If you could go back in time and redesign how responsibilities are divided between IT and security teams, what would you change and why?
Our company is lean, with only 17 IT staff worldwide, relying heavily on consultants. We are publicly traded and undergo frequent SOX audits. Managing numerous projects simultaneously is challenging, especially as I also drive AI initiatives and handle governance and confidentiality issues. With limited resources, forming a dedicated AI team is not feasible, so I work closely with legal to address risks.
Acquisitions add complexity, especially when integrating companies with poor cybersecurity postures. I do not connect new acquisitions to our network until their security practices meet our standards. We have a playbook for onboarding, and I keep separate ERP systems until integration is feasible. Protecting the corporate network is paramount.
We have already restructured our small team of 60 staff, with half supporting EMR applications and half handling technical and operations. Security is embedded within this structure, with a security engineer reporting to me and a dotted line to our technical manager. This approach works well for us. Additionally, we rely on a third-party MDR solution, Arctic Wolf, to extend our monitoring capabilities, which has been highly effective.
The technological maturity of our manufacturing units varies, and cybersecurity is not always a priority for them. Digital transformation projects have helped increase awareness. The steady media coverage of cybersecurity issues has made these conversations easier, as employees now understand the importance of security in both their personal and professional lives. Cyber liability insurance carriers also require proof of regular security practices, such as phishing tests and patch documentation.