Brett Harris dives into how he has leveraged his unique skill set to build out his Siemens Healthineers team and changed the culture to put product security first.
Ep. 23 | Reimagining Cyber | New Perspectives in Cyber | Brett Harris
Brett Harris 00:02
We're seeing customers asking for security features. It's no longer like, 'Oh, we're gonna, you know, buy the product with the best features/functions.' No, it is getting involved in, in purchasing. And, you know, they're only allowing the products to go through purchasing that have the best security.
Rob Aragao 00:24
Yeah. Welcome to the Reimagining Cyber podcast where we share short, to-the-point perspectives on the cyber landscape. It's all about engaging and casual conversations and what organizations are doing to reimagine their cyber programs, while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, Head of Security Strategist. I'm Robert Aragao, Chief Security Strategist, and this is Reimagining Cyber. Stan, who do we have joining us for this episode?
Stan Wisseman 00:57
Rob, our guest today is Brett Harris, Product and Solutions Security Officer with Siemens Healthineers. I want to learn more about being a healthineer. Brett has spent over 20 years developing and implementing best practices around technology deliverables, and has ensured security has been and continues to be a core tenet of any solution that comes to market. Hey, Brett, thank you for joining us today. And can you start by sharing a little bit more about your background?
Brett Harris 01:24
Yeah, absolutely. Thanks for having me today. I've really always been interested in technology, even since I was a little kid, and I ended up going to school for computer science, thinking that I want to be a software developer. But when I got out into the real world, I realized that wasn't really the path that I gravitated towards. And I really fell more into like an IT kind of role, which I found that I really loved. And from there, I transitioned over to Siemens into what would now be called a DevOps kind of role with a lot of build automation, and things like that. Not really the concept of Dev and Ops together yet, but you know, starting to work towards that methodology. At that time, there was no term of DevOps that, you know, that's a much more recent term. And then in 2017, I moved into security.
Stan Wisseman 02:28
Interesting path. We just had an episode with Lisa Plaggemier, and she was talking about how everybody has their own journey to get to cybersecurity, and you've had yours. So how did you find your way to product security?
Brett Harris 02:43
Yeah, it's pretty interesting. Actually, I, I didn't see myself as a security person. I did not think that I wanted to move into security, actually, when I was asked to take on a role in security. Basically, we were starting up this new digital health organization within Siemens Healthineers, where we were bringing all of our software platforms and our cloud platforms under one umbrella, and also planning to start up a bunch of new and innovative cloud and software platforms. And they needed someone with like a very specific skill set to help drive the creation of that product security organization. And I don't know who thought it was a good idea, but they asked me to do it. And I said no, initially. I said, you know, security is not the direction I want to move in. I really liked DevOps, I want to stay in that, that area. But, you know, here we are. They convinced me. And again, I found that I really love security. And I really see that as being my path for my career. You know, one of the things that I think is so interesting about that is, you know, the whole idea of imposter syndrome, right? Like, I did not think I had the security expertise to be able to do something like that. And in fact, you know, I've now been doing it for, I don't know what, six years or something like that. I've been basically full-time on security. And a couple years ago, I went to DevCon for the first time. And here I was -
Stan Wisseman 04:41
I'm sure that was an experience for you. Right?
Brett Harris 04:44
Super exciting. I love that. I went again, this past August. And here I was like surrounded by all these amazing hackers, quote unquote, you know, and other kinds of security people and I, it just felt like what am I doing here? Like, I don't know anything. But as I've talked with people, I've realized like, this is really a systemic topic in the security industry, very few people really feel like they've got the security chops. And you know, they're really like up there on, on the security, security, everything.
Stan Wisseman 05:24
But the background you bring, let's face it, enables you to be credible with the opposite end, the development side of the house, that a quote unquote pure play security geek may not be able to bring to bear. Right? I mean, they don't have that ability to communicate the same way.
Brett Harris 05:45
That's an excellent point. I never really thought about it that way, actually. Yeah.
Rob Aragao 05:50
Well, I think that's a key, you know, attribute, if you will, that people are looking for in hiring within security openings that are out there. So I kind of want to get into that a little bit. So we know that there's plenty of opportunities, right, to bring on additional cyber security resources to any organization out there. When you look at product security, and this, you know, evolution of your career. And as you mentioned, over the past, you know, six years now doing product oriented security, that's still a relatively early area of security in general, right, and it kind of sits in different pockets. It's not always kind of part of security, right, product teams. But just thinking about, right, for the listeners, you know, when they're saying, Well, geez, that might be something of interest, as I hear more about what Brett's been doing. What do you see as some of the kind of key attributes that really you're looking for in people that would be able to fit into a product role? And some of that experience you've had, right, coming from other parts of, you know, understanding development, the DevOps approach, I mean, I think, again, right, major experience that truly can translate in, and now put the security cap on top of that, to drive value back into whatever organization you're a part of.
Brett Harris 06:59
I really, I think the big thing is just being interested in the topic and having a growth mindset. Particularly in product security. We need testers, right? We need architects. We need software developers. Basically, the entire cycle of what is needed. The entire team. You need people with security expertise in every single one of those roles, right? You need product managers who understand a little bit of security so they can make the right requirements. You need developers who understand security for secure coding practices and code reviews. You need testers for security testing. I mean, that's the one that is kind of the obvious one. And then what I found, in building that organization, that digital health product security organization, was that probably like our number one resource, or our number one asset, were our architects. So we needed our architects to really ramp up on security. And they were able to really lead the teams and design the right product outcomes.
Stan Wisseman 08:24
So Brett, you know, we are also part of a product company. And it is certainly top of mind for product managers and the teams that support the development to continue their roadmap and get features and functions out to market rapidly and as a primary focus, right? So when you have a program that's trying to build security, how do you get a culture? How have you successfully launched and gotten initial traction and then continued to mature that kind of built-in mindset for security? When, let's face it, their primary priorities are around enhancing the features and functions of the product, which, again, security sometimes isn't viewed as being part of that.
Brett Harris 09:24
Well, I really feel like there's two questions there, right. So, there's the question of like, how we built the culture, which we'll tackle in a second here. But I also want to address your comment about, you know, those security features not always being the top priority. That is something that is, is changing, and changing really rapidly. We're seeing customers asking for security features. It's no longer like, 'Oh, we're gonna buy the product with the best features/functions.' No, it is getting involved in, in purchasing. And, you know, they're only allowing the products to go through purchasing that have the best security. Yeah.
Stan Wisseman 10:15
Which is what it takes, right? I mean, if the customers aren't asking for it, then that's not going to be a key priority for those producing the products.
Brett Harris 10:24
Absolutely. So I would say like right now, right there, that is changing, like that mindset is changing overall. Now, a few years ago, it wasn't that way. That's really changed a lot in the past couple of years. So when building that digital health product security organization, I took a couple of different approaches. One thing that I felt was very important was embedding security in the product teams. So, not just having central resources that say, you know, 'Do this, don't do that'. But also having those security-minded architects, those testers that have a security mindset as well, you know, having those kinds of folks embedded in the team. So throughout the whole development lifecycle, you've got key people there that are influencing the device design and development of those products.
Stan Wisseman 11:30
Now, in the DevSecOps world, we refer to those as Security Champions. Do you have similar terminology when you're doing this? And how do you scale that? Do they have a dotted line to you, or are they direct reports?
Brett Harris 11:46
We're very matrixed in our organization. So I did have some Security Engineers and Security Project Managers reporting directly to me. And those, we did give them a role called Product and Solutions Security Engineer. And, you know, typically, it was the architects, I was mentioning architects before. And typically, those were our Security Champions. And those were the ones that were given that product security expert role. So one other thing that - two other things really - that I think were really important. My personal management style is around servant leadership, where I feel that it's really important that I'm helping my team give the best that they can get. And when I built my, my team for supporting these different project teams, I also was motivated by that methodology, and really was creating like a service oriented central security team. So, one, that was going in and helping out the product teams when they needed help, when things were not going the right way. And not just like a governance function, where security is the one that no one wants to go to, because they know they're going to get their hands slapped. And that, that was super successful. And then the last piece was really tied back to my DevOps and build automation kind of roots, and building in security automation, in that kind of like DevSecOps mindset. So making it easy and making it automated to do the right things.
Stan Wisseman 13:48
So, they help reduce some of that friction as well, because you're exactly under the tooling that they're used to.
Rob Aragao 13:56
Brett, going back to kind of what got started within Siemens, if you will, from a security perspective, to understand that it was important to put an emphasis on product security. You talked about, you know, now we're at a point where it's very common that customers are asking, 'What are you doing for security? What does your program look like?' You know, you have a Software Bill of Materials and all the different asks. But turn back the clock, you know, you, as you said, you were asked to move into this brand new position that they were creating. But something happened, something kind of was an awakening, whether it was very early on - customers or the FDA - or just something that they saw out there happen, and they said, we better rethink this and start to get ahead of it, and have the opportunity for you then to introduce into this organization, you know, these capabilities. Like, can you take us back, like, what happened back then?
Brett Harris 14:49
Yeah, absolutely. So, really, we, at Siemens Healthineers, are standing on the shoulders of giants. Our product security program, from what I understand, really stemmed from the Stuxnet incident back in 2010, where the Siemens STEP 7 software was part of the kill chain that was used to compromise those Iranian systems. And from there, my understanding is that, that is really where our organizational product security program came out of. For healthcare, we built off of that once that program was more established. And I would say, like, from what I could tell, the major inflection point for our security program was when WannaCry really started to be pervasive, back in 2017. We had a security program in place, right, like I was already in this Product Security Officer role for digital health. We had Product Security Officers for other business lines, and a Chief Product Security Officer for the whole company. And when WannaCry hit, we realized that there were a lot of things that we didn't have in place. So, for example, we like to issue a holding statement that says, hey, customers, we realize something is going on. And just so you know, like, we're looking into it, we're on top of that. When WannaCry hit our first major customer, it took us, I think, a week or two to get that holding statement out. You know, we didn't know who the right path, the right people to involve were. We had to get agreement with all those people. It took a really long time. So back in 2017, we created this cyber health program, where the goal of that program, and it's still running today, is to raise up our company's capabilities around product security, in every function: strategy, training, market, and, you know, everything you could possibly think of. There's a bunch of different work streams in that program. And it's done so much to streamline and improve everything that we're doing around product security.
So using that example, WannaCry took a week or two to get a holding statement out. The last one we had to do, we had a holding statement out the next day.
Stan Wisseman 17:52
That's great. That's great. Now one of those areas, I imagine, based on the, you know, the elements of the technology and data involved with the medical technology area, has to be around data privacy, and how you're handling and dealing with PII and other sensitive data on these devices. So how have you seen those requirements impact your program? And are you doing things like privacy by design? Is that something that you're trying to build in, just like you're doing with security?
Brett Harris 18:29
Absolutely, we have a whole data privacy department. And from what I've seen, that was already in place before our product security organization got going. And, you know, as far as like data privacy kinds of topics go, we really focus on standards and certifications. So for instance, we've always had a really strong internal data privacy program. We've been ISO 27001 certified for a really long time. Our remote support technology that we've built is also ISO 27001 certified. And coming from my old business line, we've got our Team Play cloud platform, which is where we host our medical applications, but we also have third parties hosting medical applications in kind of like an app store kind of thing. And, you know, that has really stringent data privacy requirements. It's got the Euro PriSe Privacy Seal. It's also ISO 27001 certified. And we've even just recently achieved Chinese classified protection of cybersecurity, which is like a super hot standard for security and data privacy. Now, you know, this is also a changing, changing field here. This is becoming more and more important to customers. And customers are asking for different things than what I was seeing customers ask about even a few years ago. Now, it seems like customers want SOC 2 Type 2, HITRUST, things like that we're seeing.
Stan Wisseman 20:30
We're seeing that too. Yeah.
Brett Harris 20:31
Yeah. So, you know, it's a moving ball. They want more, and we've got to get better. And we've got to work together to do that.
Rob Aragao 20:43
Yeah, I completely agree, we definitely need to do much more collaboration and working together to, to get, ultimately, what we all want, which is better security. Let's take the data privacy kind of discussion to the next level around this evolution to cloud, right. So, you talked about, you know, some of the things that you guys offer up as services. And then, you know, third parties tied into the marketplace offer as well. You know, that pivot, though, to the cloud, what are some of the implications as you were going through that, that relate back into product security? I kind of look at it as, you know, sharing what lessons you learned throughout that, which probably, I would assume, was pretty accelerated, like, you know, we need to shift certain things, or anything new is going to be delivered as SaaS or cloud-oriented capabilities.
Brett Harris 21:30
I'd say cloud definitely brings new and interesting challenges to a product security world. You know, the traditional, like, pre-cloud mindset was really like a shared responsibility. And it still really is a shared responsibility between us and our hospital systems. So like, when we deliver our, you know, an MRI machine or something like that, we're delivering it with the security capabilities that the hospital needs to be able to properly secure it, but then it's the hospital's job to complete that security, to make sure that it's in the, you know, the right technical, you know, right, it's in the right VLAN. It's got the right firewall protections and things like that. With the cloud, that all comes back to us. Very little of it falls to the customer. And very little of it is that shared responsibility. And so, you know, coming back to what you just said about privacy by design, security by design, you really have to build it in at every level, right? We're talking again, DevOps, right, DevSecOps. That you've got the security features, you've got the operations teams working closely together with the development teams, maybe they're the same team. And that's informing the security controls that are applied in the cloud. And it's really important that, again, you apply those DevSecOps principles, because people make mistakes, right? So, if you can build an automation to apply those security principles, then you take that human factor out. Yeah, maybe there might be a bug in your automation, but then you fix it, and you fix it once, and then your entire environment is secured.
Stan Wisseman 23:40
The other thing, your background in automation is helping there as well. Yeah, super helpful.
Brett Harris 23:45
Exactly. The other thing that I think is really important is the concept of layered security. You know, a lot of times people describe security as an onion, where you peel back, peel back the different layers. And that becomes more and more important in the cloud, where you're segmenting off the different resources, and you're making sure that only the right resources can talk to only the resources they need to talk to, and that they're locked down and secured properly. That way, since you do have this huge footprint that is theoretically publicly accessible, even if a portion is breached, they can't get to, you know, that golden nugget that the attacker wants, right. Maybe they've only breached, you know, a tiny portion, and then they get stuck there.
Stan Wisseman 24:45
Going back to one of the things that is driving the market. You mentioned the customers asking for it, and I think another area in that context is around supply chain, right, you know. Given SolarWinds and the spotlight it put on the attack vectors that are being used to ultimately leverage those supply chains to hit a target. And then those consumers have a product that has been submitted being vulnerable. And, you know, it's even scarier to me thinking about the context of what you're dealing with, in medical devices. What, you know, are you looking at doing, or are doing, as far as how to minimize or mitigate some of these supply chain attacks?
Brett Harris 25:38
Absolutely. This, I would say, is another really hard problem. And, you know, it's something that we've been dealing with for a long time, but SolarWinds really kicked the customer interest into high gear. Already, for the past few years, the FDA has been running work groups to figure out how to handle this kind of supply chain information distribution. And there's this concept of an SBOM, a software bill of materials, that medical devices need to provide to customers. Customers are interested in that, I would say. On the customer side, there's a pretty long way to go before we can really figure out as an industry how to properly handle that information that's coming from those SBOMs. Internally, I would say, like, this is one of the best things that we're doing. We catalogue all of our third party software that goes into our products in a system that was developed by our parent company, Siemens AG, where they proactively monitor the vulnerabilities, all published vulnerabilities, for third party software. So anytime we integrate a third party component, we register it with this internal program, and the analysis team goes and finds the source for where to get vulnerability information from for it.
Stan Wisseman 27:25
And I think the SBOMs used that way is great, yeah, it helps you understand where the vulnerabilities are and quickly deal with them. And I think, you know, limited access to SBOMs by customers makes some level of sense. I guess my concern, as far as, I'll be blunt, is that you could also arm attackers with understanding what basically the ingredients are in your product. And they could then use that as part of their, you know, analysis as far as how best to attack you. I don't know if you see it that way.
Brett Harris 28:08
There is definitely a balance to be played between openness and, you know, keeping that information restricted. I have a firm belief that openness is the right medicine for this problem. Attackers are going to get a hold of a device, they're gonna reverse engineer it, they're gonna figure out what's in your product, whether you like it or not. So, you know, being proactive, and, you know, letting your customers know what's in your product, is helping your customers be able to deal with the problem as well. And I would also say that it enables us to deal with the problem before the customer even has to deal with it. Because what we do is, with every one of those vulnerabilities that comes through from that service, we do an evaluation to see how it applies within the specific context of our device. And we do two things with that. That helps drive the determination on what we fix, right? While we're patching, what additional security controls we're putting in place in our products. But we also publish those evaluations to our customers. So if we know about a vulnerability, we have this online portal called Team Play Fleet, where customers already have their products registered, and they can go in and see, okay, my product has this vulnerability. So what technical control am I going to put in place so that that vulnerability is not an issue in my environment?
Stan Wisseman 29:56
So you do make that visible? That's really good.
Rob Aragao 30:01
Well, Brett, you shed a lot of great details on the role of product security. You've not been in it very long, and it's also still a relatively new role. So, I think listeners will appreciate, right, that there's additional opportunities in some areas where they may come from a different background in technology. Maybe, maybe not like you did, and be able to help an organization, because we are seeing much more asks from the consumers. You mentioned, right, the different business partners even that we're working with, on what does it look like from a security scope within your products, your services, everything you have to offer. And then of course, the things that you can put back into the organization in the best practices and approaches you have, in the constant evolution, right, of things thrown your way, whether it's data privacy requirements, the shift to the cloud, and everything that comes along the way. So Brett, we really appreciate you spending time with us and sharing your journey and focusing on product security overall. Thank you for that.
Brett Harris 30:51
Thank you so much for having me.
Rob Aragao 30:53
Thanks, Brett. Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us and you can find out how in the show notes. And don't forget to subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business, where our mission is to deliver cyber resilience by engaging people, process, and technology to protect, detect, and evolve.