Paul Lockley – VP Sales, EMEA:
Recently, I had the pleasure of speaking at the 6th Annual European Medical Device and Diagnostic Cybersecurity Conference. The event covered a wide range of cyber-related issues, including SBOM complexities, the NIS2 directive, hospital cybersecurity challenges, threat modelling, vulnerabilities, and weak links in IoMT security. Amid these discussions, the complexity of getting things done in a large organisation stood out the most.
During a roundtable workshop I chaired on the complexities of creating and managing SBOMs, I expected the primary challenge to be the creation process itself or aligning the SBOM to devices. However, what emerged was a picture of organisational complexity, where different departments or divisions had conflicting demands. Instead of centralised services and shared best practices, there was divisional infighting—not in all cases, but enough to raise concerns. For senior executives, this presents a tough challenge. In matters of cybersecurity and compliance, a unified direction is essential for achieving true operational resilience. Harmony within the organisation must come from the CISO downwards, driving direction and control from the enterprise level to the very edge.
Another major topic of discussion was the depth and breadth of legislation, and the clear direction companies should take to address the evolving landscape of risk. With most existing requirements being enterprise-based, the question arises: how does changing regulation impact tomorrow’s connected landscapes? New entrants such as NIS2, the CRA, and the MDR/IVDR are among the factors changing the landscape. While designing future changes is one thing, managing the current fleet of systems, services, and devices—likely to remain in place for some time—is another. Zero Trust offers a great approach to simplifying the way cyber risk is addressed across platforms and legislation. However, Zero Trust is not a product to be bought; it is a methodology and mindset encapsulated by the phrase, “Trust nothing, verify always.”
The encouraging news is that most modern cybersecurity companies, which address the identity of the “thing” rather than the “who”, have the ability to collaborate. This is crucial because tomorrow’s attacks will come from multiple fronts and with various intents. Building a formidable defence will rely on technologies that serve as parts of a broader solution rather than complete solutions themselves. A rich ecosystem of technology partners and the capacity to easily integrate with wider services will determine whether an organisation becomes a “brick in the wall” or a “hole in the fence.”
Navigating the complexities of cybersecurity in the medical device industry requires a unified approach and a collaborative mindset. Organisations must strive for harmony from the top down and embrace methodologies like Zero Trust to effectively manage risks. By fostering a rich ecosystem of technology partners, companies can build a robust defence against the multifaceted threats of the future.
Tern plc (LON:TERN) backs exciting, high growth IoT innovators in Europe. They provide support and create a genuinely collaborative environment for talented, well-motivated teams. Device Authority is focused on securing connected device ecosystems and is recognized as the global leader in Device Identity Lifecycle Management and Identity and Access Management (IAM) for the Internet of Things (IoT).