Medtech Cybersecurity Expert Attrition
There aren't enough cybersecurity professionals in medtech. In fact, there aren't enough cybersecurity professionals in general. Regulatory requirements are increasing, and opportunities for cybersecurity expertise in medtech are expanding.
And yet medtech is losing good cyber experts. It seems like every day I get a call from a colleague saying they're leaving their medtech cybersecurity position.
Why are cyber experts leaving medtech now?
The saying goes that people don't leave companies, they leave bosses. In this case, I think cyber experts leave jobs that are supposedly cyber jobs but are actually compliance or sales. Most are dissatisfied with the work. Their boss seems okay, but the day-to-day is a grind that seems to have no end. It's not what they signed up for.
Consider a typical cybersecurity candidate: They worked in IT or network administration for a few years, got into security and hardening of systems, and got CISSP or other difficult certifications that demonstrate chops. They may have even performed pentesting, loving the thrill of breaking system controls and hacking their way through supposedly protected trust boundaries. Cybersecurity expertise is demonstrated in their resume.
The candidate gets hired and asked to take responsibility for the cybersecurity of a specific medical device that is going to market in the next year, as well as a few devices that are already on the market. The premarket device design is already baked: There isn't a lot of room for reengineering better security by design; the hardware was selected years ago and doesn't even allow for modern encryption (a typical challenge in medtech); and the operating system is the main source of risk - something for which security is highly dependent on configuration by the operator (aka the hospital). Put simply, the device's security design leaves a lot to be desired, but not much can be done to fix it. So the cyber expert can't actually implement better security controls but has to defend the porous security...to the FDA, to other regulators, to customers, and internally across the organization (because they sit on a central security team, not with the product team itself). They are asked questions like "What security regulations do we need to meet in Asia?" but can't take the time to systematically answer the question once by creating a central resource, which would actually be fun. The premarket device responsibilities are just paperwork. That's not what cybersecurity professionals shine at.
The rest of the job is postmarket products. They have to do vulnerability assessments on the two marketed products in their portfolio. Those take multiple hours per week and 99% of the vulnerability analysis work they perform results in "not affected" which means no action is taken and no one ever reviews or cares about the work that was done. And even if a vulnerability does affect the product, there may be nothing that they can do: the patch can't be made for over a year, so what's the point of the analysis anyway? They know this analysis could be done via tooling, but that the available tooling isn't mature enough yet. That's a challenge they'd love to work on. But, it's not their job and their boss doesn't want to lend them to that project.
This is a typical picture captured from multiple conversations with my colleagues embedded in medtech cybersecurity. Their roles do not involve much security design or engineering. The work isn't security work, creative thinking isn't in the job, and most of the analysis never sees the light of day. It is thankless drudgery, and it is incredibly hard to maintain the energy to do it.
I don't blame them for leaving.
Proposed solutions: Instead of having cyber experts do the operational analysis, we should be having them design and operate systems that do the work for them. Let's automate postmarket vulnerability assessment. Let's design universal authentication solutions for surgical suite devices for which passwords are a major disruption to clinical flow. Let's train R&D teams on cyber basics so that design choices are secure by default...systematically embedding cybersecurity expertise where it is needed. Let's reorganize to embed cyber engineers in R&D teams, so they become design partners throughout the total product lifecycle.
There's a lot to be improved.
~Shannon, the Optimistic Optimizer.