Top of Page

Board Elections

You Control the Future

(ISC)² Board ElectionsThe (ISC)² Board Election will be conducted over the course of two weeks beginning on September 12, 2019 and ending on September 26, 2019 this year. All members in good standing as of the date specified in the election notice are eligible to vote in the election.

The Board puts forth several recommended candidates each year, and members in good standing as of the date specified may petition to have their names added to the ballot.

About Board Elections

  • 2019 Board Candidates 2019 Board Candidates
    Aloysius Cheang, CISSP (Singapore)

    Aloysius Cheang, CISSP (Singapore)
    Aloysius Cheang is a senior corporate executive with extensive experience running global businesses.  In his line of work, he had managed large multi-cultural, multi-disciplinary team spread across 5 continents and 4 major time zones. Time after time, Aloysius has successfully orchestrated a multi-cultural and multi-disciplinary team globally while fulfilling business requirements in a highly heterogeneous and demanding environment, many a time building up the business from scratch.

    Aloysius is Board Director and EVP Asia Pacific for globally respected not-for-profit UK based cyber leadership think tank, the Centre for Strategic Cyberspace + International Studies (CSCIS).  He is also a Director with AC3Labs where he provides his expertise advising companies in emerging technology projects, framework agreements and investment and a Co-Founder of IoT security startups, iSyncGroup Technology Inc and Doqubiz Technology Inc. Aloysius was most recently Co-Founder, EVP and Managing Director for the Cloud Security Alliance Asia Pacific (CSA) and doubled up as the Chief Standards Officer. Prior to CSA, Aloysius held senior regional leadership roles with Vodafone Global Enterprise and PricewaterhouseCoopers, having started his career with DSO National Laboratories.

    As a globally recognised cybersecurity expert and influencer, Aloysius's professional opinions and viewpoints are highly valued by major media globally such as the BBC, Times, Wall Street Journal, ZDNet, CIO-Asia, IDC, BankInfoSecurity, Xinhua News, Phoenix News, CCTV, The Hindu, The Times of India, The Daily Star, China Times, Digitimes, UDN, Economics Daily News, SCMP, The Nation, Bangkok Post, Zaobao, Today, The Straits Times and ChannelNewsAsia.

    Experience in Business Strategy
    Centre for Strategic Cyberspace + International Studies (current)

    • Responsible for building up an Asia-Pacific portfolio
    • Responsible for international expansion and thus rebranding exercise to reflect this new strategic goal
    • Responsible for setting goals to build up portfolio of expertise in emerging technologies such as IoT

    iSyncGroup (current)

    • Develop high-quality business strategies and plans ensuring their alignment with short-term and long-term objectives
    • Build trust with key partners and stakeholders and act as a point of contact for important shareholders especially with the Board and investors
    • Lead and motivate subordinates to advance employee engagement develop a high performing managerial team
    • Oversee all operations and business activities to ensure they produce the desired results and are consistent with the overall strategy and mission
    • Enforce adherence to legal guidelines and in-house policies to maintain the company’s legality and business ethics
    • Review financial and non-financial reports to devise solutions or improvements
    • Source for suitable financial funding that will be synergistic and critical for the further development of the company’s business in line with the company’s strategy

    Cloud Security Alliance (previous)

    • I was Co-Founder, EVP and Managing Director for CSA Asia-Pacific, and the Alliance's Chief Standards Officer. I was instrumental in the expansion of the CSA in APAC, establishing presence in 16 countries with 32 chapters
    • Local adoption of CSA's standards as their regulatory requirement, such as in countries Singapore, Malaysia, Thailand, Hong Kong, Taiwan, Japan and China
    • Hosted an ISO/IEC JTC 1 SC 27 International meeting in 2017 and have led the CSA to own the convenorship for ISO/IEC JTC 1 SC 27/WG 4 with the CSA contributing and co editing more than 5 ISO standards. Also established back to back A.4, A.5 relationship between the CSA and ITU- T
    • Developed and established CCSP with (ISC)². Internal champion that whipped the relationship and the collaboration between CSA and (ISC)² to bear fruit

    Vodafone Enterprise (previous)

    • Global Head of Security, in charge of the business unit and the BU's top- line of £100 million
    • Responsible for establishing 3 SOC across the globe, with a total head count of around 500. The strategy at that point in time was playing the OPEX vs CAPEX game, pushing costs down by 10 20%, with total outsource/managed services on top of traditional MPLS play
    • As a result, owned a few global total outsourced accounts and double up as their global CISO reporting to the Boards of these clients
    • Opened a couple of new markets
    • Grew revenue by 150% year-on-year

    PwC (previous)

    • I helped to reestablished PwC as a player in IT security within the Singapore market as their Practice Leader
    • Started by cornering the local government outsource and consulting program
    • Then started global managed security services program, capturing a global 10 target account in a 2-year deal as a result
    • Grew team size by 300% year-on-year and revenue by 130% year-on-year

    Professional Education
    I graduated with a B.Sc (Honors) in Computer Science and M.Comp from National University of Singapore. The following are professional certifications and technical courses I have attended:

    • Microsoft Most Valuable Professional – Consumer Security by Microsoft
    • Certified Information Systems Security Professional – (ISC)²
    • Certified Information Systems Auditor – ISACA
    • GIAC
    • Certified Advanced Incident Handling Analyst – SANS Institute
    • EnCase Intermediate Computer Forensic Training – Guidance
    • Software Linux Certified Professional – GNU SAIRS IDA
    • Pro Disassembler Training – Data Rescue Application Engine
    • Development and OS Internals Trainings Device Driver Training – Symbian
    • Device Driver Training by Redhat

    Industry Board Experience
    I have contributed to the community and built up the recognition and achieved the targets as a result of the strategies of these organisations during my tenure with them:

    • Board Director and EVP for Asia Pacific, Centre for Strategic Cyberspace + International Studies (formerly known as Centre for Strategic Cyberspace + Security Science), UK
    • Honorary Chairman, Taiwan Cyber Security Alliance, Republic of China
    • Member of School of Infocomm Advisory Committee, Republic Polytechnic, Singapore
    • Member of Industrial Advisory Board, National Cyber Safety and Security Standards, India
    • Member of National Cloud Computing Advisory Council, Singapore
    • Member of Industry Advisory Committee, Faculty of Information and Communication Technology, Mahidol University, Thailand
    • Member of Industry Advisory Committee, Singapore Institute of Technology, Singapore
    • Member of Industry Advisory Board, Cybersecurity Lab, University of Waikato, New Zealand
    • Member of Industry Advisory Committee, College of Electrical Engineering and Computer Science, National Taiwan University of Science and Technology, Republic of China
    • (Former) Board Director and Asia-Pacific Advisor, Cloud Security Alliance
    • (Former) Singapore National Body Head and representative, ISO/IEC JTC 1 SC 27 and contributor to ISO standards ISO/IEC 27001/2, ISO/IEC 13335 and ISO/IEC 24762
    • (Former) Member, Security and Privacy Technical Standards Technical Committee under IT Standards Committee, Singapore
    • (Former) Co- Editor, ISO/IEC 27032 – “Guidelines for Cybersecurity”
    • (Former) Protem President and Co-Founder, Association of Information Security Professionals and its predecessor, Special Interest Group in Security and Information Integrity, Singapore

    Skills and Expertise
    I will bring to the table the following:

    • Expertise in starting and managing community of practice:
      • I have been deeply involved in starting community of practice for the past 18 years, for example SIG^2 (AISP) in Singapore, ISO/IEC JTC 1 SC 27, ITU T SG 13 and SG 17 and CSA globally. I have nurtured, within these groups, further specialization such as research and development, and networking. Hence, I think I can be most useful in
        • Cultivating new research working groups working on solving technical questions to incubating standardization
        • Building up think tank capability
        • Spheres of networking via chapters and other social activities
    • Ability to connect and provide that mindshare to senior decision makers in both governments and corporations worldwide:
      • As a senior executive for my day jobs, I have been a trusted advisor to governments and companies worldwide for the past 12 years.
    • Connect to the professional information security community:
      • As a community leader and a practitioner, I can definitely connect well with the information security communities worldwide, and command a high level of trust and respect because I am one of them and I have went through the entire career ladder ground up and thus can relate to their nuances and concerns

    Your Goals and Objectives
    I enjoyed contributing to the information security community and have been doing that for years. So an opportunity with (ISC)² board will offer me a platform to do much more. I would like to see that more quality content to be delivered to our members. I would like to provide more opportunities for not just networking, but quality networking. I would like to be able to articulate not only the issues and problems that information security will bring to the society amplifying that fear and inhibition to embrace security by design, but what it is necessary to build up this capability and be the voice for our members providing a two-way communications are created for members to come together and demystify information security amidst business and social concerns, providing a clear, consistent and transparent message that will reduce the push back that people have with regard to information security today. Specifically, the constituents in Asia-Pacific has been largely under-represented in (ISC)² even though it is an international organization. As such, I hope to achieve my goals and objectives with additional effort and special attention in bringing this region into (ISC)², with deeper engagement and buy-in.

    (ISC)² Strategic Contribution
    Strategically I say that we need to do the following better:

    • Delivery of quality content to members:
      • This does not mean (ISC)²-generated content or any other paid content, but content that is created within the (ISC)² community, by the community for the community. For example, research working group, focus group discussion, CXO roundtable and think tank establishment, standards and labs
    • Development of quality networking opportunities:
      • Leveraging on the delivery of quality content, one can also provide quality networking opportunities, that is well-matched to the interest and demand of the targeted group
    • Assisting members to translate knowledge from paper to practice:
      • What I like to point out is that research working groups/projects and standardization that codify the knowledge are things that we need to do better as elaborated earlier, but how these codified knowledge can be translated into practical implementation, POC in progress, how to adopt them in real life in our companies. This would be key
    • Providing a clear and well-defined career roadmap that is adopted by governments and corporations worldwide:
      • We like not to see CISSP and other (ISC)² certifications appearing in job descriptions and tender documents, but in internal HR process as well, that will feature prominently as a requirement in their career progression and for continuous education
    • Engaging more deeply the grossly underrepresented region of Asia-Pacific, to be the voice for Asia-Pacific, and to be the voice for (ISC)² in Asia-Pacific

    Regional and Cultural Perspective
    Coming from Singapore and being a regional leader in APAC for the last 7 years with the CSA, I think I will bring a strong regional focus in APAC where I can galvanize this region into action as a leader, especially with the ascension of Asia with the development of emerging markets such as China, India and ASEAN. In particularly for ASEAN there is a great divide, and I see education and professional training as the key to bridge the gap.

    Professional Recognition
    For a list of my accolades, public speaking and media interviews activities, please refer to

    Volunteer Experience

    • Board Director and EVP for Asia Pacific Centre for Strategic Cyberspace + International Studies, UK
    • Honorary Chairman, Taiwan Cyber Security Alliance, Republic of China
    • Member of School of Infocomm Advisory Committee, Republic Polytechnic, Singapore
    • Member of Industrial Advisory Board, National Cyber Safety and Security Standards, India
    • Member of National Cloud Computing Advisory Council, Singapore
    • Member of, Industry Advisory Committee, Faculty of Information and Communication Technology, Mahidol University, Thailand
    • Member of Industry Advisory Committee, Singapore Institute of Technology, Singapore
    • Member of Industry Advisory Board, Cybersecurity Lab, University of Waikato, New Zealand
    • Member of Industry Advisory Committee, College of Electrical Engineering and Computer Science, National Taiwan University of Science and Technology, Republic of China
    • (Former) Board Director and Asia Pacific Advisor, Cloud Security Alliance
    • (Former) Singapore National Body Head and representative, ISO/IEC JTC 1 SC 27 and contributor to ISO standards ISO/IEC 27001/2, ISO/IEC 13335 and ISO/IEC 24762
    • (Former) Member, Security and Privacy Technical Standards Technical Committee under IT Standards Committee, Singapore
    • (Former) Co- Editor, ISO/IEC 27032 – “Guidelines for Cybersecurity”
    • (Former) Protem President and Co-Founder, Association of Information Security Professionals (“AISP”) and its predecessor, Special Interest Group in Security and Information Integrity (“SIG^2”), Singapore
    • (Former) Volunteer, National Volunteer & Philanthropy Centre

    Arthur R. Friedman

    Arthur R. Friedman, Treasurer, CISSP (USA)
    Arthur Friedman has 40 years of diversified technical, national policy, management and teaching experience in the cybersecurity field. He currently supports the Committee on National Security Systems and the National Security Council as a senior Cybersecurity Strategist. He has held various technical and management positions at the National Security Agency supporting the computer network defense mission.

    Arthur also worked in the private sector for The MITRE Corporation and Booz Allen and Hamilton as a systems security engineer. Additionally, he is a Certified Information Systems Security Professional (CISSP) and currently services on the (ISC)² Board of Directors as the Treasurer, and previously served on both the (ISC)² Government Advisory Council and a judge for the Information Security Leadership Awards® - U.S. Government for 13 years.

    Arthur is an adjunct faculty member teaching Network Security and Cybersecurity classes for Towson University. He has an undergraduate degree in Mathematics from Hofstra University and graduate degrees in Business Administration from Boston University and National Security Policy from the United States Army War College.

    He retired from the U.S. Army Reserves as a Colonel with his last assignment with the United States Strategic Command responsible for planning and executing non-kinetic/cyber operations at the strategic level.

    Arthur lives in Maryland and spends his free time sailing on the Chesapeake Bay with his wife.

    Experience in Business Strategy
    I started my career as a U.S. Army Signal Corps officer in 1979 working at the tactical level in Germany and finishing my military career in the Reserves in 2009 as a Colonel assigned to the United States Strategic Command responsible for planning and executing cyber operations at the strategic level.

    After completing the U.S. Army War College in 2005, my assignments at the National Security Agency (NSA) have focused primarily on strategic planning at the highest levels of government. These projects include advising the Cybersecurity Advisor to the U.S. President at the National Security Council, supporting Department of Defense (DoD) leadership to secure its IT infrastructure based on a cyber kill chain threat model and policies regarding Identity Management, to developing policies for National Security Systems and best security practices for the National Institute for Standards and Technology (NIST).

    I was instrumental in developing and influencing national-level Identity Management policy and guidelines, to include Federal Information Security Management Act (FISMA). I was also responsible for leading Departments and Agencies implement Attribute Based Access Control (ABAC) capabilities, while promoting IT efficiencies across the U.S. government, and improving the effectiveness for information sharing. My efforts supported the National Strategy for Trusted Identities in Cyberspace and the Federal Identity, Credential, and Access Management initiatives. I provided leadership and guidance for the development of NIST Special Publication 800-162, Guide to ABAC Definition and Considerations, which represented over two years of policy development. The acknowledgement section references my vision for this endeavor. See:

    Professional Education

    • Hofstra University, B.A. Mathematics, 1979
    • Boston University, Master of Science, Business Administration, 1983
    • U. S. Army War College, Master of Science in Strategic Studies, 2005
    • Certified Information Systems Security Professional (CISSP), 1993
    • Military Schools:
      • U.S. Army War College, Carlisle Barracks, Pennsylvania, 2005
      • U.S. Army Command and General Staff College, Fort Leavenworth, Kansas, 1994
      • U.S. Army War College, National Security Seminar, 1992
      • U.S. Army Combined Arms Service Staff School, Fort Leavenworth, Kansas, 1986
    • 22 years of teaching experience as an adjunct faculty at the graduate level for George Washington University, Johns Hopkins University, and Towson University, 1995 to present. This includes teaching several topics addressing the fundamentals of IT security, network security, risk analysis, cryptography, and current legal, policy, and ethical issues addressing cybersecurity
    • Completed the Mid-Level Leadership Program at NSA in 2013

    Industry Board Experience
    I currently serve on the (ISC)² Board as the Treasurer and chair of the Audit Committee, as well as a member of the Strategy Committee. One of the major outcomes is the development of a Cyber Risk Statement for use by its board members to help the corporation manage risk and protect corporate and member information. I previously chaired the Awards Committee and due to my leadership, there are currently board members on this committee representing all regions which will give its members the opportunity to be recognized for their achievements. Another goal of the strategy committee is growing membership in the LATAM and APAC regions.

    As a representative to the (ISC)² Government Advisory Council (formerly the Government Advisory Board), I have served from 2003 through 2016 to help promote cyber education and training for Federal employees. There have been several initiatives throughout the years; these include helping to obtain input for the Workforce Recommendations for New Federal CISOs, support preparing letters to members of Congress requesting that new cyber legislation be introduced and preparing letters to Federal CIO/CISOs to change policies for training. Many of these efforts resulted in new policies requiring professional certification of DoD and Federal employees, such as DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management.

    Additionally, I served on the (ISC)² Product Development Committee for approximately two years providing technical advice for the development of new credentials. One of the credentials I helped support was the development of the Certified Secure Software Lifecycle Professional (CSSLP) credential. During my tenure as the NSA Information Assurance Directorate's Senior Strategist for Identity Management I formed an internal Identity and Access Management (IdAM) Community of Interest to improve coordination among NSA organizations to raise awareness and ensure essential enterprise authentication and authorization services were incorporated into new capabilities provided to our customers.

    Additionally, I helped project leads gain access to high visibility DoD, Intelligence Community (IC), and Interagency efforts to promote IdAM and digital identity strategies. I was recognized as the Agency’s technical and policy leader for IdAM and was requested to provide recommendations for the development of DoD and other national IdAM strategies. I also served as one of the DoD representatives to the Transglobal Secure Collaboration Program (TSCP) leadership team, comprised of a group of international defense aerospace companies. I leveraged my policy efforts within the Federal government to help TSCP members embrace policy changes that would help these companies securely share proprietary information within the aerospace community.

    Skills and Expertise
    I'm interested in sharing my experience protecting government and commercial systems to protect our critical infrastructure. I would like to promote the development of new credentials to help protect U.S. and international critical infrastructure sectors. I want to influence the development of new credentials that address Cyber Risk to help CIOs/CISOs, CEOs, COOs, and CFOs managing risk. Another goal is helping corporate leader have a better understanding of the Cyber Kill Chain to evaluate risk to make cost effective and efficient investment decisions to protect their IT infrastructures.

    Your Goals and Objectives
    I would like to continue serving on the board to advance our profession in the Cybersecurity field and ensure our members have educational opportunities to help them advance in their careers.

    I served on the (ISC)² GAB/GAC for the past 13 years and would like to continue sharing my knowledge and experiences that would have a greater strategic impact to the its membership and beyond. Helping to promote cybersecurity awareness, training, and promoting a more cyber secure world has been personally satisfying as an IT security professional. As a retired military officer and a member of the U.S. government I would like the opportunity to continue helping create a safer cyberspace for governments,
    businesses and citizens in a global space. Areas of interest include Predicative Analysis, Identity Management and Privacy, Innovation, and Cyber Risk. I would like to leverage my experiences outside the Federal government to promote the goals of (ISC)², such as charitable and social initiatives.

    (ISC)² Strategic Contribution
    Continue to recognize our international members for their contributions, as well as focus on international strategic goals and common security standards. This would help improve training and education to protect our critical infrastructure from cyber-attacks and raise the bar for cyber professionals. Additionally, to help advance the professionalism of the cybersecurity workforce. I believe a priority for the (ISC)² Board of Directors should continue to focus on the fundamentals of training and education, such as the deployment of the Professional Development Institute (PDI).

    Regional and Cultural Perspective
    Listed below are examples enabling me to continue serving on the (ISC)² Board of Directors benefiting the international community:

    During the past 2 ½ years I've had the opportunity to work with several board members from different countries participating with various committees serving (ISC)² members to improve services and promote cyber awareness and education. This experience has helped me have a better appreciation of the challenges for our membership, to include earning CPEs, and ensuring our strategic goals
    are focused on international issues.

    I served in the military stationed in Germany and Italy for four years. During this time, I experienced working with the military from these two countries and had the opportunity to travel extensively in Europe. Additionally, while living in Italy, I traveled throughout Turkey and Greece working with military units from those countries. This gave me the opportunity to work with the military from these two nations and experience unique social settings as part of my military responsibilities.
    In support of an information sharing project I worked with the Australian military for a two-year period as a key contributor responsible for supporting humanitarian exercises in the Pacific region. The capability was put to the test during a humanitarian effort in support of Operation East Timor in 1999.

    During a five-year period while assigned to the Theater Signal Command for the United States Forces in Korea, I supported a number of military exercises working with the South Korean military. This gave me an opportunity to work with and learn about the Asian culture, as well as traveling throughout the country.

    While attending the Army War College I sponsored an Army Colonel from Ghana. During this 11-month school I learned a great deal about this African country and the challenges facing its military, their political system, and economy. A visit to their consulate in New York City was very enlightening. I also interacted with senior military officers from Japan, Spain, Italy, Germany and the U.K. in both social settings and a classroom environment. Learning about their customs firsthand was a great experience. I didn’t know that there was a proper way to exchange business cards with my colleague from Japan. I also spent 3 months studying Southeast Asia while attending this school.

    Earlier in my career I taught a three-week course on cryptography to the Egyptian military. I learned a great deal about their customs and religion. At the conclusion of the training my students honored me with an authentic Egyptian meal.

    Throughout my career I have traveled to several countries in an official capacity and on vacation, these include Australia, Austria, Canada, Chile, England, France, Germany, Greece, Hong Kong, Japan, Panama, South Korea, Spain, Switzerland, and Turkey. I learned a great deal about international customs from my travels.

    Professional Recognition
    I received a letter of appreciation in 2018 from the White House for contributions related to vulnerability disclosure to help government agencies and vendors protect the critical infrastructure.

    I received the National Intelligence Meritorious Unit Citation, which was presented by the Director for National Intelligence for my contributions as a key member of the Intelligence Community Identity and Access Management Steering Committee in April 2012.

    I received the (ISC)² Directors Award for my contributions obtaining sponsorship from several companies in support of an event that recognizes leadership from government and industry personnel.

    Significant publications are listed below:
    While attending the Army War College I published a paper titled “A Way to Operationalize the DoD’s Critical Infrastructure Protection Program Using Information Assurance Policies and Technologies,” dated March 18, 2005. The intent of this paper is to provide a construct to Operationalize the DoD's Critical Infrastructure Protection Program through the use of Information Assurance policies, methodologies, and technologies, and to identify strategic implications of vulnerabilities to the Combatant Commander and supporting agencies. Refer to

    Co-authored a paper titled “The Need for Digital Identity in Cyberspace Operations, dated April 2015. This paper identifies the challenges and opportunities that digital identity technologies introduce for cybersecurity and cyberspace operations. The Journal for Information Warfare was created to provide a forum for academics and practitioners in the broad discipline of information warfare and operations. Its target audience consists of those with a professional interest in the area from the military, government, industry, and academia. It includes the full gambit of topics from physical destruction of systems to the psychological aspects of information use and protection. Refer to

    Co-authored a paper titled “Secure Global Collaboration with Information Labeling and Handing (ILH) Using ILH to Implement a Sustainable Security Framework for Global Collaboration,” dated February 27, 2012. The Transglobal Secure Collaboration Program (TSCP), an international Aerospace and Defense (A&D) consortium, recognized this gap in security solutions and has brought together leading A&D companies, government agencies and technology vendors to collaborate on the ILH specification. The result is an ILH specification with interfaces and good practice processes that bring together digital policy management, document labeling, access control and rights management that will enable consistent enforcement of security policies and regulations.

    NIST SP 800-162, the acknowledgements section cites one of my contributions for this publication that states, “the NIST Computer Security Division would like to thank Mr. Friedman for initiating this effort and having the foresight to anticipate the growing importance of Attribute Based Access Control in government and industry.” Refer to

    Information Security Experience
    I taught as an adjunct faculty member for Johns Hopkins University and George Washington University, and currently teach at Towson University as an adjunct professor. I developed course material and lesson plans and teach a variety of network security/cybersecurity courses since 1996. For Towson University, I’ve taught courses related to cyber risk, and cyber policy and law.

    I’ve taught approximately 1,500 students in the past 22 years. Many students have started careers in the cybersecurity field, to include students from Europe, Asia, and the Middle East. Teaching students from foreign countries have taught me to be patient, learn about their undergraduate experiences, and helped me to better understand security and privacy issues from an international perspective. I was a member of the planning committee for the Annual Computer Security Applications Conference from 1994 to 2016. Our committee consisted of members from academia, industry, and government from several countries. The conference is designed to help Information Security professionals and academia further their understanding and application of technologies in the Cybersecurity field. I supported an Identity Ecosystem Steering Committee as a government representative and established a trusted relationship with commercial/industry partners to focus their efforts on attribute assurance.

    Leadership or Management Experience
    I have led teams of military personnel, Federal government civilians and contractors, and teams of security engineers while employed for the MITRE Corporation, and Booz Allen Hamilton. My leadership skills have evolved over the years to focus on national security issues and strategic challenges. I have managed organizations with up to 75 people and influenced Research and Development budgets exceeding $150 million.

    Volunteer Experience
    I served as a Boy Scout leader helping to guide my son and other boys become responsible citizens and learn life skills. I served from 1993 to 2003.

    I served on the Annual Computer Security Applications Conference Committee from 1994 to 2016 in a variety of capacities. Conference participants are represented by several countries and we have supported student conferences for several years. For more information go to In addition to my involvement with (ISC)² since 1993, I volunteer my time to mentor students to seek a career in the Cybersecurity field and support the Armed Forces Communications and Electronic Association (AFCEA) International Cyber Committee's workforce initiatives.

    Brian Grayek

    Brian Grayek, CISSP (USA)
    Brian Grayek is a 30-year cybersecurity warrior and Fortune 500 executive, who is currently the Director of Applications and Operations at CGI. CGI is the fifth largest Security Consulting and Services company in the United States.

    Brian has also held executive positions as a CTO, a Vice President at CA (formerly Computer Associates), Verizon, the Apollo Group and Motorola. At CA, Brian managed seven worldwide locations to research the latest virus and malware threats and was later responsible for the product development strategy and roadmaps for more than 30 security products. 

    Brian has been a keynote speaker at a White House Town Hall regarding the National Strategy to Secure Cyberspace and in Chicago at the Electronic Cybercrime Task Force Conference. He has been an active member of several FBI investigations into security intrusions, working with the Secret Service, the Attorney General's Office, the Department of Justice and the State Department. He has presented to conferences around the world, including RSA, and has been featured on television and in magazines and newspapers for his expertise in IT security.

    Experience in Business Strategy
    I owned my own business at the ripe age of 15 and ran it for four years until I sold it to go to college. It was a custom upholstery company which turned out custom car interiors, coaches, chairs and even a few sleighs. That was my first lesson in owning my own business and the importance of discipline. My next leap in managing a business unit came in 2005, when the GM and four directors of CA (Computer Associates) were chosen to break off a division from the company, in the first time in corporate history, and run the Internet Security Division as its own business unit. The GM and our team were responsible for all strategic planning, while I managed the roadmap and worked with Sales and Marketing on all delivery plans. Another first occurred in our second year, when CA and HCL entered into a joint partnership and became part of our strategic planning process. This was the first partnership between the two companies and our success would determine if there would be more. The strategic planning became now even more important as it guided how not just one, but two companies, would perform. The next four years were the most challenging, as well as educational, in my career, as I was brought into functions that I'd never been privy to before.

    Professional Education
    Along with college, I had the luxury of getting some world class training during my ten years at Motorola. They were one of the few companies at the time that not only required 40 hours a year, but also urged employees to take even more. I took advantage of the access to courses such as five-year planning, strategy and planning, marketing, benchmarking and a host of others including the series that Motorola brought into mainstream which was Six Sigma. While at Motorola, my organization was chosen to the first one to test a new concept called “High Performance Teaming.” It completely changed my life and the rest of my career with regards to “teams” and how to build them properly. 

    I was one of the first in my company to pass my CISSP exam on the first try, then shortly afterwards I was asked to get certified in ITIL. At that time, not many people in the U.S. had even heard of ITIL, but if you wanted to do business with large corporations in Europe, then many wouldn’t even consider talking to you unless you were ITIL certified. After my certification, not only did I get a whole new level of respect from European companies, but it then started catching on the U.S. The next wave I jumped on was the cloud. I’d been work with the “cloud” before it was a cloud. In the early days, it was called “on demand computing” and we were building tools and software to manage it. I received my Certificate of Cloud Security Knowledge (CCSK) in 2013, where I was working for one of the premier Cloud services companies.

    Industry Board Experience
    I was elected by (ISC)² members as the first President of the brand new, Phoenix area Chapter of (ISC)². I led that organization from concept to becoming a preeminent fixture in the Phoenix Arizona InfoSec community. Being from Arizona, I’ve never been lucky enough to be nominated to any industry, InfoSec Board. Just not a lot of InfoSec companies or Boards that are local.

    However, in many of my roles, I’ve been asked to present to quite a number of Boards as an expert in Information Security and that experience has given me great insight into the typical members of Boards, where they lack knowledge, where they excel, how to talk to and with a Board, and my personal favorite, how to provide value to a Board. If the gauge is being asked back, then I’ve been successful.

    Skills and Expertise
    Having been on a nonprofit Board of Directors previously, I learned how they function different than any business functions. What I learned from those years of experience was that it takes even more leadership to get people to work together that aren’t under your control or that don’t report to you. You really must learn to work in another way, in which; how do we get things done, who will do what function, who will decide what is most important, and how will disagreements be handled? These are not only learned skills; they are also something that not everyone receives with maturity. Getting a Board to work together can be one of the most rewarding experiences in life.

    Your Goals and Objectives
    I’ve been a part of several organizations that have given back to the next generation and I LOVE educating others in something that’s as much a part of me as the air I breathe. I truly live and breathe information security and anyone that has been around me knows that it’s a very important part of who I am. I’d like to bring new ideas and help the Board find ways of attracting that next generation of

    (ISC)² Strategic Contribution
    I believe that in some ways, the certifications have lost their lustier of the past. It used to be that the CISSP was HIGHLY respected, because it was hard to attain, and you had to really be committed to maintain it. I’d like to make sure that the guidelines and rules are respected to maintain the value for both our current and future members of (ISC)².

    Regional and Cultural Perspective
    In two of my positions, I traveled the world extensively, spending time in well over 50 countries. I have been invited into the homes of some of my customers and “new friends” in cultures that don’t typically allow for the overlap of business and personal life.

    In my role as Vice President of Product Management at CA (Computer Associates) I had an office in seven different countries. I was in every office at least twice a year and many of my more senior employees said that it was the first time they’d ever met their VP of the division. I found ways of getting people from very diverse parts of the world to work together.

    I have been asked so often, “Are you sure you’re an American?” For years I wondered why, then it was explained to me that for many people around the world the only Americans they see are loud, smoking, drinking, and boisterous individuals. I’ve endeared myself to so many by setting a new example for Americans to be remembered in the 21st century.

    Professional Recognition
    I’ve been the subject or author of quite a number of stories in InfoSec magazines and news articles. I’ve been on TV and on international podcasts. I was one of the speakers at the Whitehouse Strategy to Secure Cyberspace. Recently I was designated as an ISSA “Fellow” for my industry contributions and received the “TUF” award from ACTRA for my contributions to that organization.

    I received an award while at Motorola for the “Outstanding Contribution to InfoSec”, but recently I received an award for getting “Sh*t done.” In a company in the software development industry and to be from the Information Security group, where most people had previously called us “the people that say No,” to get such an honor shows that we had broken the mold of how other InfoSec teams had worked and were recognized ABOVE ALL others in that we had directly contributed to the success of the company.

    Information Security Experience
    I have been passionate about Information Security since I was in college. Over my 30-year career, I have been an award-winning speaker at many international and US security conferences. Anyone that has ever seen me speak at a conference knows that I speak from the heart about InfoSec. One of the nicest things I’ve even been told is that several people have told me that because of hearing me speak at a conference they changed their career path for one in the InfoSec industry.

    Leadership or Management Experience
    I have been an executive member in three different Fortune 500 companies and in one Fortune 100 company. In my last role, I was acting CISO, fulfilling many of the duties of the CIO that left, and reporting directly to the President of the company as one of the Leadership Team. I was chosen out of over 100 previous CTOs for my first CTO role, though I’d never yet been a CTO. They recognized my passion for the industry. I led that company until it was acquired by McAfee in less than a year in operation. I was the Vice President of Product Management at CA (Computer Associates) for five years in an organization of ~480 personnel and during that time we produced quite a number of award-winning Consumer and Business security solutions.

    Volunteer Experience
    I have volunteered over the years for quite a number of organizations. I was one of the Architects when the Internet was brought into the Phoenix area schools where I not only designed the network and connections, but I physically assisted in running CAT5 cable in three High Schools in the Phoenix metro area. I spent three years as President of the San Marcos Symphony Orchestra Board of Directors.
    With the work we did, we positioned the orchestra to be brought into a full time, dedicated position as the “Chandler Symphony Orchestra.”

    I’ve also been a volunteer in many nonprofit organizations for Veterans, just recently assisting with a golf tournament for wounded veterans.

    Chuck Kesler

    Chuck Kesler, CISSP (USA)
    Chuck Kesler is an experienced and dedicated leader of information security and IT teams with a proven track record of working effectively with both business and technical partners. Chuck has a strong background in budgeting, project management, strategic planning and team building. He is comfortable working in complex organizations where a collaborative and flexible approach to problem solving is required.

    Experience in Business Strategy
    I have been in management roles with increasing levels of responsibilities over the past 20 years. During that time, I have been responsible for developing and implementing business strategies for a variety of organizations, ranging start-ups, universities, nonprofits, and a Fortune 500 firm. In my current role at, I work with the rest of the C-Suite to establish a security program that enables growth into highly regulated and risk averse market sectors. At Symantec, I served as the Sr. Manager for its U.S.-based Security Advisory Services practice and was responsible for developing strategies to achieve corporate goals for profitability and thought leadership. In my role as CISO at Duke Health, I was responsible for developing and implementing our information security strategy, and as well as contributing to the development of our broader IT strategy. While working for a nonprofit internet service provider that served the higher education community in North Carolina, I developed and implemented a business plan for establishing a data center hosting service. In all of these roles, I have been responsible for working with senior executives and boards to gain approval for these strategies, and I have done so by approaching my role as one in which I help the business risks against value in making decisions.

    Professional Education

    • 1985-1989 – BS in Physics and minors in Math and Computer Programming from North Carolina State University
    • 2002-2004 – MBA from North Carolina State University
    • 2017 – CISO Certificate Program from Carnegie Mellon University
    • Certifications: CISSP, CISM, CCSK, PMP, ITIL v3 Foundations, ITIL v3 Intermediate / Service Transitions ITIL v3 Intermediate / Service Offerings and Agreements, PCI QSA (inactive)

    Industry Board Experience

    • Education Director (2014-2015) and Vice President (2016-2018) of the Raleigh ISSA Chapter
      • During my time with Raleigh ISSA, I helped grow chapter membership, increase attendance at monthly chapter meetings from an average of 90 to over 160, deliver education opportunities, and grow our annual conference, Triangle InfoSeCon, from an event that hosted around 700 to over 1,400 attendees and vendors last year
    • Board Member of the North Carolina Health Care Information and Communication Alliance (NCHICA), 2016-2018
      • In addition to serving as a board member, I helped co-lead the Privacy and Security Working Group, and co-chaired one of the organization's major annual events, the Academic Medical Center Security and Privacy Conference, which will be in its 15th year in 2019
    • Board Member of the Association of Healthcare Executives in Information Security (AEHIS), 2018
      • AEHIS provides networking and education opportunities for CISOs and other information security executives in the healthcare industry and had over 500 members at the time I was on the board. I also participated in the AEHIS Public Policy committee. I was elected to a 3-year term in December 2017 but had to depart in December 2018 due to moving to a job outside of healthcare. During my time on the board, I led an initiative to explore developing a certification program for healthcare CISOs

    Skills and Expertise
    As the CISO for Pendo and Duke Health, and the Sr. Manager for Symantec's Security Advisory Services practice, I have had significant experience in strategic planning, as noted above. In my current role at Pendo as well as at Duke Health, at least 50% of my time has been spent on strategic planning and/or execution of our strategic plans. I have learned the importance of ensuring that strategic plans from different parts of the organization are harmonized and aligned with our mission and vision, rather than developing a plan in a vacuum. I'm also adept at budgeting and understanding how to analyze potential projects from a financial perspective.

    Your Goals and Objectives
    Simply put, I am always looking to give back to the information security industry, with a focus on creating meaningful and easy-to-access professional development opportunities for experienced information security professionals, as well as those looking to enter the field. If elected, I would commit to devoting significant energy to listening to the ideas of all (ISC)² stakeholders, including members, leadership, and other members of the board, to help shape my contributions to the board and the organization.

    (ISC)² Strategic Contribution
    With organizations throughout the world struggling to find individuals with the information security skills necessary to secure their infrastructure and applications, (ISC)² sits in a unique position to help grow new information security professionals, as well as to continue growing the skills of those already in the industry. I believe there are opportunities to develop more industry-specific training and certification programs, similar to the HCISPP for healthcare. I would also like to see (ISC)² expand its outreach outside of the information security industry to improve the skills of IT professionals whose job roles are not primarily in the field of information security but who still have critical functions to play. I would also like to support and continue to grow (ISC)²'s existing Safe and Secure Online outreach efforts to help improve security awareness for children and their families.

    Regional and Cultural Perspective
    As a resident of the U.S., I know that it could be easy for me to assume that my perspectives on the information security industry are the most important or correct. However, I have always tried to maintain a global view of the industry. For example, while at Symantec, I worked with information security professionals from our other teams located across the world, and I always enjoyed sharing experiences and learning from them. At Pendo, we have a significant presence in Israel and the UK, and I frequently work with team members in those overseas locations. At both Pendo and Symantec, I've worked with customers from a variety of countries across the world, frequently interacting with members of their security teams. If elected to the (ISC)² board, I would commit to reaching out to our international colleagues to ensure that their perspectives are represented in all discussions and decisions.

    Professional Recognition
    I have spoken at a number of regional and national conferences, including:

    • RSA Conference (2019)
    • MISTI's InfoSec World Conference (2016 and 2018)
    • HIMSS Conference (2016 and 2018)
    • Triangle InfoSeCon in Raleigh, NC (multiple years)
    • Academic Medical Center Security and Privacy Conference (multiple years)
    • NCHICA Annual Conference
    • North Carolina HIMSS Annual Conference

    I have consistently received very positive feedback from speaking engagements. For example, my ratings at InfoSec World and HIMSS were higher than the average ratings in all categories. I also received several peer nominated leadership awards during the five years that I was at Symantec.

    Information Security Experience
    As an information security professional, I have significant experience in risk management, which could be highly relevant to making good decisions at the board level. In addition, although I have served in management roles for most of the past 20 years of my career, I feel I still have a good understanding of the technical side of security and am often called upon to communicate highly technical topics to less technical audiences.

    Leadership or Management Experience
    As noted in my answers above, I have significant management and leadership experience. Although I started my career in a technical role, I quickly grew into a team leader. From there, I was given opportunities to manage teams. Over the years, I've managed teams that have ranged in size from a few people to more than 20.

    Volunteer Experience
    As noted earlier, I have volunteered in the past for a number of local organizations, including the Raleigh ISSA Chapter and NCHICA. I've also volunteered to deliver guest lectures at local universities on a number of occasions in the past, including a series of presentations on information security I've given to an MBA class at North Carolina State University and for the master’s in management of Clinical Informatics at Duke University.

    David Melnick

    David Melnick, CISSP (USA)
    David Melnick, founded and led WebLife as CEO until it was acquired by Proofpoint in 2017.  Since then, as a VP of Isolation Products, I have continued to work at Proofpoint as part of the senior management team. I bring more than 25 years of experience in technology and security, having worked extensively with both U.S. and global companies advising them on setting strategy, developing risk-based priorities and operationalizing effective governance of highly sensitive and regulated data. David’s experience includes implementing security technology and addressing privacy regulatory requirements including global, U.S. Federal and U.S. State privacy requirements.

    As a past two-term board member of (ISC)², David traveled internationally representing the security and privacy profession. David has authored several books through McGraw Hill Publishing and Macmillan Publishing including PDA Security: Incorporating Handhelds into your Enterprise. Currently his books have been translated into four languages including Japanese, Chinese and Italian. David is a Certified Information Privacy Professional (CIPP/E CIPP/US), a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).

    Experience in Business Strategy
    I served as a national partner in Deloitte’s security practice and co-led Deloitte’s national privacy practice advising organizations on setting strategy, developing risk-based priorities, and operationalizing effective governance of highly sensitive and regulated data. I utilized my deep technology background with a risk-based and business-focused approach, to help minimize the risk of noncompliance, information misuse, unauthorized access and loss.

    Highlights of accomplishments included:

    • 5-year global strategic account leadership of key customers
    • 9-year advisory relationship with C-Suite of public company as outsourced IT governance
    • Led national Safe & Secure program delivering cyber education to over 10K students per year
    • Engaged board and C-Suite level executives on risk management topics including cyber threat management, information security governance and privacy & data protection

    Professional Education

    • MBA – University of California, Los Angeles
    • Certified Information Privacy Professional (CIPP/EU CIPP/US) – IAPP
    • Certified Information Systems Security Professional (CISSP) – (ISC)²

    Industry Board Experience

    • Board Member, (ISC)² January 2007-December 2013
    • Board Member, Weblife Balance Inc.
    • Board Member, Medical Missions to Kenya
    • Board Member, Digital Neutrality Administration
    • Board Member, Congregation OrAmi

    Skills and Expertise
    Board governance
    Security Strategy
    IT Management Experience

    Your Goals and Objectives
    Having accomplished my professional goals in the information security profession and having watched so many new professionals join the field, I feel compelled to give back to the community that has given so much to me. The (ISC)² organization is positioned to provide leadership to the profession and I would like to contribute to that leadership.

    (ISC)² Strategic Contribution
    I will seek opportunities for (ISC)² to drive organizations to recognize and elevate security and security professionals to strategic roles in the organization. Aligned with that objective additionally influence businesses to elevated salaries, educational investment, and leadership positions for security professionals.

    Regional and Cultural Perspective
    Having specifically helped organizations deal with the cultural and regulatory differences across regions, I want to drive (ISC)² to support including multiple geographically diverse stakeholders to seek methods of harmonizing our approach to education and standards.

    Professional Recognition

    • PDA Security: Incorporating Handhelds into your Enterprise; McGraw Hill
    • Special Edition Using Microsoft's Commercial Internet System, Macmillan Publishing
    • Web Development with Visual Basic 5.0, Macmillian Publishing
    • Working with Active Server Pages, Macmillan Publishing

    Information Security Experience

    • Founder and CEO, Weblife: Remote Browser/Web Isolation and Privacy Service
    • Principal in Deloitte's National Cyber Risk Services Practices and Co-Led National Privacy Practice
    • President, PDA Defense Enterprise Mobile Device Management Platform
    • GE Capital, Fraud Department Manager

    Leadership or Management Experience
    Founder and CEO (Now Proofpoint),

    • WebLife Balance (WebLife) fundamentally changes how organizations approach employee Internet use by simply providing a separate, private and secure space for employees to conduct personal and high-risk web browsing. The cloud-managed service provides employees a right-to-privacy while at the same time addressing key Legal, HR, and IT business challenges related to employees' use of the Internet. Current employee acceptable web-use policies don't address the fact that employees will continue to spend some portion of their time on personal web browsing. WebLife acknowledges this reality and brings employees back into policy compliance by securely separating personal and business web activity. By doing so, this program provides an additional benefit to employees, improving companies' security posture, reducing their liability, and enhancing their compliance with global privacy obligations

    President, PDA Defense

    • As president of PDA Defense, a division of Asynchrony Solutions, the leading security software provider, integrating end-point security for mobile devices, David managed integration projects with IBM Tivoli, Syncrologic, Xcellenet, Microsoft and Palm, Inc. to incorporate handheld security into their existing infrastructure. Additionally, he worked with financial services clients (Gramm-Leach-Bliley) and medical industry clients (HIPAA) to oversee software product development for multiple computing platforms

    GE Management Development Training Program

    • Recruited and trained in GE Management Development Program within GE Capital companies. Worked with all divisions of major private label credit card issuer on projects including:
      • Fraud/Bankruptcy/Write-Offs: Directed investigation into $500M annual loss for Montgomery Wards developing and executing several loss mitigation strategies ($15B credit portfolio)
      • Risk Management: Partnered with Corporate R&D and Operations Department to develop the first Neural Network Fraud Detection Model. Helped devise credit scoring algorithms
      • Deployed management tracking system for control and reporting within 2000-person organization
      • Conducted system improvement audits for credit and collections departments and remittance facility processing 15M letters/month

    Volunteer Experience

    • Volunteer and Board Member, Medical Missions to Kenya
    • Volunteer and Board Member, Congregation Or Ami
    • Volunteer and Co-Chair Super Sunday, Jewish Federation of Greater Los Angeles
    • Board Member, AISH Planning Committee

    Yiannis Pavlosoglou

    Yiannis Pavlosoglou, CISSP (United Kingdom)
    Yiannis Pavlosoglou has a passion for information security. He completed his Ph.D. on designing secure routing protocols when he was 25. Leaving academia for practical experience, he spent five years working as a penetration tester in London, before setting up his own small information security Ltd Company.

    Joining UBS 9 years ago, he developed extensive skills in managing multi-tier cyber & risk work streams. He is currently UK CISO, reporting into the group CISO. His prior position at UBS was strategic change manager for Operational Resilience.

    Experience in Business Strategy
    Professionally employed full time for 2½ years (Aug 2015 – Mar 2018) in the role of strategic change manager within Operational Resilience at financial services firm UBS. This global role focused on implementing the business strategy for the business unit of operational resilience across three continents for a team of more than 100 specialists from BCM to Outsourcing, Technology and Information Risk. The role successfully concluded with the creation of the CISO function and the Compliance Risk function, both of which are still in operation today.

    Professional Education
    Holds a BEng in computer systems engineering and PhD in information security, designing protocols for mobile ad-hoc network both from the University of Warwick, UK. Currently CISSP certified, also a certified scrum master (CSM) (expired Mar 2015) and served as an OWASP Project leader from Nov 2006 to Mar 2011.

    Industry Board Experience
    Currently co-chair of the (ISC)² EMEA Advisory Council (EAC) (since May 2015) and was an EMEA Advisory Board Member from Sep 2013 to May 2015. It would be unfair to claim the following as individual pieces of work under my sole contribution. Below are some of the key strategic contributions I have assisted with:

    • 2018 – Proposed a set of terms of reference with defined roles and responsibilities for members of the EAC
    • 2017 – Instigated project proposals for any member directly to the EAC, thus empowering members to do more, while giving them a career aspiration to be nominated for the EAC
    • 2016 – New chapter referrals that help life the chapters 2.0 moratorium
    • 2015 – Setup the grassroots program throughout Europe as a framework to guide skills requirements, education and legislation

    Skills and Expertise
    Resilience Modelling, Strategic Planning, Information Security, Application Security, Operational Resilience, Process Maturity, Penetration Testing

    Your Goals and Objectives
    I am interested to bring a more European focus and perspective to the (ISC)² Board of Directors. EMEA has such a diverse membership of information security professionals, constantly displaying a strong commitment to the organization’s mission and values. I would like to help channel that energy back to Clearwater in Florida where the (ISC)² is headquartered.

    My goal is to have five years from now a much more effective (ISC)² global community that is not only highly skilled, but also highly diversified.

    (ISC)² Strategic Contribution
    I would like to see more ideas making a round trip into Europe, before being cast in stone on the other side of the pond. Personally, I would like to help put a consultation framework via EMEA in place, so to enhance truly relevant objectives and performance standards. This would help bring more members with us on the journey of further maturing our profession. If successful, can then be applied to other parts of the world.

    Regional and Cultural Perspective
    I have spent a good part of five years interacting with local chapters of (ISC)² and other organizations in EMEA. Born in Greece, I have lived in the U.K. for over 20 years.

    Professional Recognition
    In 2018 and 2019, have been on the judges panel for the ISLA awards. Some notable speaker events and publications can be found below:

    Information Security Experience
    I have been previously involved with OWASP as a project leader, ISACA as an author and ISF as the U.K. Chapter member, helping organize conference events.

    Leadership or Management Experience
    On leadership, headed up a number of local and off-shore risk assessment teams with a technology focus. On management have exposure to boards and regulators as part of my current role as CISO UK, as well as previous roles.

    Volunteer Experience
    I volunteer my time to a number of information security organisations, including (ISC)² for which I co-chair the EMEA Advisory Council.

    Shuky Peleg

    Shuky Peleg, CISSP (Israel)
    Shuky Peleg has been the Head of Cyber Defense and Information Security (CISO) for the First International Bank of Israel (FIBI) since January 2013. In this position he is responsible for defining and enforcing security policy for the group, building in-house cybersecurity capabilities and meeting compliance requirements of the Bank of Israel and other regulators.

    Prior to his current position, Shuky served as Head of Information Security for e-Gov at the Ministry of Finance. He joined e-Gov after serving as an information security advisor for a government agency, defining the information security technology roadmap for the organization.

    From 1985 to 2008, Shuky held technology positions for IBM Israel and IBM US, and the positions of CTO, CSO, CIO and solution architect for the Israeli branches of global companies. He holds an M. Sc. Degree in Information Technology and several Information Security and Audit certifications.

    Experience in Business Strategy
    As Chief Cyber Defense Officer for the FIBI banking group, Shuky is responsible for the development of the group's Cyber Defense strategy and the multi-year plan of cyber defense roadmap.

    Professional Education

    • 2018: CSX Cybersecurity Fundamentals Certificate (ISACA)
    • 2017: Directors and Officers, College of Management, Institute of Continuing Education (ICE)
    • 2012: Chief Risk Officer, College of Management, Institute of Continuing Education (ICE)
    • 2011: Critical Infrastructure Protection, National Information Security Agency (NISA)
    • 2008: NSA IAM/IEM Methodology, Security Horizons, USA
    • 2007: Master of Science in Information Technology (MSIT) Clark University
    • 2005: Arbitration in IT disputes, Israel Chambre of Information Systems Analysis
    • 2003: Certified Information Systems Auditor (CISA) - ISACA, Certified Information Systems Security Professional (CISSP) - (ISC)²
    • 2000: Managing Computer Center Organization and Technology, John Bryce
    • 1992: Bachelor of Arts in Social Science, Israel Open University
    • 1985: Associate degree in Software Engineering, National Institute for Technological Education in Israel
    • 1979: Systems programming, analysis and design Israel Defense Force – Computer Center

    Industry Board Strategy

    • 2006-2016: Board member of Eshnav (a nonprofit organization for promoting proper use of the internet)
    • 2009-2012: Board member of the Internet Society, Israel Chapter
    • 2015-2019: ISACA, Israel chapter
      • 2015-2016: council member
      • 2017-2018 board member and head of the professional forum
      • 2019 council member and co-head of the professional forum

    Skills and Expertise
    I bring to the board 40 years of ICT experience and 20 years of security experience gained working with clients in a variety of industries (defense, government, high tech, finance) across a number of key IT areas (ICT infrastructure, Information security, project management, solution development and cybersecurity). In the last 12 years I worked on the definition and creation of cybersecurity in a national level and organizational level, creating cyber capabilities for e-Government and recently building cyber capabilities for a banking groups in Israel, including the definition of cyber strategy and organization policy, creation of the Security Operation Center (SOC) and the response capabilities and embedding innovation of cyber start-up companies in the organization by building a Cyber Defense Start-Up Accelerator within the bank.

    I joined the First International Bank of Israel (FIBI) in January 2013 as the Chief Information Security Officer (CISO) and from day one started to re-build the security team and security architecture towards the needs of Cyber Defense. From that day on, I am responsible for the multi-year plan and budget of cyber defense, for handling security of third parties and the supply chain, for ongoing exercises and simulations and for maintain the awareness, involvement and commitment of employees, managers, contractors and suppliers.

    Your Goals and Objectives
    I see (ISC)² as the most influential professional organization in the Information Security community world-wide. I think that there is more to be done to extend the capabilities to the Cyber Defense perspective and the (ISC)² board is the best place to be to influence this direction.
    To be more specific, I want to promote a number of capabilities:

    • Information sharing between Cyber Defense professionals across industries (ISAC capabilities)
    • Strengthen relationships with innovative Cyber Defense start-up companies
    • Cyber Defense automation
    • Emerging Cyber Defense needs: IoT, Automotive, MedTech, FinTech, etc.

    (ISC)² Strategic Contribution

    • Availability of mobile and online tools for accessing security resource, sharing information and consulting with (ISC)² peers
    • Best practices cookbooks and guidelines for different audiences in the organizations, developers, infrastructure and security professionals, Tier1/Tier2 SOC, management, etc.
    • Adaptation of guidelines for known security standards (e.g.; ISO, NIST) and leading regulations
    • Cyber Defense Strategy development and implementation resources and guidelines

    Regional and Cultural Perspective
    I will bring my experience of involving innovative cyber security start-up companies in the organization Cyber Defense strategy and cooperation with Cyber Defense government entities. This type of cooperation is quite successful in Israel.

    Professional Recognition

    Leadership or Management Experience
    2013 – Present: Head of Cyber Defense & Information Security (CISO) – First International Bank of Israel (FIBI) leading the cyber defense organization for the banking group in the areas of strategy, policy, compliance, control, mitigation, response and innovation

    • Define the bank vision for information security and cyber issues, policies, standards, priorities and projects
    • Determine information security resources including budget, staff, training and resources
    • Develop and conduct company-wide cyber security exercises and simulations
    • Identify security protection goals, objectives and metrics consistent with strategic plans
    • Educate management on changes in information security as well as global threats
    • Develop a cyber-security defense and recovery plan which included prevention, detection, remediation and recovery
    • Establish relationships with cybersecurity start-up companies and run an internal Cyber Security accelerator for start-ups
    • Define, establish and run the bank’s Security Operation Center (SOC)

    2010 – 2012: Head of Information Security – Ministry of Finance - eGovernment

    • Define the roadmap for information security and cyber issues, policies, standards and projects
    • Establish Cyber security capabilities and interfaces with other Cyber organizations
    • Reviews standards for information security from multiple sources including National Institute Standards and Technology (NIST), Payment Card Industries (PCI), ISO and government agencies
    • Work in concert with cyber teams at other government agencies, intelligence and defense units
    • Manage CERT, SIEM/SOC, PT, Cyber Security and methodology teams

    2001 – 2008: EDS Israel, CIO / CSO

    • Development and maintenance of BCP / DRP program for EDS Israel
    • Operate the internal infrastructure and support in an "outsourcing" model
    • Security and privacy management for outsourced clients
    • Technologies lead for the Parliament account during the first outsourcing deal

    Volunteer Experience

    • 2006-2016: Eshnav (a nonprofit organization for promoting proper use of the internet)
    • 2009-2012: Internet Society, Israel Chapter
    • 2015-2019: ISACA, Israel chapter

    Zachary Tudor

    Zachary Tudor, CISSP (USA)
    Zachary (Zach) is the Associate Laboratory Director of Idaho National Laboratory’s (INL) National and Homeland Security’s (N&HS) organization. It’s a major center for national security technology development and demonstration, employing 550 scientists and engineers across $300M in programs for the:

    • Department of Defense (DoD)
    • Department of Homeland Security (DHS)
    • The Intelligence Community
    • Department of Energy (DOE)

    N&HS is responsible for INL’s Nuclear Nonproliferation, Critical Infrastructure Protection, Defense Systems and Homeland Security missions that include:

    • Safeguarding and securing vulnerable nuclear material
    • Enhancing the overall security and resilience of the nation’s infrastructure
    • Providing protective system solutions and heavy manufacturing of armor for national defense

    Zach has more than 30 years of experience in IT and cybersecurity management, operations and incident response.

    Past positions include Program Director in the Computer Science Laboratory at SRI International, support to the Control Systems Security Program (CSSP) and the ICS-CERT at DHS, on-site deputy, program manager for the NRO’s world-wide operational network, information security manager for OSD CIO’s Enterprise Operations Support Team and security management support for the Centers for Medicare and Medicaid Services. 

    Zach recently demonstrated his commitment to the highest standards of exemplary board leadership by earning his designation as a National Association of Corporate Directors (NACD) Board Leadership Fellow—The Gold Standard Director Credential®. Zach holds an M.S. in Information Systems from George Mason University concentrating in cybersecurity.

    Experience in Business Strategy
    As an incumbent member of the (ISC)² board, I have worked in the strategy committee (currently the strategy committee chair) to develop concepts and recommendations for (ISC)² leadership regarding the future direction of the organization. (ISC)² has been doing a great job in improving value to members; as a board member and strategy committee member we will continue to offer and assist to find new opportunities to improve and expand the profession.

    Throughout my career I have been engaged in leading and managing teams and organizations. From my first leadership experience on board fast attack submarines with a team of “data system” technicians, I have had to pleasure and good fortune to lead ever larger and more diverse groups. I came up through the ranks to become a Chief Petty Officer, the standard of enlisted leadership in the Navy.

    Later, through the extremely competitive process to become a Navy Limited Duty Officer (LDO), I was selected and promoted as a Submarine Electronics Officer. My assignments included management of submarine manpower and technical training resources on the Navy Staff, developing advanced technologies, and as the Flag (Admiral’s) aide to the Commander of Navy Recruiting. Each of these positions dealt not only with managing present requirements, but also strategic planning for 10 to 20 years in the future. Upon retirement from the Navy, I was the deputy director at Lockheed Martin of the 250-person Computer Systems Branch of the National Reconnaissance Organization and was also a member of the Future Imaging Intelligence Architecture group, developing the strategy for defense imaging requirements. As Vice President at SAIC, I managed a division of over 250 engineers, programmers, and analysts performing projects for 13 U.S. government agencies. I was also the VP of Operations for two small businesses. More recently, I have been an active participant of teams developing the Energy Cybersecurity Roadmap, The DHS Cybersecurity Science and Technology R&D Roadmap, and the Nuclear Cyber Security Roadmap. In 2016, I became the Associate Lab Director (ALD) for National and Homeland Security Science and Technology at the Idaho National Laboratory (INL N&HS), a major center for national security technology development and demonstration, employing 400 scientists and engineers across $370M in programs. As the ALD I direct INL’s Nuclear Nonproliferation, Critical Infrastructure Protection and Defense Systems missions that include heavy manufacturing of armor, application of INL’s unique infrastructure (grid, wireless testbed, explosives range, and a number of research facilities). These missions also support major programs for Department of Defense, Department of Homeland Security, and the Intelligence Community.

    Professional Education
    I received a MS in Information Technology, with a focus on cybersecurity, from George Mason University (GMU), as well as a Graduate Certificate in Information Security. I pursued my PhD in Information Security from GMU, completing all coursework and advancing to candidacy but did not complete my dissertation. I also taught graduate information security courses as an adjunct professor at GMU. Besides being a CISSP, I am a Certified Information Security Manager (CISM) through ISACA, Certified Computing Professional (CCP), and was previously a Project Management Professional (PMP) from 2004 – 2010. I attended training and subsequently certified for the NSA’s Information Assessment Methodology (IAM) and Information Evaluation Methodology (IEM). Other interesting relevant training included the Sandia National Laboratory Red Team training, and the DHS Control Systems Security Program sponsored Control Systems Advanced Red Team/Blue Team Training conducted at the Idaho National Laboratory.

    Industry Board Experience
    I am an incumbent member of the (ISC)² board and have worked in the strategy committee (currently the strategy committee chair) to develop concepts and recommendations for (ISC)² leadership regarding the future direction of the organization. (ISC)² has been doing a great job in improving value to members; as a board member and strategy committee member we will continue to offer and assist to find new opportunities to improve and expand the profession.

    I have been a member of several technical advisory boards including for Core Security (2009 – 2010) and the Cyber Resilient Energy Delivery Systems Consortium (CREDC) executive board (2015 – 2018). I was also a member of (ISC)²’s Application Security Advisor Council (ASAC) from 2014 – 2016. My primary role in each of these boards and councils was to provide insights on industry direction, identifying synergies and potential partners, and recommending courses of action.

    In a community service capacity, I served several positions with the National Naval Officers Association (NNOA), an organization devoting to serving and promoting diversity in the sea services: Navy, Marine Corps, Coast Guard, and National Oceanic and Atmospheric Administration. I served in a variety of positions including chapter president in Pearl Harbor, HI and Annapolis, MD; and on the national board of directors as membership vice-president.

    Skills and Expertise
    In groups (like the (ISC)² board) I like to build a consensus to ensure that all voices and points of view are heard, and that the final decision or direction reflects to the greatest extent possible the broad groups’ opinions. This is especially important for (ISC)², an organization that has to provide member services internationally.

    I think my experiences described above as a technician, manager, and researcher in cybersecurity domains in the commercial, defense, and intelligence community gives me unique insights to contribute in strategic and advisory capacities. I also feel that my experience in participating on key national strategy committees would help me contribute to the board’s strategic goals. I am a passionate advocate for the cause of information security and have the perspectives of both a security service customer as well as a security service provider.

    Your Goals and Objectives
    As a board member, I have worked to ensure that the CISSP credential remains the gold standard for cybersecurity professionals, and to help build the reputation and credibility of our other certifications. As a CISSP and (ISC)² member I have participated in an advisory council, volunteered for JTAs and item writing workshops, and have served on the board of directors because I believe that keeping the (ISC)² certifications strong helps our industry. One way to do that is to help respond both organizationally and
    programmatically to the criticisms that certifications (particularly (ISC)² certifications) are not valuable or indicative of expertise or capability. I believe the (ISC)² leadership working hand and hand with the board is continuing to develop new programs and value to combat those perceptions.

    (ISC)² Strategic Contribution
    I think that one avenue might be to develop strategic partnerships with organizations such as the Association for Computing Machinery (ACM) and IEEE that have strong academic, technical and R&D membership and reputation, but do not compete in the certification arena. We could enlist these and other leading organizations to work with (ISC)² in our ongoing programs that promote STEM education, racial and gender diversity in cybersecurity, and future cybersecurity workforce development. Another key is to help promote all (ISC)² certifications to help them reach the recognition and status of the CISSP certification.

    Regional and Cultural Perspective
    As a current board member and former chairman of the (ISC)² nominations committee I have worked to provide diversity among the candidates for the board, and I think the composition of the board has become more diverse. We must continue to include perspectives from all our diverse communities.
    Working on projects in America and Europe, I have seen firsthand the respect that (ISC)² certifications have internationally.

    However, diversity challenges exist not only in the U.S. but also in other regions, and this limits the pool of available candidates for cybersecurity jobs (and cybersecurity certification). (ISC)² can continue to take a leading role internationally in reaching and educating new populations on the benefits of cyber careers. Cybersecurity research and development is an international community of institutions and individuals. Because cybersecurity and combatting cybercrime are common goals across (most) borders, I have had wonderful working relationships with people from around the globe.

    Professional Recognition
    One “fun” piece of recognition was being featured by (ISC)2 in their video promotion of “A Day in the Life of a CISSP”. This video can be seen at It has been an honor to be recognized by my fellow cybersecurity practitioners as a representative of (ISC)².

    Some recent notable presentations and recognition include:

    • U.S. Senate testimony on October 26, 2017 before the Senate Energy and Natural Resources Committee hearing on efforts to protect the nation’s energy providers from cybersecurity threats, including attacks from abroad - Congressional testimony before the United States House of Representatives Energy and Commerce Committee Subcommittee on Energy, March 14, 2018 on “DOE Modernization: Legislation Addressing Cybersecurity and Emergency Response”
    • Idaho state legislature testimony on February 28, 2017 for issues surrounding critical infrastructure protection and the state’s support for the Idaho National Laboratory
    • Program committee member for the FIRST Cyber Threat Intelligence Symposium, London (U.K.), March 18-20th, 2019
    • A workshop panel member in August 2018 for the HPI Studies Board of National Academy of Science, discussing human computer interaction for cyber security of next generation infrastructure systems
    • Appointed in 2017 for a 6-year term to the Air Force Studies Board (AFSB) of the National Academy of Engineering
    • Joint appointment as Professor of Practice in the Computer Science department of the University of Idaho
    • Honorary Commander of the 224th Cyber Operations Squadron of the Air National Guard

    Over the years I have been fortunate to be invited to speak at numerous industry and academic forums. I generally give approximately 6 to 10 talks or presentations per year. Notable among them are:

    • Participate in the closing panel of control system cybersecurity “grey beards” at the SCADA Scientific Security Symposium (S4) in2017, 2018 and 2019
    • Provided a review and call to action on critical infrastructure security at the (ISC)² Secure Summit BENELUX 2017
    • Lead workshop sessions for the DHS sponsored LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) consortium workshops in Amsterdam (2018) and Houston (2019)
    • Co-Host and multiple panel moderator for the 2013 US Secret Service Global Cyber Security Conference - keynote presentation at the 7th International Symposium on Resilient Control Systems, Denver, CO (2014)
    • Presentation at the Industrial Control Systems Joint Working Group 2010 Spring Conference with Mark Fabro titled: What Went Wrong? A study of actual industrial cybersecurity incidents
    • Presentation on Crossing the Valley of Death for Innovation at Belfast 2014, the 4th World Cyber Security Technology Research Summit hosted by the Centre for Secure Information Technologies (CSIT) at Queens College, Belfast, U.K.

    My major publications are:

    • Government-Funded R&D to Drive Cybersecurity Technologies. IT Professional, 17(4), 62-65. Maughan, D., Balenson, D., Lindqvist, U., & Tudor, Z. (2015)
    • Control Systems Security from the Front Lines. Security & Privacy, IEEE, 12(6), 55-58. Peisert, S., Margulies, J., Byres, E., Dorey, P., Peterson, D., & Tudor, Z. (2014)
    • Crossing the" Valley of Death": Transitioning Cybersecurity Research into Practice. Security & Privacy, IEEE, 11(2), 14-23. Maughan, D., Balenson, D., Lindqvist, U., & Tudor, Z. (2013)
    • Host protection strategies for industrial control systems. In Homeland Security (HST), 2012 IEEE Conference on Technologies for (pp. 87-92). IEEE. McIntyre, A., Lindqvist, U., Peterson, B., & Tudor, Z. (2012, November)
    • Measurable Control System Security through Ideal Driven Technical Metrics. In S4: SCADA Security Scientific Symposium. McQueen, M., Boyer, W., McBride, S., Farrar, M., & Tudor, Z. (2008, January)
    • Denial of Control: Implications of Denial of Service Attacks in Critical Infrastructure Control Systems (Poster). 2008 IEEE Conference on Technologies for Homeland Security (IEEE HST), May 2008. Tudor, Z., Edwards, M., & Fabro, M. (2008)

    Information Security Experience
    My first assigned “cybersecurity” role was in 1982 as an ADP System Security Officer in the Navy. Many of my management roles involved some elements of information security or cyber risk mitigation. Following my Navy career, I worked at several contractor or consulting organizations to provide cyber security tasks including:

    • Penetration test and mitigation recommendations for the World Bank external network
    • Security program development and implementation, coordination and development of IA documentation for Systems Security Authorization Agreements (SSAAs)
    • Developing cyber security risk assessment and mitigation reports, Security Test and Evaluation (ST&E) plans, contingency, business continuity, and disaster recovery plans, and IA policies and procedures
    • Senior InfoSec consultant for the Defense Finance and Accounting Service (DFAS) Forward Compatible Payroll (FCP) project, the Department of Justice Audit Support project, and OSD CIO Information Architecture security review
    • Technical lead for the U.S. Army European Command (EUCOM) requirements evelopment and implementation of a multi-level secure (MLS) environment

    For the past eight years as a Program Director in the Computer Science Laboratory at SRI International, I have provided management and technical expertise for operational and research and development cybersecurity programs for government and commercial customers including the Department of Homeland Security Cyber Security Research and Development Center (CSRDC), DARPA and the
    National Cyber Range. Some projects and accomplishments include:

    • Coordination and subject matter expertise for the LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) consortium. Project manager for the LOGIIC Safety Instrumented System (SIS) project. Onsite technical manager for Third Party Access project assessments
    • Represents SRI at the International Information Integrity Institute (I-4), a world forum for senior information security professionals to share cyber information.
    • Member of the Nuclear Cyber Security Working Group, and contributing author of the 2011 Nuclear Cybersecurity Roadmap
    • Co-leader of SRI’s team on the National Electric Sector Cybersecurity Organization Resource (NESCOR), a broad-based public-private partnership with the Department of Energy (DOE) to strengthen the cyber security posture of the electric sector
    • Former co-chair of the Industrial Control System Joint Working Group (ICSJWG) R&D working group
    • Project manager for the DHS and White House-sponsored Financial Industry Validation of Identity Credential Services (FI-VICS) project
    • Member of the Department of Defense Research and Engineering (DDR&E) special study group on cybersecurity metrics (2010)
    • Coordination and chapter author for the 2009, DHS S&T document A Roadmap for Cybersecurity Research

    Leadership or Management Experience
    In my current role as the Associate Lab Director (ALD) for National and Homeland Security Science and Technology at the Idaho National Laboratory (INL N&HS), I lead 400 scientists and engineers across $370M in programs for Nuclear Nonproliferation, Critical Infrastructure Protection and Defense Systems missions that include heavy manufacturing of armor, application of INL’s unique infrastructure (grid, wireless testbed, explosives range, and a number of research facilities). These missions also support major programs for Department of Defense, Department of Homeland Security, and the Intelligence Community. Being a part of these important missions and leading the great women and men that accomplish important tasks every day has been the highlight of my career.

    As I mentioned in Section 1, I have been leading and managing teams and organizations throughout my career. Several examples are detailed below. As a Submarine Electronics Officer my assignments included:

    • Management of submarine manpower and technical training resources while assigned to the Navy Staff - Developing advanced technologies for submarine protection, force projection, and virtual training for submarine navigation
    • Flag Aide to the Commander of Navy Recruiting
    • Student Control Officer at the Naval Submarine Training Center Pacific responsible for the 20,000 students that annually attended training at that facility

    With Lockheed Martin I was the deputy director of the 250-person Computer Systems Branch of the National Reconnaissance Organization and was also a member of the Future Imaging Intelligence Architecture group, developing the strategy for defense imaging requirements. While a Vice President at SAIC I managed a division of over 250 engineers, programmers, and analysts performing projects for 13 U.S. government agencies. I was also the VP of Operations for 2 small businesses. These positions
    reinforced the importance of compelling value propositions and business cases for programs and decisions.

    Volunteer Experience
    I have worked throughout my career in organizations to mentor young professionals to allow them to succeed in the workplace. For one group, the National Naval Officers Association, I was a chapter president in two different chapters as well as the national Vice President for Membership. I also volunteer for organizations that benefit the cybersecurity profession, including the Security Innovation Network, and (ISC)² participating in JTAs and Item Writing Workshops. I am a voting member of the ISA 99 standards committee ISA99, Industrial Automation and Control Systems Security, which brings together industrial cybersecurity experts from across the globe to develop ISA standards on industrial automation and control systems security.

    As part of the communities I have lived and worked in, I have also worked in United Way campaigns, fundraisers for local charities or community needs.

  • Board Election FAQs Board Election FAQs

    How does the (ISC)² Board of Directors election process work?


    The election takes place for two weeks every year. All members in good standing as of the date specified in the election notice and of the date of the election may vote. The Board puts forth several recommended candidates each year, and members in good standing as of the date specified in the election notice may petition to have their names added to the ballot.


    Who is eligible to vote in the Board election?


    (ISC)² credential holders in good standing as of as of 15 May 2019 and the date of the election 12 September 2019 can participate in the Board of Directors election process.


    Why are only some Board positions available for election?


    Board members are elected to three-year terms, and those terms are staggered so that only one-third of the members stand for election each year. This is consistent with common practices for nonprofit organizations, providing continuity of leadership and stewardship.


    Why doesn't the Board place a call for nominations?


    Early in the year, the Board begins looking for potential candidates for the Board. This review begins by asking for suitable nominations from its various advisory boards and committees. This search typically yields approximately 25 potential candidates. The Nominations Committee then spends time vetting the candidates against various criteria listed below. This nomination and vetting process ensures that candidates have demonstrated their ability and desire to provide their time and energies to the organization over an extended period of time and are likely to be productive Board members.


    What does the Board look for in candidates it puts forth on its endorsed slate?


    When assembling the endorsed slate every election year, the Board is looking for a balance of experience and particular personal characteristics. Prospective Board candidates must:

    • Have an established record of leadership in the field of information systems security.
    • Have experience in a managing or directing strategic program across an enterprise.
    • Have earned the respect and trust of peers in the subject of information security.
    • Have an established record of advancing the field of information security.
    • Have not been a salaried employee of (ISC)² or its affiliates.
    • Possess the ability to: listen, analyze, think clearly and creatively, and work well with people both individually and in a group.
    • Have the willingness to prepare for and attend four or more in-person board meetings, weekly teleconferences and committee meetings, ask questions, take responsibility and follow through on a given assignment, and read and understand financial statements.
    • Create opportunities for (ISC)².
    • Have a commitment from his or her employer to support the time off from work required to support this commitment.
    • Have a willingness to cultivate and recruit future Board members and other volunteers.
    • Possess honesty, sensitivity to and tolerance of differing views, and a desire to serve as a member of a team.
    • Be friendly, responsive, and patient in dealings with fellow Board members, and possess a sense of humor.
    • Adhere to the (ISC)² Code of Ethics.
    • Promote the agreed collective Board opinion above their own personal views.
    • Advocate for the organization. Work for change or acceptance where organizational views do not mirror those of the Board member.
    • Refrain from bringing the organization into disrepute through personal actions or words.
    • Qualify for eligibility based on the current (ISC)² Bylaws.

    What selection criteria does the Board Nominations Committee use?


    The primary criteria used by the Nominations Committee are a matching of potential candidates to the ‘Experience and Personal Characteristics’ described above. The Committee will not nominate anyone whom the members feel, or know from experience, cannot meet these requirements. Above all, the Board is concerned with how well the membership will be served through the work and responsibilities of their proposed nominees.


    Can (ISC)² members nominate others for Board election?


    Yes. As detailed in the (ISC)² Bylaws, the name of any qualified person who agrees to serve if elected may be submitted by a signed, written petition, of at least 500 members in good standing as of the date of the election announcement, to the Board at least 60 days in advance of the start of the election.


    Why do the Bylaws set 500 members in good standing as the requisite number for the petition process?


    When the membership ratified the current Bylaws, they determined one percent was seen as a low enough number that could reasonably be achieved by any member, particularly given that signatures could be electronic and the numerous mediums that are available, both official and unofficial, for gathering those signatures. The Bylaws set a number that would not be so small as to make the process so easy as to be perfunctory and not accurately reflect the size of the organization but at the same time not so large as to be an impediment.


    Does (ISC)² notify the membership when and how to recommend Board member candidates or prepare a petition for candidacy?


    While (ISC)² is not required to notify the membership of any deadline pertaining to the petition process according to its Bylaws, (ISC)² notifies its members of petition procedures and deadlines every year. The Bylaws provide that petitions for names to go on the official ballot must be received no later than sixty (60) days prior to the election in time for the Board to ensure that they are otherwise qualified and agree to serve if elected and to place them on the official ballot. Eligible members may vote for any qualified candidate who agrees to serve.


    What are the instructions for submitting petitions* to nominate a Board candidate?


    To submit a petition, follow these steps:

    • No later than the deadline, submit a written or electronic petition to (ISC)², containing the signatures of no less than 500 (ISC)² members who are in good standing.
    • For electronic petitions, the candidate must submit an e-mail that contains (a) original encapsulated emails from supporters using their e-mail address of record and providing their (ISC)² member ID number; and, (b) an Excel spreadsheet listing of all such names with corresponding email address of record and (ISC)² member ID number.
    • All petitions will be verified to ensure that they meet all of the requirements. If yours does not, we will notify you as soon as possible, giving you the opportunity to resolve the matters that prevented your first submission from being accepted and submit a corrected petition.
    • If someone else nominates you, you may decline the nomination.

    *NOTE: (ISC)² does not endorse petitions. It is up to petitioners to promote their own petition and encourage other members to visit the site and "sign" their petition. (ISC)² will, however, send one email message per election year to all members on behalf of any candidate providing a link to more information about that candidate.


    Other than receiving the required number of petition signatures, what determines if a candidate is qualified?


    The minimum qualifications, as set forth in the Bylaws, are that the candidate be a member in good standing, have sufficient command of the English language, meet the term limits requirement, and agree to serve if elected. Members may vote for anyone who meets this minimum qualification. See the question titled, "What does the Board look for in candidates?" for more details on candidate qualifications.


    Where should I go if I have questions any about the Board of Directors election?

  • Board Election Timeline Board Election Timeline


    15 May 2019

    Announcement of election

    14 June 2019

    Board slate of nominees and electronic petition procedures announced

    14 July 2019, 5:00 P.M. EDT

    Deadline to submit petitions to ballot

    05 September 2019

    Announcement of instructions for electronic voting

    12 September 2019, 8:00 A.M. EST

    Electronic voting begins

    26 September 2019, 5:00 P.M. EST

    Electronic voting ends