I work on cybersecurity risk in industry, manufacturing and energy, where downtime means safety incidents and production losses. My job is to make security a business decision, not a stack of documents that satisfies the auditor and changes nothing on the plant floor.
I have done this at scale. Building a global OT security programme across 40+ manufacturing sites cut response to the same class of incident from weeks to minutes.
Focus areas
Security programme design for industrial and energy environments. Project security architecture through buy-build-run lifecycle. Security governance that drives decisions, not documentation.
Fifteen years in industry, manufacturing and energy, spanning major incident and problem management, enterprise security governance, and OT security programme delivery.
I’m open to the right opportunity in security leadership, and to selected advisory work.
Featured content
Latest from the blog
Your certificate signals. It doesn’t tell you what to protect A certificate signals that you follow a recognised process. It won’t tell you your risk context, or what your programme should cover and what it shouldn’t. That decision is yours, and it is the part that actually reduces risk. 10 July 2026
OT telemetry in the SOC is the easy part Getting OT telemetry into the SOC is the easy 80%. The part that decides the outcome is organisational: who owns the assets, and how a detection becomes a safe action the automation team can actually take. 9 June 2026
AI in your business: the decision is yours, not the model’s The value of AI and its risk are the same feature. You cannot control the decision yet, only the boundary, so deploy AI only where you can accept the worst it can do, and stay out of everywhere else. 28 May 2026
Sizing cyber for the company you actually are A cyber programme for a newly standalone business should be dimensioned from its market position, management’s actual intentions, and the mandatory floor. Not scaled down from the parent’s programme. 26 May 2026
Risk appetite is not where you think it is Most organisations confuse risk appetite with risk tolerance. Between the two sits governance, and almost nobody manages that gap. 10 April 2026
Portfolio highlights
The ISMS beyond the certificate, why most organisations have an ISMS but not a management system, and what changes when compliance is no longer enough.
Core ISMS capabilities framework, a capability model covering governance, risk, controls, operations, and measurement within an ISMS.
System security concepts (7 articles) A methodology for implementing systematic security documentation within ISMS frameworks.
- The foundation of security governance, what security concepts are, stakeholder perspectives, and early planning principles
- Core components, how architectural choices transform threats across SaaS, cloud, and on-premise environments
- Control selection and security frameworks, proportionate response using ISO 27001/27002, NIST, IEC 62443, and CIS Controls
Capability sections covering Risk Management, Governance, Policy and Guidelines, Instructions, Communication, Controls, and Assurance are in development.
Research & publications
Technical writing and analysis on security frameworks and risk quantification.
Get in touch
If you’re hiring for security leadership in industrial environments, or want a second opinion on an existing programme, I’d be glad to talk.
This site is built with Quartz and published under CC BY 4.0.