Quorum Cyber’s Chief Information Security Officer (CISO), John Bruce, discusses balancing compliance with Quorum Cyber’s relentless drive to innovate to protect as many customers as possible from cyber-attacks. He talks about data governance strategies, and overcoming the challenges of adhering to new regulations. John also shares his advice for Chief Information Officers (CIOs) and IT teams who are beginning to build a global privacy compliance roadmap.
Q: Organisations need to innovate and be operationally agile, while complying with the law in the various countries they do business in. Quorum Cyber is present in the UK, the US, Canada and the Middle East, so how do you balance innovation with compliance?
John: The tension between compliance and innovation is real, but I have developed and adopted several approaches that help:
- Privacy champions embedded within product teams who understand both compliance requirements and business objectives
- Compliance-as-code initiatives that automate routine privacy controls, freeing resources for innovation and continually shifting our privacy- and security-by-design methodology left
- Risk-based prioritisation framework that focuses intensive controls on high-risk data while enabling greater flexibility with less sensitive information
- Data minimisation strategies that reduce compliance burden by limiting unnecessary data collection.
When faced with conflicting regulations, I apply the concept of ‘progressive enhancement’ from software development – start with a baseline that works everywhere, then add jurisdiction-specific features as needed, rather than building multiple siloed systems.
Q: Privacy laws change quickly and can be different in different regions. How are you adapting your data governance strategies to keep up to date with them?
John: As a CISO managing global operations, I have found that adaptive data governance is no longer optional – it’s essential. We’ve moved from static annual policy reviews to a dynamic approach built on, and embedding, these key components:
- Modular privacy framework that separates core principles (which rarely change) from implementation details (which frequently change)
- Regional/local privacy partnerships empowered to make local decisions while maintaining alignment with global standards
- Privacy-by-design templates built into our development lifecycle that incorporate the strictest requirements across jurisdictions
- Automated compliance scanning with tools that flag potential issues before data processing begins.
The days of ‘one policy fits all’ are long gone. Instead, I am developing a baseline global standard that incorporates the most stringent requirements across regions, then applying jurisdiction-specific modifications where necessary.
Q: How do you ensure Quorum Cyber stays ahead of new regulations instead of responding when they come in force?
John: To avoid scrambling when new regulations appear, I have implemented various processes and policies, including some of the following approaches:
- Regulatory intelligence programme with dedicated resources tracking proposed legislation in key markets including horizon scanning
- Relationship building with industry associations and regulatory bodies to gain early insights
- Scenario planning exercises where we simulate potential regulatory changes and test response capabilities
- Privacy impact assessments that anticipate future requirements, not just current ones.
Perhaps most importantly, we’ve shifted our mindset from viewing compliance as a checkbox exercise to seeing it as a competitive advantage. By building systems that can adapt quickly to new requirements, we can enter new markets faster than competitors who treat each regulatory change as a one-off project.
Q: Does cross-functional collaboration play a role in your privacy strategy? If so, how has that evolved over the last few years?
John: Cross-functional collaboration has become the cornerstone of effective privacy governance. Five years ago, privacy was primarily a legal concern with IT implementation. Today, our approach includes:
- Privacy governance framework committees with representatives from legal, IT, product, marketing, and customer service
- Regular tabletop exercises that bring teams together to solve complex privacy scenarios
- Shared key performance indicators (KPIs) that align privacy goals across departments
- Privacy Champion & Business Partnering programmes where team members from various functions receive specialised training.
The most significant evolution has been the shift from legal driving requirements to a collaborative model where product teams help shape privacy solutions that protect data while enabling business objectives.
Q: What advice would you give to CIOs and IT teams who are thinking about building a global privacy compliance roadmap?
John: For CIOs and IT teams building a global privacy compliance roadmap, I would recommend:
- Start with asset management and data discovery - you can’t protect what you don’t know you have
- Build for flexibility - design systems that can adapt to changing requirements without complete rebuilds
- Invest in automation - manual compliance processes don’t scale globally
- Focus on principles over point solutions – solve for the underlying privacy concerns rather than specific regulatory text
- Leverage privacy-enhancing technologies – encryption, tokenisation, and anonymisation can reduce risk and compliance burden.
Remember that privacy compliance is ultimately about trust. Technical solutions matter, but equally important is building a culture where everyone understands their role in protecting personal data. The most successful programmes I’ve seen treat privacy as a business enabler rather than a regulatory burden.
More insights from seasoned CISO John Bruce
You can read more of John Bruce’s expert advice in his new blogs: Alleviating the Pressure: Supporting CISOs to Reduce Stress and Avoid Burn-out, and A CISO’s Guide to Securing Cyber Security Budget: Speaking the Board’s Language. You might also be interested in our whitepaper: Transforming Security Spending: A Forward-Looking Guide for CISOs.