Do you treat your risk model like garbage?
You cling to checklists like your baby clings to her security blanket.
Security blankets and security checklists
Intro
I once did a PCI-DSS compliance audit for a provider doing healthcare payments.
The IT Security lead asked me, “Do you have a checklist?”
I said, “No.”
He said, “Previous security company had an Excel.”
I said, “Good for them. I don’t.”
He said, “Yeah, well, that Excel was like 5 years old anyhow. Way out of date for today’s exploits.”
I said, “Exactly. I deliver outcomes you want today, not 5 year old checklists.”
We did the audit in 3 days. Fixed price. Fixed time. Fixed outcomes.
The stakes are higher in hospitals
That was payments. This is patient safety.
In medical devices that go into hospitals, the stakes are patient lives and the checklist has a different name.
They call it a risk model of patient safety.
And here’s what happens to it after FDA submission.
Your consultant worries that sharing vulnerabilities could expose failed controls, unmitigated attack surfaces, or security gaps they couldn’t close.
Transparency may hurt their next sale — or hand ammunition to competitors.
Consultant culture is project-focused.
Get the contract. Deliver the document. Move on.
The best-practice solution to avoiding accountability is to encourage the industry to trash risk analysis after submission — so nobody can see their dirty laundry.
And that includes FDA.
Your threat model is not a security blanket.
It’s the core security asset of your company.
It’s a learning instrument for you and your hospital customers.
And someone just told you to throw it out like yesterday’s garbage.
Free gap analysis
I’m an entrepreneur. Writer. Podcast host. Musician. Father of 4.
Founder of OpenCRO — FDA cybersecurity threat modeling for MedTech.
42 companies. 14 clearances. Fortune 1 company. 0 rework requests.
If you’re heading into an FDA submission in the next 6–12 months, I’ll review where you stand at no charge.
The OpenCRO risk framework: BusinessThreatModeling.pdf
7-step risk analysis loop. Prioritized, cost-effective countermeasures. Built for regulated software. Fixed price. Fixed outcome.
For more strategic patterns on defending your operation: