Greg van der Gaast is a pioneering cybersecurity speaker and thought leader known for his unconventional journey from notorious hacker to global security executive.
With decades of experience spanning technical operations, leadership, and strategy, Greg challenges outdated security norms and advocates for business-aligned, human-centric approaches to cyber defence.
We spoke with Greg to explore the lessons of his early hacking years, the persistent vulnerabilities still facing UK businesses, and how leadership in cybersecurity must evolve to drive meaningful, lasting impact.
Your early career as a hacker is widely known, and even labelled as notorious. How did these formative experiences shape your perspective on cybersecurity, and in what ways did they ultimately influence your transition into ethical hacking and cyber defence?
It's interesting because, in a way, it gave me an attention to detail around what causes breaches. But, somewhat unusually, I think what it influenced most was my defensive mindset.
Back then, you built a computer, installed your operating system, and then joined a chat room full of hackers. We didn't have broadband or home routers. Your computer was directly connected to the Internet, and there were no firewalls yet.
If you hadn't secured it — locked it down, patched everything, updated everything — hard drives still made noise back then, and about 30 seconds after joining that chat room, your hard drive would start making a lot of noise. Things would start shutting down, and you'd have to reinstall Windows.
So, oddly enough, that's probably what stuck with me the most — making absolutely sure that everything is properly locked down.
Businesses across all sectors are increasingly under threat from cyberattacks. In your view, what is the most significant and persistent cybersecurity threat facing UK organisations today? And why does it remain so difficult to address despite years of awareness?
Everyone will say ransomware, but ransomware is really just a payload — it's a way of monetising a breach. What's actually surprising is that the way companies get breached, the way attackers get in, hasn't fundamentally changed in the 25 years I've been doing this.
People are still not building systems properly. They're not maintaining them properly. They're still not doing asset inventories, they're not patching effectively, their processes are poor, and they lack consistency in how they operate. It's like living in a house with a thousand doors and windows, with several of them constantly being left open.
That's how attackers get in.
For large businesses and organisations, you need a holistic, business-aligned security approach — one that's genuinely proactive and integrated with how the business operates. That's how you come up with effective, sustainable ways of doing things, instead of relying on the current security status quo, which is essentially: 'just buy another tool'.
Cybersecurity is often discussed in highly technical terms, but effective leadership in the field goes far beyond frameworks and compliance. In your experience, what defines true leadership in cybersecurity? And what's missing from how the industry currently approaches it?
I think leadership is leadership. It shouldn't be defined by cybersecurity specifically.
I see so many leadership courses in cybersecurity focused on tech, frameworks, compliance — things like that. But I've found that being able to have a proper, human conversation with an executive is incredibly refreshing for them.
Speak in plain English. Don't be that really boring person nobody wants to invite to dinner. You'd be surprised how much more traction you get when you communicate clearly and openly.
In security, we're often shielded because people don't really understand what we're talking about — we're the 'geeks'. And when something goes wrong, nobody wants to deal with us.
I was at a conference a few years ago where boards were asked why they fund their security teams or give CISOs money. The most popular answer — at 35% — was simply to make them go away. Not because they'd justified a strategy, approach, or ROI, but because they were seen as annoying or difficult to be around.
I don't believe security should be treated purely as a cost centre — and I mean that beyond just risk. Security should provide value to the business — ideally, it should help generate more revenue than it consumes. And if you're reducing risk in the process, that's a bonus.
Reflecting on your journey, from technical expertise to leadership at the board level, what's one piece of advice you'd offer your younger self — or to others just starting out — to help them grow both professionally and personally in the cybersecurity space?
I've had a hugely transformational journey. I suffered from what I call "Rockstar Syndrome" at an early age — I was very technically strong, quite arrogant, highly certified, and doing a lot of things.
Eventually, I hit a point in my career where things became quite dire. I thought, "I may as well just give away everything I know." And that's when the real transformation happened — when I started sharing everything I knew, helping others without expecting anything in return.
That's when the recognition started. People began to see that I actually knew what I was talking about. It automatically positioned me as an authority, and that changed everything. It opened the door to the leadership roles I now hold, working at the C-level and board level, leading my own teams.
And my teams. They're not just colleagues. They're my people. They're like family. I love them to bits.
This interview with Greg van der Gaast was conducted by Mark Matthews.