I'm Gary, the author
I am Dr Gary Hinson PhD, MBA. With a career spanning four decades in the information risk and security domain, I have come to appreciate the value of global alignment and coordination within the field, particularly concerning the language we share.
I am a research scientist by background. As such, given the choice, I prefer demonstrable facts, precision, accuracy, integrity and objectivity over personal opinions and feelings. I value rationality, clarity, consistency, honesty and transparency in communications. [And, yes, I appreciate that's my subjective perspective!]
I am also a wordsmith, an author, a writer by trade. As anyone who has read my papers and audit reports, visited my websites, blogs and social media outpourings will doubtless appreciate, I write a lot - including this very piece. You may feel it is a long-winded ramble and yes again, you're right ... but the definition of "cybersecurity" is a crackin' illustration of what I believe is a significant issue in the profession - or is it a trade? An industry? A pastime? A career? Who knows! The point is that we are bound to struggle if we can't even agree on the fundamental terms-of-art. If one person's "risk" is another's "threat", if you consider "cybersecurity" to be a superset of information security, whereas I believe it is a subset, we're setting off on the wrong foot, at odds even before we start debating. Loose language plus ambiguity with a heavy sprinkling of vagueness is a recipe for confusion, quite apart from the facts of the matter.
Following a microbiology/genetics post-doc in the early 1980s, I became a DEC system/network administrator at a UK pharmaceuticals R&D division. For two decades, primarily in the UK and Europe, I worked in technology and information risk, audit and information security management within major UK power generation, defence and manufacturing companies, gaining a broad understanding of the challenges across these sectors.
I side-stepped into consulting at the end of the '90s and set up IsecT Ltd., working mostly for large UK and European financial services companies in security advisory and internal auditing roles before emigrating to New Zealand in 2005.
Explaining 'cyber stuff' to managers, specialists and workers in general kept me amused for about 15 years, researching, writing and selling security awareness content for the NoticeBored subscription service.

The All Blacks - superb hakas!
Throughout my career, I have not only witnessed but also contributed, in a small way, to the evolution and maturity of this critical field. Long-term involvement with the committee behind the ISO/IEC 27000 standards, coupled with real-world experience of small, medium and large organisations across industries and continents, has instilled in me a strong preference for pragmatic, real-world solutions in cybersecurity. I'm keen to apply academic approaches, methods and models.
Thanks to an 'executive' MBA at the University of Bath in 2000, my focus gradually shifted from security operations towards governance, management, strategy, policy and metrics. The challenges of applying risk and security principles in resource-constrained environments have become increasingly evident through consulting for Small and Medium-sized Businesses and running my own micro-business. Coupled with ever-changing information risks, cybersecurity requires frequent realignment with both overarching business objectives and technology capabilities.
I have written extensively throughout my life, including academic papers and a PhD thesis, articles in trade journals, conference/seminar presentations, contributions to textbooks, plus literally thousands of management and audit reports, policies, awareness materials, mind maps, procedures, methods/standards, presentations, papers etc. For example, many of the items in the free ISO27k Toolkit were either written and maintained by me alone or in conjunction with members of the ISO27k Forum, supporting the user community with good quality if fairly basic materials.
For the more discerning professional, I offer a range of ISMS support materials for sale, including those specifically for the neglected management and technical/specialist audiences. My comprehensive suite of policy templates and gigabytes of security awareness content are available through SecAware.com, at very reasonable prices.
In conjunction with Krag Brotby, I wrote "PRAGMATIC Security Metrics" (Taylor & Francis/CRC Press, 2013), a textbook introducing a systematic method for designing, evaluating and maintaining security metrics. I remain deeply fascinated by the practical challenges of information risk and security measurement … and may yet return to the topic in other contexts, since the PRAGMATIC 'metametrics' method has broad application.