Greg van der Gaast is a pioneering cybersecurity speaker and thought leader known for his unconventional journey from infamous hacker to global security executive.
With decades of experience spanning technical operations, leadership, and strategy, Greg challenges outdated security norms and advocates for business-aligned, human-centric approaches to cyber defence.
We spoke with Greg to explore the lessons of his early hacking years, the persistent vulnerabilities still facing UK businesses, and how leadership in cybersecurity must evolve to drive meaningful, lasting impact.
Your early career as a hacker is widely known, and even labelled as infamous. How did these formative experiences shape your perspective on cybersecurity, and in what ways did they ultimately influence your transition into ethical hacking and cyber defence?
It’s interesting because, in a way, it gave me an attention to detail around what causes breaches. But, somewhat unusually, I think what it influenced most was my defensive mindset.
Back then, you built a computer, installed your operating system, and then joined a chat room full of hackers. We didn’t have broadband or home routers. Your computer was directly connected to the Internet, and there were no firewalls yet.
If you hadn’t secured it — locked it down, patched everything, updated everything — hard drives still made noise back then, and about 30 seconds after joining that chat room, your hard drive would start making a lot of noise. Things would start shutting down, and you’d have to reinstall Windows.
So, oddly enough, that’s probably what stuck with me the most — making absolutely sure that everything is properly locked down.
Businesses across all sectors are increasingly under threat from cyberattacks. In your view, what’s the most significant and persistent cybersecurity threat facing UK organisations today? And why does it remain so difficult to address despite years of awareness?
Everyone will say ransomware, but ransomware is really just a payload — it’s a way of monetising a breach. What’s actually shocking is that the way companies get breached, the way attackers get in, hasn’t really changed in the 25 years I’ve been doing this.
People are still not building systems properly. They’re not maintaining them properly. They’re still not doing asset inventories, they’re not patching effectively, their processes are poor, and they lack consistency in how they operate. It’s like living in a house with a thousand doors and windows, with several of them constantly being left open.
That’s how attackers get in.
For large businesses and organisations, you need a holistic, business-aligned security approach — one that’s genuinely proactive and integrated with how the business operates. That’s how you come up with effective, sustainable ways of doing things, instead of relying on the current security status quo, which is essentially: ‘just buy another tool’.
Cybersecurity is often discussed in highly technical terms, but effective leadership in the field goes far beyond frameworks and compliance. In your experience, what defines true leadership in cybersecurity? And what’s missing from how the industry currently approaches it?
I think leadership is leadership. It shouldn’t be defined by cybersecurity specifically.
I see so many leadership courses in cybersecurity focused on tech, frameworks, compliance — things like that. But I’ve found that being able to have a proper, human conversation with an executive is incredibly refreshing for them.
Speak in plain English. Don’t be that really boring person nobody wants to ask to dinner. You’d be surprised how much more traction you get when you communicate clearly and openly.
In security, we’re often shielded because people don’t really understand what we’re talking about — we’re the ‘geeks’. And when something goes wrong, nobody wants to deal with us.
I was at a conference a few years ago where boards were asked why they fund their security teams or give CISOs money. The most popular answer — at 35% — was simply to make them go away. Not because they’d justified a strategy, approach, or ROI, but because they were seen as annoying or difficult to be around.
I don’t believe security should be treated purely as a cost centre — and I mean that beyond just risk. Security should provide value to the business — ideally, it should help generate more revenue than it consumes. And if you’re reducing risk in the process, that’s a bonus.
Reflecting on your journey, from technical expertise to leadership at the board level, what’s one piece of advice you’d offer your younger self — or to others just starting out — to help them grow both professionally and personally in the cybersecurity field?
I’ve had a hugely transformational journey. I suffered from what I call “Rockstar Syndrome” at an early age — I was very technically strong, quite arrogant, highly certified, and doing lots of things.
Eventually, I hit a point in my career where things became quite dire. I thought, “I may as well just give away everything I know.” And that’s when the real transformation happened — when I started sharing everything I knew, helping others without expecting anything in return.
That’s when the recognition started. People began to see that I actually knew what I was talking about. It automatically positioned me as an authority, and that changed everything. It opened the door to the leadership roles I now hold, operating at the C-level and board level, leading my own teams.
And my teams. They’re not just colleagues. They’re my people. They’re like family. I love them to bits.
This interview with Greg van der Gaast was conducted by Mark Matthews.