Interview with a CISO: Greg van der Gaast

This week we speak to Greg van der Gaast, one of the most notorious hackers of the ’90s and a participant in the largest mass hack of all time.

Today, Greg is a leading voice on information security and takes an alternative humanistic approach to security solutions.

He has over two decades of technical, management, and leadership experience in the field. A passionate speaker on visibility, care, and accountability to the Information Security industry, he breaks our industry’s current reactive status quo.

This is a great 3rd edition of Interview with a CISO.


What will CISOs look like in 5 years?

More business-aligned, and they will have more of a Business Leader role than the traditional security role we see today. The trend is already starting. Traditionally IT has had poor leadership. There is an opportunity to break away from that, in the same way many CIOs have become CEOs, because every business is now a tech business. CISOs have this opportunity as well.

What three books would you recommend to aspiring security leaders? (They do not need to be security-related.)

The Advantage by Patrick Lencioni

Cyber Security Leadership by Mansur Hasib

Start With Why by Simon Sinek

You started as a prominent hacker in the ’90s and are now a renowned CISO. How has this affected your approach to security?

When you’re trying to manipulate systems to do something they’re not supposed to be doing, you have to look at the fine details – how things are actually built behind the scenes. As such, I have a desire to build things properly; and this includes company culture. Being one of the attackers, and by virtue of being surrounded by other attackers, made me realise how vital defence was, and now I scale that up to organisations.

What three things would you change about the Security industry?

  1. The lack of a proactive approach – we need to be more proactive both in the business and in IT. Predominantly making improvements and bringing consistency: follow this, and you’ll have fewer issues.
  2. There should be a focus on the people within the security team, not certifications, not tick boxes, but understanding your people and helping them grow.
  3. Get rid of the obsession with standardisation. Look at things holistically and go back to dynamic problem-solving. Look at YOUR business, YOUR people, YOUR culture, YOUR revenue streams, YOUR infrastructure, YOUR issues, stop trying to apply standard controls.

How do you educate the board on security?

The board doesn’t pay me to educate them; they pay me to solve a problem for them. And to solve that problem, I need to have their trust; it’s all about building that relationship.

If you weren’t a CISO, what would you be doing?

I’d race cars all day, World Endurance Championship specifically.

What is your approach when hiring?

I take a collective approach and work to applicants’ strengths rather than boxing someone to the confines of a job spec. My approach is flexible. I don’t follow a cookie-cutter approach; why lose out on a talented team member and not utilise important traits and skills because they didn’t meet a rigid job spec? We are a team, and we complement each other.

Favourite security-related movie or show?

Hackers – Angelina Jolie