
Adapting Security With Clear Risk Awareness and Team Support

Oct 1, 2025

Ran in Cyber Security Review 25 August 2025
By Patty Ryan, Chief Information Security Officer at QuidelOrtho

Patty Ryan is the Chief Information Security Officer at QuidelOrtho, where he leads the company’s global information security strategy and operations. With prior experience as CISO at Ortho Clinical Diagnostics, Ryan brings expertise in security architecture, risk management and governance. His focus spans secure design for systems and products, threat detection and identity management, to ensure resilient and compliant operations across the enterprise.

Building a Culture of Risk Transparency

Clear communication - The speed at which threats evolve, combined with the rapid pace of technological change and today’s geopolitical landscape, calls for consistent, clear, two-way communication about risk across the company, both formal and informal. Risks exist; they always will. Companies that hold frank conversations about risk, and define up front what is acceptable versus what is unacceptable, are better able to navigate today’s challenges, because more of their time is spent on remediation and mitigation and less on debating whether a risk is real.


Something will happen - Information Security is not about preventing every incident but about minimizing damage when one does occur. One of the most effective ways to achieve this is a robust, adaptable incident response plan. If everyone, starting with the CEO, understands their role (what to do and what not to do), time during an incident is spent on the incident rather than on who should do what. It is critical that the company’s executives thoroughly understand their responsibilities at each crisis level, including customer and regulatory notifications and press releases.


Respect and elevate your people - Information Security teams have always been on the front lines, working long hours full of pressure. Much of the work that a well-run InfoSec team does goes completely unnoticed by the vast majority of the company. And each of those individuals has “things” outside of work that require time, energy and focus. Focus on the team’s hard work and resulting outcomes. Lift the heavy objects that hinder their progress. Provide them with the tools, training, guidance and support they need to succeed. Give them the time they need to restore. Create a sense of unity, where one team speaks the same language and supports each other. Like any other team, Information Security teams

The Overlooked Danger of Machine Identities

“Old, unknown” stuff - Few companies have entirely new infrastructure. Most rely on external connections that remain active but have never been reviewed for security issues or had risk mitigation applied, and on hardware or software that was never completely decommissioned from the network. It is also likely that the people who knew about these “hidden” issues have left the company, or never escalated the risks to management. A company will never have an accurate picture of the dangers in its ecosystem until it has an inventory of all of it.


Legacy vendors - Third-party and supply chain risk is a hot topic in the news today, given the many examples of how these partners can affect a company’s resiliency. Most companies conduct a security review of third parties as part of initial onboarding. However, as threats evolve, a third party’s cybersecurity posture can change too, so companies need a means of periodically re-reviewing the posture of every contracted third party, not just new ones.


Non-human identities - Service accounts, API tokens and machine identities are digital identities used by machines, applications or automated processes, usually referred to as non-human identities. They face the same threats and vulnerabilities as human identities, but do not receive the periodic control reviews that human identities do, such as credential rotation, stronger credential requirements, or a re-check of who owns the identity and what it is for. As a result, these accounts are favored by attackers: they are often privileged, long-lived and unmonitored.
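The periodic review the paragraph above says non-human identities rarely get can be automated against an identity inventory. The following is an added example, not code from the article or from QuidelOrtho: it runs a review over a constructed export of service accounts and API tokens (field names such as `owner`, `purpose`, `credential_created` and `last_used` are assumptions about what an IAM system or secrets manager would give you) and flags the gaps the article describes, namely no owner or documented purpose, credentials that were never rotated, and identities that are still enabled but idle or never used. The thresholds are assumed values.

```python
"""Periodic review of non-human identities (NHIs): service accounts and API tokens.

Added example; the inventory rows below are constructed, not real accounts, and
the field names and thresholds are assumptions for illustration.
"""
from datetime import datetime, timezone

# Review policy (assumed values; tune to your own standard).
MAX_CREDENTIAL_AGE_DAYS = 90          # secrets older than this were never rotated
MAX_IDLE_DAYS = 30                    # unused this long -> candidate for disable
PRIVILEGED_ROLES = {"admin", "owner", "cluster-admin"}

# Fixed review date so the results are reproducible (assumed).
REVIEW_DATE = datetime(2025, 8, 25, tzinfo=timezone.utc)

# Constructed inventory, in the shape an IAM / secrets-manager export might take.
INVENTORY = [
    {"id": "svc-backup", "type": "service_account", "owner": "infra-team",
     "purpose": "nightly database backup", "roles": ["backup-operator"],
     "credential_created": "2025-07-20", "last_used": "2025-08-20", "enabled": True},
    {"id": "svc-legacy-erp", "type": "service_account", "owner": None,
     "purpose": None, "roles": ["admin"],
     "credential_created": "2021-03-01", "last_used": "2024-11-02", "enabled": True},
    {"id": "tok-ci-deploy", "type": "api_token", "owner": "platform-team",
     "purpose": "CI deploy to prod", "roles": ["deploy"],
     "credential_created": "2025-02-10", "last_used": "2025-08-21", "enabled": True},
    {"id": "tok-old-vendor", "type": "api_token", "owner": "vendor-xyz",
     "purpose": "data feed", "roles": ["read-only"],
     "credential_created": "2023-05-05", "last_used": None, "enabled": True},
    {"id": "svc-retired", "type": "service_account", "owner": "app-team",
     "purpose": "retired app", "roles": ["owner"],
     "credential_created": "2022-01-01", "last_used": "2022-06-01", "enabled": False},
]

# Weight per finding; anything not listed (credential-age-*, idle-*) counts 1.
SEVERITY = {"privileged": 3, "no-owner": 2, "never-used": 2, "no-documented-purpose": 1}


def _days_since(date_str, now):
    """Whole days between an ISO date string and `now`; None if the date is unknown."""
    if date_str is None:
        return None
    d = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - d).days


def review_identity(identity, now):
    """Return the list of findings for one NHI; an empty list means it passes."""
    findings = []
    if not identity["enabled"]:
        return findings  # already disabled: out of scope for this pass
    if not identity.get("owner"):
        findings.append("no-owner")
    if not identity.get("purpose"):
        findings.append("no-documented-purpose")
    cred_age = _days_since(identity["credential_created"], now)
    if cred_age is not None and cred_age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"credential-age-{cred_age}d")
    idle = _days_since(identity["last_used"], now)
    if idle is None:
        findings.append("never-used")          # enabled but no recorded use at all
    elif idle > MAX_IDLE_DAYS:
        findings.append(f"idle-{idle}d")
    if PRIVILEGED_ROLES & set(identity["roles"]):
        findings.append("privileged")           # raises the cost of every other gap
    return findings


def review_inventory(inventory, now):
    """Map identity id -> findings, for identities that have at least one finding."""
    report = {}
    for ident in inventory:
        findings = review_identity(ident, now)
        if findings:
            report[ident["id"]] = findings
    return report


def _score(findings):
    return sum(SEVERITY.get(f, 1) for f in findings)


def prioritize(report):
    """Identity ids ordered by descending severity score, ties broken by id."""
    return sorted(report, key=lambda k: (-_score(report[k]), k))


def run_review():
    return review_inventory(INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    report = run_review()
    for ident_id in prioritize(report):
        print(f"{ident_id:16s} score={_score(report[ident_id])}  {', '.join(report[ident_id])}")
```

Run as a script it lists the three identities that fail review, worst first: the unowned, privileged, never-rotated ERP service account; the vendor token that has never been used; and the CI token whose secret is overdue for rotation. The healthy backup account and the already-disabled account produce no findings. In practice the inventory would be pulled from the identity provider, cloud IAM and secrets manager rather than embedded, and each flagged identity would be routed to the named owner (or, for unowned ones, to the control owner) for a disable-or-justify decision.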

Building Innovation With Security at the Core

Innovators in fields like cloud computing or GenAI should prioritize protecting users and data, giving security the same attention as usefulness and benefits. Fundamental controls can be built in from day one: data protection, strong authentication, designs that reduce the likelihood of vulnerabilities, and a strong, simple (and practical) patching infrastructure. Malicious actors seek the greatest return for the least effort, and emerging technologies will remain a favored attack path until that balance changes.

Effective Security Begins With Listening

Spend a significant amount of time understanding your business, where it is going and leadership’s thoughts about Information Security. That information is critical not only to the design of any information security strategy, program, project, procedure or policy but also for effective communication with those outside of Information Security.