The information security space is quite a disaster.
We have data breaches being disclosed constantly; and half of the time these breaches could have been easily avoided.
Then, we hear statistics about the talent shortage.
They say that we’re over a million professionals short, yet when you ask anyone trying to get into the industry, looking for security jobs is hopeless.
Recruiters want professionals with 10 years of experience in technology that was only developed 2 years ago.
These are all problems that Greg Van Der Gaast seeks to shed light on in his new book Rethinking Infosec.

Elevator pitch

In this, the first book of the InfoSec Leadership series, we explore what is going wrong with our general approach to Information security.
Why is it that, despite huge amounts of effort and spending, we are unable to stop the increasing occurrence of breaches?
And why are those breaches so often caused by the simplest and most preventable of issues?
Are we approaching the problem correctly?
Is there a simpler way? A cheaper way? A more rewarding way? I think there is.

Check out our video interview.

The Author

Greg Van Der Gaast is unique among cybersecurity professionals.
He got his start in information security several decades ago when the industry was nowhere near as mature as it is today (if you can actually call cybersecurity programs these days mature).
A lot of his experience came from his own hacking.
For example, he often put systems online and challenged other hackers to break into them.
That is to say, he has a deep technical background, but he does not believe in abiding by the status quo.
If you watch any of his talks, or read any of his articles, you will immediately notice this.
As a result, Greg’s opinions tend to ruffle the feathers of other cybersecurity professionals.
In my opinion, Greg makes valid points.
As security professionals, we must keep open minds.

Rethinking InfoSec – 3 Main Ideas

Since Rethinking InfoSec is 57 chapters long, there’s no way that we can discuss all of the valuable ideas from the book here.
Plus, it really wouldn’t be fair to the author if I “spilled the beans.”
So, I have chosen three of the main ideas from Rethinking InfoSec that resonated with me.

You need to solve problems upstream

Many of the issues that security teams have to deal with are the result of issues further up the “IT stream.”
Think about it for a minute.
How many security incidents could be eliminated by having solid IT processes in place?
For example, that incident where an attacker used an exploit against a vulnerable service on the web server – wasn’t there a patch out for that?
Or, the employee who fell for a phishing email and gave their credentials to an attacker – what about Multi-Factor Authentication?
In fact, recent research showed that nearly one-third of breaches were caused by missing patches.
You see, when your organization does have a security incident, you should trace all the way back to the root cause to eliminate this issue.
Sure, it’s more effort, but if you do this a few times, you will soon find yourself with fewer incidents.
Rethinking InfoSec does a great job explaining this concept.

Organizations can do more with less

Statistics show that businesses’ cybersecurity spending is rising rapidly.
It’s quickly consuming more and more of IT spend.

There are huge problems with this.
First of all, think about this from a board’s perspective – why is a department making literally $0 for the company consuming so much money?
It’s a valid question.
To answer this question, first think about the reason we even have information security operations – to enable the business, right?
If the company couldn’t send emails, for example, because they didn’t have a way to secure them, how could the business function?
At its core, the job of infosec is to enable the company to function.
So, why are we spending so much on it?
To finish this idea, we have to go back to our previous Rethinking InfoSec idea – solve problems upstream.
If we solve problems upstream, we have fewer incidents to deal with.
And if we have fewer incidents, we need fewer analysts.
And if we need fewer analysts, we consume less of the IT budget.
You get the point, right?

There is no skills shortage

This is possibly one of Greg Van Der Gaast’s most controversial points.
His LinkedIn articles on the topic bring a mix of comments – some supporting the idea and others rejecting it.
But the ominous security shortage that everyone is talking about may not actually exist.
You see:
If you spend any amount of time looking at cybersecurity job listings, there’s something that you immediately notice.
The experience and skills required on them are quite unrealistic.
There’s usually a long list of certifications desired.
Additionally, they typically want someone with 10 or more years of experience in very specialized tools and solutions.
It’s like the industry is pigeon-holing everyone.
Is there no such thing as someone well-versed in multiple security skills?
Or can you not hire someone with a solid foundation and train them on the tools that your organization uses?
Overall, the security industry isn’t using the full capabilities of its human resources.
These are all things that Rethinking InfoSec reviews.

So, should you read Rethinking InfoSec?

Are you an IT manager or director who must handle the security for your organization?
Are you a cybersecurity professional already working in the industry?
Are you a student or aspiring security professional?
If you are any of these, you should grab a copy of Rethinking InfoSec.
The thought-provoking approach that Greg Van Der Gaast takes to tackle some of the fundamental issues we are facing today makes it a must read.

Here’s a word of warning:
You shouldn’t expect a step-by-step approach to solving cybersecurity problems.
Instead, you should expect guidance on mindset shifts that must take place.
It’s pretty obvious that as a whole the security industry is failing miserably.
There are a lot of “fundamental” security concepts challenged in the book.
Read it with an open mind.
Forget what you’ve been taught or learned on certifications.
If we can’t accept some criticism and look deeply at how we as individuals can improve, how will we bring change to the security industry?
So, if you grab a copy of Rethinking InfoSec, temporarily ignore conventional security thought and look at things in a new light.
I’m sure you’ll take away some keys to becoming a much better cybersecurity professional.

So, I recommend you go grab a copy of Rethinking InfoSec.
