Dr Steven J Bailey


A Doctor of Business Administration in Information Security and Risk Management from Harvard Business School. Steven is a highly accomplished individual in the field of Information Security with a career spanning nearly forty years in security. An experienced CISO and SME in Security Strategy, Governance, IT/Information Risk, Policy, Standards, Compliance, Controls, Assurance, Data Protection and Business Continuity.

An expert in his field and recognised leader by his peers, Steven has had the honour of undertaking one-to-one briefings of two British Prime Ministers, at Downing Street relating to the threats to the UK’s Critical National Infrastructure and the associated risk impact on UK Plc. A number of cabinet ministers (Home Secretaries, Foreign Secretary and Defence Secretaries) have also been briefed by him on similar matters.

Author of no less than 200+ published papers and articles, Steven is now writing his third book, “Enterprise Governance and Security Strategies”. A much sought-after international speaker Steven has been on the global speaking circuit since 1991. And former Vice-President of the London chapter of the Information Systems Audit and Control Association (ISACA).

Industry Contribution

    Steven has taken a very pro-active role within the security industry for many years. Of particular note:

  • A founding co-author of the original CobIT IT Governance and Controls Framework model;
  • Actively involved in the development of the original DTI Codes of Security Practice, transitioning it to become the BS 7799, then ISO 17799 and finally, ISO 27001 & 27002 security standards;
  • Continues to sit on an industry monitoring/review panel for ISO 27001 and ISO 27002;
  • Proactively involved in the development of ISO’s 27003, 27005 (Security Risk Management), 27011 (Telecommunications Security) and 31000 & 31100 (Enterprise Risk Management) standards and guidelines;
  • Sits on a Home Office Computer Crime advisory panel;
  • A proactive steering group member in the development of ISACA’s global qualification as a Certified Information Security Manager (CISM);
  • Actively involved as a panel member for ITIL Risk and Security practices.


Being both business and technically focussed, Steven continues to be extensively involved within the security industry in Strategy, Governance, Risk, Assurance and Compliance issues; actively working to improve the strategies, practices and methodologies in line with current business practices and technology trends.

Business Sectors

    Steven has worked in the following industry sectors:

  • Critical National Infrastructure
  • Finance (Banking and Investment)
  • Insurance
  • Telecommunications
  • Industrial
  • SMART & IoT Technologies
  • Central and Local Government
  • MoD
  • Media
  • Commerce
  • Oil and Gas
  • Utilities
  • Manufacturing

Key Experience

Strategy, Governance, Risk, Regulatory Compliance, Security Assurance and Compliance, Cloud Architecture, Applications Security and Data Protection/GDPR.

As an experienced Executive

Steven have gained extensive experience of Information Security and Cyber Risk, and its associated complexities impacting the business. This enables him to engage and communicate effectively to influence senior stakeholders and to provide a holistic and independent opinion on the risk profile of the organisation, challenging areas of mitigation or control weakness to the good or the organisation.

As Governance, Regulatory, Privacy and Compliance practitioner

As co-author of the original CobIT framework Steven is an expert in its application, as well the COSO Internal Control Integrated Framework. He has extensive leadership experience in the regulatory requirements of the DPA, GDPR, FCA, SOX, Basel II & III, MiFID, SAS70, Dodd Frank, Gramm–Leach–Bliley, PCI-DSS, GLBA, FISMA and HIPAA and the implementation and testing of these within formal frameworks.

As Risk practitioner

Intimately familiar with many Enterprise Level Risk Frameworks, including ISO 31000 and NIST SP 800-37, and the main assessment methodologies, vsRisk, 3LoD, HMG IAS1&2, ISO 27005 and IRAM I & II; but also CRAMM, COBRA, SARA, Octave, FIRM and SPRINT and a number of sector/environment specific methods, both qualitative and quantitative, with exposure to Operational, Financial, Credit and Insurance risk areas.

Particular familiarity with

NCSC/CESG IA Standards 1 through 6, the HMG Security Policy Framework (SPF), the ISF Standard of Good Practice (SoGP), the NIST Security Framework, the NIST SP800 series of Security Standards, the ISO 27000 series of Security Standards (including the development and implementation of ISMS’s); but also other standards relating to Compliance (ISO 19600), PCI-DSS, Cyber Essentials, Business Continuity (ISO 22301 and ISO 22313), Telecommunications (ISO 27011) and, Industrial/Process Controls and SCADA environments (ISO 27019, IEC 62443-2-1, IEC 62645 and ISA99); both general and sector specific.

At an Enterprise Security level

Steven regularly works with Industry and Government preferred methods; Zachman for Enterprise Architecture; SABSA for enterprise security architectures; TOGAF; MODAF; and, ITIL for service management. And having extensive experience in security use case development.

As a Technical Security Designer and Architect

Steven has a solid working knowledge of enterprise technology, specifically secure design, build and control methodologies aligned to relevant security standards and architectural practices; his technical knowledge and experience is very and includes AWS and Azure Cloud Technologies, O365, Big Data and complex Business Continuity needs.

As a general activity

Steven undertakes Research and Development projects in IT Forensics (a particular interest of his), Governance, Risk, Regulatory Compliance and Enterprise Security issues and their requirement’s within CobIT, IRAM, ISF SoGP, ISO 27001/27002 and ITIL. This includes developing appropriate tools to enable corporate compliance, reduce risk, improve efficiency and create value for IT; thereby making IT transparent and putting the business back in control.