KURT HAGERMAN

khagerman59@gmail.com | www.linkedin.com/in/kurthagermanciso
425-802-6082
PROFILE

Current CISO. Technology business leader, expert in governance, risk & compliance. Security industry
thought leader.
Successful track record running governance, risk and compliance programs to support an enterprise's security
mission (both corporate and customer-facing). With significant experience leading information security teams
and serving as the lead risk officer, I tend to be known as a specialist in compliance standards (PCI, HIPAA,
ISO 27001, etc.) and how they apply to enterprise organizations. I've conducted hundreds of security reviews
and audits across a number of industries including the payment space, healthcare, financial services and higher
education.
I've been honored to be a frequent speaker on information security topics in the payments and health care
spaces, as well as on cloud security, and I've authored several published articles on the topics of compliance,
risk management, and cyber security.
Security & IT disciplines: Security and IT auditing, compliance, risk management, network engineering,
systems engineering and security engineering.
Specialties: Strategy & Governance; Enterprise Security Risk Management; Policy & Planning; Corporate
Leadership; Cybersecurity; IT Security; Project Management; Change Management

EXPERIENCE
2012-Present CISO - Chief Information Security Officer overseeing GRC programs
Armor Defense Inc. (formerly FireHost, Inc.), Richardson, Texas
(Cyber Security Services company with global presence in US, EMEA & APAC)
Hired as Director of Compliance in July of 2012 and promoted to CISO in January of 2013 with responsibility
for all aspects of the governance, risk and compliance side of the security mission at Armor for both corporate
and customer environments.

Created the company's first strategic, comprehensive, global information security, compliance and risk
management programs from scratch.
This effort resulted in Armor obtaining certification/validation against the Payment Card Industry
Data Security Standard (PCI DSS), HITRUST CSF (HIPAA Security), SSAE 16 SOC 1 and SOC
2 reports and ISO/IEC 27001:2005 and later 27001:2013.
Developed, maintained and published information security policies, standards and guidelines to
ensure that the company maintains the security and compliance of both its internal infrastructure
and secure cloud hosting environments in line with leading global security and compliance
frameworks including ISO 27001, PCI, HIPAA and SSAE 16/ISAE 3402. Oversaw the approval
and dissemination of security policies and practices to all company personnel.
Created an information security governance plan through the implementation of a hierarchical
governance structure, including the formation of an information security steering committee.
Established, maintained and operated a comprehensive enterprise risk management program.
Conducted the company's first comprehensive risk assessment that covered all aspects of the
business including technical, business and human risk analysis. Prioritized the risks, developed
mitigation strategies and presented the results to executive management for review and approval.
Oversaw and validated the implementation of approved risk mitigation measures.
Developed and managed enterprise change control program.

Established, maintained and presented a companywide security awareness training program.

Spearheaded a consolidated, biannual external audit program that reduced audit fees, internal costs &
operational disruption for Armor's PCI, HIPAA, SSAE 16 and ISO 27001 audits.
The 4 annual external audits Armor commissioned were negatively impacting the operational
teams. Each audit required the collection of essentially the same type of evidence and required
in-person interviews with a significant number of operations team members, resulting in two to three
week disruptions each quarter. This arrangement also led to higher audit costs due to the
duplicative efforts.

By comparing the requirements for each of the four audits I found significant overlaps among
pairings of audits. The PCI and HITRUST audit requirements overlapped by about 80% and the
ISO 27001 and SSAE 16 SOC audits overlapped by about 65%. I discussed my findings with our
two primary audit firms and developed a plan that consolidated the PCI and HITRUST audits in
the Spring and ISO 27001 and SSAE 16 SOC audits in the Fall. I was able to reduce the overall
audit costs by approximately 35% by getting the audit firms to recognize the efficiencies in this
approach and negotiating fees based on this.

Presenter/speaker at numerous US and international security trade shows and industry events, and author
of articles, blogs and webinars on cloud and cyber security, PCI and HIPAA compliance.
Speaking engagements include RSA, HIMSS, HITRUST, ISACA North Texas, CSA North Texas,
DAFP Big D Financial Conference, NetDiligence Cyber Risk & Privacy Forum, SecureWorld
Dallas, HIMSS Privacy & Security Forum, PCI London, iHT2, HealthTech NextGen, AKJ eCrime
Mid Year conference (London), InfoSecurity (London), Powering the Cloud (Frankfurt, Germany),
New York State Cyber Security Conference and Center for Identity Management Symposium.
Contributed articles for Healthcare IT News, SC Magazine, Technology Banker, Talking
Payments, Ecommerce Times, IT Briefcase, The Green Sheet and Business Cloud 9.
Numerous webinars and blog posts on topics including: PCI and HIPAA compliance, Data
Encryption, Cloud Security and Risk Management.
Represent Armor by speaking at and pitching the company's vision and solutions at PCI
Community meetings, Black Hat, HIMSS, VMWorld, HITRUST and PCI London.

Created and managed, with the VP of Infrastructure, the company's first-ever enterprise change
management program, immediately improving the up-time of Armor's secure cloud hosting
environments and culminating in 99.999% up-time within fifteen months.

Primary negotiator for all Terms of Service and Business Associate Agreements because of my ability to
effectively navigate difficult contractual security, compliance and risk issues.

Provide compliance and risk management oversight for infrastructure update projects and new product
development.

Consult with prospects and customers on PCI, HIPAA and general compliance and security best
practices. Develop solutions utilizing Armor services that help them meet their security and compliance
requirements.

Key asset for Sales team providing security & compliance credibility resulting in increased close ratios
and larger deal size.

Primary security & compliance contact for RFPs, customer audits, security questionnaires and customer
security and compliance questions. Lead customer onsite audits.

Security and compliance contributor to Marketing for company website, corporate presentations and
other marketing materials.

2008-2012 Managing Director, PCI Practice Director
Coalfire Systems, Inc., Seattle, WA and Dallas, TX
(Global provider of cyber risk management & compliance services)
Recruited from SAVVIS by co-founder Rick Dakin. Quickly promoted to Managing Director of the Seattle
office and named PCI Practice Director. Asked to open the Southwest region while still managing Seattle then
moved to Dallas as the Managing Director for the Southwest region.

Opened the Southwest region for the company including staffing, business development and delivery.
The company desired expansion in the Southwest starting in the Dallas area. Managed this effort
remotely from Seattle with frequent trips to Dallas where I hired and trained additional consultants
and worked on business development. Decided to move to Dallas to take on this region full time and
transitioned management of the Seattle office to a new managing director. Very quickly grew our
customer portfolio to include several marquee accounts including Heartland Payment Systems, Jack
Henry & Associates, Pier 1 Imports, Chuck E Cheese, Energy Future Holdings, TXU Energy and
NetSpend.

Led the team that won a significant security consulting/assessment opportunity with a large financial
services organization.
Engaged with this client to understand their requirements. I developed an alternate solution that I
believed would provide them with more value than what they had asked for. Presented both proposals
which led to being selected along with three of the Big 4 consulting firms to compete for the project.

Developed and led the final, live presentation to the Board of Directors selection committee. Coalfire
was awarded the contract based on our alternate solution and was praised by the CIO and Board
committee for thinking outside the box and delivering a proposal that more clearly articulated a
process for evaluating and improving on their security and risk management programs. The client
re-engaged us two years later, after completing the recommended remediation activities, to evaluate the
results of their work.

Engaged by the general counsel for a large publicly funded teaching hospital to perform a PCI
assessment and produce a gap analysis and remediation plan to give them a path to becoming compliant.
Discovered some serious security issues within the hospital's networks and healthcare systems within
the first week. The entire network including critical patient care equipment was reachable from an
unsecured and uncontrolled wireless network. Immediately delivered this news to the general counsel,
resulting in an expansion of the assessment to include a thorough network architecture and security
assessment targeted at providing them with solutions that would segment and isolate sensitive
networks and equipment and implement appropriate security controls to protect their entire network.

National PCI Practice Director

Set official Coalfire position for PCI controls regarding what was acceptable and required to meet
those controls; ensured that all audit staff understood and enforced the positions.
Performed quality assurance reviews for PCI reports on compliance.
Developed reporting templates and audit methodologies for the PCI practice to streamline the
assessment and reporting process.
Provided guidance and mentoring for all QSAs on the proper methodology for conducting PCI
assessments and interpreting/applying the PCI DSS to specific customer situations.

Hired, mentored and managed a staff of IT Security auditors and consultants in carrying out consulting
and audit services across multiple market verticals including the payment card industry (PCI), healthcare
(HIPAA and HITRUST), financial services (FFIEC, SOX 404, SSAE 16), risk management and general
security.

Worked with sales to develop new business opportunities, participate in sales calls, and determine the scope
and pricing for all engagements.

Assisted customers in understanding how compliance requirements apply to their business and in
evaluating the current state of their security controls program; making recommendations for
improvements to close identified gaps.

Advised customers on the design and implementation of security and risk management programs that
meet a wide range of regulatory security and compliance standards and requirements.

Personally conducted over 200 projects across a wide range and size of customers in retail, payment
processors, service providers and others involved in the industry.

Reason for leaving: recruited by founder of FireHost (now Armor Defense)

2006-2008 Security Evangelist
SAVVIS, Inc., Seattle, Washington
(Managed hosting, network, security services)
Recruited as a Technical Sales Overlay Manager for Security Services due to recommendation by internal
sources. The role was renamed Business Solutions Manager in November, 2006. Promoted to Security
Evangelist in January, 2007.

Performed as a trusted advisor to clients, helping them develop security solutions leveraging SAVVIS
security and professional services.

Acted as the technical half of the Sales team; assisting with consistently growing revenue, increasing
market share, removing barriers of entry and creating new business opportunities through the
identification of the right type of customer, strategic pain point identification and more accurate selling
of solutions that are: current, relevant, audience specific, proven, componentized and customizable.

Developed and delivered product training and sales campaigns

Participated on sales calls/appointments and in account planning sessions

Provided the interface between Sales and internal product teams to fine-tune the product effectiveness,
allowing Sales to focus on managing our clients' needs and enhancing the customer experience.

Focused on security compliance, especially around PCI (payment card industry) to land new customers.

Supported sales teams in Western U.S. including Chicago, St. Louis, Dallas, Denver, Seattle, San
Francisco and Southern California.

Reason for leaving: recruited by founder of Coalfire based on internal PCI project interaction with
Coalfire staff hired to conduct an assessment.

2004-06 Senior Sales Engineer, NOC Operations Manager
Telesphere Networks Ltd. (acquired by Vonage in 2014), Scottsdale, Arizona
(Global managed voice and data services provider)
Recruited as Senior Sales Engineer by company co-founder with added roles in NOC Operations Management
and Customer Support.

Performed as the technical half of the sales team to develop solutions using TNL services to meet
customer needs. Created all network and soft switch programming documentation for each customer
solution.

Designed and programmed custom VoIP solutions using Cisco Avvid technology, including Call Center
applications.

Participated in the evolution of the TNL product portfolio, developing new products and services.

Designed and implemented an advanced security model for the TNL global network.

Responsible for the design and deployment of a network monitoring and reporting system for the
network.

Performed ongoing NOC support for network management, upgrades and maintenance as well as Cisco
soft switch programming.

Reason for leaving: Recruited by SAVVIS due to existing relationships with former Exodus colleagues
and my past work history at Exodus.

2004 Senior Sales Engineer, Product Development/Marketing
IP Sciences, Inc., Seattle, Washington
(Startup network performance monitoring and reporting company)
Recruited via internal recommendation as Senior Sales Engineer with added roles in Product Development and
Product Marketing.

Significant participant in defining new messaging for company including writing several marketing
pieces describing the product.

Performed significant competitive market research to determine direction for product roadmap as well as
new pricing options.

Developed initial specification for significant revision to the product UI and reporting functionality;
leading to an essentially new and much improved application.

Significant contributor in pricing discussions, driving a new, more competitive pricing model.

Provided technical sales support for several nationwide prospects.

Reason for leaving: company restructuring due to market conditions resulted in a large RIF that included
my position.

2001-03 Director Sales Engineering and Customer Support, Director of Test, Product Management Director responsibility
Widevine Technologies, Inc., Seattle, Washington
(Startup in encryption of streaming media/communications)
Recruited from Exodus by former customer and company co-founder as Director Sales Engineering and
Customer Support with later added role as Director of Test and director level responsibility for Product
Management. Named as contributor on several patents pending.

Spearheaded development of first commercial release. Worked with customers and sales team to identify
actual needs and collaborated with engineering to define the feature set for the first commercial release.
Managed release process and achieved on time release.

Managed the on-time completion of three software release cycles. Played a key role in the design process
including defining features and functionality.

Co-designed the core logic system for a new product line - a conditional access system aimed at the cable
TV market.

Member of Technical Strategy Group to determine technical direction for the company. Contributed in
efforts to reposition the company and offerings post 9/11 to address radical shift in market. Participated
in identifying possible markets and decision to build two new products, one an encryption device and the
other a conditional access system. Company has gained traction in IP/digital television and fiber markets.

Developed Sales Engineering department objectives and growth plan. Provided technical sales support as
well as primary sales contact for many international clients and prospects. Developed and ran customer
technical support plan and system.

Tapped to head the test group of four testers. Designed web-based test case management tool that
allowed the testers and developers to work at their required level of detail while also providing roll-up
views of test progress and status for management. Integrated the test team into the development team,
ensuring that new products would have built-in testability. Ran bug triage meetings.

Reason for leaving: economic downturn resulted in a majority of the employees being laid off.

1998-01 Senior Solutions Architect
Exodus Communications, Seattle, Washington
(Startup hosting and managed services provider)
Recruited to this start-up early on (employee #230) as a Senior Sales Engineer and was promoted to Senior
Solutions Architect.

Supported entire local sales team (7 members) from hire through most of 1999. Assisted all sales
executives in qualifying for Club in 1998, 1999, and 2000. Team consistently ranked in top 3 regions of
the company. Recognized personally as West Region SE of the Year for 1999 and Company-wide SE of
the Year for 2000.

Drove increase in average customer sale by 2 to 4 times within first six months through consultative sales
approach; mentoring sales force to use similar methods.

Consulted with customers to identify both business and technical needs and translate these goals into
achievable technical solutions that were appreciatively received. Designed initial web infrastructures for
many high profile, Seattle based Internet startups.

Initiated contact and was primary technical representative for named accounts including Microsoft,
Boeing, Washington Mutual Bank, Nike, Starbucks, and Nordstrom and significant dot-com customers
including Drugstore.com, Senada, Network Commerce, Avenue A, and Activate.

Loaned out to other regions to assist with complex, high profile opportunities.

Go-to person for RFP responses due to my excellent writing skills and innovative solution design. Built
up initial database of responses that was used to jump start a dedicated RFP team.

Led negotiations and developed technical solution for Microsoft to provide them with a dramatic
increase in data center capacity. The solution provided for significantly higher server density and metered
power (both firsts for Exodus) on financial terms that enabled Exodus to remain profitable and deliver
100% of Microsoft's needs while protecting capacity availability for other customers in its new Seattle
data center.

Member of 3-person team on special project for Nike (Whatever.com campaign). Successfully developed
streaming media delivery solution for this advertising campaign; provided the high-volume capacity to
carry streaming media for a potentially overwhelming traffic load while retaining URL branding.

Designed the web infrastructure for initial release of the Nordstrom.com website based on input from the
Nordstrom project team as well as from the Microsoft and Dell consulting teams.

Reason for leaving: Recruited by CFO of Widevine based on a prior working relationship.

1996-98 Senior Consultant
VANSTAR, Redmond, Washington
(Value Added Reseller - Consulting Division)
Recruited out of Seafirst as the first Senior Consultant of the Enterprise Technologies team outside of the
Atlanta headquarters. Led and managed multiple large, complex projects for Fortune 500 clients.

Provided pre-sales technical support for local sales staff. Worked with marketing manager and
professional sales executives to qualify and develop consulting/service opportunities.

Provided strategic and tactical technical and security consulting, design and implementation services for
Microsoft BackOffice technology to customers.

Primary lead for complex IT migration projects. Designed and implemented a JAD based methodology
to facilitate migration projects. Conducted multiple JAD sessions for large enterprise clients.

Took on North America-wide SMS design/implementation for large financial services company in New
York City that had not been properly scoped. Engaged with senior representatives from the client to
understand their needs and requirements and provided strategic and tactical guidance to realign the
project to meet their business and technical goals and timeline. Successfully built collaborative
relationships throughout the organization that allowed me to complete the project on time and on budget.
Client senior management gave me accolades on the success of the project and communicated this to my
management.

Contracted as Consulting Engineer on Starbucks Coffee company wide desktop migration engagement.
The project was at risk due to infighting and lack of cooperation among various IT departments. The CIO
recognized this and elevated my role to primary project manager due to my having developed
collaborative relationships with multiple departments within the business and IT organization. I was able
to foster cooperation among the many groups and successfully guide the project to completion on time.
In addition to this responsibility, I also provided both strategic and tactical technology and security
guidance for the project and added and managed three other consultants from my organization.

Assigned as Lead Consultant for International PC Arcade project due to my expertise in systems design
and integration. Client was designing a new video arcade game platform based on standard PC
components rather than the prevailing embedded systems approach. Used my knowledge of current
technologies and problem solving skills to define technical and security requirements and develop
several innovative approaches to solving the problem. Worked with client to vet each solution and
determine the final approach.

Reason for leaving: I was looking to advance my career in the new Internet space.

1994-96 Senior Systems Engineer
SEAFIRST BANK, Seattle / COMPUCOM SYSTEMS, INC., Bellevue, Washington
Hired as contract on-site systems engineer through CompuCom Systems and subsequently was hired on by the
bank as Senior Systems Engineer with responsibility for technical consulting, design, and implementation
services to internal bank clients.

Assigned to team tasked with the largest, most technically challenging projects in the bank. Co-led team
responsible for setting standards for all desktop and laptop computers and served as a main technical
resource for other teams.

Tagged directly by CIO as lead technical consultant for the Internet Advisory Group and LAN-based
Messaging Team.

Built collaborative relationships within multiple departments within the bank to understand their
computing needs and develop innovative distributed computing solutions to help them achieve higher
performance. One of two people assigned to support the Finance group within the bank.

Successfully transitioned Finance from all Mainframe based to PC based distributed computing including
the design, implementation and management of the only Novell based Ethernet network in the bank.

Reason for leaving: Actively recruited by head of national consulting practice at Vanstar.

1992-94 Systems Engineering Manager
COMPUNET SUPPORT SYSTEMS, INC., Dallas, Texas
Hired as a network engineer and rapidly promoted to managing and mentoring a team of engineers.

Participated in business development and sales providing engineering and technical support that resulted
in growth of the business from $500k to $3 million in the first year and doubling to $6 million the second
year.

Utilized advanced problem solving skills and the ability to work collaboratively with all client
departments to design innovative network computing solutions.

Directed and managed the design, implementation and ongoing maintenance for multiple Novell network
based infrastructures for clients.

Initiated, developed and delivered business process re-engineering services to facilitate clients' full
utilization of the computing technology we implemented.
Designed and implemented new process flows to streamline clients' existing word processing and
spreadsheet use, leading to increased efficiency and higher productivity.

Transformed and extended client IBM Selectric macros to word processing applications to
facilitate the transition from typewriters to PC computing.

Mentored and developed engineering staff technical and customer service skills.

Reason for leaving: relocated to support my wife in caring for her aging parents.

PREVIOUS EXPERIENCE
Vice President Operations
O.G.P. Operating, Inc., Dallas, Texas, 1991
Hired as Vice President to oversee operations for small oil and gas company.

Automated all back office systems resulting in increased efficiency.

Implemented new workflows to streamline the end to end process of identifying a new prospect through
investment financing and operations for developing the prospect.

Managed accounting and finance functions.

Vice President
Kavanaugh Financial, Inc., Dallas, Texas, 1987-91
Recruited to provide syndication management and quickly promoted to Vice President and an officer of the
company. Took over day-to-day responsibility for the investment banking arm of the company at age 29 after
the sudden death of one of the two principals.

Performed initial due diligence and analysis of prospective syndications.

Negotiated terms, produced financial models and schedules and managed the syndication process for all
private placement syndications.

Marshaled a failed real estate deal through bankruptcy process, managed the deal post-bankruptcy and
negotiated sale of the property resulting in a full return of all investor capital preserving all tax benefits
and including a small return.

Provided sales support to broker dealers including presentations to investors.

Responsible for management oversight of all syndications as an officer of the general partner.

Automated financial analysis of prospective deals and production of all financial schedules for all
syndications.

Managed corporate Novell network and built and maintained corporate computers.

Syndication Manager
The Myers Group, Dallas, Texas / Seattle, Washington, 1984-87
Hired into the property management department and rapidly promoted to Syndication Manager where I
managed all aspects of the syndication process including initial financial analysis, producing all financial
schedules, interfacing with outside counsel and coordinating multiple internal departments to produce the
private placement memorandum.

Identified an issue with the existing financial structure for deals and independently created a new
structure that addressed the inequities among the classes of investors. Received approval from the
executive team and implemented the new model, resulting in the first new deal selling all investment
units in record time and all subsequent deals fully selling out.

Computerized the manual syndication financial calculations, reducing the time to produce all financial
data for syndications from ten hours to thirty minutes, with changes processed in seconds compared to
multiple ten hour cycles.

Integrated the computerized financial schedules and other dynamic elements of private placement
syndications with the word processing system, reducing the time to produce a private placement
memorandum from eight hours to one hour.

Developed database to track all aspects of partnership owned properties.

EDUCATION

B.S., Industrial Management, Purdue University, 1983. This degree was pioneered by Purdue to place
technically oriented people into management jobs within the manufacturing industry. It requires a
technical/science minor combined with a management major.
Professional Certifications
Certified Information Systems Security Professional (CISSP) certification earned in 2006 (active).
Certified Information Systems Auditor (CISA) certification earned in 2008 (active).
Lapsed certifications: ABCP (Associate Business Continuity Planner) certification (2006), Microsoft MCSE
(1996), Compaq ASE, HP and IBM server technologies (1996)
Interests and Organizations
Sailing, cycling, golf, photography, reading
Member of ISACA, ISC2 and ISSA
Member of CSA North Texas chapter