Krag Brotby CISM CGEIT has thirty years’ experience in enterprise computer security architecture, governance, risk and metrics, including senior positions at Xerox, SWIFT, RAND Corporation and TransactPlus. As a consultant, he has developed policies and standards for the Australian Post Office and several US banks. As a SANS GSLC and CISM trainer, Krag has developed courses in governance, metrics, GRC and risk, and has trained thousands on five continents during the past decade.
Krag has been extensively involved in current and emerging security architectures, IT and information security metrics and governance. He holds a foundation patent for digital rights management and has published a variety of technical and IT security related articles and books. Krag is the principal author and editor of ISACA’s CISM Review Manual, and researcher and author of the widely circulated Information Security Governance: Guidance for Boards of Directors and Executive Management, and Information Security Governance: Guidance for Information Security Managers. Krag’s previous metrics book, Information Security Management Metrics, was published in 2009, and Information Security Governance: A Practical Development and Implementation Approach was published in the same year.
Krag has served on ISACA’s Security Practice Development and Test Enhancement Committees, plus the committee developing BMIS. He received the 2009 ISACA John W. Lainhart IV Common Body of Knowledge Award. He is a member of the California High Tech Task Force Steering Committee, an advisory board for law enforcement. He is a frequent workshop presenter and speaker at conferences globally and lectures on information security governance, metrics, information security management, GRC and CISM.
Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors: the human, as opposed to the purely technical, aspects of information security, governance, compliance and risk management.
Back in the 1980s, Gary was a bacterial geneticist following in the steps of Darwin, Mendel, Pasteur and other legendary biologists (though definitely not in their league!). At the Universities of York and Leicester, he began using, programming and supporting the scientific use of computers. In academia at the time, IT security was the least of our worries - we were absorbed by the challenges of finding ways to share scientific information. The Morris Worm was a wake-up call.
From there, Gary moved into IT systems and network administration supporting R&D scientists for a pharmaceuticals company, and thence into information security management and IT auditing. He worked and consulted for multinationals in various sectors in the UK and Europe before emigrating to New Zealand in 2005.
Gary now runs NoticeBored, an innovative information security awareness service. He spends his days researching and writing creative security awareness materials for subscribers covering a different information security topic each month. By the way, one of the regular monthly awareness deliverables from NoticeBored is a management-level awareness briefing proposing and discussing potential metrics associated with the month’s information security topic.
Gary has been a passionate fan of the ISO/IEC 27000-series (ISO27k) information security management standards, starting with the DTI Code of Practice that pre-dated BS 7799 in the early 1990s. He remains involved with the ongoing evolution of ISO27k through SC27, the ISO/IEC committee behind the standards, and runs www.ISO27001security.com. Browse the site to keep up with ISO27k developments and join the ISO27k Forum to swap notes with thousands of information security pros busy putting theory into practice every day.
Gary is a member of the editorial board for EDPACS, a long-running journal for IT audit and information security professionals. He contributes to blogs, journals, email reflectors, conferences, websites and books whenever inspiration coincides with the opportunity to write his passing thoughts down before they evaporate forever in the mists of time.