Cybersecurity conversations often center on tools, dashboards, and detection. However, according to Greg van der Gaast, cybersecurity leader, Founder of Sequoia Consulting, and guest on this #shifthappens episode, that is not the main problem. The real challenge isn’t keeping up with attackers — it’s addressing the ways organizations unintentionally create risk.
Drawing on a career spanning teenage hacking, intelligence work, and CISO leadership, Greg offers a perspective shaped not by theory but by experience in environments where security can’t fail. And his message is clear: resilience isn’t built by responding faster. It’s built by reducing the number of issues that require a response at all.
“Security vulnerabilities are defects. Defects in code, defects in configuration, build, lifecycle management… These are all quality defects.”
That reframing changes everything. When cybersecurity becomes a quality discipline rather than a technical function, organizations uncover the structural improvements that make them safer, leaner, and more predictable.
Why Cybersecurity Keeps Fighting the Same Battles
Most security teams operate in “reaction mode.” Alerts spike, vulnerabilities pile up, and teams scramble to close issues as quickly as they appear. But as Greg points out, this reactive posture isn’t a sign of attacker sophistication — it’s the result of organizational systems producing risk faster than security can mitigate it.
Many vulnerabilities don’t stem from cutting‑edge exploits. They come from predictable, recurring issues embedded in business operations: outdated lifecycle practices, fragmented processes, misaligned roles, or unmanaged third‑party tools.
Security tools reveal these problems, but they don’t solve them. They highlight symptoms of failures upstream.
Organizations never escape this cycle if they only treat the symptom.
“Every time you fix a security issue without understanding how you came to have that security issue, is an opportunity lost.”
When teams shift from reaction to root‑cause analysis, they replace firefighting with lasting improvement — and that’s where real resilience begins.
Security Must Live Beyond the Security Team
Risks don’t originate in the security operations center (SOC). They emerge in IT operations, engineering decisions, procurement shortcuts, onboarding workflows, and data‑sharing habits.
Greg highlights that security leaders often lack the authority to influence these areas, even though they are the true sources of long‑term risk. Without that mandate, security becomes a downstream recipient of upstream problems — a setup that guarantees burnout and backlog.
Meaningful change happens when security is woven into everyday processes, not bolted on afterward. Cross‑functional collaboration becomes essential. So does redefining the CISO role as one that shapes how the organization operates, not just how it responds.
When security is visible across teams, risk reduction becomes a shared responsibility — not a siloed burden.
The Hidden Risk: Data That Moves on Its Own
Unstructured data is one of the clearest signals of where process breakdowns occur.
Users often move sensitive files into the easiest places to work — Teams chats, shared folders, email threads, or personal drives — not the places designed to keep data secure. These unintended moves create new attack surfaces and bypass even the best‑protected systems.
Greg notes that the most sensitive information often ends up in the least protected spaces, simply because those spaces fit the workflow better.
AI helps reveal where this data goes, but it’s only the beginning. The real value comes from understanding why it drifted there — what workflow, gap, or convenience caused the behavior. When organizations redesign the process rather than just relocate the file, the problem doesn’t return.
This is where security shifts from policing users to improving systems so users don’t need workarounds in the first place.
“Organizations that spent more time maturing IT process were six times less likely to be breached than the people spending the same amount of resource on cybersecurity tools.”
It’s a reminder that strong foundations outperform more tools — every time.
What This Conversation Makes Clear
Across the conversation, one message comes through clearly: Sustainable cybersecurity is less about adding layers of defense and more about improving how an organization operates. Greg’s insights connect security outcomes to everyday business realities — process design, cross-team accountability, and how data moves in real workflows. Here are the four ideas that stand out most, and why they matter in practice:
Fix the System, Not Just the Alert
Treating each vulnerability as an isolated event leads to endless firefighting. Greg argues for a more strategic approach: Understand where vulnerabilities originate and redesign the workflow that produced them. Whether it’s inconsistent engineering practices, outdated lifecycle decisions, or gaps in application ownership, root‑cause visibility is what enables meaningful reduction. Addressing the system behind the issue, rather than the issue itself, steadily reduces alert volume and strengthens the organization long‑term.
Make Security Visible Across Teams
Security can’t succeed if it operates on an island. The conditions that create risk often emerge from decisions made in IT, engineering, procurement, HR, or operations. Embedding security principles directly into these everyday processes minimizes risk before it reaches the SOC. When teams understand their shared responsibility, the organization moves from reactive containment to proactive prevention — breaking the cycle of recurring incidents and reducing operational strain.
Track Data to Reveal Hidden Gaps
Data movement is one of the clearest indicators of how people actually work. Unstructured information drifting into Teams chats, email, and cloud drives isn’t random — it’s a sign of processes that don’t match real‑world collaboration needs. By following the trail of sensitive data, organizations uncover blind spots in workflows, permissions, governance, and user experience. This visibility allows leaders to not only secure the misplaced data, but also redesign the steps that allowed it to spread, ensuring the gap doesn’t reopen.
Security by Design, Not by Reaction
Security becomes transformative when it’s treated as a quality discipline rather than a response function. Data visibility shows where workflows fail, AI helps surface patterns faster, and people redesign the underlying processes to eliminate recurring issues. And with 86% of organizations delaying AI deployments because of security and data quality issues, it’s clear that even the most advanced tools are ineffective without clean, well‑structured foundations. Resilience grows when organizations reduce the conditions that create risk, not when they accumulate more ways to detect it.
Greg’s perspective is a reminder that cybersecurity isn’t something you layer on top of the business; it’s something you build into how the business works. When teams strengthen core processes, modernize IT foundations, and understand how information truly moves, especially in unstructured spaces, risk becomes easier to predict and far less likely to recur. The organizations that embrace this shift don’t just respond better; they operate more effectively, innovate more confidently, and build a security posture that scales with the business rather than slowing it down.
Episode Resources
#shifthappens Research: The State of AI Report