I recently had the pleasure of speaking at the 6th Annual European Medical Device and Diagnostic Cybersecurity Conference. A wide range of cyber-related issues was discussed, including SBOM complexities, the NIS2 directive, hospital cybersecurity challenges, threat modeling, vulnerabilities, and weak links in IoMT security. Across all of the topics, what stood out for me most was the complexity of getting anything done in a large organisation.
I will take an example:
I chaired a roundtable workshop to discuss the complexities of creating and managing SBOMs. I had presumed the difficulty would lie in how to create one in the first place, or how to align it to devices. Instead, what I heard was organizational complexity, where different departments and/or different divisions wanted different things. Instead of centralized services and shared best practice, there was divisional in-fighting. Not in all cases, but enough to ask questions. The role of the senior executives is a tough one, but where cybersecurity and compliance are concerned, there can be only one voice that sets the direction if true operational resilience is to be achieved. Harmony within the organisation must come from the CISO downwards and must drive direction and control, from the Enterprise to the very Edge.
Another area that garnered much discussion was the depth and breadth of legislation, and the clear direction that companies should take to address the evolving landscape of risk. With most existing requirements being Enterprise-based, how does changing regulation impact tomorrow's connected landscapes? New entrants such as NIS2, the CRA, MDR and IVDR, among others, all turn the dial. Designing change for the future is one thing, but how do you manage the installed fleet of systems, services and devices that are in place today, and will likely be there for some time? Zero Trust is a great approach to simplifying the way cyber risk is addressed across platforms and legislation, but it's not something that can be bought like a product. Zero Trust is a methodology and a mindset.
“Trust nothing, verify always”
The good thing is that most modern cybersecurity companies that address the identity of the "Thing" rather than the "Who" have the ability to collaborate. Why is that important?
Tomorrow's attacks will come on multiple fronts and with multiple intents. Building a formidable approach to this will be based on technologies that provide a role within a solution, rather than a solution in its entirety. Having a rich ecosystem of technology partners and the capacity to integrate easily with wider services will be the difference between being a "Brick in the wall" or a "Hole in the fence".
Find out more about #zerotrust #collaboration #NIST and much more at www.deviceauthority.com, or revisit some of our recent discussions from our virtual security event.