to monitor external and internal environments, using a combination of CarbonBlack, Tenable/Nessus, and LogRhythm. Developed cybersecurity architecture integrated with IT enterprise architecture, reducing unnecessary expenditures and collaborating with developers and testers to ensure security requirements are built early in the software development lifecycle.
Civil Service, Chief of Information Assurance Division, Certifying Authority, Air Force Life Cycle Management Center (AFLCMC), Montgomery, AL
SENIOR IT SECURITY ENGINEER
10/2007 - 10/2015
Led a team of 15 security professionals to conduct testing, vulnerability analyses, and risk assessments under the NIST Risk Management Framework (RMF) and PCI DSS (Payment Card Industry Data Security Standard). Developed USAF-level policies and procedures for web security, application security, and cloud security and provided thought leadership for designing, developing, testing, and implementing secure cloud services. As the Certifying Authority (Security Control Assessor), reported directly to Authorizing Officials at Headquarters United States Air Force (Pentagon) and at IT, finance, and logistics agencies; worked accreditation (authorization) packages throughout the NIST SP 800-37 cycle. Developed USAF-level policies and procedures for web, application, and cloud security (AWS, Azure, FedRAMP, etc.). Critical team lead on the Pentagon’s effort to plan and implement the NIST RMF Air Force-wide. Provided risk-based security assessments to support business/mission decisions for Air Force IT systems, including finance, logistics, personnel, and medical IT systems based on NIST and FedRAMP frameworks, including POA&Ms and risk assessment reports. Provided guidance and direction for designing, developing, testing, and implementing secure cloud services.
DSD Labs, Montgomery, AL
SENIOR INFORMATION SECURITY ENGINEER (CONSULTANT)
01/2007 - 10/2007
Performed, and managed a team conducting, penetration testing, vulnerability scanning, vulnerability analyses, and risk assessments, and recommended mitigation actions to senior/executive leadership. Led a team of security professionals and auditors in assisting the US Department of Agriculture in achieving the first FISMA accreditation for its infrastructure and IT systems. Leveraged industry cyber security framework models (NIST, ISO 2700x Series) to determine risks associated with known vulnerabilities for Railroad Retirement Board's first accreditation; briefed results to client C-suite for more informed risk mitigation decision-making.
National Defense University, Washington, DC
MILITARY FACULTY
06/2005 - 07/2007
Taught cyber security courses to senior leadership from federal agencies, including the Department of Defense, Homeland Security, Department of Commerce, and Federal Communications Commission. Instruction included year-round in-resident and distributed learning (DL) courses in information security and in global enterprise networking and telecommunications, averaging 350 contact hours per year; course topics included LAN, WAN, Internet, OT/ICS/SCADA, strategic network security concepts, and federal regulatory compliance requirements, such as FISMA and HIPAA.
28th Bomb Wing, USAF, Ellsworth AFB, SD
SQUADRON COMMANDER AND CHIEF INFORMATION OFFICER (CIO)
06/2003 - 06/2005
Responsible for 195 civilian and military personnel to install, secure, operate, and maintain over $100 million in IT, communications, network, and air traffic control and landing systems. Spearheaded $1.4 million requirements via corporate IT investment board to replace end-of-life network devices; reduced average cost by approximately 25%; investment significantly improved network security. Developed innovative program to allocate and maintain over 5,000 organizational desktop computers; saved installation over $250,000; other organizations benchmarked innovative program. Chairperson of executive management steering committee providing a corporate approach for IT requirements and solutions; articulated the critical need to senior leadership to replace the obsolete network backbone; innovative approach replaced the backbone at no cost, saving $570,000 and improving security. Led the development of network documentation standards for Ellsworth Air Force Base; Headquarters Pacific adopted as standard; Air Combat Command (Langley AFB, VA) touted as “Ops Blueprint.” Architected and planned $3.8M mobile radio operations to integrate Rapid City’s military, civilian, fire, and police; first integration of emergency responders; improved range by 500 percent.
Publications
Differences between cybersecurity education, certification, & training, University of Phoenix, April 2021
We are the front lines – protecting yourself protects the organization, ISSA Journal, April 2019
Effectively Measuring & Communicating PenTest Results, PenTest Magazine, January 2017
Developing an Insider Threat Risk Mitigation Strategy, ISSA Journal, December 2008
Digital convergence and information security policy, Handbook of Research on Public Information Technology, January 2008
C4ISR: premier catalyst triggering a transformed network-centric warfighting force, Information Insights, 2006