Saturday, April 19, 2025

Cybersecurity management and evolving threats


Greg van der Gaast is a pioneering cybersecurity speaker and thought leader known for his unconventional journey from notorious hacker to international security executive.

With decades of experience spanning technical operations, management, and strategy, Greg challenges outdated security norms and advocates for business-aligned, human-centric approaches to cyber defence.

We spoke with Greg to discover the lessons of his early hacking years, the persistent vulnerabilities still facing UK companies, and how management in cybersecurity must evolve to drive meaningful, lasting impact.

Your early career as a hacker is widely known, and even labelled as notorious. How did those formative experiences shape your perspective on cybersecurity, and in what ways did they ultimately influence your transition into ethical hacking and cyber defence?

It’s fascinating because, in a way, it gave me an attention to detail around what causes breaches. However, somewhat unusually, I think what it influenced most was my defensive mindset.

Back then, you built a computer, installed your operating system, and then joined a chat room full of hackers. We didn’t have broadband or home routers. Your computer was directly connected to the Internet, and there were no firewalls yet.

If you hadn’t secured it — locked it down, patched everything, updated everything — hard drives still made noise back then, and about 30 seconds after joining that chat room, your hard drive would start making a lot of noise. Things would start shutting down, and you’d have to reinstall Windows.

So, oddly enough, that’s probably what stuck with me the most — making absolutely sure that everything is properly locked down.

Businesses across all sectors are increasingly under threat from cyberattacks. In your view, what’s the most significant and persistent cybersecurity threat facing UK organisations today? And why does it remain so difficult to address despite years of awareness?

Everyone will say ransomware, but ransomware is really just a payload — it’s a way of monetising a breach. What’s really stunning is that the way companies get breached, the way attackers get in, hasn’t fundamentally changed in the 25 years I’ve been doing this.

People are still not building systems properly. They’re not maintaining them properly. They’re still not doing asset inventories, they’re not patching effectively, their processes are poor, and they lack consistency in how they operate. It’s like living in a house with a thousand doors and windows, with a few of them constantly being left open.

That’s how attackers get in.

For large businesses and organisations, you need a holistic, business-aligned security approach — one that’s genuinely proactive and integrated with how the business operates. That’s how you come up with effective, sustainable ways of doing things, instead of relying on the current security status quo, which is basically: ‘just buy another tool’.

Cybersecurity is often discussed in highly technical terms, but effective management in the field goes far beyond frameworks and compliance. In your experience, what defines true management in cybersecurity? And what’s missing from how the industry currently approaches it?

I think management is management. It shouldn’t be defined by cybersecurity specifically.

I see so many management programs in cybersecurity focused on tech, frameworks, compliance — things like that. But I’ve found that being able to have a proper, human conversation with an executive is incredibly refreshing for them.

Speak in plain English. Don’t be that really boring person no one wants to invite to dinner. You’d be surprised how much more traction you get when you communicate clearly and openly.

In security, we’re often shielded because people don’t really understand what we’re talking about — we’re the ‘geeks’. And when something goes wrong, no one wants to deal with us.

I was at a conference a few years ago where boards were asked why they fund their security teams or give CISOs money. The most popular answer — at 35% — was simply to make them go away. Not because they’d justified a method, strategy, or ROI, but because they were seen as annoying or difficult to be around.

I don’t believe security should be treated purely as a cost centre — and I mean that beyond just risk. Security should provide value to the business — ideally, it should help generate more revenue than it consumes. And if you’re reducing risk in the process, that’s a bonus.

Reflecting on your journey, from technical expertise to management at the board level, what’s one piece of advice you would offer your younger self — or to others just starting out — to help them grow both professionally and personally in the cybersecurity space?

I’ve had a hugely transformational journey. I suffered from what I call “Rockstar Syndrome” at an early age — I was very technically strong, quite arrogant, highly certified, and doing a number of things.

Eventually, I hit a point in my career where things became quite dire. I thought, “I might as well just give away everything I know.” And that’s when the real transformation happened — when I started sharing everything I knew, helping others without expecting anything in return.

That’s when the popularity started. People began to see that I actually knew what I was talking about. It automatically positioned me as an authority, and that changed everything. It opened the door to the management roles I now hold, working at the C-level and board level, leading my own teams.

And my teams. They’re not just colleagues. They’re my people. They’re like family. I love them to bits.

Photograph by Ayrus Hill on Unsplash

This interview with Greg van der Gaast was conducted by Mark Matthews.
