Greg van der Gaast is a pioneering ethical hacker whose remarkable career began on the FBI’s Most Wanted list and evolved into a mission-driven journey to reform how organisations approach security.

As the former CTO of CDW and a leading voice in governance, risk, and compliance, Greg champions a human-centric, integrity-led model of information security. Known for his outspoken views and reformative mindset, cybersecurity speaker Greg van der Gaast has become a trusted advisor to multinational corporations, governments, and public sector bodies.

In this exclusive interview, he reflects on his transition from hacker to C-suite executive, the flawed culture of compliance-first security, and what true leadership in cybersecurity looks like in today’s threat landscape.

Q: In today’s increasingly complex digital world, cybersecurity leadership has moved far beyond technical proficiency. How would you personally define effective leadership within the cybersecurity space?

Greg: “I think leadership is leadership. It shouldn't be related to cybersecurity at all. In fact, the best cybersecurity community leaders out there—the biggest trend in leadership—are people who are not techies. They are proper leaders, care about people, care about the business, understand business, and know what matters.

“I see a lot of leadership courses in cybersecurity that are about tech and frameworks and compliance and this and that, and I disregard most of that. But I'm able to have a decent conversation with an executive and they find it hugely refreshing. Explain stuff in simple English analogies, and don't be that really boring person that no one wants to invite to dinner. You would be surprised at the amount of traction you get.

“I think in security, we're somewhat protected because people have no idea what the hell we're talking about—we're the geeks of the geeks. And when something goes wrong, no one wants to deal with us. I was actually at a conference a couple of years ago where they asked boards what the primary reason was for funding their security organisations and giving their CISOs money. The most popular answer, with 35% of the votes, was "to make them go away".

“They hadn't justified a strategy, an approach, or an ROI or anything like that. They were just so annoying and unpleasant to be around, they just wanted to make those people go away—which tells you a lot about the state of cybersecurity leadership. Conversely, if you talk to them about business… I use a scouting analogy: imagine you take your classic car to a garage. They take it in the back, and you see it three hours later. You assume they serviced it, you assume they changed the oil—but you don’t know for sure.

“That’s how most security works. You fill in the questionnaire, you assume they do it—that’s it. But say you went to another garage and you could see them working on it. There’s a glass partition, and if you have questions, you're welcomed in. They’ll show it to you. You see them put blankets on your car, protect it properly—you see that they care about what you care about.

“And it’s visible and transparent. Even if it’s 10% or 20% more expensive, you’re still going to go to that garage. And that, to me, is how you commercialise security. If you're actually good at it—if you stop using it as window dressing and tick-box forms—but actually do it in a well-thought-out way that’s really impressive to people, that you can explain to them, they’ll want it.

“To me, that’s where leadership in security is headed. Having security that truly protects the business by understanding it, but also having that altruism towards it and the people to benefit wherever you can. I don’t think security should be a cost centre—and I mean that beyond the risk equation. I think you should provide business value where you’re actually generating more revenue than you're consuming. And the fact that you’re reducing risk in the process? That’s just a bonus.”

Q: Your entry into cybersecurity is as unconventional as it is fascinating. What initially sparked your interest in hacking and digital systems?

Greg: “I got my start in cybersecurity watching the film Hackers when I was 15 years old. Angelina Jolie was in it, and I thought, "This is apparently how you get girls." And that’s pretty much how it started.

“Google didn’t exist yet, so I Yahoo-searched hacking, discovered things like Linux, different operating systems, TCP/IP—all this stuff. Just being curious, I learned and played around until I hacked nuclear weapons facilities and the Feds wrote me down—as you do. Standard.”

Q: Few professionals in the industry can claim a transformation as dramatic as yours—from hacker to C-suite executive. How has your early experience shaped the way you approach cybersecurity today?

Greg: “It’s interesting, because in one way, it gave me an attention to detail—what to look for, what causes breaches. But weirdly, I think what it influenced the most is the defensive mindset.

“Back then, you built a computer, loaded your operating system, and joined Internet Relay Chat—chat rooms full of hackers. We didn’t have broadband, we didn’t have home routers. Your computer was directly connected to the internet. There were no firewalls yet.

“If you hadn’t secured it, locked it down, patched and updated everything—hard drives still made noise back then—about 30 seconds after joining that chat room, it started making a lot of noise and everything just started shutting down. You’d have to reinstall Windows from floppies.

“So weirdly, that’s probably what stuck with me the most: just making absolutely sure that things are locked down properly. Then there was kind of a gap, when I entered working environments—companies, business, enterprise.

“How do you do that at scale? And then there’s the whole “actually running a business gets in the way” thing. There was a gap there. But some of the principles held, and I kind of came full circle. Now, it’s more about leadership and holistic approaches, and really getting to the root causes: business process, company culture.

“And I don’t mean “security awareness”—I mean real culture. To help do that same thing—have that consistent level of assurance—but also things like efficiency and agility, to actually help the business on a holistic level.”

Q: Many professionals argue that human error is the greatest cybersecurity vulnerability. In your experience, what is the true weakest link when it comes to safeguarding digital infrastructure?

Greg: “Everyone says people. I think people are the first link, but they’re also your first line of defence.

“It’s, in a word, sloppiness. Lack of maturity, lack of processes, lack of integration, not having that full, holistic view of your environment. But also your IT and security functions not understanding the business processes themselves—not knowing what there is to protect.

“Those are the real issues. You hear a lot about “Dave from Marketing clicked an email and everything turned to poo-poo”. But people forget: okay, he clicked an email. So an attacker had Dave’s level of access on his laptop.

“How did they get admin? Because you hadn’t configured that laptop properly.

“How did they get through your VPN? Through your firewall? Because you hadn’t updated the firmware or changed the default password.

“And then how did they run through your data centre like wildfire? Because you had poor system administration techniques and a bunch of unpatched servers.

“But let’s blame it all on Dave from Marketing instead of the security and IT teams who didn’t do their jobs. So—holistic approach.”

Q: The threat landscape continues to evolve at a rapid pace. What types of cyberattacks do you foresee becoming the most damaging or dominant over the next few years?

Greg: “We’re pretty far out there already. Ransomware is very disruptive. We’ve got more and more critical infrastructure being hit. I think that’s going to continue to grow and scale up.

“We’re still not taking the problem seriously. We usually just blame an intern and move on.

“I think someone told me T-Mobile has been hacked six times in the last three years. That’s probably a bad sign.

“I think it’s going to be a bit more of the same, but it’s going to get more and more damaging. The scale of things will get worse and worse. Hopefully, it doesn’t come to actual warfare—that’s the big scenario.”

Q: Looking back on your extraordinary journey, what one piece of advice would you give to your younger self—or to emerging professionals entering the cybersecurity space today?

Greg: “I’ve had a huge transformational journey. I was a severe victim of rockstar syndrome at an early age because I was technically very strong, quite cocky, quite arrogant, highly certified, doing lots of stuff.

“I kind of got stuck at some point in my career—things got pretty dire. It was almost out of desperation: “I’m going to die in a ditch, so I may as well just give away everything I know.”

“That’s when the transformation happened. When I started just giving away everything I knew—trying to help others, sharing the knowledge without expecting anything in return—that’s when I started getting recognition.

“‘Oh, this person actually knows stuff. This person is being generous.’ And that automatically makes you an authority.

“That kind of elevated me, and it led me to the wonderful leadership positions I get to fill now—where I get to work at C-level and board level in the business, and have my own teams.

“And my teams—well, they’re my people. They’re like family. I love them to bits.

“I’m not a huge fan of tech. I’m really bored with technology and the security industry. But I love having that business leadership, that people leadership aspect to it. That’s by far the most rewarding part. I wish I’d done that ten years earlier.”

This interview with Greg van der Gaast was conducted by Mark Matthews.