top of page

Leadership: Do we Need a Chief Operations Security Officer (COSO) in the Emerging IoT World?

Good decision making is the hallmark of a great leader. A leader’s ability to make a high percentage of good decisions, in a timely fashion, is fundamental to the effectiveness of the individual and the success of his or her organization. In fact, Bain researchers found that decision effectiveness is 95% correlated with financial performance [Forbes, ‘17]. Yet, about half of business decisions end in failure, a study showed!

Decision making in a highly cross-functional environment is very challenging. It requires at least some exposure and knowledge across various functions, in addition to learning agility, to be effective. The breadth of exposure helps in overcoming individual unconscious biases. People feel better about making decisions in the areas in which they have some experience. While it is well understood that leaders often don’t have to (and shouldn’t) make decisions in vacuum, they still have to form teams by assessing and onboarding right people, ask right questions, facilitate right level of discussions among cross-functional team members, solicitate and appropriately value views from various stakeholders, and influence decision making – all of these require breadth of knowledge.

The Internet of Things (IoT) cybersecurity is that highly cross-functional environment with lots at stake. Following recent headlines indicate the potential impact if not managed well:

Poor decisions in this space could lead to big losses and/or safety concerns. As shown in the figure below, a recent McKinsey report indicates how critical the IoT Cybersecurity is and how ill prepared the companies are in managing it. The organizational and talent gap is the biggest challenge. Clearly, a new leadership position to manage IoT cybersecurity can easily be justified.

Knowledge participation required for IoMT cybersecurity

While the discussion here is tailored towards Healthcare, the principles can broadly be applied to any industry vertical. As seen in the adjacent figure, IoT and cybersecurity of IoT in healthcare both sit at the intersection of many functions. There is no one role in current healthcare organizations that has the right blend of cross-functional exposure. The Chief Medical Information Officer (CMIO) role typically covers the intersection of IT and clinical operations; s/he may likely not have enough exposure to the technical inner-workings of medical devices and related regulatory requirements. While clinical engineering leaders understand medical devices, clinical operations and relevant regulatory requirements, very few of them if any also understand IT.

More often than not, IT and/or Information Security (IS) teams are requested to manage IoT cybersecurity risks because of their digital savviness; many if not most of them, however, lack good understanding of medical devices! Following questions help in understanding the difference:

  1. Who typically does the design of clinical telemetry system/network in a hospital?

  2. Who typically does the design and installation of building automation system?

These IoT systems are designed with different philosophies and performance criteria in mind. The Internet of Things could also be thought of as Internet of Operations Technologies (i.e. medical devices, HVAC network, etc.). The table below outlines some of the key differences.

Performance expectations from IT vs. OT (operations technology - IoT) systems

Clearly, the IoT and its cybersecurity require broad business critical operational considerations. Hence, we ask the question: Do we need a Chief Operations Security Officer (COSO) in the emerging IoT world? A Chief Information Security Officer (CISO) can certainly take on this additional matrix management responsibility with increasing exposure to other areas such as clinical operations and operating technologies (i.e. medical devices).

The new role calls for an incredible amount of leadership to be effective. Learning agility would enable a leader to make good decisions, empathy would help her/him in gaining organizational engagement, courage would allow him/her to bring new practices, credibility would help in gaining support from her/his colleagues from other functions, and decisiveness should help him/her in speedy execution and delivering results. These are some of the key leadership attributes this new role requires.

Required leadership attributes in Chief Operations Security Officer

Every organization is going to need an effective cybersecurity solution. What they, however, need first is a good security leader who understands the business, technologies, culture and key operational processes well. This leader with presence and clout will ensure that his/her organization thrives in the emerging IoT world while managing all cybersecurity related risks. S/he will not only put in place right processes, policies and security solutions but will also build a culture that prioritizes cybersecurity in the business.

MediTechSafe has developed a proprietary solution to help hospitals manage their cybersecurity, medical devices and clinical networks related risks considering both IT and Operations Technology (OT) needs. If you are a healthcare provider (or a biomed services provider) interested in learning more about MediTechSafe’s solution, you could reach us at

bottom of page