October 29, 2025
Like many starry-eyed boys growing up in the Netherlands in the mid-nineties — the moment personal computers themselves came of age — Greg van der Gaast was obsessed with the movie “Hackers.”
“As an impressionable young adolescent, it teaches you that if you get really good at breaking into computers, you can date Angelina Jolie,” he laughs.
While that budding romance obviously never came to be, the teenager quickly learned how to navigate a computer — and became one of the world’s most sought-after cybercriminals before he was old enough to vote. Rather than landing him in prison, van der Gaast’s early underground exploits helped him start a career as a renowned cybersecurity consultant, but one who has evolved away from those technical beginnings.
In fact, he urges his clients to stop thinking about cybersecurity as a technical problem — the best way to reach good security outcomes, he says, is by borrowing approaches from outside the cybersecurity industry.
Greg van der Gaast at Mastercard's Space4Commerce event last year in Budapest.
In a scene seemingly ripped from his cinematic inspiration, van der Gaast was about 16 when he hacked into an Indian nuclear weapons facility and stole data from underground nuclear tests. “They were using an old version of a mail server, which I tricked into giving me an administrative account,” he says. This put him on the radar of a number of intelligence agencies, and eventually he was named one of the world’s Top 5 most notorious hackers.
Van der Gaast had just moved from Europe to the U.S. in the fall of 1998 when a group of men in suits from an agency affiliated with the U.S. Department of Defense knocked on his door. “I thought they were actually from immigration,” he says, “because I had overstayed my 90-day visa.”
Thankfully for the teenage hacker, the agency was looking to recruit rising stars from the virtual underground, not prosecute them. At that moment, he quickly switched sides and started working with the Department of Defense in a joint operation with the FBI for the next three years. The work involved collecting intelligence on hackers and surrounding criminal activities, as well as investigating data breaches of national interest.
This unorthodox training served as the launchpad for a 25-year career as a cybersecurity expert, keynote speaker and corporate advisor, leading to his current role as founder and managing director of Sequoia Consulting, where he helps executive leaders and global organizations “do less cybersecurity and do more business securely.”
“I started off by learning lessons about the methods, tactics and capabilities that hackers use,” he says. “But in hindsight? I think what I learned was more about how virtually all of these breaches would have been preventable had organizations simply handled IT fundamentals and made a point to actively mature their processes.”
It's this approach that his company champions. In effect, the company applies methodologies from management consulting, lean thinking and other disciplines in the context of technology to improve IT processes so there are fewer points of failure for threat actors to exploit.
A simple analogy is a car factory where every car produced has defects: the steering wheel is off-center, bolts are missing from the suspension arms, the brake lines are full of air. It would be ridiculous, he says, to employ more people to fix all these defects on the finished cars. You would instead address the issue, most likely in the process itself, at the assembly line station where the defects are happening, reducing both the number of defects and the costs.
And yet, van der Gaast says, the approach in cybersecurity is largely the former, so the industry has remained reactive instead of proactive, with the underlying causes mostly untouched.
“Fundamentally, we’re in a bit of an arms race [keeping hackers away from our vulnerabilities], but we need to ask ourselves why are we facing so many challenges?” he says. “Which is to say, why do we have these vulnerabilities in the first place?”
The former hacker has been asking such broad questions for the last three decades, and it’s a line of questioning that has never been more relevant to businesses and society at large.
The simplest way to look at security is that it’s about vulnerabilities being exploited, and those vulnerabilities are effectively quality issues, he says — defects in code, configuration, gaps in control, design, planning, even culture.
Addressing these issues reduces the number of vulnerabilities, so there are fewer to be exploited, he says, rather than having to ramp up ever more defenses in front of these vulnerabilities. This doesn’t just result in less security spending, he adds — it tends to make business and IT processes more efficient too, which reduces their cost as well.
“Once you start to focus on security more as a function of process and quality, when you start to do things right, you not only fix underlying issues, but it also can help a business create positive change and save money.”
Van der Gaast always begins securing organizations by getting to the root of their problems, digging in far deeper than technology-minded security consultants. “Most companies tend to take an approach to cybersecurity where they’re constantly working to put out fires,” he says. “Instead, I try to look at what’s causing any IT concerns.
“Are challenges coming from the design of applications? Are different business departments using different IT processes and vendors?” he adds. “Once you understand the root cause of concerns, you can begin to optimize and eliminate them systematically.”
Van der Gaast believes we need to change our focus on how we are tackling the problem of cybercrime. Instead of looking at the criminals, we need to focus on why the crime is so easy.
He mentions that virtually all breaches involve known vulnerabilities with available fixes, and that in the majority of cases these fixes had been available for well over a year.
“If I put a bag of grain in your garden, you wouldn’t be surprised to find you have thousands of mice a week later. The ideal solution is not to put down and manage thousands of mice traps, it’s to better store the grain, or change the process as to why you need it.”
The upshot: You can install the best cybersecurity system on the planet, but if you don’t have proper identity management tools, your people are insufficiently trained, and you haven’t patched and upgraded your systems, devices or applications, hackers can simply sidestep your defenses, digital or otherwise, he says.
Ultimately, in an age of growing AI-powered threats such as automated attacks and deepfake videos, van der Gaast says that successfully defending a modern organization from cybercriminals needs to include training, education and a proactive – not reactive – approach.
Once understood, these threats can often be neutralized by solid foundations (it doesn’t matter how fast an attack is if you’re not vulnerable to it) and by sound processes, such as always making fund transfers through a defined process that isn’t susceptible to being deepfaked.
In his eyes, the best thing you can do to help your organization is determine the issues causing your vulnerabilities and address them, as far upstream as possible, even by looking at organizational and cultural issues. Then have the security teams work with all parts of the organization to understand all the business and IT processes and help redefine them as needed to reduce any risks they might introduce and be aware of any that remain.
Only once organizations have done this, understanding their underlying issues, can they formulate a strategy and roadmap to a better place.
Just as he tore through computer books decades ago, van der Gaast’s interests today still involve absorbing loads of information. The former cybercriminal, whose hobbies today include fixing cars and reading anything he can get his hands on about best business practices, says success in cybersecurity is about a lot more than software: “Many challenges I find come down to culture more than high-tech solutions.”