People say "crawl, walk, run" to denote a progression of maturity to reach a goal. Institutions are not babies, and executives aren't either. "Crawl, walk, run" provides an excuse to do almost nothing. Instead, start running now.*
Cybersecurity in healthcare is a wicked problem. "Solving" cybersecurity problems feels impossible because the problem itself is undefinable. This image is false. We have smaller, solvable problems, and we don't have to wait.
A software bill of materials (SBOM) is intended to be an ingredient list of software components included in a product. The idea of an SBOM is that buyers of the software can inspect the component list and determine for themselves whether the software is secure enough to buy. When I first got into medtech cybersecurity, I was told that the first step for SBOMs was that they exist (crawl). The next would be to use them in emergencies (walk). The next would be that they become commonplace for use in many scenarios (run), and only at the "run" stage would SBOMs make a big difference in commerce and security. The idea is that SBOMs are not perfect, but as long as they exist they may start affecting the industry. Until they get "good," they won't be useful in day-to-day commerce. I think this is exactly backward. Until they're used day-to-day, they won't become any good. Like MVPs and software, SBOMs need users to grow in value. Run first.
A couple of years ago, anticipating what would become FDA's 2023 authority to require SBOMs, one of the largest medtech manufacturers in the world decided that they needed to first build SBOMs for all products (crawl), then later figure out how to use them (walk/run). At the time I advised that this was exactly backward; they needed to create and use SBOMs effectively before implementing a multi-million dollar program to create SBOMs. (I recently heard that the plan didn't work, and they were changing their approach.)
Don't wait, start running:
For existing software in use: Ask for an SBOM, process the SBOM through a tool that shows leading and lagging indicators of software security risk, then send the list back to the vendor and ask them what they plan to do about the vulns.
For software acquisition: Ask for an SBOM, and ask the vendors how they'll maintain the software.
For building software: Ask the builder for the SBOM, and ask how they'll maintain the software over time.
These are three very "cheap" steps. Don't wait until you have a universal solution. Take the first step (the first jog?) now.
~Shannon Lantzy, the Optimistic Optimizer
* In this post I am not recommending actual running. Check with your doctor first. In business terms, I guess it's good to check with your lawyer first.
Comments