Krag Brotby has more than twenty five years of experience the area of enterprise computer security architecture, governance, risk and metrics and is certified as a CISM and CGEIT. Experience includes intensive involvement in current and emerging security architectures and is a principle in the SABSA Institute. He holds a foundation patent for digital rights management and has published a variety of technical and IT security related articles and books. Brotby has served as principal author and editor of the ISACA Certified Information Security Manager Review Manual since 2005, and the researcher and author of the widely circulatedInformation Security Governance, A Guide for Directors and Executive Management, 2nd ed., and the Information Security Governance : Guidance for Information Security Managers as well as a new approach to Information Security management metrics to be published in ‘09. He is the author of Information Security Management Metrics; Auerbach ’09 and Information Security Governance; a practical development and implementation approach; Wiley ‘09Brotby has served on the ISACA Security Practice Development Committee, appointed to the Test Enhancement Committee and in 2008 responsible for exam question development, and to a new committee developing a systems approach to information security called the Business Model for Information Security. He is a member of the California High Tech Task Force Steering Committee, an advisory board for law enforcement. Brotby is a frequent workshop presenter and speaker at conferences globally and lectures on information security governance, metrics, information security management and CISM preparation throughout Oceana, Asia, Europe, the Middle East and North America.
As a practitioner in the security industry for over two decades, Brotby was the principal Xerox BASIA enterprise security architect and managed the proof of concept project, pilot and global PKI implementation plan. He was a principal architect of the SWIFT Next Gen PKI security architecture; served as Technical Director at RAND Corporation for the cyber assurance initiative; and as Chief Security Strategist and PKI architect for TransactPlus, a JP Morgan spinoff.
Recent consulting engagements include security governance projects for Australia Post, New Zealand Inland Revenue, and Singapore Infocom Development Agency. Clients have included Microsoft, Unisys, AT&T, BP Alyeska, Countrywide Financial, Informix, VISA, Verisign, Digital Signature Trust, ZANTAZ, Bank Al Bilad, JP Morgan Chase, Key Bank, Certicom, Digital Signature Trust, and Paycom among others. He has served on the board of advisors for Signet Assurance and has been involved in significant trade secret theft cases in the Silicon Valley and in fraud investigation and funds tracking and recovery for several clients.