I’m Klaus Agnoletti. I’ve spent a little over two decades in information security, most of it in Denmark, and a good part of it doing the work that sits between a compliance requirement and the people who actually have to act on it. Governance, risk and compliance on one side; incident response, security awareness and the day-to-day reality of a security team on the other. Translating between those two is most of the job.
I’ve done NIS2 and ISMS work, built security programmes around CIS Controls, run risk assessments and business impact analyses, and reported security to boards and executives in language they could actually use. Before going independent I worked at Deloitte, KPMG, NNIT and nemlig.com, among others.
I also think security is a human problem before it is a technical one. Policies and tools fail when security happens to people instead of with them. That is why I lean on storytelling and games: I built Malware & Monsters to train incident response by making a team actually make the calls, and I co-founded BSides København and KbhSEC to help build a security community people want to belong to. It is also why the games and articles here argue for tested capability over filed documents.
If you want to put that in front of your team, get in touch.
Want to put this in front of your team?
I run these as games your board and your responders actually take part in, not another slideshow. Tell me where your team is and what they need to practise, and we will set it up.