The book continued selling steadily.
The book was published by Auerbach (CRC Press) on January 8th.
After submitting the draft to Auerbach, we started work on this website and other activities to promote the book, spread the word about PRAGMATIC and look for opportunities to use and further develop the approach. We also applied for a patent. We began thinking about how to apply the method in disparate fields that are also crying out for better metrication and more scientific management.
We wrote the book. We met briefly face-to-face in California and Hawkes Bay, but relied heavily on Google Docs, email and the phone. Thanks Google: we couldn’t have done it without you!
By coincidence, Gary and Krag were both delivering security metrics workshop/training sessions in the same hotel in Wellington on the same day. A significant quantity of New Zealand’s finest cabernet sauvignon was consumed that evening and the world of security metrics was put to rights. You could say we got on like a house on fire. We met again later that year at Wellington airport to hatch our cunning plan to collaborate on writing the book.
Krag wrote Information Security Management Metrics, published by Auerbach. Gary read and was enthused by it. A few other thought leaders caught the wave but most infosec practitioners were presumably too busy to give it the time it deserved.
Gary wrote Seven Myths About Information Security Metrics for the ISSA Journal. It sank like a stone, with nary a ripple.
Prior to that
Gary and Krag followed parallel career paths, along the way developing common interests in information security, risk management, compliance, governance, IT audit, quality and, of course, security metrics. We both wrestled with the issue of how to measure information security in such a way that management (a) understood what on Earth we were going on about, and (b) found the information useful and motivating enough to Do Something About It. We both tried different approaches. We realized that we were not alone in struggling with this, as is plainly evident from many other books, articles, standards and conversations with other infosec pros.