Todd Friedman’s passion for improving lives powers his work in medical device and health tech security, a field he describes as less of a job and more a “calling.” As Chief Information Security Officer (CISO) at ResMed, a provider of cloud-connected medical devices and out-of-hospital health services, Friedman and his team protect both enterprise assets and medical device users by prioritizing data privacy and system security.
Friedman’s unique path to cybersecurity started in the music industry. Following his first security role fighting piracy in the music field, Friedman held many positions in information technology (IT), starting as an analyst and making his way up to management roles.
His varied experience, from protecting Eminem’s and Justin Bieber’s websites to Mattel Toys’ intellectual property, has proven to be an asset throughout his security career. “My CISO roles at three companies have afforded me opportunities to have business relationships and impact beyond IT roles,” Friedman says. As a security executive, he has honed his advocacy skills when it comes to talking about security in the boardroom. “When discussing security in terms of risk with business leaders, there is more acceptance and support, such as identifying risks like the potential loss of highly sensitive health data, downtime, stakeholder assurance impact and financial costs.”
The medical device field truly embodies the need for balance between security and innovation, which makes C-suite security buy-in all the more important. At ResMed, Friedman highlights the connections between business and security goals, rather than treating them as inherently opposite. “Innovation and security can be aligned if there is security by design supplemented with frequent reviews, monitoring and reinforcing that security is a shared responsibility. It is also important to include the security team at critical points in projects and initiatives, including risk analysis, assessments, vendor reviews and ongoing monitoring once solutions are in place.”
This integrated security strategy assures medical device protection throughout the technology lifecycle — which is no small task for the cybersecurity leader. The organizational attitude toward security helps Friedman and his team detect and mitigate cyber threats to their devices. “In my career prior to ResMed, I faced predictable challenges getting management support, overcoming resource constraints and instilling a security-minded culture in organizations. But ResMed is different,” Friedman says. “We treat security as a critical part of our risk management; we have a high regard for compliance and regulatory obligations; and the security team works closely with privacy, legal and other groups. This drives a supportive culture, and that is imperative.”
This culture allows the security team to do what they do best: protecting the company and its patients. Friedman’s priority as ResMed CISO is to improve lives through ensuring the data security of the entire ResMed community. “This is done through numerous activities and requires ongoing program improvement and leveraging security innovations both internally and through partners. Continually refining the security tech stack, risk management, incident response capabilities and maintaining a security-conscious culture are also high priorities for our program,” Friedman says.
Instilling a security-minded environment throughout the organization has helped mitigate some of the challenges of securing medical device technology. Friedman names security assurance and compliance as top priorities of his team. “As medical technology solutions become more powerful and complex, it is not sufficient to secure the device itself — the entire ecosystem needs to be secure,” he says. “We can implement security by design, but if devices are not used as they are intended, then systems run a higher risk of being compromised.” This is where ResMed’s organizational emphasis on security comes in; by treating security as a shared responsibility, medical device manufacturers and users work together to protect medical technology systems from cyberattacks.
The importance of collaboration remains a common thread in Friedman’s cybersecurity and leadership successes. On a security and enterprise level, developing a cohesive team is a cornerstone of productive leadership, according to Friedman. “Good security leaders will build great teams with highly skilled and dedicated people and train them to work well together, understand business goals and objectives, support them and improve their company’s security posture,” Friedman says. The integration of security is a key step to a heightened level of organizational protection. “To be considered part of the business and not an isolated team requires understanding the company culture, what success looks like, and how to create a culture for the security program that fits with the company,” he adds.
Security leaders often think first of what they can do for others, be it supporting staff, securing technology or assessing enterprise risk. As a seasoned cybersecurity professional, Friedman brings an outstanding level of passion to his role. “Security roles have enabled me to meet interesting people, travel, help ResMed succeed through the protection of data and systems and enable innovation. My goal is to leave every project, role and company better and more secure than I found them,” he says. Friedman leads his team with this goal in mind, integrating cybersecurity into all aspects of the enterprise. “When I had an opportunity to join ResMed, I was able to combine two passions: security and helping improve lives. That’s why my whole heart is in this CISO role.”