When technology changes drastically, the organization needs to change too
Last week I spoke with a colleague who is making a career move from cybersecurity leadership at a medical device manufacturer to cybersecurity leadership (and a promotion) at a healthcare payer. We reflected on the challenges that came with his product security role, and how the structure of his organization had a strong influence on his ability to drive strategy. That is, he couldn't. He was hamstrung by his location in the organization.
When cybersecurity became a regulatory focus for medtech, it seems that many established companies grabbed their CISOs and VPs of information security and said "Here, you're a cyber person, please handle this." But they didn't get the budget, people, and authority to execute the role. And they often didn't have the required expertise. (Protecting an enterprise from enterprise security risk is different from product security design and management, not to mention understanding regulatory requirements.)
At first glance, it may seem sensible to give responsibility for cybersecurity to a person with expertise in cybersecurity. However, if that person sits (organizationally) in a cost center (e.g., IT, under the CIO) instead of R&D, they have little power or influence to execute a strong program. For example, good encryption starts at the hardware level. A central product cybersecurity group in a medium to large manufacturer with multiple products can't impose realistic cyber requirements on product hardware without significant authority.
Here are five organizational models I have seen:
Advisor: The central group sets the standard, provides advice, acquires enterprise tools, and makes reach-back expertise available
Auditor: The central group sets the standard, provides advice, acquires enterprise tools, and makes reach-back expertise available
Matrixed: The central group sets the standards, provides enterprise tools, and provides expert services (i.e., product design, regulatory, marketing, commercialization, postmarket surveillance)
Embedded: No central product cybersecurity group outside of R&D
Enmeshed: The company is the product*, so there's little separation between a "central" group and R&D.
It is difficult to assess the state of product cybersecurity across a large company with many products. I have seen snapshots of the majority of top team medtech manufacturers. Some are using the Advisor model, and it seems to work. Auditor and Matrixed models are tenuous; it seems difficult to find the right funding structure and responsibility matrix. A couple have moved from Matrixed to Embedded, shifting the top product security position from under the CISO to under the top executive of R&D. I have only seen Enmeshed in companies that have one dominant product.
Cybersecurity problems have held up the commercialization of flagship products in a significant number of medtech companies.** Often, organizational transformation is needed to fix systematically underperforming product design.
~Shannon, the Optimistic Optimizer
* Hat tip to a leader in a diabetes technology company from whom I first heard this phrase.
** I hesitate to call them out specifically, but they are googlable. Or email me.