Know Your Enemy: Cyber Insights from an Ex-Hacker

Greg van der Gaast
Independent Security Strategist

July 16, 2024

Greg van der Gaast, Chief Technologist, Security, at CDW

Beyond Recovery: Beyond Technology

Introduction (part 1 of a 5-part series)

Welcome to a new blog series by Hitachi Vantara, in which I hope you’ll be hearing unique insights for the first time: insights that go well beyond the traditional conversation of “recovery” and have real impact on strategy and the bottom line. If you’re a progressive security leader, IT leader, or in fact a business leader, this series is for you. I assure you we will be touching on topics that are close to your heart.

Have you thought about how storage and recovery capabilities can help you streamline your operations, shed technical debt, accelerate your IT and security programs or even increase your bottom line?

This is a series less about recovery in the traditional sense and more about maturing security, IT and business processes to make you not just more resilient, but also more efficient and profitable. Oh, and no tech jargon. We’re all business here.

About the Author: Greg van der Gaast

That makes this a good time to introduce myself, your host on this journey.

My name is Greg van der Gaast and, more than anything, I like to solve problems.

I don’t mean do what everyone else is doing to address a problem. I mean really think about the problem, the big picture, the why, and do the best thing possible to achieve the best overall outcome, regardless of the status quo.

It’s led to arriving at some surprising conclusions and developing certain principles during my career. Ones that have been game changing for me and for the organizations that have implemented them, and which I hope you’ll benefit from.

I can pinpoint the start of my security career to seeing the film HACKERS. As motivators to get into this whole hacking thing, Angelina Jolie isn’t a bad one. On the day of my 18th birthday, I started doing covert work for the U.S. Defense Department and later the FBI. (There had been a little “spontaneous recruitment effort” at my house after I stole some testing data, following the underground tests of five atomic bombs, from a nuclear weapons facility.)

To say I was good with technology and cybersecurity would be an understatement, and I went on to make quite a good living implementing all sorts of cutting-edge security technology for several large organizations.

Realization: Business-first Approach

And then I reached a realization. A business, an organisation, is not a computer.

I was great at security technology, but I was actually doing a terrible job at effectively achieving the outcome of the organization being more secure. And for all the bluster in security circles about “protecting” the business, I was probably doing it more harm than good in terms of the costs I was incurring and the limited real-world (not to mention the potentially false) sense of security I was generating.

I was not alone, either. The security industry as a whole seemed to be going the wrong way. If you’re wondering what I’m going on about, we only need to look at the statistics on the increasing cost of breaches despite record-breaking security spending every year. And while the industry was celebrating its success at being ever more important, and organizations were spending ever more on security people, products and services, the fact remained that the picture just kept getting worse, as the statistics demonstrate.

Deconstructing the Status Quo

That realization, and a decade of thinking about how to solve the underlying problems in various roles, from auditor to CISO and Chief Technologist for the world’s largest VAR, has taken me some distance away from the security status quo in the pursuit of better and more sustainable outcomes. In ways that, as it turns out, have quite a few other advantages, such as generating significant operational savings and creating new opportunities for business.

One of the biggest shifts has been a mindset change, from a technology one, to a business-first one. That is to say, thinking about how to best achieve the ideal outcome of security, as a whole business, and not just as a tech function.

I like to ask roomfuls of security experts why they got into cybersecurity. Was it because they liked to optimize outcomes for the business, or because they liked working with technology? The honest answer is usually because they have an interest in technology.

This almost purely technology-focused approach to security has not been good to businesses. It keeps us from considering a bigger picture with better outcomes. Costs are up, relative spend is up, but the frequency and impact of breaches are only increasing. It’s also unsustainable.

Don’t get me wrong, every part of business leverages technology. Sales, marketing, legal, etc. But the goal of those departments is usually focused on the outcome for the business, not the technology they use to achieve it.

Security as a Business Enabler

This has led me to look at how to achieve the outcomes of security while also maximizing every possible synergy and opportunity along the way, including business ones. The goal of my approach has been to help clients “solve business problems, so you stop having security ones”.

I’ve been privileged to be able to advise on this topic to a number of organizations ranging from universities to Google, even to the advisory board of MasterCard.

But what does this have to do with Hitachi Vantara, or even storage and recovery in general?

In the most fundamental way, nothing.

But the changes that need to happen for us to actually make progress in reducing risk (instead of risk-managing more and more of it) and provide tangible value to businesses would be almost impossible without it. That’s to say, storage and recovery enables and massively accelerates a transition that allows businesses to be more inherently resilient, as well as more agile and cost-effective.

And when I say storage and recovery capabilities can make us more “inherently resilient”, what I mean by inherently is for our organisations to not get knocked down in the first place. That may sound strange, leveraging recovery capabilities in such a way that you’re less likely to need to recover, but it’s something we hope will make perfect sense by the end of this series.

Rethinking Security

For now, as a bit of a sneak peek, I’ll leave you with a few questions. Have you thought about:

  • How faster recovery effectively lowers risk values by reducing the disruption of incidents? How could you reallocate the resource that was previously mitigating those risks?
  • How reliable recovery can allow you to refocus resource away from your risks and towards solving the IT and business process issues that are introducing them?
  • How this ability to address root causes can sustainably lower your security OpEx costs as you have fewer and fewer issues being created in the first place?
  • How the quality issues causing your security issues likely also have other non-security costs, meaning you save the business money by addressing them, rather than spending ever-increasing amounts managing risks?
  • How you effectively have a copy of your environment in your backups, and that you could leverage it for testing and rapid prototyping of changes to drive efficiencies and eliminate technical debt?
  • Looking at financial models that show how quality (as opposed to risk-management) security approaches have a net benefit to the business before even considering arbitrary risk?

Stay Tuned for More

These are just some of the concepts we’ll explore in this series, so please stay tuned to find out more.

For now, I’d like to thank Hitachi Vantara for allowing me the opportunity to share with you, and hope you’ll join us for the next instalment, where we look at the security space, why we’re struggling to make progress, and how we can turn things around to the business’s benefit.


    Greg van der Gaast

    Greg van der Gaast started his career as a teenage hacker and undercover FBI and DoD operative but has progressed to be one of the most strategic and business-oriented voices in the industry with thought-provoking ideas often at odds with the status quo.
    He is a frequent public speaker on security strategy, the author of Rethinking Security and What We Call Security, a former CISO, and currently Managing Director of Sequoia Consulting which helps organizations fix business problems so that they have fewer security ones.