Cybersecurity, AI governance, and MedTech regulatory affairs — from a consulting team that ships compliance and resilience programmes for real, not for slides.
How to run a SIEM and SOAR programme that produces actionable detections rather than a 200-deep Slack channel of high-severity noise. The detection-engineering practices that separate functional SOCs from theatrical ones.
The FDA's 2025 cybersecurity guidance for Software as a Medical Device tightened the documentation bar materially. The artefacts that actually get a 510(k) cleared on the first cycle and the ones that trigger Refuse to Accept letters.
A practical translation between what boards ask about cloud risk and what engineering teams actually have to build. No fluff, no maturity-model bingo, just the controls that move the loss curve.
What an AI risk assessment looks like when it has to satisfy a financial-services regulator, a healthcare auditor, or an industrial safety body. The structure that holds up under scrutiny and the sections that turn into evidence.
The two standards medical software teams are required to follow are usually run as separate processes. Treating them as one integrated lifecycle saves duplicated work and produces evidence that holds up under scrutiny.
A practitioner's guide to NIS2 implementation that goes beyond control catalogs. It covers what regulators actually look for, where mid-market security teams stall, and how to build a defensible programme in 90 days.
ISO 42001 is the first AI management system standard with audit teeth. This is how to actually implement it, where the typical programmes get stuck, and what the EU AI Act overlap saves you.
The EU AI Act's high-risk obligations now sit on top of the existing MDR/IVDR framework for medical SaMD. The overlap saves work; the gaps create new compliance debt. The combined posture vendors need by mid-2026.
The IBM Cost of a Data Breach number is famous. The decisions a CISO can make today to bend that number down are less famous. The four investment categories that demonstrably reduce loss expectancy and the popular ones that mostly do not.
What zero-trust actually means at the implementation layer when you don't have a Google-scale budget. The four moves that close 80 percent of the realistic attack surface, and the trap that swallows the rest.
The three patterns most GenAI applications now combine, with the trade-offs that matter at scale. Latency, cost, evaluation difficulty, governance burden — the parts of the decision that don't show up in the demo.
Clinical validation for AI/ML SaMD is where many vendors lose six to twelve months they did not plan for. The pathway choices, the evidence each pathway requires, and the order of operations that gets you to launch fastest.
The OWASP LLM Top 10 isn't a checklist. It's a threat model that maps cleanly onto product security work if you know how to read it. Where the real risks live in production GenAI deployments and what to actually build.
Most medical-device QMS implementations slow product releases. The ones that don't share three operational disciplines that the standard does not require but does not preclude. The pattern that turns a QMS from a tax into a multiplier.
The framing of prompt injection as a model-quality problem misdirects attention. The realised attacks land in production because of architecture decisions, not because the model is gullible. The product-security pattern that closes the class.