Description

https://youtu.be/5BYS4BIBBk0

Christian Espinosa, Founder and CEO of Blue Goat Cyber, is driven by a mission to ensure medical device security while helping his team drive project efficiency through innovative compensation structures.

We learn about Christian’s journey from overcoming a life-threatening health scare to founding Blue Goat Cyber, focusing on medical device cybersecurity. He explains his approach to designing security into medical devices from the start, rather than trying to fix issues later. He shares his Efficiency Driver framework, which incentivizes his team to become more efficient by tying compensation to project outcomes. He also emphasizes the importance of emotional intelligence in cybersecurity, detailing his seven-step methodology for fostering self-awareness, communication, and continuous improvement within teams. His insights offer strategies for medical device manufacturers and cybersecurity professionals to ensure both innovation and safety in their products.
---
Drive Project Efficiency with Christian Espinosa
Good day, dear listeners, Steve Preda here with the Management Blueprint podcast. And my guest today is Christian Espinosa, founder and CEO of Blue Goat Cyber, whose mission is to assist medical device manufacturers in creating products that are not only innovative, but are also secure and compliant with regulatory standards. Christian, welcome to the show.
Thanks, Steve. I appreciate you having me on.
I'm excited to have you and to learn about Blue Goat and I love the blue shirt that goes with it. Actually, the goat is white, but I guess the cyber security is blue rather than red. So my first question is, what is your personal “Why” and what are you doing to manifest it in Blue Goat Cyber?
So a couple of years ago, I developed six blood clots in my left leg and almost ended up dying. And that was something that was a pretty pivotal moment for me because before that, I had done 24 Ironman triathlons and was in really good shape, but I didn't think things like blood clots happened to people like me. But when I was in the hospital, a Doppler ultrasound device that was portable was used to quickly diagnose the blood clots. And after going through a pretty long bout of depression, because my life as I knew it changed completely, I couldn't exercise, I couldn't fly, I couldn't really do anything but sit around.
After I got through that, I decided to start another business and focus on medical devices. Because in my first business that I sold in 2020, we did medical device cybersecurity, but it was part of what we did. And now the focus is on medical device cybersecurity with this company. And largely, I think things happen for a reason. And I often think if that device had not existed or had been hacked and taken off the market, I may not be here today. So my mission is to help these innovative products get to the market and help them stay on the market because they're hack proof or secure from hackers.
Wow. I didn't realize that this is such a big issue in medical devices that they get hacked and then they lose their FDA license or why do they disappear? Can they not just be fixed like any software product?
They can be fixed, but a lot of times are recalled. Pacemakers have been recalled. Imagine you've got an implantable like a pacemaker inside of you and it's got a vulnerability where someone can wirelessly hack it and shock you to death. So now as a patient, you've got to make a decision. Do I get this thing taken out of me, which is a pretty major surgery, or do I live with the risk that someone could possibly wirelessly connect to my pacemaker and shock me to death? I don't have a pacemaker, but if I was in that scenario, that's a tough decision to make. But yes, these things are hackable. And the regulatory authorities like the FDA and in Europe, the medical device regulations are making efforts to enforce security with medical devices now.
Wow, okay. So this is a huge thing. I didn't realize. And obviously, it's like there's not much room for error for medical device security. It's not like your computer in the worst case, you get hacked, you have to pay some Bitcoin to get rid of the hacker, but you're still alive. But medical device, you don't get the second chances. So I now get it that it's super important. So how do you make a medical device hacking proof? How do you create that level of certainty that it will be secure?
So ideally, that is designed into the device. So if a manufacturer like works with us very early on in the design of the device, then we can design cybersecurity into the device. Unfortunately, what happens most of the time is the device has already been developed and they forgot about cybersecurity until the very end. And then we try to like bolt it on or tack it on, which doesn't always work.
Sometimes they have to redesign it the proper way, but yeah, the whole idea is design it in a way where the cybersecurity risk is low enough where somebody does do something that can't affect a patient. Because even with things called like IVD or in vitro diagnostics, which make decisions on someone's blood and what bacteria they have, if somebody can alter the algorithm and give a false negative or false positive result, let's say your blood has sepsis, the device says you don't have sepsis, the doctor doesn't treat it, you could die as well. So, we want to make sure that those things are very unlikely to happen. You can't always get rid of all the risk, but the job is to get the risk to an acceptable level.
Wow. Okay. So let's talk about frameworks and you are developing these cyber secure medical devices and you developed a unique project management process, which you call the Efficiency Driver or something similar. And I was wondering what triggered you to invent this process and what does it do?
My first company, I made a lot of mistakes and I had people on typical salary. So they got paid a salary no matter how efficient or inefficient their work was, they got the same salary. So then I thought with this company, I'm going to change things up a little bit. So I pay people like a base salary, but the majority of the pay is based on a project. So what I do with our clients is we do firm fixed price with our clients. So if our clients pay us, let's say $100,000, I divide that up into my team.
And what this has done is my team can take on more and more projects, which means they can make more and more money if they become more efficient. So it's really driven a lot of enhancements and improvements in our delivery mechanisms, our communication mechanisms, how the team works together, how projects are divided up from a RACI perspective. And I've noticed great improvements because my team wants to make, most people want to make more money. If I give them an incentive to make more money and the way for them to maximize that, to become more efficient, then they're going to find ways to become more efficient, which is the opposite of salaried employees from my experience. Or even hourly, hourly, there's no incentive. There's actually more incentive to become less efficient because you work more hours on something, you know.
Yeah. So is there a flip side to this? Are there risks that might arise because of this approach that wouldn't otherwise be so prevalent?
There might be a flip side. I haven't seen it in my organization, but the flip side that I can see, keep an eye on is people becoming a little bit sloppy and just trying to get something done as quickly as possible and skipping things over so they can do multiple projects at once or maximize the money they make by doing as many projects as possible. We have controls in place to prevent that. We have quality assurance and quality control. So I haven't seen that, but that's something I have to keep an eye on, of course.
And then these people, how do you build some kind of team culture? So when people are working on specific projects and it's completely kind of a result-based commission, well, it's not a commission because it's not a sales job, but is there a way to still kind of send these people into your organization, or is it more like an intermediary between independent contractors and kind of a general contractor to put these projects together? And you don't really intend to build a Blue Goat Cyber culture.
Yeah, I do intend to build a culture and I have a culture and I think culture is extremely important and it's something you have to work hard to keep the culture and enforce the culture and hire the right people that meet the criteria for the culture. So the culture that I want to have is everyone has a growth mindset and they want to grow with the organization. They want to take ownership over projects.
They are constantly learning and they want to improve. So all those things tie into this Efficiency Driver and us becoming more efficient. And it also helps in the long run because if we become more efficient and our projects become better documented and better templatized, then it reduces stress and ad hocness on the team. The team knows exactly what to do. They feel like it's well oiled, it's well greased. They feel like they have an opinion to make it better, the process better. That opinion is welcome to be heard. And that's the culture I want. And it also incentivizes people to kind of put their life in their own hands. They're not just tied to a nine to five typical job with a salary and then every year you get a 2 or 3% raise.
This allows them to put some more of the ownership and agency in their hands to say, I want to take on more projects. I want to help make these more efficient so I can make more money than 2% raise from last year, for instance.
Yeah, I mean, it's great. That's a good way to attract those A players, high performers who want to work like that. Obviously, not everyone wants to work like that. It can be tough,