Episode details:
With her deep experience in both enterprise IT and product security, Nancy shares how she’s been able to bring teams together to align security efforts.
She’ll break down how she’s fostered collaboration between enterprise and product security and tackled the challenges of the constantly evolving medical device landscape. We also get into what it takes to prioritize both patient safety and security, and how to balance innovation with regulatory demands.
Show Notes:
- 01:35 – Harmonizing Security Processes Across Teams and Acquisitions
- 04:04 – Lessons Learned from Balancing Product and Enterprise Security
- 08:04 – Scaling Security Solutions for Diverse and Connected Devices
- 11:57 – Navigating Global Regulations Without Stifling Innovation
- 14:26 – Preparing for DEF CON: Tips for First-Time Participants
- 18:44 – Collaboration vs Competition
- 23:56 – Career Advice for Security Professionals
Transcript between Nabil and Nancy Brainerd
Topics covered: Balancing product and enterprise security, medical device security, fostering security collaboration between competitors, sponsorship versus mentorship for security professionals
This transcript has been edited for clarity and readability.
Nabil: Hi everyone, I’m Nabil Hannan, Field CISO at NetSPI, and this is Agent of Influence. Today we’re really excited to have Nancy Brainerd with us. Nancy, welcome to the podcast.
Nancy: Thanks for having me.
Nabil: Nancy, why don’t we get started? Maybe you can tell us a little bit about where you are today professionally.
Nancy: I work for Medtronic, which is the world’s largest medical device manufacturer. I have been there for 24 years. I have always lived in the IT space, and in 2006 I got the opportunity to move over to our security team, and over time, got the ability to start building out different teams and functions.
My focus was primarily around cyber defense and incident response, and I earned this reputation of enjoying having my hair on fire. I was pretty good at it.
So that’s been the primary focus of my career, although I’m sure everybody’s aware that medical devices have been the target and scope of hackers lately, and so I recently had the opportunity, about a year ago, to move over to our product security team in corporate quality. So, I get the privilege of working with our R&D teams and our developers on designing security into our medical devices. It’s been a really cool opportunity, and I joke that I’m finally at the adult table in life.
01:35: How can security processes be harmonized across teams?
Nabil: Well, it’s been fun working with you and your team over the years, and obviously we’ve seen you go through that transition of being at enterprise security to now focusing more on product security. To me, it seems like a very large problem to solve when it comes to product security, when it comes to medical devices, because often organizations are growing through acquisitions. You have different products that do different things, and they all have different types of requirements, regulatory pressures, etc.
Would love to learn from you what that transition process looked like for you, and what did you learn in terms of maybe similarities and differences between the two roles of enterprise security and product security, and also, what are some best practices that you’ve maybe adopted over the last 24 years that help you better harmonize the initiatives that you have there?
Nancy: Yeah, it was a little bit of a culture shock to move over. And in that time, I’ve been working with my old team to see how we overlap. How do we work together? Because there is a lot of overlap.
I think the first thing that we had to do was admit to ourselves that we’re different, and establish the fact that we have the same mission. Our what is the same, but it’s the how that is different.
When I stepped into this role, I learned quickly that a lot of what we do is driven through regulatory requirements, compliance, and there’s not a lot of wiggle room for how you are expected to comply. That’s been a big culture shock. But for me, the biggest challenge as I looked to transition teams, but also make sure that both teams were adding value to our businesses, was making sure the businesses understood what we did and what services we could each deliver, because they were going to be done in different ways.
Nancy: So we’re working through a RACI right now, a roles-and-responsibilities definition. It’s never going to be perfect, but I expect that it will answer at least 90% of the confusion and the questions out there. So that’s just one approach that we’re taking. That’s really the direction we’re going.
04:04: What Lessons Can Be Learned from Balancing Product and Enterprise Security?
Nabil: When it comes to the medical device space, I think there’s an added layer of complexity when it comes to patient safety, which is very different than most other businesses and what they have to worry about, especially if they’re building software. And additionally, over time, I think there’s a trend of where more things technologically are becoming software today that maybe traditionally was more hardware driven. That also adds more complexity in terms of, how do you ensure proper software integrity and make sure the systems are functioning as needed, with additional layers of complex connectivity as well, with cloud, cellular network, bring your own device or bringing a medical device home for home-based treatments.
What are some of the main challenges now that you’ve shifted to the product security side that maybe you didn’t anticipate seeing before, and how have you been able to overcome those challenges?
Nancy: It’s been a tough nut to crack. Historically, patient safety and security were two distinct topics, and people would just religiously keep them separate. So again, it goes back to interpreting regulatory requirements and how you interpret them to be compliant. To us security professionals, it was pretty obvious. You can’t have patient safety without security. It’s a no brainer. But again, it’s cracking that nut of getting people to understand that. And regulators like the FDA and others have started to amend their language to make sure that companies like ours are not just focused on patient safety. They also want to see inclusiveness of security topics and not just the impact to patient harm, but other data sensitivity and other things like that.
So that has helped to drive some of the top-down mindset of why this topic is so important. I would say we still have to, and we will have to continue, talking about scenarios where patient harm doesn’t just include safety; it’s also security and talking about the consequences of poor security.
Nabil: How hard is it, really, to foster cultural change when it comes to getting the organization to shift its mindset toward safety and security being truly interconnected?
Nancy: It’s tough because at companies like ours, we have such a focus on quality. We are delivering medical devices, and the expectation for patient safety and efficacy is so drilled into our brains that everything we follow is to the letter of the guiding regulations. So when you try to insert topics that people, number one, don’t understand, and that they’re confused by and find intimidating, there’s friction.
When you try to insert that, they tend to reject that a little bit. They want to keep it separate. So I think we’re starting to finally see some of that change, where we have this great foundation; we have all these great processes. We have this great quality system, and it’s not going to impact it if we insert security into it. In fact, it’s going to make it stronger. And so that’s, that’s the approach that we’ve been taking. But you really have to do it in a way that shows you’re not adding burden. You’re not adding extra rigor. Well, you are adding extra rigor, but you’re not adding extra to the process. We’re already doing what we do really well.
08:04: What Are the Best Ways to Scale Security Solutions for Connected Devices?
Nabil: So when it comes to these devices, in particular, a challenge I see is how rapidly the attack surface expands, especially when the growth tends to be more exponential in nature, as you have more connectivity, like we talked about, more devices, more countries and also different types of businesses being supported by different devices. What are some things you’ve done to ensure that you can successfully scale your initiatives across such a large product ecosystem?
Nancy: So we’ve seen, over the past 10-12 years, as medical devices have come front and center from a cybersecurity perspective, that we’ve played whack-a-mole for a lot of years. We continuously turn to this burning fire or that burning fire to react, whether it’s to an actual security incident that is showing up in the industry or to a new regulation that is being pushed out. We’re reacting.
The pivot for us in the past couple of years has been: we need a strategy and a roadmap similar to what we would do on the IT side. And we’ve gotten to a point now where the maturity has to start evolving, not just the security of the devices themselves, but of our programs. We’ve got to start being less reactionary. We’ve got to be a lot more proactive. And that’s where companies like ours are building out strategies and keeping them very simple. We’re focusing on what we call secure by design: everything on the pre-market side, before a device even goes to the FDA for approval, how are we making that bulletproof from a security and safety perspective? The post-market side we call vulnerability vigilance: making sure that those devices are monitored and managed and patched throughout their lifecycle to keep them safe when they’re out in the field. And trust through transparency. This is a huge one.
People initially are very skeptical of the way we’ve reacted. We were very defensive initially. Why would anybody hack medical devices? We’ve learned the hard way, you have to be transparent. You have to be engaged. And so being very transparent with our customers, our patients, being audit-ready at all times for any topic that might come up, and then also just making sure our workforce, our winning workforce, is ready for this niche area of cyber, it does require custom expertise and tools and knowledge and everything that goes along with it. So those are the ways that we are expanding and trying to meet those demands, and also we’ve got to stop thinking about these things like medical devices that nobody will want to hack. They are connected. They’re in hospitals. They can be used against people and systems, and we’ve got to start threat modeling them that way.
Nabil: Do you find that people still have that mindset where they’re questioning as to why an attacker would want to attack a medical device? Or have we moved past that today, where people understand the risks there and they’re willing to work with you from a security perspective?
Nancy: They are, and I do think that the threat models have evolved. This is speculation, but I think what we’ve observed is that there’s not a lot of interest in, like, I’m not going to hack your pacemaker. There’s not a lot there. I’m not going to get anything out of that unless I really had something against you.
It’s more about how can our devices be leveraged in a hospital ransomware situation to create chaos for the hospital and then set up for that financial payout to the attacker. So honestly, when I think about tiering the threat models, that’s the one, I don’t ever want to be the cause of a ransomware attack in a hospital.
11:57: Do Global Regulations Drive Innovation or Create Security Challenges?
Nabil: I feel like there’s a Mission Impossible movie scenario or something in there where someone walks by with the phone behind you and turns off your pacemaker and kills you and walks away, and then Tom Cruise shows up trying to figure out what to do about it. I feel like it’s movie idea for another time.
I want to go back to talking about some of the regulatory pressures that you mentioned earlier, especially with having such a broad range of regulations that are in scope with 160 countries or so that you had mentioned before that you have to adhere to. I’m curious to understand two things: one is, do those regulations feel more like an obstacle than actually being helpful in you being able to build a resilient system? And secondly, do you feel like that’s actually hurting innovation in some way?
Nancy: I don’t know that I would necessarily call them an obstacle. It absolutely can be noise. And I kind of put it back in the category of firefighting. You know, we’re constantly looking to see what regulation or what law or guidance or standard is popping up in the industry. And like with any other industry, it can be really confusing. A lot of jurisdictions do have regulations or laws in place that we have to comply with that others do not.
They will simply reference another jurisdiction’s regulations or something. And then you have countries recently like Japan, where they latched on to a new standard, an IEC standard to say we’re just going to follow this. While that’s great, I’m really happy that Japan isn’t reinventing yet another wheel. It’s still something that’s out there that we have to be paying attention to and folding into our policies and procedures and whatnot. I think with anything, I don’t care what industry you’re in, everybody wants to see a more consistent, holistic set of rules, like, just tell me what we need to do, whether I’m in Japan or South America. You know, it doesn’t matter. I just want a consistent set of rules. And how do we, honestly, in the spirit of everything we’re trying to do, protect the patients with secure devices? That should be the goal, instead of all these conflicting policies.
14:26: What Advice Do First-Timers Need When Participating in Def Con’s Hacking Village?
Nabil: Specifically talking about building resilient and secure devices themselves, I had the pleasure of playing some golf with you at the NetSPI charity golf event a few months ago, and you were… I don’t know where that trophy is, but I’ll make sure we get it. We should have gotten it out for the recording.
We had a really good conversation there during the golfing event, where you mentioned that you are getting prepared to go to DEF CON and take some of your products to the DEF CON Hacking Village and how nerve-wracking that is, how stressful that is, but also how fun and exciting that would be to be able to do that at a big hacker conference like DEF CON.
Would love to understand from you, what are some things you learned through that process, and are there any things you would have done differently now that you’ve been through that process once?
Nancy: Yeah, so it’s funny. DEF CON is such a bittersweet topic for us, because this is how we got in the public eye, somebody showing up at, actually it was Black Hat. But ultimately, DEF CON, showing how our devices were vulnerable to a cyberattack. At first, we were very defensive. We were kind of caught on our back foot, but along the way, we’re like, nope, we’re going to change the narrative here, and we’re going to embrace this community. So what we’ve done over time is get your leaders involved early.
You’ve got to get the communications people involved early, the regulatory people, legal; we’ve got to have the lawyers front and center. It was all really important. I would say the biggest challenge that we had was convincing our leadership why it was such a good idea to take our devices into the most hostile hacker environment on the planet and let them test our products.
That was probably the biggest challenge, and once we’ve gotten over that, we’ve had some really good success, and we’ve seen the benefits. We’ve gotten good feedback from our customers, our peers, our government partners, that are there observing it. That’s all been a huge win for us, and we now embrace it. And I honestly think that people need to get over that fear and embrace it.
Nabil: I think this highlights a unique thing that you’ve uncovered here, with leadership buy-in. I think this kind of leads to treating security as a competitive differentiator, and I feel like it should happen more often, and I don’t see it happening more often. Maybe people are struggling to get the messaging across that way, or maybe it’s because it’s hard to show security as a differentiator, because you can invest a lot in security, but ultimately, it’s not like you get a new feature or something new and flashy that you can show off after making that much of an investment. So, what advice would you have for others who are trying to think ahead and treat security as a competitive difference?
Nancy: Yeah, I don’t want to say I’ll disagree with you, but I’ll modify that a little bit. From a healthcare industry perspective, we’ve actually embraced the notion that we’re not going to compete with each other. When it comes to security, we have to be on the same team. And honestly, right before I came here today, I was on the phone with a competitor sharing ideas about how to do metrics, you know, something silly like that.
I do think that showing up at DEF CON and being very public and visible challenges my other peers in the industry to step up and do the same. But I think security is table stakes, and I don’t ever want to publicly say our security is better than theirs. A, because that would make me a target, but B, again, I don’t want to send that message out that we’re competing with each other when it comes to something as critical and important as that. I want people to know we’re working with each other to make this a better ecosystem for the healthcare environment.
Nabil: That’s really refreshing to hear. And I actually think that’s extremely rare in our industry today, even though I believe that the most senior leadership across some of the most competitive industries, are collaborating, in some sense, but there’s still that spirit of competition to try and outdo others. Whereas in the medical space, I think it’s an altruistic cause, where you’re trying to help people live better quality of life and help them deal with diseases and other ailments that they’re trying to get over, and having that sense of collaboration within the space is really admirable. That’s actually fantastic to hear.
If I can now shift my question a little bit: how can we encourage other industries to also be more collaborative versus competitive?
18:44: How Can We Help Industries Shift to Be More Collaborative Instead of Competitive?
Nancy: That’s a great question. And I think you nailed it on the head. What I’ve seen is that healthcare is unique in that we have a common mission. We have a common goal. I do think, if you want to say it that way, that’s the competitive advantage that we have over other industries in promoting that. We belong to different information-sharing groups. There are different information-sharing groups based on industry, like healthcare, retail, financial, aviation, etc. And we have heard that the healthcare information-sharing groups are the most engaged, the most collaborative, and it’s just by nature. So, I don’t know if I can answer your question, but I do think it is driven primarily just because of the common mission we have.
Nabil: Now this may be due to my own ignorance, and I would love to be educated better on this from you. If the medical device companies are being this collaborative, are the hospital systems and the hospitals also being equally collaborative when they’re working on different channels?
Nancy: Absolutely. In fact, I had a call last week with one of the largest healthcare systems in the United States about, how do we work better together to get requirements up front? And honestly, that’s where it gets a little bit more towards the, how do we speed up a sales cycle? Because they’re assessing us based on our security, and we’re trying to meet their requirements. And it’s a lot of back-and-forth, cat-and-mouse type things, but there is a way for us to actually be a little bit more engaged and collaborative about us sharing with them the security of our devices.
When you buy a medical device, it’s not like buying an IT system, like there might be a hard-coded password in there, or there might not be antivirus running on it, because it can’t.
So, these are the kinds of conversations that you have to have with the healthcare providers to make sure that they understand. I wouldn’t limit it to medical device manufacturers. It’s the whole ecosystem, pharma, insurance, everybody.
Nabil: So when it comes to this space, a thing that fascinates me is I’ve heard that doctors are the worst users from a security perspective.
Nancy: They are.
Nabil: They don’t want to remember passwords, they don’t want to go through the security steps, etc., which is understandable, because their job is not to be worried about figuring out how to be secure. Their job is to treat patients, and their job is to perform a certain procedure or surgery, etc., and when they’re doing that, they can’t be bogged down with security controls that are preventing them from caring for their patients. Correct?
So the question I have for you in this space is, given that specific challenge where the users of your medical devices, in many cases, may be averse to wanting security controls, what are some things that you have to consider to make sure that you’re still able to secure those systems? Because that’s still necessary to happen.
Nancy: It’s the same way you have to look at it with your employees and how they hate having to change their password every 90 days. Or, you know, we come up with biometrics and other things to make it easier for them to authenticate and get into their systems securely. It’s the same thing from the doctor’s perspective. Although, I’ll say on the medical device side, it’s probably even a little bit more formalized how we gather those user requirements, what we call the non-functional requirements of using one of our medical devices.
We know what the intended use of a defibrillator is, but if it has a power-on password, and you have a patient on the table, and the doctor can’t get the password? It’s things like that, where you want to understand all of those different scenarios and use cases and make sure that, okay, maybe not a power-on password, but it’s going to have an encrypted database or something. I’m making that up, but what other compensating controls do we have to be creative about to protect that device?
23:56: What Advice Can You Give to Others Who Aspire to Be In a Security Role Like Yours?
Nabil: You’ve been very successful in your career, and being a woman in cybersecurity, it’s still a very male-dominated role. You’ve paved the way for many women who look up to you and maybe want to be in a similar role as you are, what advice would you give them?
Nancy: Yeah, it’s definitely still a very male-dominated world. Although I will say, when you go to a security conference, there’s never a line in the ladies room, so there’s that benefit for now. It’s not an excuse.
As I look back on my own career and some of the different kind of pivotal milestones that I saw, I had a sponsor early on, and I didn’t even realize it.
A sponsor isn’t necessarily somebody that you can just go out and ask, hey, can you sponsor me? Can you be my advocate when I’m not around and help promote my career aspirations? But I do think that you can be cognizant and aware of people in your immediate periphery that are interested in what you do. Pay extra attention to what you’re doing and lean into that and make sure that they’re seeing all of your contributions, your successes and whatnot, and then hope for that person to be an advocate when you’re not around. I think there’s a lot of other different things that people can do, get mentors and all that.
But personally, now that I’m at the stage in my career I’m at, I love spending time with the younger generation and encouraging those who might be timid about getting into a space that’s intimidating, and just paying a little extra attention to that generation, and coaxing them in and making them see that there are women in leadership roles in this space.
Nabil: Do you have any advice for women on how to approach identifying the mentors and the sponsors? Often, I think you have to also ask for support and help, which is often challenging because you don’t know who to ask for help. What advice would you have for someone who’s looking for a mentor and looking to learn and have them be an advocate for them?
Nancy: Mentorship and sponsorship are different, and mentorship, I think, is a little easier. Look for those strong leaders around you, and it doesn’t necessarily have to be a female mentor, and not even in your direct chain, but in your organization. Who impresses you at a town hall? Who impresses you at a staff meeting? I think people don’t realize that they’re going to be complimented.
They’re going to take that as a compliment, that you look up to them, and they’re going to say yes, unless they’re swamped, crazy busy, they’re going to say yes to being a mentor.
Sponsors, I think are harder. You can’t necessarily ask somebody to sponsor you. But again, I think it’s about understanding and realizing who is acknowledging and recognizing your achievements, your accomplishments and just getting yourself more and more aligned with that person, and like I said, they will be your voice when you’re not in the room and speak up for you.
Nabil: I often find that as you get more senior through your career, taking on more and more leadership responsibilities, there has to be a time when you have a shift in mindset, in how you’re approaching your career and how you’re going to pave the way for the next few years. Can you share with us a little bit on maybe an incident or a time when you had to do a shift in your mindset on how you were approaching your career trajectory and how that impacted you?
Nancy: I was the deputy CISO at our company for four years, and if that’s not a clear career path, I don’t know what is. We had some unexpected leadership changes about a year and a half ago; things didn’t necessarily work out the way I was expecting. I was not automatically the successor to that CISO position. It was around that time that I was starting to look into this product security discipline within my organization, and a position had opened up. So I took it. I look back and yeah, I was extremely disappointed. I was extremely frustrated and upset that I was passed over for this role.
I look back, though, and it was the best career decision I ever made, and I’m learning so much. Like I said, I feel like I’m actually contributing. I am contributing to the Medtronic mission, which is really cool, and it feels really good.
My advice to people is: don’t be discouraged by a left-hand turn, if it comes up, embrace it. You can have your career goals, but be flexible. Be prepared.
Nabil: Sometimes a detour might be the best way to go. What about as a community? Any advice for our community as a whole on how we encourage more diversity in the cybersecurity space?
Nancy: I think we have to be very intentional about being sponsors, being mentors. People can’t necessarily ask you to be sponsors. They might not ask you to be a mentor, but you can intentionally be that for somebody that you admire, that you think is strong. Also, I think, just getting as engaged as possible with the younger generation, whether they’re prior to picking their career paths, or whether they’re already in some sort of corporate role, or whatever the case might be, it’s intentionally focusing on them and guiding them. It’s really about being more intentional about giving them voice opportunities and different things that we might not have had.
Nabil: Having been in the industry for so long, are there signs you’re seeing that are giving you hope that we’re headed in the right direction today?
Nancy: The jury is out, definitely. Well, the industry in general. I mean there’s all of this talk about CISOs becoming obsolete, and different things like that. So if the jobs are becoming obsolete, then so are the opportunities for DEI. It’s kind of a snowball effect. I think we were getting there, and now it feels like the industry itself is starting to back off a little bit.
Nabil: Before we wrap up, I always like to talk to our guests about things they like to do outside of work, outside of security. So what are some things you have going on right now that you’re doing in your spare time?
Nancy: Well, I am a huge golfer. I’m not good at golf, but I golf a lot, and so that’s primarily what my husband and I are doing. If we’re traveling, we’re golfing. Golf season is over, here in Minnesota, but we’ll be trying to make a few winter trips. Golf is my escape, and I’m a little competitive, so it’s fun to mix those two together sometimes. I just love it. It’s a good life sport. You meet a lot of cool, interesting people and get to spend a couple hours with them, and it’s a good time.
Nabil: I think you’re being awfully humble by saying you’re not good at it. I would beg to differ. That being said, being good at golf is a very relative term, depending on who you talk to and what your aspirations are.
My aspiration when it comes to golf is similar to yours. I like playing golf. I love being out on the golf course, but I’m not necessarily very good at it. That being said, I would like to think I can keep up with anybody and not slow them down. That’s my end goal when it comes to golf. We’ve had the opportunity to play. But when it comes to golf, do you have a favorite golf course or a favorite round of golf that you’ve played?
Nancy: I’ve gotten the opportunity to play a lot of really cool golf courses. Probably the favorite place I’ve been to is Pebble Beach. I was there a couple years ago and got to play. And it was windy. It was like 40 degrees, raining sideways, but it was incredible. It’s a memory I’ll never forget.
Nabil: It’s definitely on my bucket list. I’ve done the drive there. I think there’s a 17-mile drive, considered the most scenic drive in the US, correct? And I actually took a picture with the clock that’s outside of Pebble Beach, but I’ve never had a chance to play, but it’s on the list. Hopefully I’ll get there someday.
Well, Nancy, thank you so much. This was absolutely wonderful and a pleasure to talk to you as always.
Nancy: Yeah, and I hope we get to do this again really soon.
Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please reach out to us at podcast@netspi.com.