Jacob Combs

#45: Jacob Combs: Securing a Product Ecosystem

We sat down Jacob Combs, VP of Cybersecurity at Tandem Diabetes Care, to talk about how he manages product security at Tandem, and how he overcomes the need to secure an entire ecosystem, beyond the product’s perimeters.

About Jacob Combs

Jacob Combs is the VP of Cybersecurity at Tandem Diabetes Care. Jacob is, to use his own words, an expert in “Strategic cybersecurity leadership and risk management for products that change the world.” A Veteran technology and security leader with a focus on protecting and advancing critical infrastructure sectors across the globe, Jacob has held key positions at, among others, Insulet, Boeing, Qualcomm, and currently, Tandem.

Summary of the Conversation with Jacob Combs

Jacob Combs, VP of Cybersecurity at Tandem Diabetes Care, shares insights from his extensive career in cybersecurity. Jacob’s background includes key positions at Insulet, Boeing, Qualcomm, and Tandem. He discusses his journey into product cybersecurity, the unique challenges of securing medical devices, and his strategies for building robust cybersecurity practices.

Introduction

  • Career Overview: Jacob has held key cybersecurity positions at several prominent companies and is now focused on product security at Tandem Diabetes Care.
  • Current Role: As VP of Cybersecurity, Jacob leads efforts to secure medical devices and manage cybersecurity risks.

Key Insights and Highlights

  • Journey into Cybersecurity:
    • Unconventional Start: Jacob began his career as a service desk technician, which developed his troubleshooting and communication skills.
    • First Cybersecurity Incident: His first exposure to a cybersecurity incident sparked his interest and led to a dedicated focus on security.
    • Product Security: Transitioned to product security in the medical device industry, merging his software development background with cybersecurity.

Building a Product Security Practice

  • Philosophy Over Blueprint: Jacob emphasizes understanding the industry, company, and product specifics to build a robust security practice.
  • Immersing in Technical and Business Aspects: He adopts roles akin to product manager, architect, and quality engineer to ensure comprehensive security integration.

Securing an Ecosystem vs. Multiple Products

  • Medical Device Ecosystem: Describes the challenges of securing interconnected medical devices, controllers, and backend systems.
  • Lifecycle Management: Emphasizes the importance of managing encryption keys, certificates, and sensitive data over the long lifecycle of medical devices.

Regulatory and Compliance Challenges

  • Increased Regulation: Discusses the impact of recent regulatory changes, including the FDA’s pre-market guidance.
  • Risk Management Focus: Highlights the growing complexity of managing regulatory compliance and the importance of robust risk assessment and communication.

Tips and Strategies for Product Security

  1. Involve Security Early: Emphasizes the importance of integrating security considerations from the design phase.
  2. Test Early and Often: Recommends frequent and automated testing to ensure compliance and security effectiveness.
  3. Leverage Existing Frameworks: Advises using established frameworks like OWASP for comprehensive security testing.
  4. Effective Communication: Stresses the need to articulate the value of product security programs to management, using metrics and regulatory achievements to demonstrate impact.

Personal Reflections

  • Quiet Days are Good Days: Jacob reflects on the importance of maintaining security to avoid major incidents, finding fulfillment in the daily process of securing products.
  • Overcoming Imposter Syndrome: Encourages security professionals to believe in their skills and contributions, emphasizing that small actions can have a significant impact.

Conclusion

  • Impactful Security Practices: Jacob’s approach to product security integrates technical expertise with a deep understanding of the business and regulatory environment.
  • Future Trends: Emphasizes the ongoing importance of risk management, lifecycle security, and regulatory compliance in the evolving landscape of product security.

Final Thoughts

  • Collaboration and Learning: The conversation highlights the importance of continuous learning, collaboration, and communication in building effective cybersecurity practices.
  • Gratitude for the Role: Jacob expresses gratitude for working in an industry that makes a real difference in people’s lives through secure medical devices.