#64: Jens Gellynck: From QA to Leading Product Security at Barco
We sat down with the Product Security Officer – Healthcare at Barco to discuss the intersection of QA and Product Security, the Secure Software Development Life Cycle, and cybersecurity standards from NIST and IEC.
About Jens Gellynck
Jens Gellynck is a Product Security Officer at Barco with a strong background in quality assurance and cybersecurity. Initially a Quality Assurance Engineer, Jens transitioned into cybersecurity, focusing on secure software development and risk assessment. At Barco, he oversees the Secure Software Development Life Cycle (SSDL) and implements standards like NIST SSDF and IEC 81001-5-1 for a variety of products, including embedded medical systems and cloud applications. Jens is certified in Cisco CCNA, Certified Ethical Hacker, and CompTIA Security+, and is well-versed in ISO and NIST cybersecurity standards. His expertise and proactive approach to new regulations, such as the Cyber Resilience Act, make him a key player in healthcare cybersecurity.
A Summary of Our Conversation
In this conversation, Jens Gellynck, the Product Security Officer-Healthcare at Barco, shared his insights into his career transition from quality assurance to cybersecurity, as well as the challenges and successes he’s encountered while implementing secure software development lifecycles (SSDL) for various products at Barco. With certifications like Cisco CCNA, CompTIA Security+, and Certified Ethical Hacker, Jens has a strong background in cybersecurity and product security standards such as NIST SSDF and IEC 81001-5-1, particularly in healthcare-related products like embedded medical devices and cloud applications. Jens began his journey in cybersecurity out of curiosity, with a strong interest in programming and network management. His early career in quality assurance (QA) gave him the foundational understanding of software development, testing, and deployment processes. He noted the similarities between QA and cybersecurity, highlighting how both fields require critical thinking to break and analyze systems, with cybersecurity going a step further by exploiting vulnerabilities.
After his time in QA, Jens transitioned to application security, where he focused more on secure software development and threat mitigation. This evolution eventually led him to his current role at Barco, where he oversees the secure development of a broad range of products. He emphasized the unique challenge of developing a unified security process that can be applied across Barco’s diverse product line, from projectors and meeting room equipment to highly regulated medical devices.
One of the key challenges Jens discussed was integrating secure development processes into Barco’s broader operations, particularly with the rise of Software Bill of Materials (SBOM) requirements. These are becoming increasingly critical for managing cybersecurity risks, as companies must now account for third-party software components in their products. Jens mentioned the complexities of ensuring that suppliers provide SBOMs for components and how identifying vulnerabilities within those components is a growing focus for Barco.
Jens elaborated on the introduction of the FDA’s new cybersecurity regulations and how Barco recently submitted its first 510(k) application in compliance with these standards. He praised the FDA’s guidelines as comprehensive and well-informed by best practices from other industries, stating that they push manufacturers to implement crucial security measures such as vulnerability management and secure development protocols.
He also touched upon the importance of threat modeling, explaining that it is an integral part of Barco’s secure development lifecycle (SDLC). Threat modeling helps identify assets that need protection, as well as potential risks and vulnerabilities in the system. Jens described how Barco uses this process to implement security controls like secure boot and digital signatures for firmware updates. However, the increasing complexity of embedded systems, cloud components, and SBOM requirements presents ongoing challenges.
As the conversation progressed, Jens discussed the European Cyber Resilience Act (CRA) and NIS2 Directive, both of which are shaping the landscape for cybersecurity in healthcare and other industries. He noted that while Barco is already implementing threat modeling and risk assessments for healthcare products, these requirements are now expanding to cover all products. Scaling these processes across different product lines is one of the major challenges Barco faces as it prepares for stricter regulatory compliance.
Jens also highlighted the importance of collaboration between product security and corporate security teams. At Barco, the product security office works closely with research and development (R&D) to ensure that products comply with cybersecurity standards, while the corporate security team focuses on IT and operational security. This division allows each team to focus on its respective areas of expertise while ensuring a cohesive security strategy across the organization.
The topic of supply chain security was another focal point. Jens discussed how Barco is moving towards requiring suppliers to provide SBOMs contractually, as supply chain vulnerabilities become an increasing concern in the cybersecurity field. He emphasized the need for visibility into the components provided by suppliers and the importance of identifying and managing vulnerabilities within those components.
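To make the SBOM triage discussed above concrete (the supplier-SBOM and component-vulnerability points in the two supply chain passages), here is an added example that is not code from Barco or from the episode: it parses a constructed CycloneDX-style SBOM, matches components against constructed advisories with placeholder IDs, and separately flags components whose version the supplier left out, since those cannot be cleared at all. Component names, versions and advisory ranges are all made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM as a supplier might deliver one (sample data, not a real vendor SBOM).
SUPPLIER_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "display-controller-fw", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "tls-stack", "version": "2.3.0"},
        {"type": "library", "name": "json-parser", "version": "1.9.2"},
        {"type": "library", "name": "imaging-codec"},  # supplier omitted the version
    ],
})

# Constructed advisories with placeholder IDs; "introduced" is inclusive, "fixed" is exclusive.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "tls-stack", "introduced": "2.0.0", "fixed": "2.4.1"},
    {"id": "ADV-EXAMPLE-002", "component": "json-parser", "introduced": "1.0.0", "fixed": "1.8.0"},
    {"id": "ADV-EXAMPLE-003", "component": "imaging-codec", "introduced": "0.1.0", "fixed": "3.0.0"},
]

def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints (numeric dotted versions only)."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, advisory):
    """True when introduced <= version < fixed, so the fixed release itself is clean."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def triage_sbom(sbom_json, advisories):
    """Return confirmed advisory matches plus components too incomplete to assess."""
    sbom = json.loads(sbom_json)
    findings = {"vulnerable": [], "unassessable": []}
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            # No version means no visibility: the component cannot be cleared against any advisory.
            findings["unassessable"].append(name)
            continue
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv):
                findings["vulnerable"].append({"component": name, "version": version, "advisory": adv["id"]})
    return findings

if __name__ == "__main__":
    print(json.dumps(triage_sbom(SUPPLIER_SBOM, ADVISORIES), indent=2))
```

The "unassessable" list is the part worth enforcing contractually: an SBOM entry without a version gives the manufacturer nothing to match against when a new advisory lands.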
Jens also addressed how Barco is preparing for the influx of customer inquiries and regulatory requirements driven by NIS2. Hospitals and other critical infrastructure will be required to ask more detailed cybersecurity questions of their suppliers, and Barco is preparing to manage the increased scrutiny. This includes enhancing contractual requirements with suppliers and being ready to provide detailed cybersecurity information to customers.
On the topic of industry differences, Jens reflected on his previous role in the ICT, media, and broadband sector, comparing it to the medical device industry. While both sectors face critical cybersecurity challenges, he noted that the medical device industry is subject to far more stringent regulations, such as those imposed by the FDA. The ICT sector, on the other hand, is expected to see an increase in regulatory pressure, particularly as ISO 27001 and other standards become more relevant.
Finally, Jens offered advice to aspiring cybersecurity professionals, particularly those interested in product security and healthcare. He emphasized the importance of having a technical background, particularly in software development, to understand the intricacies of cybersecurity. Curiosity and a willingness to deep dive into specific technologies and security controls are crucial traits for success in the field. He also stressed the importance of good logging practices, recounting a personal experience where logs played a critical role in identifying the root cause of a security incident.
In summary, Jens provided a comprehensive overview of the evolving landscape of product security, particularly in the healthcare sector. His experiences at Barco highlight the increasing importance of secure development practices, the challenges of managing supply chain security, and the growing regulatory environment driven by acts like the CRA and NIS2. His advice to aspiring cybersecurity professionals underscores the value of technical expertise, curiosity, and a proactive approach to learning and adapting in a rapidly changing field.