Greg van der Gaast is a pioneering cybersecurity speaker and thought leader known for his unconventional journey from infamous hacker to global security executive.
With decades of experience spanning technical operations, leadership, and strategy, Greg challenges outdated security norms and advocates for business-aligned, human-centric approaches to cyber defence.
We spoke with Greg to explore the lessons of his early hacking years, the persistent vulnerabilities still facing UK businesses, and how leadership in cybersecurity must evolve to drive meaningful, lasting impact.
Your early career as a hacker is widely known, and even labelled as infamous. How did those formative experiences shape your perspective on cybersecurity, and in what ways did they ultimately influence your transition into ethical hacking and cyber defence?
It’s interesting because, in one way, it gave me an attention to detail around what causes breaches. But, somewhat strangely, I think what it influenced most was my defensive mindset.
Back then, you built a computer, installed your operating system, and then joined a chat room full of hackers. We didn’t have broadband or home routers. Your computer was directly connected to the Internet, and there were no firewalls yet.
If you hadn’t secured it — locked it down, patched everything, updated everything — then about 30 seconds after joining that chat room your hard drive would start making a lot of noise (hard drives still made noise back then). Things would start shutting down, and you’d have to reinstall Windows.
So, oddly enough, that’s probably what stuck with me the most — making absolutely sure that everything is properly locked down.
Businesses across all sectors are increasingly under threat from cyberattacks. In your view, what is the most significant and persistent cybersecurity threat facing UK organisations today? And why does it remain so difficult to address despite years of awareness?
Everyone will say ransomware, but ransomware is really just a payload — it’s a way of monetising a breach. What’s truly shocking is that the way companies get breached, the way attackers get in, hasn’t fundamentally changed in the 25 years I’ve been doing this.
People are still not building systems properly. They’re not maintaining them properly. They’re still not doing asset inventories, they’re not patching effectively, their processes are poor, and they lack consistency in how they operate. It’s like living in a house with a thousand doors and windows, with several of them constantly being left open.
That’s how attackers get in.
For large businesses and organisations, you need a holistic, business-aligned security approach — one that’s genuinely proactive and integrated with how the business operates. That’s how you come up with effective, sustainable ways of doing things, instead of relying on the current security status quo, which is essentially: ‘just buy another tool’.
Cybersecurity is often discussed in highly technical terms, but effective leadership in the field goes far beyond frameworks and compliance. In your experience, what defines true leadership in cybersecurity? And what’s missing from how the industry currently approaches it?
I think leadership is leadership. It shouldn’t be defined by cybersecurity specifically.
I see so many leadership courses in cybersecurity focused on tech, frameworks, compliance — things like that. But I’ve found that being able to have a proper, human conversation with an executive is incredibly refreshing for them.
Speak in plain English. Don’t be that really boring person no one wants to invite to dinner. You’d be surprised how much more traction you get when you communicate clearly and openly.
In security, we’re often shielded because people don’t really understand what we’re talking about — we’re the ‘geeks’. And when something goes wrong, no one wants to deal with us.
I was at a conference a few years ago where boards were asked why they fund their security teams or give CISOs money. The most popular answer — at 35% — was simply to make them go away. Not because they’d justified a strategy, approach, or ROI, but because they were seen as annoying or difficult to be around.
I don’t believe security should be treated purely as a cost centre — and I mean that beyond just risk. Security should provide value to the business — ideally, it should help generate more revenue than it consumes. And if you’re reducing risk in the process, that’s a bonus.
Reflecting on your journey, from technical expertise to leadership at the board level, what is one piece of advice you would offer your younger self — or to others just starting out — to help them develop both professionally and personally in the cybersecurity space?
I’ve had a hugely transformational journey. I suffered from what I call “Rockstar Syndrome” at an early age — I was very technically strong, quite arrogant, highly certified, and doing lots of things.
Eventually, I hit a point in my career where things became pretty dire. I thought, “I may as well just give away everything I know.” And that’s when the real transformation happened — when I started sharing everything I knew, helping others without expecting anything in return.
That’s when the recognition started. People began to see that I actually knew what I was talking about. It automatically positioned me as an authority, and that changed everything. It opened the door to the leadership roles I now hold, working at the C-level and board level, leading my own teams.
And my teams. They’re not just colleagues. They’re my people. They’re like family. I love them to bits.
This interview with Greg van der Gaast was conducted by Mark Matthews.