Greg van der Gaast is a pioneering cybersecurity speaker and thought leader known for his unconventional journey from notorious hacker to international security executive.
With decades of experience spanning technical operations, leadership, and strategy, Greg challenges outdated security norms and advocates for business-aligned, human-centric approaches to cyber defence.
We spoke with Greg to explore the lessons of his early hacking years, the persistent vulnerabilities still facing UK businesses, and how leadership in cybersecurity must evolve to drive meaningful, lasting impact.
Your early career as a hacker is widely known, and even labelled as notorious. How did these formative experiences shape your perspective on cybersecurity, and in what ways did they ultimately influence your transition into ethical hacking and cyber defence?
It’s interesting because, in one way, it gave me an attention to detail around what causes breaches. But, somewhat unusually, I think what it influenced most was my defensive mindset.
Back then, you built a computer, installed your operating system, and then joined a chat room full of hackers. We didn’t have broadband or home routers. Your computer was directly connected to the Internet, and there were no firewalls yet.
If you hadn’t secured it — locked it down, patched everything, updated everything — hard drives still made noise back then, and about 30 seconds after joining that chat room, your hard drive would start making a lot of noise. Things would start shutting down, and you’d have to reinstall Windows.
So, oddly enough, that’s probably what stuck with me the most — making absolutely sure that everything is properly locked down.
Businesses across all sectors are increasingly under threat from cyberattacks. In your view, what is the most significant and persistent cybersecurity threat facing UK organisations today? And why does it remain so difficult to address despite years of awareness?
Everyone will say ransomware, but ransomware is really just a payload — it’s a way of monetising a breach. What’s really shocking is that the way companies get breached, the way attackers get in, hasn’t fundamentally changed in the 25 years I’ve been doing this.
People are still not building systems properly. They’re not maintaining them properly. They’re still not doing asset inventories, they’re not patching effectively, their processes are poor, and they lack consistency in how they operate. It’s like living in a house with a thousand doors and windows, with several of them constantly being left open.
That’s how attackers get in.
For large businesses and organisations, you need a holistic, business-aligned security approach — one that’s genuinely proactive and integrated with how the business operates. That’s how you come up with effective, sustainable ways of doing things, instead of relying on the current security status quo, which is essentially: ‘just buy another tool’.
Cybersecurity is often discussed in highly technical terms, but effective leadership in the field goes far beyond frameworks and compliance. In your experience, what defines true leadership in cybersecurity? And what’s missing from how the industry currently approaches it?
I think leadership is leadership. It shouldn’t be defined by cybersecurity specifically.
I see so many leadership courses in cybersecurity focused on tech, frameworks, compliance — things like that. But I’ve found that being able to have a proper, human conversation with an executive is incredibly refreshing for them.
Speak in plain English. Don’t be that really boring person nobody wants to invite to dinner. You’d be surprised how much more traction you get when you communicate clearly and openly.
In security, we’re often shielded because people don’t really understand what we’re talking about — we’re the ‘geeks’. And when something goes wrong, nobody wants to deal with us.
I was at a conference a few years ago where boards were asked why they fund their security teams or give CISOs money. The most popular answer — at 35% — was simply to make them go away. Not because they’d justified a strategy, approach, or ROI, but because they were seen as annoying or difficult to be around.
I don’t believe security should be treated purely as a cost centre — and I mean that beyond just risk. Security should provide value to the business — ideally, it should help generate more revenue than it consumes. And if you’re reducing risk in the process, that’s a bonus.
Reflecting on your journey, from technical expertise to leadership at the board level, what’s one piece of advice you’d offer your younger self — or to others just starting out — to help them grow both professionally and personally in the cybersecurity field?
I’ve had a hugely transformational journey. I suffered from what I call “Rockstar Syndrome” at an early age — I was very technically strong, quite arrogant, highly certified, and doing plenty of things.
Eventually, I hit a point in my career where things became quite dire. I thought, “I might as well just give away everything I know.” And that’s when the real transformation happened — when I started sharing everything I knew, helping others without expecting anything in return.
That’s when the recognition started. People began to see that I actually knew what I was talking about. It automatically positioned me as an authority, and that changed everything. It opened the door to the leadership roles I now hold, operating at the C-level and board level, leading my own teams.
And my teams. They’re not just colleagues. They’re my people. They’re like family. I love them to bits.
This interview with Greg van der Gaast was conducted by Mark Matthews.