I'm Gary, your author
I am Dr Gary Hinson, MBA. With a career spanning four decades in the information risk and security domain, I have come to appreciate the value of global alignment and coordination within the field, particularly concerning the language we share.
I am a research scientist by background, mildly autistic. As such, given the choice, I prefer demonstrable facts, precision, accuracy, integrity and objectivity over personal opinions and feelings. I value rationality, clarity, consistency, honesty and transparency in communications. [And, yes, I appreciate that's my subjective perspective!]

I am also a wordsmith, an author. As anyone who has read my outpourings will doubtless appreciate, I write a lot - including this very piece. You may feel it is a long-winded ramble and yes again, you're right ... but the definition of "cybersecurity" is a crackin' illustration of a significant issue in the profession: struggles are inevitable if we can't even agree on fundamental terms-of-art. If one person's "risk" is another's "threat", if you consider "cybersecurity" to be a superset of information security, whereas I believe it is a subset, we're at odds from the outset. Loose language plus ambiguity with a heavy sprinkling of vagueness is a recipe for confusion, quite apart from the facts of the matter.
Following a microbiology/genetics post-doc in the early 1980s, I became a DEC system/network administrator at a UK pharmaceuticals R&D division. For two decades, primarily in the UK and Europe, I worked in technology and information risk, audit and information security management within major UK power generation, defence and manufacturing companies, gaining a broad understanding of the challenges across these sectors.
I side-stepped into consulting at the end of the '90s and set up IsecT Ltd., consulting mostly for large UK and European financial services companies in security advisory and internal auditing roles before emigrating to New Zealand in 2005.
Explaining 'cyber stuff' to managers, specialists and workers in general kept me amused for 15 years, researching, writing and selling security awareness content for the NoticeBored subscription service.

Throughout my career, I have not only witnessed but also contributed, in a small way, to the evolution and maturity of this critical field. Long-term involvement with the committee behind the ISO/IEC 27000 standards, coupled with real-world experience of small, medium and large organisations across industries and continents, has instilled in me a strong preference for pragmatic, real-world solutions in cybersecurity. I'm keen to apply academic approaches, methods and models.
Thanks to an MBA from the University of Bath in 2000, my focus gradually shifted from security operations towards governance, management, strategy, policy and metrics. The challenges of applying risk and security principles in resource-constrained environments have become increasingly evident through consulting for Small and Medium-sized Businesses and running my own micro-business. Coupled with ever-changing information risks, cybersecurity requires frequent realignment with both overarching business objectives and technology capabilities.
I have written extensively throughout my life, from academic papers and a PhD thesis, articles in trade journals, conference/seminar presentations, contributions to textbooks, plus literally thousands of management and audit reports, policies, awareness materials, mind maps, procedures, methods/standards, presentations, papers etc. For example, much of the ISO27k Toolkit content is mine - basic ... but free.
For the more discerning professional, I offer a range of ISMS support materials for sale, including those specifically written for the much-neglected management and technical/specialist audiences. My comprehensive suite of policy templates and gigabytes of security awareness content are available through SecAware.com, at very reasonable prices.

In conjunction with Krag Brotby, I wrote "PRAGMATIC Security Metrics" (Taylor & Francis/CRC Press, 2013), a textbook introducing a systematic method for designing, evaluating and maintaining security metrics. I remain deeply fascinated by the practical challenges of information risk and security measurement … and may yet return to the topic in other contexts, since the PRAGMATIC 'metametrics' method has broad application.