Why Medical Device Security Needs Transparency: The SBOM Revolution | Guest Ken Zalevsky
Get your FREE Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcast
In this episode of Cyber Work, Ken Zalevsky, founder and CEO of Vigilant Ops, joins us to discuss the importance of a Software Bill of Materials (SBOM) in the medical device industry. Zalevsky shares how SBOMs provide transparency and critical security insights, akin to the ingredients list on food packaging, to help identify and defend against vulnerabilities. We also delve into Zalevsky's extensive career in healthcare cybersecurity, starting from his early tech interests influenced by his father to his pivotal role at Bayer Healthcare. The discussion covers the impact of legacy systems, current security trends, the integration of AI in medical device security, and valuable insights for those looking to build a career in this crucial sector. Tune in to learn more about medical device security and the latest in cybersecurity trends, and get some expert advice straight from a seasoned professional.
00:00 Understanding SBOMs in medical devices
04:20 The evolution of medical device security
07:22 Ken Zalevsky's journey in cybersecurity
09:28 Challenges in medical device security
13:06 The role of SBOMs in cybersecurity
15:56 Implementing SBOMs in organizations
18:28 Ken Zalevsky's role at Vigilant Ops
22:01 Technical aspects of SBOMs
27:14 Legacy devices and security measures
28:24 Manufacturer's role in device security
30:07 Healthcare industry's response to security threats
30:42 Impact of major breaches on policy
34:13 Generative AI and machine learning in healthcare security
40:22 Skills and certifications for healthcare security careers
46:46 Career advice and educational paths
49:04 About Vigilant Ops and their services
52:15 Outro
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Transcript
[00:00:00] Chris Sienko: Today on Cyber Work, my guest is Ken Zalevsky, the founder and CEO of Vigilant Ops. Now, Vigilant Ops is a platform that helps medical security professionals and medical device users alike to create and compile an SBOM, or a software bill of materials. It's kinda like reading the ingredients list on the back of a box of cereal or the traditional bill of materials that is used in manufacturing sectors.
[00:00:22] Ken Zalevsky: A box of cereal, you can see the food ingredients right on the package. Uh, unfortunately, medical devices aren't that way. You can't flip over a medical device and see what software's running in there. So a software bill of materials is to give you that transparency and to give you that list of software that's running.
[00:00:35] Chris Sienko: But you'll learn about how SBOMs are helping medical security professionals look at every piece of software they use and identify their most vulnerable pieces and how to defend against breaches in those vulnerable areas.
[00:00:46] Ken Zalevsky: As you move through that software development life cycle, more functions in that organization become impacted by the cybersecurity of the device, certainly from governance, the GRC perspective, you see functions and stakeholders that need to worry about, [00:01:00] uh, SBOMs, creating SBOMs, generating them, providing them to FDA.
[00:01:03] Chris Sienko: We also talk about the current state of medical device security and how you can take a part in this crucial industry.
[00:01:10] Ken Zalevsky: Hospitals are asking manufacturers to provide SBOMs. Uh, so you know, you have customer support folks that get involved, field service techs, uh, it really goes across the whole organization.
[00:01:19] Chris Sienko: That is all today on Cyber Work.
[00:01:21] Chris Sienko: The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why InfoSec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, Cyber Work listeners, an analysis of the most popular and top paying industry certifications.
[00:01:49] Chris Sienko: You can use it to navigate your way to a good paying cyber security career.
[00:01:53] Chris Sienko: So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, [00:02:00] just below me. You can't miss it. Click the link in the description and download our free cybersecurity salary guide ebook.
[00:02:06] Chris Sienko: Your cyber security journey starts here.
[00:02:09] Chris Sienko: Now let's get the show started
[00:02:16] Chris Sienko: Welcome to this week's episode of the Cyber Work Podcast. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends, how those trends affect the work of InfoSec professionals, and leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Ken Zalevsky, is the Chief Executive Officer at Vigilant Ops and a passionate advocate for the application of advanced technology to improve cybersecurity across all industries. Prior to Vigilant Ops, Ken spent more than 20 years at Bayer Healthcare where he led the medical device cybersecurity function. He's a certified cybersecurity leader from the School of Computer Science at Carnegie Mellon University, and a trusted cybersecurity [00:03:00] consultant to national and international healthcare industry stakeholders. Uh, now as he said, he, uh, is interested in the application of technology across all industries, but today we're gonna talk about one industry, and that is the healthcare industry, uh, and medical devices and all the, uh, things that need to be secured in that space.
[00:03:15] Chris Sienko: So let's get down to it. Ken, thank you for joining me and welcome to Cyber Work.
[00:03:18] Ken Zalevsky: Thank you, Chris. It's great to be here. I appreciate it. Yeah.
[00:03:21] Chris Sienko: Pleasure. Good to have you. So Ken, let's start with a bit about your original interests in tech and security.
[00:03:26] Ken Zalevsky: Mm-hmm.
[00:03:27] Chris Sienko: several degrees, including applied mathematics and business degrees. What was the initial draw to cybersecurity?
[00:03:32] Chris Sienko: Is that, have you been an early tech adopter in tech fan your whole life?
[00:03:35] Ken Zalevsky: Yeah, that's a good question, Chris. Uh, yeah, I, you know, as, as a youngster, so I have to really go back to say, uh, a lot of it came from my dad, believe it or not. Uh, so, uh, my dad was in, in computer science way, way back when. Um. And, uh, got his master's in computer science and kept bringing home a bunch of gadgets and things to play with prior to even before, uh, even before the personal computers were a big thing.
[00:03:56] Ken Zalevsky: And so, you know, I started getting into tech even back then. Um, [00:04:00] so I, I, you know, I, I kind of just took the tech path and ended up, uh, running cybersecurity and it was almost an accident, really. Um. When I was at Bayer, um, back in the day, and I, and, uh, you may get into this in different questions, but I, I can give you a little background and, uh, but, but, uh, it, it was, uh, early on in my career there that, uh.
[00:04:20] Ken Zalevsky: We started to see some things happening with, uh, some of the medical devices in the field that were a little unfamiliar, familiar to us, um, and cybersecurity and medical devices, believe it or not, wasn't really that big of a thing. I mean, most folks in, in those days, and I'm talking the nineties, talked about, um, HIPAA, uh, uh, patient privacy.
[00:04:39] Ken Zalevsky: Data protection. Those were the big topics, right? Cybersecurity didn't become a big deal, uh, until really after 2011, I'd say. But even in the nineties, you know, we, we were starting to think about it, but uh, really it hit home when, uh, one of our devices in the field actually was, uh, was hacked. Uh, and, uh, I got a call from a frantic salesperson, [00:05:00] uh, one day when I walked into the office and they, and, uh, it just took us all by surprise.
[00:05:04] Ken Zalevsky: But, uh, from then on I was really interested in, uh, the, the tech and bringing good tools, uh, to help protect, um, medical devices, uh, around cybersecurity specifically.
[00:05:16] Chris Sienko: Yeah, I worked in, um, in healthcare, uh, in the late nineties, early two thousands as well, and I remember the, uh, uh, you know, a, a lot of, uh, issues around OSHA and the big push to digitize paper files. And it was absolutely like pushing a, a, you know, Sisyphean rock up the hill and so forth. It was just
[00:05:33] Ken Zalevsky: Right.
[00:05:33] Chris Sienko: a nonstop process.
[00:05:34] Chris Sienko: So what, what was it about 2011 where the cybersecurity aspect of it really crept in? Was it, was it sort of like the start of the Internet of Things?
[00:05:42] Ken Zalevsky: Yeah, you know, it, there were a couple of things that happened around that time, but one, one big push was, um, there was a Black Hat conference that I attended, uh, at the time. And, uh, and, uh, uh, there was a presenter that got up on stage and actually, uh, showed that he could hack into an [00:06:00] insulin pump. And he, he happened to be a diabetic who had his own insulin pump and he had it on him and had his laptop and he had the, the presentation and he showed that with very little effort he could hack into it.
[00:06:08] Ken Zalevsky: Right. And, uh, I think people then started to say, Hmm, this is, uh, this is something, this could be, uh. This could be dangerous, right? I mean, we have, uh, nobody wants to, uh, medical devices that are an island. Everybody wants to connect their medical devices. We all wanna be networked. We all wanna share information.
[00:06:25] Ken Zalevsky: We know it's better for patients and diagnostics. And so, uh, everybody was heading in the direction of sharing and network. Uh, and that kind of took everybody, uh, back a step to say, uh, we have to think about this from, these are computers that are sitting on networks, right? Uh, so I think that was kind of the catalyst for a lot of the change.
[00:06:42] Ken Zalevsky: Um, I started to work with FDA, uh, in the late, uh, started the 2017, 2018 timeframe, uh, on software bill of materials, which we'll get into in a, in a minute. But, um, really, um, kind of ushering in that era of wanting to do more and protect, uh, those [00:07:00] devices. Uh, and it was kind of a, from that moment on, I think folks started to realize, uh, we need to address this.
[00:07:06] Chris Sienko: Yeah. Yeah, I remember those, those particular stories coming up in, I think one of our early Cyber Work episodes talked about the, uh, hackers being able to sort of hack into an emergency room while someone's getting heart surgery and so forth. So I mean, those were,
[00:07:18] Ken Zalevsky: Yeah. Real thing.
[00:07:19] Chris Sienko: fears and, and you know, also things that we're still working on.
[00:07:22] Chris Sienko: So, um, yeah, you said before, but before you founded Vigilant Ops in 2020, you
[00:07:27] Ken Zalevsky: Mm-hmm.
[00:07:27] Chris Sienko: 20 years at Bayer as the head of medical device security.
[00:07:30] Ken Zalevsky: Right.
[00:07:30] Chris Sienko: and even after founding Vigilant Ops, you continued on as a consultant with Bayer for three more years. So what were your, what was the scope of your responsibilities at Bayer?
[00:07:38] Chris Sienko: What types of devices were you charged with securing, and if applicable, can you say like how the nature of security for medical devices changed over those, those years?
[00:07:46] Ken Zalevsky: Yeah, sure, sure. So I'll start with Bayer, uh, first. So, uh, Bayer makes, uh, uh, devices mainly, uh, aimed in, uh, the, the digital imaging, uh, market. So digital imaging is CT, MR scans. [00:08:00] Um, and they're, they're, uh, devices mainly are, uh, computer-controlled injection systems, uh, for MR and CT scans. So if you've ever had an MR scan where they inject a contrast agent to illuminate the images, uh, in, in the US, I, I wanna say it's an 80 plus percent footprint.
[00:08:18] Ken Zalevsky: Uh, chances are 80, 80 plus, 80% plus, you'll be, uh, hooked up to a Bayer injector to get, uh, contrast injected. Um,
[00:08:25] Chris Sienko: Um.
[00:08:25] Ken Zalevsky: uh, and, uh, they also make patient monitors and, uh, other things that, uh, go along with those, those injectors. But, uh, that's the main thrust of it. They've got loads of devices, as you can imagine, global.
[00:08:35] Ken Zalevsky: It's a global organization, so they've got devices all over the world, uh, in, in hospitals all over the world. Uh, so it's a big footprint. Uh, and something to, to, you know, as, as, you know, when I was there, it was something that really, uh, a, a big problem to kinda sink my teeth into. You know, how do you secure these devices, how to keep them safe?
[00:08:52] Ken Zalevsky: Uh, not only the versions that are in the field, but you can imagine that, uh, there are continuously new versions of software that's going out there to the field, uh, and [00:09:00] some, uh, devices being updated during certain time schedules, others not being updated. And so it's, it's not a problem specific to Bayer, but across, you know, healthcare in general, how do you keep medical devices up to date, you know, with the, with the right software and security patches and those kind of things.
[00:09:14] Ken Zalevsky: And so that was my primary focus, was really kind of, uh, making, you know, looking out for the, the field of devices, looking out for new devices that came out. I mean, pretty much anything that had to do with the, the cyber on those, on those, uh, on that equipment. Um, I, I think that, uh, with respect to where medical devices have gone or how, how they've kind of evolved, um, as I mentioned.
[00:09:37] Ken Zalevsky: Medical devices, uh, have become more connected. I think the, the number that I like to, to use, and I might be even a little outdated at this point, is, uh, 10, around 10 to 15, uh, connected medical devices on average in every hospital room. So if you think about that, right, that's a lot of, uh, uh, uh, threat area, right?
[00:09:56] Ken Zalevsky: Where you've got, you've got this, uh, lots of devices going out to the hospital [00:10:00] network, uh, and, and beyond. And so, you know, medical devices are becoming more connected as we go forward. And even things like simple things, thermometers, right, are connected, right? I mean, in a sense they're sending information and exchanging data.
[00:10:14] Ken Zalevsky: So, uh, you know, medical devices are, you know, in the old days it used to be, and, and I literally remember this, we, you know, we would have a Bayer injector that you could not communicate with the hospital system, uh, unless you did these, you know, miraculous connections and, and had these integrations. Right now it's just, you know, a plug and play.
[00:10:32] Ken Zalevsky: Everybody communicates with everybody else. But at the same time, the risk of, uh, security, uh, vulnerabilities and hacks and threats, uh, now becomes much greater because now you have to worry about the hospital network is traffic encrypted across that network. Uh, I'm putting a device in onto a network that I have no idea.
[00:10:48] Ken Zalevsky: What's running on there? So, uh, it's, you know, the problem has become challenging and complex and, and multi-dimensions.
[00:10:55] Chris Sienko: Now we've, we've spoken a lot on here about industrial control systems [00:11:00] security, and especially the, the problem of legacy systems and trying to keep things updated that, uh, don't even really have a patch function or other, you know, are working on very old operating systems. Is there a similar thing in healthcare? Because obviously a lot of these devices are extremely new, as you said, and are very plug and play.
[00:11:16] Ken Zalevsky: Yeah.
[00:11:16] Chris Sienko: Is there a problem, uh, with regards to securing things that interface with much older medical devices in this area?
[00:11:22] Ken Zalevsky: There sure is. And, uh, you know, you, you, you got it right. There's a, you know, we call, you know, it's the legacy problem we call it in med, the med tech space where you have, uh, devices that are out there that are old and, you know, for various reasons. I mean. Hospitals don't upgrade equipment, uh, frequently for a lot of reasons.
[00:11:38] Ken Zalevsky: Uh, one is, you know, you find something that works, uh, and and you keep using it. The other one is, uh, a budgetary, uh, so, you know, they, they don't wanna replace some of these scanners, uh, and CT are a couple million, million dollars at, at least. And so, you know, replacing those frequently is a tough thing to do.
[00:11:54] Ken Zalevsky: So, you know, you end up running, uh, equipment that's older for, uh, you know, beyond [00:12:00] the lifecycle, the intended lifecycle, I would say, of the manufacturer. And so you get into situations where you actually have devices that are not patchable, uh, because they're so old, because the legacy software they're running is so old that the, the end of life, end of support dates have passed long ago.
[00:12:17] Ken Zalevsky: Nobody's creating patches for them. So, you know, the only, uh, option you have as a hospital, uh, if you have that equipment is to upgrade it, uh, swap it out and, or, you know, take it off the network for sure, but swap it out and get the latest version. Uh, and that is a huge issue. And that's at Vigilant Ops.
[00:12:32] Ken Zalevsky: One of the things, we'll, we'll we, maybe we'll get into later, but one of the things we, we, you know, when I went out, uh, and started Vigilant Ops, one of the problems I wanted to tackle was exactly that legacy, you know, how do you, how do you help maintain, uh, the security of those older devices and, uh, I'm happy to talk about that later, but yeah.
[00:12:48] Chris Sienko: Oh, we're gonna talk about it right now
[00:12:50] Ken Zalevsky: Okay.
[00:12:51] Chris Sienko: that is the next question. So, yeah. Uh, yeah. Can you tell me about your responsibility as CEO and founder of Vigilant Ops? 'Cause as you said, Vigilant Ops is a platform [00:13:00] designed to manage an organization's software bill of materials, or SBOM. Uh, we've talked about that a teeny bit on this
[00:13:06] Ken Zalevsky: Okay.
[00:13:06] Chris Sienko: but for our listeners who have not had experience with an SBOM, what is a software bill of materials and like, why is it important to an organization's security posture and, and how do you like, create and maintain an SBOM?
[00:13:16] Ken Zalevsky: Thanks, Chris. That, that's great. So yeah, let's, let's start there. I mean, a, a software bill of materials or, you know, SBOM is what everybody refers to it as, um, is pretty simple concept, right? Uh, everybody's probably familiar with a bill of materials, um, especially if they come from manufacturing. You know that every product, uh, that you manufacture usually has a bill of materials and says basically all the stuff that I use to build this product.
[00:13:39] Ken Zalevsky: And, uh, a software bill of materials is analogous to that in the sense that now I'm showing you all the software components I've used, uh, in building my product. Uh, and uh, we also like to kind of make the analogy sometimes to a list of ingredients on a food package. You know, if you flip over a bottle, uh, a
[00:13:55] Ken Zalevsky: bottle of milk or a box of cereal, you can see the food ingredients right on the package. [00:14:00] Uh, unfortunately, medical devices aren't that way. You can't flip over a medical device and see what software's running in there. So a software bill of materials is, the idea behind that is to give you that transparency and to give you that list of software, uh, that's running.
[00:14:11] Ken Zalevsky: The reason that's really important, and we just talked about that a second ago, was, uh, the, each one of these software components that you're running has a lifecycle and a security lifecycle, a cybersecurity lifecycle of its own. Uh, and at any given point in time on that trajectory, that could be, there could be threats or vulnerabilities against that specific software component that you need to be aware of if you're using that component on your network.
[00:14:35] Ken Zalevsky: Um, and. For, you know, for example, uh uh, I know Microsoft comes out with their, you know, everybody knows Patch Tuesdays, right? I mean, they come out with the patches, the security patches for all their products. Uh, and we know that manufacturers, a lot of manufacturers, especially in medical device, and I would say it's probably similar across other verticals, don't build their own operating systems.
[00:14:54] Ken Zalevsky: Usually they usually get one off the shelf, or, you know, so they'll either use a commercial operating system or [00:15:00] in a lot of cases now moving towards open source, maybe like a Linux type operating system. But the idea behind it is, these manufacturers are, you know, building medical devices, uh, to take advantage to leverage their expertise, which is on the medical side, not so much on the tech side, right?
[00:15:13] Ken Zalevsky: So they're, uh, cobbling together, I would say components, uh, either like you said, off the shelf, commercial or open source, and making up these, uh, these devices. And so as a manufacturer, uh, you want to be aware of the components that you're leveraging to build your product so you can make a secure product.
[00:15:30] Ken Zalevsky: But then as a consumer of that technology, like a hospital that's putting that on their network, they also need to know, if I'm running Windows XP for example, you know, say great, a great example. It's easy to pick on to say, if I'm still running Windows XP on this device, I have some vulnerability issues I need to worry about.
[00:15:45] Ken Zalevsky: Right? So the first step is awareness, understanding what's on there, and that's the software materials. And then once you have that understanding and understanding where the vulnerabilities are, then you might be able to take some action on that, uh, proactively.
[00:15:56] Chris Sienko: Yeah, now, uh, if your organization creates an, an SBOM as [00:16:00] it as it obviously should, who's, who's the stakeholder within the organization for the SBOM? Who's, who's sort of tasked with or, you know, record keeping? What you find out, is this sort of a, the governance, risk, compliance space, is it more for the security architect who's sort of designing around it?
[00:16:17] Chris Sienko: Is it all of these things? Is it something else?
[00:16:19] Ken Zalevsky: no, it, it is all of those things. It's kind of all of the above. If I'm, if I'm producing software, and again, sticking with the med tech example, um, what, what we say is, uh, you probably heard shift left, actually. You probably talked about on, on this, on the show before, but you know, everybody's talking about.
[00:16:35] Ken Zalevsky: And, and especially FDA, uh, is talking about building security in, uh, as early upstream as you can, right? So, uh, in that, in that software development life cycle, you want to be able to, uh, talk about secure product architecture from the very beginning, uh, ideally, right? It shouldn't be a bolt-on. So then in that case, you have architects, product designers, uh, people that are gathering requirements, maybe people on the front end with customers, uh, [00:17:00] and pulling in customer requirements and requests.
[00:17:02] Ken Zalevsky: Uh, that all should funnel into that secure design. Uh, so as early as you can upstream in the process, you should bake that in. But then as to your point, as,
[00:17:10] Ken Zalevsky: as you move through that software development life cycle, more functions in that organization become impacted by the cybersecurity of the device,
[00:17:18] Ken Zalevsky: and then get involved with SBOM and so.
[00:17:20] Ken Zalevsky: Uh, certainly from governance, the GRC perspective,
[00:17:23] Ken Zalevsky: uh, you know,
[00:17:24] Ken Zalevsky: you see functions and stakeholders that need to worry about, uh, SBOMs, creating SBOMs, generating them, providing them to FDA.
[00:17:31] Ken Zalevsky: We know that's a, a mandate, that's a law. Now, FDA requires, uh, SBOMs from medical device manufacturers. So to comply with FDA law you need to
[00:17:39] Ken Zalevsky: supply SBOMs. You need to maintain those, uh, customers are asking for them. So
[00:17:43] Ken Zalevsky: hospitals are asking manufacturers to provide SBOMs. Uh, so you know, you have customer support folks that get involved, field service techs, uh, it really goes across the whole organization.
[00:17:53] Ken Zalevsky: And one of the things we like to say is, uh, you know, we, in, in the old days, we used to see, um.
[00:17:59] Ken Zalevsky: [00:18:00] Cybersecurity issues kinda get thrown over the wall, right, to the engineering teams. Right. You'd have a cybersecurity problem and, uh, oh, they'll, that's not me. That's cybersecurity. That's the engineering team. Now it's, uh, everybody within the organization at some point, uh, along the line gets involved.
[00:18:14] Ken Zalevsky: Legal folks get involved with agreements they have with customers, and it just goes on and on. Yeah.
[00:18:19] Chris Sienko: So before we get into the, the general topics around, um, medical device security and certain cur current attack vectors and stuff, I, I kind of glossed over this before, but
[00:18:27] Ken Zalevsky: Yeah.
[00:18:27] Chris Sienko: about your, as, as CEO of, of Vigilant Ops, like what is, what does your, um, sort of average week look like in terms of what you're, you're implementing for your customers, for your, for your product and, and all the other sort of things.
[00:18:39] Ken Zalevsky: Yeah. Yeah. Thanks. Yeah, I, that might be my fault. I forgot to answer that question, but yeah. No, that's a great question. I, you know, as, as the, the Vigilant Ops, really our concern is, initial concern, uh, out, out, out the gate was, um, patient safety. You know, I, I came out of that space. I'm, I'm a, a strong patient advocate.
[00:18:57] Ken Zalevsky: I believe in patient safety and security, and I, [00:19:00] I feel like we're all consumers of healthcare at some point. Um, and, uh. I, I feel like we should all have the, the, the best treatment we can and the, the most secure and safe treatment we can. And I, I feel like, uh, bringing advanced technology to that space, uh, was, you know, I've almost felt like a duty.
[00:19:16] Ken Zalevsky: I, I really felt like it was something I needed to do. Uh, and starting Vigilant Ops and kind of focusing on that to start as a, as a big problem, uh, seemed like the right way to go. So, you know, a typical week for me looks like, you know, we work with customers all the time, as you can imagine on the
[00:19:29] Ken Zalevsky: medical device manufacturer side, there's still a lot of uptake, uh, around software bill of materials. Uh, as much as I'd like to say, uh, it's common knowledge at this point to, to your point earlier, there's still a lot of folks that don't know a lot about software bill of materials. Um, you know, I've been working on, uh, uh, software bill of materials since 2018, but I still talk to folks today who say,
[00:19:52] Ken Zalevsky: Well, what is that for? How do you use that? Right. And so we see a lot of education on the, uh, the customer side, especially on the device manufacturer side. [00:20:00] Um, on the hospital side, we're seeing, uh, hospitals now starting to demand or ask for a software bill of materials with products. And, uh, it's interesting.
[00:20:09] Ken Zalevsky: Uh, that hospitals now realize the overhead that's involved, uh, in supporting a product when you have no idea what's running in it, which you can imagine. Now if you look back, that's a pretty, pretty straightforward, hindsight's 20/20. But you know, you look at that and say, well, that makes sense. If I don't know that these Windows components are in there, how do I even know I'm vulnerable or susceptible?
[00:20:28] Ken Zalevsky: And so I, you know, in the old days, hospitals would call us literally. Uh, call Bayer and say, am I vulnerable? Is this in your product? Right? And so you, you don't have time. You can't do that anymore. As a CISO you couldn't do it back then either, but, you know, they're realizing now there are better ways, right?
[00:20:43] Ken Zalevsky: And so, um, what we see is we're working a lot with hospitals to kind of, um, bridge that gap, um, make them aware of how they can leverage an SBOM. So, uh, on the manufacturer side it's, what do I need an SBOM for? How do I make my product more secure with one? On the hospital side, it's, now that I have these products [00:21:00] deployed, how can I use an SBOM to help protect myself?
[00:21:02] Ken Zalevsky: Right? And so, uh, a typical week is working with both sides of that, all those stakeholders in that equation. Yeah.
[00:21:08] Chris Sienko: Yeah.
[00:21:09] Chris Sienko: Now, uh, you. up something that I, I was sort of tiptoeing my way towards asking, so I'm glad you
[00:21:15] Ken Zalevsky: Yeah.
[00:21:15] Chris Sienko: it because, you know, I've, again, I always like to speak to people who are just getting started in this industry and are just learning and, you know, I want, you know, I'm confident enough in myself, you can talk to me like I'm a 5-year-old and I'm not gonna be offended, but, but to give it like the, the most sort of simple version of it.
[00:21:30] Chris Sienko: Like, like what skills do you need to sort of interpret an SBOM, like I'm, you know, using your comparison of ingredients lists on food. You could indeed look at a cereal pack and you'll see a million, you know, deoxy, ribo, dooo. Do you know, and
[00:21:47] Ken Zalevsky: Correct.
[00:21:47] Chris Sienko: good? Is that bad? Is that a chemical, is that
[00:21:50] Ken Zalevsky: Right.
[00:21:50] Chris Sienko: name for a, a sugar? Uh, like how, what kind of skills do you really need to interpret an sbam? Either on the, on the consumer side, like you say, or on the [00:22:00] organizational side.
[00:22:00] Ken Zalevsky: That's a great question. So with respect to SBOM formatting, um, the National Telecommunications and Information Administration came out, the NTIA came out with a, a minimum elements list, uh, for the SBOM a couple years back. Uh, and so they've, they've standardized on what should be in an SBOM. So the information that's in an SBOM, if you're getting an SBOM that's produced by, and there are multiple tools that can generate SBOMs, including Vigilant Ops.
[00:22:28] Ken Zalevsky: Uh, but, uh, if you're getting an SBOM that's generated by one of these tools, it would, it should have, uh, standard formatting and include the elements, uh, that are supposed to be there. So I'll start there. Um, most, uh, most generators and SBOM creation tools generate the SBOM in one of three formats. And, uh, just to get a little tactical on you, there's SPDX, uh, there's CycloneDX, uh, there's SWID, which isn't as popular.
[00:22:54] Ken Zalevsky: Uh, and then believe it or not, people still use spreadsheets and PDFs and things like that, but sticking with those top three [00:23:00] computer machine readable formats, I would say, um, those things, those files are not easily read by humans, right? So if I pulled up a JSON, a CycloneDX JSON file for you right now, that was an SBOM, uh, you and I would both have a hard time looking, uh, figuring out what it said, right?
[00:23:17] Ken Zalevsky: I mean, we'd be able to pick out some components here and there, maybe a few versions, but you know, you'd have to really study it, right? Um, so the idea behind a tool like Vigilant Ops is we read that SBOM for you. So we, we, you, you create an SBOM using a popular generation tool and you can download those.
[00:23:31] Ken Zalevsky: There's a lot of open source tools. Microsoft's giving some stuff away to help generate, uh, against their products. Uh, but the idea is you get this SBOM and you import it into the Vigilant Ops platform, and it acts like kind of a decoder ring for you, right? It, it pulls it up and throws it into a nice format.
[00:23:46] Ken Zalevsky: You can then look at the elements and the components of it. You can see who manufactured the component, the version, uh, if there are any patches for it. There's lots and lots of information that you can get from that, you know, way better than, like I said, just one of those kind of machine [00:24:00] readable JSON files.
[00:24:00] Ken Zalevsky: So, uh, using a tool like ours, you don't really have to have much skill, uh, with respect to reading the SBOM, where the skill comes in is the next level, and understanding the architecture behind the product. So if you're an engineer and you're developing medical devices, uh, and you're looking at an SBOM, what you're probably looking at is, and, and looking for are components that are vulnerable, uh, dependencies, uh, on those components.
[00:24:28] Ken Zalevsky: So where in my source code am I relying on those components to do some functions, uh, and levels within my software that these, uh, components are buried at? Are they buried way, way deep that are gonna be tough to get to? Uh, are they at the surface? Can I replace them? Can I patch them? Uh, are there any latest patches for these components?
[00:24:45] Ken Zalevsky: What are the security patches? What am I running? Um, those kind of things. Uh, there are lots of, um, architectural decisions that are made based on that kind of stuff. Like, uh, can I lock down some services if I use this OS, you know, for example. So, you know, not to get too [00:25:00] tactical, but that's what an engineer would be doing.
[00:25:02] Ken Zalevsky: Uh, in our tool, they'd be pulling up, they'd look at an SBOM that they just imported. They'd look at the components, they'd look at the vulnerabilities. We have a dependency tree, which allows you to visualize where these components live in the software, uh, and, and trace back the path to the root. So it's all very complicated sounding, but it makes the job much easier for the engineer.
[00:25:20] Chris Sienko: Yeah, I imagine I was, I was trying to imagine, uh, having to have this encyclopedic knowledge of every single, uh, piece of a tool that you would be putting together and saying, well, these three are vulnerable, or these are. To, you know, have dependencies or whatever like that. But
[00:25:34] Ken Zalevsky: Right.
[00:25:34] Chris Sienko: it would be a lot Help.
[00:25:35] Chris Sienko: Help more helpful if you
[00:25:36] Ken Zalevsky: Yeah. To.
[00:25:37] Chris Sienko: it work for it
[00:25:38] Ken Zalevsky: To visualize it is much easier. And, and just, just real quick and add on to that is the, the other complexity and, and, uh, it, it's interesting because if you think about a, a medical device, again, sticking with a, a product in the med to med tech space, uh, products aren't usually, uh, it is not a one-to-one mapping of a product to an SBOM. It's usually, uh, one to many.
[00:25:58] Ken Zalevsky: So you have a product that has [00:26:00] many SBOMs and uh, the reason that is, is because products usually have, uh, subsystems, sub components, sub products even that are integrated into them that have their own SBOMs, right? And so having that structure is, is again, very complicated. So you imagine an engineer generating SBOMs for this complex product.
[00:26:20] Ken Zalevsky: Uh, and I've talked to, we've talked to lots of customers that say, I've got a stack of SBOMs, I mean, logical stack of SBOMs, I don't know what to do with them, right? And so, uh, in our product, we also enable you to kinda manage that product structure so you can actually have SBOMs nested within SBOMs. Uh, and we lay that out in a real, real simple way.
[00:26:38] Ken Zalevsky: So, again, uh, uh, from a complexity perspective, uh, we, uh, we say the engineers really, uh, are the source of truth for their products. Uh, we try to take that whole SBOM complexity out of their hands and let them focus on what they do best, which is their medical device.
[00:26:54] Chris Sienko: Yeah, again, it's sort of pulling it away from the what is the issue and then they, they give some time to sort of work [00:27:00] on why and how do we sort of create the solution. Right.
[00:27:03] Ken Zalevsky: Exactly. That's right where the important stuff is for those guys. Yeah.
[00:27:07] Chris Sienko: Yeah. Now, uh, we talked about your work with medical device security at, at Bayer and, and your work at Vigilant Ops specifically. Uh, can we talk a little bit in more of a macro way about micro Mac, uh, medical device security right now in the, in the sort of current state of it,
[00:27:21] Ken Zalevsky: Mm-hmm.
[00:27:21] Chris Sienko: for listeners who are either users of smart medical devices or trying to protect them or just learning about them, what are some of the most important threats or attack vectors that you'd like our listeners to be aware of?
[00:27:32] Ken Zalevsky: Yeah. Well we talked about one of them already, legacy devices, right? Um, understanding, uh, what's in a device is the first step towards protecting yourself, um, uh, knowing that you're running, you know, outdated software that hasn't been patched or can't be patched, um, is important, uh, to, to enable you to know what to do with that device.
[00:27:53] Ken Zalevsky: So, if you're a CISO at a hospital that's got devices that are running, um, you know, like I said, maybe a, an older version of Windows [00:28:00] that can't be patched or, uh, is, is, you know, just outdated. Uh, there, there may be some things you wanna do with that, uh, device. Maybe you wanna pull it off the network, put it on a subnet.
[00:28:10] Ken Zalevsky: Maybe you wanna only use it, uh, locally, uh, you know, there, there may be ways you can protect yourself, uh, without actually having to upgrade the device. Uh, but that's kind of the first place to start, is to kind of say, take inventory. What, what am I looking at across my landscape? Um, you know, as a, as a personal user of technology or healthcare technology, um, you also wanna make you, you wanna make sure that your, your manufacturer, the manufacturer of your product, the device that you're using, uh, is maintaining
[00:28:37] Ken Zalevsky: an SBOM, they've got an SBOM, uh, they have some kind of cybersecurity posture. Uh, they're able to communicate, uh, security patches readily and quickly. Uh, they, they get security patches out to you quickly as you need them. Um, they stay, uh, current with the latest trends. Um, you know, you, you don't wanna see
[00:28:57] Ken Zalevsky: uh, a, a month, a few months or a year go by [00:29:00] without hearing from your vendor and understanding there's, because I can guarantee you there's probably some patches that have to happen, uh, in that timeframe, just knowing the components that are running on this thing. So, uh, you, you'll, you'll know, uh, you, uh, pretty much out of the gate, um, with your, with the device manufacturer.
[00:29:16] Ken Zalevsky: Uh, their responsiveness, uh, with respect to security, um, how they've, uh, if they've got encryption technology, uh, is really important, especially if you're translating, uh, or transmitting data, uh, your own personal data to the cloud, which I know a lot of folks do. They wear these personal devices that communicate then, uh, and send data to their doctors or physicians, and that's all happening through the cloud, but that all has to be encrypted.
[00:29:38] Ken Zalevsky: Uh, that's all, uh, that's all, uh, mandated by PHI, uh, law. So, uh, HIPAA and others say, uh, encryption at rest and in transit, uh, is a necessity. So you wanna make sure, check that too. Um, are you encrypting my data? Uh, where's my data going? And are you encrypting it? And are you encrypting it when it gets there?
[00:29:56] Ken Zalevsky: What are you running on the other end? Is it a secure system? Is it, [00:30:00] uh, a HIPAA qualified, uh, system as well? So those are a few things I would start with. Yeah.
[00:30:05] Chris Sienko: Yeah.
[00:30:05] Chris Sienko: no, that's, that's, that's awesome. Now, um, can we talk about like, how do you feel the healthcare industry as a whole is doing at keeping on top of security threats? 'cause again, I, I keep thinking back to my days with working with doctors and doctors' offices and how resistant they were to digitizing literal decades of paperwork.
[00:30:24] Chris Sienko: And, and it was always, uh, you know, it was always feet dragging and it was always, you know, do this or you get fined or whatever. But
[00:30:31] Ken Zalevsky: Yeah.
[00:30:32] Chris Sienko: how, how do you, how do you feel about the state of things right now? Have there been any breaches or stories that acted as kind of object lessons that have hopefully led to some industry-wide policy change?
[00:30:41] Ken Zalevsky: Uh, yeah. Yeah, I mean, just that last part, there are lots of breaches and stories that have happened over the last few years, and I know, I'm sure your listeners are familiar with a lot of them. I mean, I go back to 2017 and WannaCry in healthcare. Um, you know, May 12th, 2017, I remember exactly the day it was, it was [00:31:00] just a, a big moment in, in, uh, med tech, especially with cybersecurity.
[00:31:04] Ken Zalevsky: But if you fast forward all the way to today, uh, and think about some recent stuff. So Change Healthcare was a big one, right? Um, uh, I, I think there were more than a hundred million, uh, folks impacted by that. I mean, we know that it, it, it kinda crippled the industry and lots of, uh, providers. Um, and, and I think it made a lot of, uh, government wake up as well.
[00:31:24] Ken Zalevsky: Not that they weren't awake and doing stuff already. So, I mean, I, I, I, I hesitate saying that, you know, well we, we've seen these biggest, these big breaches and you know, we're moving in the direction to maybe we're gonna eliminate these. 'cause I don't think that's gonna happen. I mean, every time we think we're ahead of the curve, we get hit by something even bigger than we got hit with last time.
[00:31:42] Ken Zalevsky: So, but I think we're moving in the right direction. I think the Change Healthcare stuff, uh, has kind of put the onus, a little bit of the onus and responsibility back on the hospital. Uh, so hospitals now, uh, if HHS, uh, is looking at passing, uh, legislation that would mandate hospitals to [00:32:00] have a certain level of cybersecurity, which would require, like we just talked about, monitoring vulnerabilities, understanding what's in their devices, those kind of things, uh, at a level that, uh, they haven't done in the past.
[00:32:11] Ken Zalevsky: And so I, uh, that's not out there yet as a law, but it's been, um, it, it's been thrown out there for comment. Uh, I think if HHS has their way and it actually becomes something, uh, uh, as a law, then we'll see a little bit of change on the hospital side. But what that means to me is then I think the hospitals are gonna go right back to the medical device manufacturers and say, I,
[00:32:30] Ken Zalevsky: Hey, we are being asked for vulnerability monitoring information, component information, stuff that's running in our devices. Please give that to us. Right? So, uh, we'll see a lot of more, uh, demand on the hospital side for software bill of materials and cybersecurity posture and, uh, other things from device manufacturers.
[00:32:46] Ken Zalevsky: So I think all in all, to your question of where are we in healthcare today, I think we're better than we were. I, I mean, definitely we are. Um, you know, back in the day it was, uh, you know, your hair's on fire and nobody knew how to respond. [00:33:00] Now there's, you know, clever incident response techniques and things you can do, you can make, you can be a little proactive.
[00:33:05] Ken Zalevsky: I think if you adopt SBOMs, uh, as you know, a transparency mechanism in the hosp, on the hospital side, you can be pro, a little more proactive than you could be in the past. Device manufacturers have no excuse to not build security into their platforms now. With software bill of materials, we're making that even easier.
[00:33:20] Ken Zalevsky: Uh, so I think we're heading in the right direction. Um, I think that, uh, the, the legislation in 2022 was a, a watershed moment, um, for FDA and at the end of 2022, uh, they passed the, the Appropriations, Cyber, sorry, Appropriations Act, uh, which included a modification to the FD&C Act, um, the Federal, uh, the Food and Drug and Cosmetic Act, which is an old document.
[00:33:46] Ken Zalevsky: That's what FDA runs on, but they gave FDA legislative authority, uh, to require SBOMs. So that legislative movement has pushed the SBOM issue to the forefront as well. So we're heading in the right direction. Um, the worst, I [00:34:00] don't know if the worst is behind us. I would hesitate to say it is. I think we'll see more stuff happening, I hate to say, um, but we're working on it and getting, getting there.
[00:34:09] Chris Sienko: Yeah, Now, uh, obviously we're, we've looked behind. Let's look a little forward here. There's no way of getting around this. So can we talk about how generative AI and machine learning technologies have changed the healthcare device security landscape and whether it's abetting the attacks or enhancing the defenses, are, are there certain aspects of this tech that you, you are keeping an eye on?
[00:34:26] Ken Zalevsky: Yeah, definitely. It's, it is a great question. Yeah. I mean, AI is pervasive. I mean, we see it in devices themselves doing diagnostics and, and cool stuff like that. Um, we see a lot of, uh, AI algorithms that are running out in there, in the devices. As a matter of fact, uh, we're working right now on a group that's, uh, uh, drafting an AI BOM, uh, so a software bill of materials, but specific to AI, uh, algorithms and looking at data sets and other
[00:34:51] Ken Zalevsky: issues that occur in an AI BOM different from a, an SBOM. Uh, so AI is, uh, is happening, uh, in cybersecurity around AI. AI [00:35:00] BOM is one movement that's happening. Uh, we also see, uh, in our platform, uh, we use AI to, uh, help ferret out dependencies amongst components. So if you look at that massive amount of data that you gather,
[00:35:13] Ken Zalevsky: uh, when you're generating an SBOM with respect to components and, and the, uh, the paths back to the root and the dependent components, and, uh, you can have this, what's called transitive dependencies. Uh, so if, you know, if A depends on B, then B depends on C, then A depends on C, right? So, you know, we, we trace all that stuff back using algorithms that we couldn't have done in the past, uh, and look for connections that maybe humans would not see, uh, if, if they hadn't, uh, you know,
[00:35:39] Ken Zalevsky: consumed this massive volume of data. Uh, and so that's another, another big area. It's really, uh, if you think about it from an engineering perspective, right, um, there are 75 plus new vulnerabilities daily that are reported to the National Vulnerability Database. So, uh, if you think about the hundreds of thousands that are out there already and adding to that mountain [00:36:00] every day as an engineer, it is
[00:36:01] Ken Zalevsky: nearly impossible to keep up. You know, you get these vulnerabilities thrown at you and you have thousands of vulnerabilities to go through. So one of the things we want to use AI for, and we're using it on our side, is to help those, uh, engineers prioritize those vulnerabilities. So, as you can imagine, the more, the more dependencies we can ferret out, then the criticality of these components is helpful in prioritizing those vulnerabilities.
[00:36:22] Ken Zalevsky: So engineers know where to look first. They might have a thousand vulnerabilities, but maybe there's only 25 that they really need to care about today. Right. Uh, and that's, I think, a big use for AI. And we're, we're, we're leveraging it today.
[00:36:33] Chris Sienko: yeah. We've, we've used that phrase before. Don't put perimeter fences around your garbage. You know, that you,
[00:36:39] Ken Zalevsky: Right. I.
[00:36:40] Chris Sienko: things that can be patched, but none of them are as, as useful as certain other ones. Now, I, I had not heard about AI BOMs, uh, bill of materials here. Is there any sort of resistance to that?
[00:36:51] Chris Sienko: Because I feel like AI is such a sort of black box in terms of what they're made of
[00:36:56] Ken Zalevsky: Hmm.
[00:36:57] Chris Sienko: you know, especially with regards to sort of large language model and, and sort of [00:37:00] generative aspects of it. Is, has there been any sort of pushback in terms of, Uh, showing exactly what the bill of materials for, for AI devices is because of, of a fear of, you know, giving up proprietary secrets?
[00:37:14] Ken Zalevsky: Uh, that's a really good question, and I can tell you, um, not so far, but it's a pretty, uh, the, the movement's still in its infancy, right? Um, we're, we're still talking about what should be in an AI BOM, um, like we talked about years ago with the software bill of materials. So there's still this kind of, um,
[00:37:31] Ken Zalevsky: thinking about what information we should, uh, be able to present in there. And so I don't think we've gotten to the point yet to cause, uh, much contention with respect to, um, you know, proprietary, uh, uh, data being shown in the AI BOM. But, but I can tell you though that that exact dilemma or pushback came with the software bill of materials itself.
[00:37:49] Ken Zalevsky: Right. And it's still, we still hear some of that, not as much as we did. But you know, folks, when SBOMs were first introduced, thought the same thing, which is sensible. If you look at a [00:38:00] software bill of materials, you can see the components that are running and you can see the vulnerabilities that are there for those components, you've pretty much provided a, a, a plan to a hacker to show them how to get into your device, right?
[00:38:12] Ken Zalevsky: Uh, and so device manufacturers were kind of saying, Hey, this is, uh, giving away our secrets and, and making us more, you know, vulnerable. Um, we've done a lot of stuff, uh, to protect that and to shore that up. And I think the same thing can happen on the AI BOM side if, if you distribute the SBOM with care.
[00:38:29] Ken Zalevsky: And what I mean by that is, uh, we have through our platform, so just one example, as a distributor, our platform also enables device manufacturers to distribute SBOMs to their consumers. And so what you won't see is an, a, AI BOM or an SBOM appearing on any public website, right? So nobody's gonna throw one out there and say, go download my SBOM, for a lot of reasons, right?
[00:38:50] Ken Zalevsky: They'll want to control that distribution and AI BOMs won't be any different. They'll want to control that distribution. So, uh, we've tackled that problem, uh, internally with our [00:39:00] platform by
[00:39:08] Ken Zalevsky: enabling secure authenticated connections and device manufacturers can invite hospitals to consume their SBOMs right through the platform. And so there's no question as to how it's being distributed or who's getting it. Uh, and as long as you answer those kind of questions up front and, um, you know, there's a lot of encryption. We encrypt the, the, the SBOM before it leaves, uh, device manufacturer encrypted, uh, in transit, like PHI requires an, uh, re, we encrypt it when it's sitting there, you know, with, uh, and so we're, you know, we're taking all these precautions, but, uh, you, you gotta shore all that up and make that mechanism something that folks can trust and believe in.
[00:39:37] Ken Zalevsky: And then you'll start to see that, uh, that attitude kinda wear away. But I, I wouldn't be surprised if it, if it goes that direction like it did with SBOM to start.
[00:39:45] Chris Sienko: Yeah, that sounds, yeah, I think that I, I don't know why I thought, uh, that these AI BOMs are just gonna be sort of like hanging out in like the classified section or whatever, but yeah.
[00:39:53] Chris Sienko: that, that makes sense that
[00:39:54] Ken Zalevsky: Yeah,
[00:39:54] Chris Sienko: uh, keep it close to the chest like that.
[00:39:56] Ken Zalevsky: yeah, yeah.
[00:39:57] Chris Sienko: yeah, a lot of our listeners are either [00:40:00] just getting into the industry, they're still students or
[00:40:02] Ken Zalevsky: Mm-hmm.
[00:40:02] Chris Sienko: choosing their career path and, and trying to sort of choose their, their educational offerings accordingly, or they're moving into security later in life from other jobs. Uh, you know, so we know that if you want to do digital forensics, you have to know a lot about pen testing. You gotta
[00:40:15] Ken Zalevsky: Right.
[00:40:16] Chris Sienko: degree of, of, of crime aspects that SOC analyst needs to know all about vulnerabilities and so on and so forth.
[00:40:21] Chris Sienko: So, speaking to the
[00:40:21] Ken Zalevsky: Yeah.
[00:40:22] Chris Sienko: of someone wanting to get into healthcare security today, what types of skills or experiences or educational tracks or certs should they be focusing on to make themselves kind of job ready from day one? I
[00:40:34] Ken Zalevsky: I mean, I think, uh, if they're technical in nature, um, understanding networking, the basics of networking, um, and, and, you know, uh, encryption technologies, uh, is very, very helpful. Um, uh, you know, if you have some programming language experience or exposure that's helpful. I mean, it's not totally necessary, but I think it's helpful to understand, uh, how software's written.
[00:40:56] Ken Zalevsky: Um, and, you know, uh, uh, various, uh, pieces of [00:41:00] software that are compiled and pull, pulled together kind of to make a product. Um, and understanding the communication mechanism between those, uh, is really helpful. So I think at some level that technical piece is, is very helpful. Networking all, all the way up through to kind of programming.
[00:41:14] Ken Zalevsky: Um, I think from a certification perspective, uh, new folks, I've seen a lot of CompTIA, um, uh, courses being taken by the folks, you know, the newer folks right outta school or maybe trying to get into this, um, and break into this field. Um, it, it, usually they have, and I, they have a lot of good courses, uh, and they're usually aimed at folks without a ton of experience, so you can kind of get those right outta school or, um, even while you're, you're in school.
[00:41:39] Ken Zalevsky: Um, there, there are others, you know, that are, that you hear about a lot, CISSP and CISM and those kind of certs, uh, that are mainly for the folks that are a little more experienced, maybe have a few years of experience under the belt. Uh, but I've also seen, which I think is a really nice trend, uh, as, uh, these kind of online or kind of ways to kind of self-educate too.
[00:41:59] Ken Zalevsky: So, I mean, [00:42:00] I know folks, uh, at, at least when I was younger, that would do a lot of this stuff on the side, you know, kind of like, uh, and it was harder back then to cobble together good resources, but today it's, you can find a lot of good resources out there that you can actually set up a, uh, you know, your own lab, so to speak, and start to, you know, play around with different environments, different ecosystems.
[00:42:20] Ken Zalevsky: Um, I would encourage folks to, uh, uh, if they have a technical aptitude, uh, or they, they like that kinda stuff. You know, there are lots that you can, you can do, even, you can get certified in Python programming as an example, right? Um, just tho, those kind of things can happen and you can do those things, uh, on, on your own.
[00:42:36] Ken Zalevsky: A lot of it can happen on your own. So, I, it doesn't have to be a formal education. Um, for med tech specifically, understanding, uh, federal regulations, FDA specifically, um, is really helpful. Uh, a, a lot of what you're doing as a, as an engineer, uh, as an architect of medical device products is thinking about it from a patient safety perspective.
[00:42:57] Ken Zalevsky: Uh, and a lot of that is regulated. There are lots of, [00:43:00] uh, systems out there that are in use today at device manufacturers, uh, that provide the guardrails, uh, for you to kind of, uh, develop code in a safe way, safe, secure way. Um, there, there are lots of security products out there that help you do the same.
[00:43:13] Ken Zalevsky: Uh, I know in the CI/CD pipeline on the SDLC side, you can look at various tools that, uh, enable you to kind of like, put the guardrails on development. Uh, you can flag things that aren't secure. I think we're getting more sophisticated AI, uh, in, you know, speaking of AI, uh, permeating that atmosphere as well.
[00:43:29] Ken Zalevsky: So dev is a great opportunity for AI to come in and help and point out security, potential security flaws in software. So understanding AI, maybe how that works, uh, to the level that you could use it in, in software development is really helpful. Um, yeah.
[00:43:44] Chris Sienko: Now, um, I have sort of a stock question I ask a lot of people
[00:43:48] Ken Zalevsky: Sure.
[00:43:48] Chris Sienko: regarding to, uh, sort of imp new tech being implemented. We see, uh, change come and it usually comes fast and abruptly and we get a new tech, everyone scrambles to use it. Layoffs or obsolescence [00:44:00] ensues. Uh, I don't know if that's necessarily as much the case in, in in medical security.
[00:44:04] Chris Sienko: 'cause I mean, we've talked about it's, it's got legacy elements, it's got, sometimes it's got slower rollouts and so forth. But, uh, speaking in general for like veteran security professionals that are currently working, are there certain aspects of bleeding edge, sort of cybersecurity tech they should be engaging with to sort of keep up with these trends so that they don't fall behind or become sort of obsolete dinosaurs?
[00:44:25] Chris Sienko: And if you're a student in an entrance like I, are some of these things that you need to know to future proof your skills?
[00:44:30] Ken Zalevsky: Yeah, I mean, definitely, you know, as we just talked about, AI is a good one. Um, especially, so I, I think about medical device in, in multiple facets when it comes to AI, right? There's AI that's, that's, um, penetrating the device itself. So they're using it to do diagnostics. They're using it to do, you know, better, um, better patient, um, uh, uh, scans, better patient monitoring.
[00:44:53] Ken Zalevsky: Um, comparing, uh, you know, uh, diagnostic data and actually recommending, uh, courses of action. [00:45:00] Uh, but understanding how those tools work and understanding how the impact of those on the device is really important. Uh, if you look at an OR, for example, we have customers in that space that, uh, a lot of these, a lot of these pieces of equipment are orchestrated to work together in a, in a specific network, uh, environment, uh, that, and they share information
[00:45:19] Ken Zalevsky: in that, that little network environment, but understanding, again, that communication mechanism, understanding the security encryption technologies, um, you know, we think about, uh, I think about quantum computing and, and, uh, the, the entrance of that. And I know that's kind of still in its infancy and, but taking off and, and so understanding,
[00:45:39] Ken Zalevsky: uh, where encryption might go is really important, especially for, uh, you know, thinking about again, the OR and communicating information from device to device. Um, how am I encrypting that? Am I susceptible to the, you know, potential break in that encryption? Um, so, you know, those kind of things would be good to, to pay attention to.
[00:45:55] Ken Zalevsky: Um, and then really, if you pull it all the way back to like kind of the, the level that we're at [00:46:00] today, I would say even on the hospital side, a software bill of materials and understanding, uh, what to do with that information, uh, is even a great place to start, right? I mean, uh, we still talk to folks who say,
[00:46:11] Ken Zalevsky: I have these SBOMs, I don't know what to do with them. Right. Um, understand, understanding the, the, the vulnerabilities in the products that you have already, understanding what you can potentially do about those, um, is really important. So staying on top of where SBOMs are heading as well, because it's an evolving ecosystem itself.
[00:46:27] Ken Zalevsky: Um, you know, we're, we're, uh, the SBOM itself is evolving with more information, potentially adding, uh, adding fields. Uh, FDA is asking for, uh, more fields in the SBOM to give more insight. So staying on top of that and understanding that trend is really helpful as well.
[00:46:43] Chris Sienko: Yeah, I totally agree. That sounds fantastic. Now, uh, before we wrap up here, Ken, I have a, a, a sort of more abstract question. I
[00:46:51] Ken Zalevsky: Hmm. Sure.
[00:46:51] Chris Sienko: you. What's, what's the best piece of career advice you've ever received?
[00:46:55] Ken Zalevsky: That's a good question. Um, I would say I was an undergrad. Uh, I was in [00:47:00] computer science and, uh, I thought a natural extension for me would be to get a master's. Uh, and so I wanted to roll into a master's in computer science, and I was working on a project at the time, uh, as a student and, uh, uh, the, the manager of the project, uh, gave me some advice that, uh, I, he probably doesn't even remember.
[00:47:20] Ken Zalevsky: And, uh, and, and, uh, but it, it was really impactful to me. Uh, you know, I said, Hey, I'm, I'm looking at doing a Master's in computer science. I think that's, you know, the natural fit for me. And he said, you know, you seem like an entrepreneurial type, you know, just working with you and, and you know, the way you're, you know, the way you kind of, uh, glom onto technology and look for practical uses of it.
[00:47:42] Ken Zalevsky: You might wanna think about an MBA, um, that might be more suited for you. And, you know, I, my first reaction was, whoa. Uh, and I took a couple courses and ended up, uh, getting an MBA and I really thought that was really great advice. Um, and, uh, it, it's benefit, benefited me quite a bit. I, I have [00:48:00] that entrepreneurial spirit.
[00:48:01] Ken Zalevsky: I've always had it, uh, and I always feel like, uh, but understanding that technology at a base level has been really, really helpful. Uh, so, you know, being a technologist at heart, but understanding the, uh, the applicability of it, uh, has been really, really good advice. So I would say that's probably the best piece of advice I've ever received.
[00:48:18] Chris Sienko: Yeah, that is awesome advice. And you know, as someone who was going to be a chemical engineer in college and went in
[00:48:25] Ken Zalevsky: Hmm.
[00:48:25] Chris Sienko: a very different direction, I think it's really hard sometimes to shake either your family's expectation or your own personal expectations of what you think your life is going to look like,
[00:48:35] Ken Zalevsky: right,
[00:48:36] Chris Sienko: this has to progress from this because this always progresses from this. So I
[00:48:40] Ken Zalevsky: right.
[00:48:41] Chris Sienko: can see very easily where you just sort of think, well, master's is next. I just have to do a master's next because
[00:48:47] Ken Zalevsky: I,
[00:48:47] Chris Sienko: that's what you do next.
[00:48:48] Ken Zalevsky: right,
[00:48:48] Chris Sienko: And so yeah, I
[00:48:49] Ken Zalevsky: right.
[00:48:50] Chris Sienko: guess before you jump into any sort of big change like that, it's always worth asking, what am I actually going to do with this?
[00:48:57] Chris Sienko: What is this actually going to do materially in my life? So,
[00:48:59] Ken Zalevsky: Agreed. Yeah, I agree. That's great. That's interesting. Yeah.
[00:49:03] Chris Sienko: Yeah.
[00:49:04] Chris Sienko: So Ken, we've talked a little bit about Vigilant Ops so far, but if you want to tell our listeners more about what your company does and the services you provide, let's hear it.
[00:49:13] Ken Zalevsky: Sure. Yeah. Thank you. So, as I mentioned a couple of times, we specialize in the software bill of materials, but we call it the software bill of materials lifecycle. I said a couple of times, the software bill of materials is great to generate, but you need to know how to leverage that SBOM once you have it, and
[00:49:33] Ken Zalevsky: that's what our platform does. We manage that actual life cycle of the software bill of materials. So if you think about it from inception all the way through to deployment, through to retirement, the software bill of materials is a living, breathing, changing document that needs to be managed and continuously monitored.
[00:49:51] Ken Zalevsky: And that's what our platform does. I say we take the SBOM problem off the hands of the technology producer and the technology consumer by providing tools to generate and manage SBOMs, and then that platform to share those SBOMs with folks that are actually consuming the technology.
[00:50:11] Ken Zalevsky: And we continuously monitor vulnerabilities. We have, as I mentioned, tools within the platform that enable engineers to prioritize work, to disposition vulnerabilities right in the platform. We have our own customized scoring system. So CVSS is the scoring system used for vulnerabilities, the Common Vulnerability Scoring System, a score from zero to 10.
[00:50:35] Ken Zalevsky: NVD, the National Vulnerability Database, analyzes the vulnerability and attaches the score to it, but that score doesn't normally reflect the way that software component is actually being used in that particular product. So a critical score in a component may be a low score in a product
[00:50:56] Ken Zalevsky: if that component was used in a certain way, maybe certain surfaces were locked down. And we allow our product manufacturers to do that right in our platform and say, oh, this vulnerability is critical, but the way we use it, it's a low, and so they can recalculate the score and communicate that to their consumer.
[00:51:14] Ken Zalevsky: So the whole point of the platform is to communicate security, cybersecurity of these devices, from producers to consumers, and take that real guesswork out of it on both ends.
[00:51:26] Chris Sienko: Nice. So I've got one last question here and then I'll send you on your way. If our listeners want to learn more about Ken Zalevsky and Vigilant Ops, where should they look for you both online?
[00:51:35] Ken Zalevsky: Yeah, sure. VigilantOps.com. You can find us there, and you can look for me on LinkedIn. And yeah, I'm happy to connect with folks. I always love to connect with cybersecurity folks, and especially folks that are kind of trying to get into the field. It's always nice to talk to folks, and I'm always looking to give back if I can help in any way.
[00:51:55] Ken Zalevsky: I am always available and would like to.
[00:51:58] Chris Sienko: Our listeners are all very LinkedIn savvy, and so you'll probably be getting some new friends after this.
[00:52:06] Ken Zalevsky: Great. Yeah.
[00:52:06] Chris Sienko: Thank you so much for your time and insights today, Ken. This was absolutely fantastic. I appreciate it.
[00:52:10] Ken Zalevsky: Oh, thank you Chris, and I appreciate you having me, and fantastic questions as well. Thank you.
[00:52:14] Chris Sienko: Thanks. And thank you to everyone who watches, listens, and writes in to Cyber Work with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, feel free to drop them in the comments and we will do what we can to make it happen. So before we go, don't forget infosecinstitute.com/free.
[00:52:30] Chris Sienko: That's a site where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners. So, for example, we just had a webinar, a beginning ethical hacking course: learn how to hack and use AI in this free one-hour course, taught by our superstar educator, Keatron Evans. It's already happened, but you can go sign up and get a copy of the video.
[00:52:50] Chris Sienko: So go check that out. The link will be on the page there. Also check out your free cybersecurity talent development playbook. You'll find in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. We also have an ebook salary guide: what are the average salaries for all of these different positions? All of this is on infosecinstitute.com/free. And yes, the link is probably down there in the description, I sure hope it is. One last time, thank you so much to Ken Zalevsky and Vigilant Ops, and thank you
[00:53:24] Chris Sienko: all for watching and listening.
[00:53:25] Chris Sienko: This is Chris Sienko signing off. Until next time, keep learning, keep developing, and don't forget to have a little fun along the way. All right. Bye now.
[00:53:32] Ken Zalevsky: Thank you. Bye.