The Leading Difference

Katie Bochnowski | SVP Customer Success & Services, NowSecure | Navigating Mobile Security in MedTech



Katie Bochnowski is the Senior Vice President of Customer Success & Services at NowSecure. Katie shares her journey from studying cyber forensics at Purdue University to becoming an expert in mobile app security and forensics. She discusses the impactful work her team does in securing mobile apps, especially in the medtech industry. Katie also offers valuable advice on building relationships within organizations, the importance of security best practices, and staying curious as a professional. 


Guest links: https://www.linkedin.com/in/katiestrzempka/ | https://www.nowsecure.com/

Charity supported: Save the Children

Interested in being a guest on the show or have feedback to share? Email us at [email protected]


PRODUCTION CREDITS
Host & Editor: Lindsey Dinneen
Producer: Velentium Medical

 

EPISODE TRANSCRIPT

Episode 070 - Katie Bochnowski

[00:00:00] Lindsey Dinneen: Hi, I'm Lindsey and I'm talking with MedTech industry leaders on how they change lives for a better world.

[00:00:09] Diane Bouis: The inventions and technologies are fascinating and so are the people who work with them.

[00:00:15] Frank Jaskulke: There was a period of time where I realized, fundamentally, my job was to go hang out with really smart people that are saving lives and then do work that would help them save more lives.

[00:00:28] Diane Bouis: I got into the business to save lives and it is incredibly motivating to work with people who are in that same business, saving or improving lives.

[00:00:38] Duane Mancini: What better industry than where I get to wake up every day and just save people's lives.

[00:00:42] Lindsey Dinneen: These are extraordinary people doing extraordinary work, and this is The Leading Difference.

Hello, and welcome back to another episode of The Leading Difference podcast. I'm your host, Lindsey, and today I am absolutely delighted to introduce you to my guest, Katie Bochnowski. Katie is Senior Vice President of Customer Success and Services at NowSecure, co-author of the book, "iPhone and iOS Forensics," and a recognized expert in mobile forensics and app security testing.

Katie holds a master's in Cyber Forensics and Bachelor's of Science and Computer Technology from Purdue University. In her current role, Katie oversees customer support, onboarding and success departments, as well as the mobile AppSec Professional Services Organization that is responsible for pen testing, training, and consulting.

All right. Well, welcome. Thank you so much for being here. I'm so delighted to speak with you today.

[00:01:37] Katie Bochnowski: Awesome. I'm really happy to be here.

[00:01:39] Lindsey Dinneen: Excellent. Well, I would love, if you wouldn't mind just starting off by telling us a little bit about yourself, your background, and what led you to medtech.

[00:01:48] Katie Bochnowski: Awesome. Sure. So, I'm Katie Bochnowski. I work for a company called NowSecure. My background, dating back many years to school is in computer technology and more specifically cyber forensics. Where I am now is mobile app security. How I got into that industry is, is really from that forensic background. Our company used to do data recovery and forensic investigations on mobile devices, and we kind of quickly realized that mobile apps are storing a lot of data. So we shifted into proactively working with organizations to secure those apps that reside on devices. And in terms of medtech, obviously you can probably make that connection, but we began working closely with first, companies that really care about the data that's being stored, and transmitted on those apps, which absolutely includes medtech industry.

[00:02:43] Lindsey Dinneen: Awesome. Okay, so going back a little bit. So when you were first deciding on college paths and career paths and all those lovely things, what drew you to where you ended up?

[00:02:55] Katie Bochnowski: You know, I don't have a great, like "aha" moment for this question. It was just one of those things. I grew up, I had a computer in my house. I did Typing Tutor when I was really young on MS-DOS, and I just always enjoyed that. I had a friend in high school and we both got interested in making our own website with HTML. So, it was just enjoying being around computers and also tinkering to figure out what was wrong with something from a technology perspective. Purdue is where I attended. Purdue had a more generic computer technology degree that I didn't have to know exactly what I wanted to do. You could try different paths, so that's kind of what got me into it. It's not like I knew I wanted to do that my whole life, but I never really went back or questioned it. I always just kind of enjoyed it along the way.

[00:03:45] Lindsey Dinneen: Yeah. Excellent. Okay, so the phrase cyber forensics is just exciting. So, can you dive a little bit more into exactly what that means and entails and what it looks like?

[00:03:57] Katie Bochnowski: Yeah, absolutely. So, it is exciting--so much so, in fact, that my senior year of college, the very first time they offered this class, it was called Cyber Forensics, it was an elective and it sounded amazing. And, it was amazing. It was really cool. We went through from start to finish, how you collect evidence from a computer and technology perspective, how you keep it pristine, how you collect the data off of it.

We even got to work with local law enforcement as part of an internship to do all that, so I was very lucky in that my very last semester of my four years, they offered this and I just really, really liked it. It always was there in the back of my mind. So yeah, cyber forensics is really the collective of all things digital, which is everything, now. I don't do, necessarily, that work anymore, but I can't even imagine all of the data collection off of Alexas and, and all of those devices. But yeah, that's, that's kind of how I got into that.

[00:04:56] Lindsey Dinneen: Wow, that's really cool. Yeah. So, okay, so talking about this data collection and all of these things, I'm curious, what are maybe one or two things that just really surprised you when you started getting into the industry and doing the work?

[00:05:11] Katie Bochnowski: I know people always said this, and it shouldn't have been a surprise, but when I first started working for NowSecure-- which was actually called Via Forensics back in the day when I first started-- we worked on a lot of individual cases, so people saying, "Can you recover my deleted text messages, and pictures..." and things like that, and the amount of data that really does reside on those devices still after you delete them, going back months, years. So, I don't know if that's still the case now. I don't know if they do a better job of that, but that was surprising to us.

What was also surprising was how much apps are storing and transmitting data on those devices when you don't think about it. So a lot of these cases that we would work on, they would focus so much on voicemails, emails, photos, and text messages, but nobody ever said, "Hey, can you go check the Facebook app or the Messenger app you're using?" That was something we realized pretty quickly, and were shocked to see-- this was 15 years ago-- how many apps were storing incredibly sensitive information on those devices.

[00:06:20] Lindsey Dinneen: Yeah. And so now that there's more awareness of this and people are maybe, hopefully taking a little bit more ownership of even their own awareness and education with all of it, what do you see are the changes and shifts towards better protection?

[00:06:38] Katie Bochnowski: Yeah. Great question. So there's a couple things: One, people are more aware, so they are leveraging the best practices really for these things. So there's places you should and shouldn't store data on devices, and you should use encryption for sensitive information and encryption that can't easily be broken into. The platforms themselves, too--Android, iOS-- have also made improvements in protecting those sandboxes. But, it's not everything, so you absolutely still have to be mindful of that. A lot of organizations like medtech companies and financial organizations do add a lot of those extra protections. But a lot of people don't, still. They're not either, don't think about it as much or aren't aware of it.

And then the other thing that we see is everyone could have, you know, a hundred percent perfect intentions in storing and protecting that data, but you make a mistake, or you accidentally leave a debug flag on or something like that, where this information still can be accessed even though developers and security organizations are following the best practices there.

[00:07:51] Lindsey Dinneen: Hmm. Yeah. So as you look toward the future of device security in general and cybersecurity, what are you looking forward to in terms of improvements, and hope for the future? Because I know there's a lot of things to worry about, just in life. But, what are some of the things that you're hopeful about?

[00:08:11] Katie Bochnowski: Yeah. I'm hopeful for the--I'm going to call it the camaraderie--we're seeing between security and development groups. Not that there was argument or debate between them before-- there probably was a little bit-- but we are seeing a lot more organizations have what they refer to as a Security Champions Program, which brings those groups together.

Security used to be seen, and probably in a lot of cases still, is seen as that blocker. Developers are being rushed and pushed to release features quickly. They have deadlines, timelines, and then if security finds an issue, it has to go back to the drawing board to remediate. But, with these programs, we're seeing either a development group that has a security champion there, or just teams kind of melding together a little bit more to build that testing earlier on. That's a trend we're seeing increase more and more. And, I believe that's going to only continue because it's just the right thing to do for everyone all around.

[00:09:12] Lindsey Dinneen: Yeah, and that collaboration piece is so critical to eventual success, or hopefully even shorter-term success, like said, so that there's not as many iterations. It's like, "No, let's just integrate and do this from the start well together." Yeah.

[00:09:27] Katie Bochnowski: Yep.

[00:09:27] Lindsey Dinneen: Cool. Okay, so, you started with NowSecure, and then eventually you got your first medtech client. Could you talk about that experience?

[00:09:36] Katie Bochnowski: Yeah, absolutely. Actually, before I even started with NowSecure, I worked for a Fortune 100 company in their security department doing firewall rule management. And, it was all good and everything, but I remember thinking throughout my career, I'm the type of person that likes to do things meaningful, making an impact on people.

So, for many years, I was like, "Okay, what am I doing? I'm just executing firewall rules, I'm recovering data..." That's why the forensic work was so appealing to me because you were actually helping assist with investigations that mattered. Then, getting into the mobile app security industry was certainly important, but it took it to a whole new level for me when we got our first medtech client.

I remember going on site and seeing some of the things that the apps can do in conjunction with medical devices, implants, et cetera, and thinking, "If you get this wrong, this can impact a human life." That helped bring all of this to a whole new level, and it's something I talk about internally within our organization as well to help people understand how meaningful it is --what we do, what the medtech industry does, and how important it is to get security right. It's just helped me with a new perspective. I love working with our medtech industry clients. It's contagious to be around them and see how much they care about what they do, and, how important it is to their lives --makes an impact on the way I work as well, then.

[00:11:06] Lindsey Dinneen: Yeah, I love that. I think that's so true. I get so inspired by even just talking with these incredible founders, their devices and their heart behind why they're doing what they're doing. It's not an easy road so choosing to do so, and then hearing that passion is what drives them sometimes in those crazy late nights, early mornings, hassle in between, you know?

So you started getting medtech clients, and now you've developed a niche offering for that group. I'm wondering, what are some of the common themes that you see companies maybe aren't aware to consider when they're starting their development of their devices and apps? And, perhaps just some general advice: What should people be on the lookout for?

[00:11:50] Katie Bochnowski: Yeah, so I guess you-- I shouldn't say unique, but specific to organizations like medtech industry or, financial or healthcare and the apps they build-- is that highly sensitive information. And so I guess my advice and the thing I would point out that I see in those types of applications is not only, of course, best security practices and understanding what's unique in mobile is super important because web apps have been developed for many, many years. Mobile apps now have been many years, but people don't necessarily know that it is unique in the way that they are developed and the different attack surface, right? You have the local device attack surface. You have the attack surface of other apps that could be malicious that are installed on that device.

So, understanding what those mobile unique security best practices are is my number one piece of advice for developers. Number two would then be multiple layers of security protection. So, developing a secure app is one part of it, and a very important part of it. What we see is a lot of organizations sometimes are dependent on either the protections of the device OS itself--the Android OS protections or iOS protections. And, there are tools out there that offer protections like tamper detection: If you detect the app is being tampered with, don't launch it. If you detect the app is installed on an exploited, rooted, jailbroken device, don't launch it. Or, don't allow login.

Those are important, but those can be bypassed and so I say multiple layers of protection. I'm not against those protections. I think they're very important. I think you should do them, but you should also assume in some cases they can be bypassed, and you need to have that foundational security in the way you develop your applications.

[00:13:48] Lindsey Dinneen: Yeah. So, you've had a really interesting career so far, and I'm sure you've seen a lot of things over the years. What are some moments that really stand out to you, especially with your medtech clients, as, as hitting home that, "Wow, I am in the right place at the right time, making an impact."

[00:14:09] Katie Bochnowski: I think it's hard because it's not like there's one single moment. Because what you want to avoid in this industry is a breach, is something like this "oh my gosh," this big negative moment. And so honestly, it's seeing the organizations we work with, not having that happen. When you do see a breach that might be mobile-specific, I immediately jump in and see, "Okay, what happened? How did they exploit this? What was the actual vulnerability that led to this?" We check for that, and we help our customers test for that and knowing, "Okay, whew. They're covered." And we see that kind of stuff all the time. So I don't have, necessarily, a big moment, but I do have those moments along the way where it's like, you see something in the news, and you are not surprised by the way that was exploited. It's something that is foundational to mobile app security, and you know your customers are protected.

[00:15:09] Lindsey Dinneen: Yeah. Well, that's a really good reminder in general because sometimes you get those big, crazy, sort of in-your-face moments that are going, "Yes, okay, I know why I'm here." But then, those don't happen all that much, usually. So having those little encouragements along the way of, "No, you're on the right path, you're doing the right things" is incredibly...

[00:15:30] Katie Bochnowski: It's funny; it actually reminds me of sometimes we'll work with customers and they'll use our products or services--and, they'll be upset because we haven't found anything in a certain amount of time. Seriously. And they're like, "You must not be testing enough" or "You haven't found anything high risk in six months." Sometimes, we have to remind them that's good. "Green is good," is what we always say. "Green is good." And, of course you want to check and make sure you're doing everything, in depth as possible. But, if you do a full two-week pen test and nothing big is found, that's good. You're doing a great job. So, take the win. Green is good.

[00:16:07] Lindsey Dinneen: Green is good. I love it. Words to live by. You have had a really interesting trajectory even through NowSecure, but throughout your career and you've stepped into different kinds of leadership roles. I'm wondering how has that evolution been for you as a leader? What are some of your key takeaways that you've discovered work really well, and maybe some lessons learned?

[00:16:29] Katie Bochnowski: Yeah, so I was not the person coming out of college that said, "I want to get my MBA, I want to be a CEO, I want to be, you know, high up in an organization." I just knew I liked computer technology, I liked tinkering--that kind of stuff. So I wanted to do things that were interesting. Via Forensics, and now, NowSecure really was amazing for me because I got to do all of that. I got to grow with the company. I was really the first employee with the co-founder here, and as the company grew, I naturally started developing the managerial and the leadership roles as we hired more people and got more clients.

So for me, I learned on the job, along the way, and when I think about it, I see people that are very ambitious to be a manager and, that's okay too. The best leaders that I've seen have been leaders that have naturally and organically developed a mutual respect, trust, and collaboration with their teams, seeing them as partners and peers and not someone to delegate things to in an authoritative way. And that's not just necessarily from a managerial perspective, because I see individual contributors, on my team for example, that exhibit amazing leadership skills, developing those relationships with other departments. And when you do that, you get-- I don't mean this in the way it's gonna sound, but you get people to do things for you because they want to, because they want to support you.

And so that's what I always like to focus on is, just building those relationships, having empathy for other people. And, of course there's delegation that comes with that, but when you do that, then they want to do that for you or for the organization because you've, you've built that foundation.

[00:18:20] Lindsey Dinneen: Yes. That's great advice. I really appreciate that. There were several things in there that, stood out to me. One of them was your comment about even individual contributors can be leaders, so even if you are not technically in a managerial role, or you don't have anyone working underneath you at the moment, doesn't mean you can't develop those skill sets and lead yourself and lead your own direction. So I think that's a really important note. And, something to give a little bit of perhaps inspiration, too. So if you want to be in that leadership role at some point, but you're not there yet, doesn't mean you can't build the skills along the way.

[00:18:54] Katie Bochnowski: Yeah, absolutely. And I think about, I, I have heard people in the past say, "Oh, I can't go ask them to do something. I don't have the authority to do that." I hear that a lot. "I'm not their manager. I can't tell them to do that." And then there's people that don't even think that way, and just build that relationship and get others to collaborate and work with them. Those are the natural leaders that managers are going to see and want to promote to be the next manager. Right? So, if I'm gonna give another piece of advice, it would say, never say, "I don't have the authority, or I don't have the power to do that." Or "It's above my pay grade" is something that I'm like, "Oh, don't say that," because nothing is. You just need to learn to work with others to figure out how to do that.

[00:19:41] Lindsey Dinneen: Yeah, and I think you're absolutely right about relationship building and collaboration being such a key to success in general. I mean, I think about all of the opportunities that are created and these sort of magical, what feel like magical, synergistic moments that happen, but they're not magical. They're because of intentionally cultivating these relationships. So yeah, I love that. And then helping people come up alongside you. So that's actually a concept I'd love to hear about your experience, either as a mentor or mentee, or anything like that that you've experienced that has really been inspirational to you.

[00:20:18] Katie Bochnowski: Yeah. Well, I guess I have maybe two examples. I had someone that was working on my team many years ago and, again, we worked very closely as, I saw him as a partner and he got to a place basically at the organization where I would always tell him, "We could switch jobs, and you could do this and I could report to you and it doesn't matter," because I saw him grow that quickly. And he is now in another position that's probably double my pay and I don't know. But that's... you want to see that. And, some people might be threatened by that, but you shouldn't be, if you are doing the right thing because you want to see people grow into those roles.

I don't know if this directly answers your question, but there is a leader who's a CEO of another organization who I have always looked up to, and I just see this is exactly how she leads. You know, everybody respects her. Everybody wants to support her and her mission at her company. Even when you're not working at her company like me, you just see the way she leads and the way she has built relationships throughout all of the employees in her organization. It's just something that I aspire to.

[00:21:27] Lindsey Dinneen: Yeah, absolutely. And sometimes it's really helpful 'cause you'll get your share of... well I think most people at least have had the experience of getting their share of people in leadership roles that they would maybe not wish to emulate. So getting to be inspired by the people who are doing it correctly is lovely. Yeah. Yeah. I love that. What is your number one, if you could boil it down, piece of advice for ordinary folks who are looking to up their own security game and just be more aware.

[00:22:04] Katie Bochnowski: Be curious; don't wait for someone to show you or teach you how to do something. Part of what I oversee is managing a group of mobile app pen testers, and the best pen testers that I've seen are not the ones that have tons of experience or skill. It's actually, we've had two interns come straight out of school, come in and just dive into things without being asked, and just go figure it out and learn. And so be curious. Go try online exams and labs, even if you have no clue what you're doing, just try it, research and figure it out, and be curious. And I guess that's my biggest thing.

[00:22:45] Lindsey Dinneen: I love it. Yeah. Curiosity gets you far in life. Yeah. I love that. Okay, so pivoting the conversation a little bit, just for fun. Imagine that you were to be offered a million dollars to teach a masterclass on anything you want. It doesn't have to be in your industry, but it could be. What would you choose to teach?

[00:23:07] Katie Bochnowski: Okay, this might take a nerdy turn.

[00:23:11] Lindsey Dinneen: Excellent.

[00:23:12] Katie Bochnowski: And I would need a lot of education or somebody else who's an expert in this to actually teach the class. But, I've personally gotten really interested the last couple years into brain health, neuroplasticity, managing stress, and the importance of it. And, this is from a personal situation that I went through and not really understanding how just everyday, little stressors--I never saw myself as a highly stressed person. I was actually quite the opposite--but, when you internalize a lot of, just like I said, everyday stressors, doesn't have to be anything big-- arguing with my daughter every morning to get dressed before school has an impact on your body and your brain health. And it started having physical symptoms in me that got scary, right?

I don't need to dive into that, but from that, it helped me in meeting with a bunch of health experts and learning that what an impact your brain health really has on you. So if I could go back and teach some of the exercises that I was given--super simple things like these little games on your app that just help work different areas of your brain that you don't normally work. When you get into a routine at work, and every morning you wake up, send your kid to school, sit down at your desk, do the same meetings, emails, you have the same routine every day--you don't have, just a change in your routine, or try new hobbies, things like that, then your brain doesn't grow and, and that affects your health, and your mood, and all of that.

I've just learned so much about that, and I remember getting to a point where I was like, "Why isn't this a class, a required class, in high school, college, and beyond. It should be part of onboarding at every job." So I guess that's my answer. I don't think I'm quite qualified to teach it, but I'd love to attend it.

[00:25:14] Lindsey Dinneen: There you go. You can facilitate it. How about that?

[00:25:16] Katie Bochnowski: Yeah.

[00:25:17] Lindsey Dinneen: Excellent. Excellent. Yeah, and how do you wish to be remembered after you leave this world?

[00:25:24] Katie Bochnowski: Oh, this is the hard one for me. I think it's probably a cliche answer, but just, you know, caring for others, doing things for others, being kind-- just being a good person...

[00:25:38] Lindsey Dinneen: Yeah.

[00:25:38] Katie Bochnowski: ...is really all I want.

[00:25:40] Lindsey Dinneen: Yeah. Very nice. And then final question. What is one thing that makes you smile every time you see or think about it?

[00:25:50] Katie Bochnowski: Oh, this is also gonna be probably a common answer--my daughter, my daughter, who is six, going on 16, very much a teenager, but I remember a friend of mine telling me 'cause I remember asking her, when your child grows up, isn't it so sad that, oh, they're no longer a baby, they're no longer one, like to see them grow up. And she said, "Well, maybe a little bit. Each stage is something so new that you're so proud of, of what they've developed and grown that you don't even really think about that." Oh, and it's so true. It's just seeing her read and seeing her-- she's going to be a future leader. I guarantee it.

[00:26:27] Lindsey Dinneen: Yay!

[00:26:28] Katie Bochnowski: Just the way I've seen her, and so just seeing that, that pride overcomes any kind of, oh, I miss that one. But, of course, I still miss her when she was a baby. But, yeah, so that makes me smile. That and yoga!

[00:26:42] Lindsey Dinneen: Yes. Yoga is so wonderful. I mean. Yeah. And speaking of ways to help de-stress, calm down a bit. Yeah.

[00:26:51] Katie Bochnowski: It has helped me dramatically, for sure. So...

[00:26:53] Lindsey Dinneen: Excellent. Excellent. Well, it has been a true pleasure and honor to have you here today, Katie. So thank you so much for spending a little bit of time, and we are so honored to be making a donation on your behalf as a thank you for your time today to Save the Children, which works to end the cycle of poverty by ensuring communities have the resources to provide children with a healthy, educational, and safe environment. So thank you so much for choosing that charity to support, and also thank you for continuing to work to change lives for a better world. We're grateful, and I wish you the most amazing continued success.

[00:27:33] Katie Bochnowski: Thank you for having me. This was awesome. I appreciate it.

[00:27:37] Lindsey Dinneen: Awesome. And yeah. Thank you also to our listeners for tuning in, and if you're feeling as inspired as I am right now, I'd love it if you shared an episode with a colleague or two, and we'll catch you next time.

[00:27:52] Dan Purvis: The Leading Difference is brought to you by Velentium Medical. Velentium Medical is a full service CDMO, serving medtech clients worldwide to securely design, manufacture, and test class two and class three medical devices. Velentium Medical's four units include research and development-- pairing electronic and mechanical design, embedded firmware, mobile app development, and cloud systems with the human factor studies and systems engineering necessary to streamline medical device regulatory approval; contract manufacturing-- building medical products at the prototype, clinical, and commercial levels in the US, as well as in low cost regions in 1345 certified and FDA registered Class VII clean rooms; cybersecurity-- generating the 12 cybersecurity design artifacts required for FDA submission; and automated test systems, assuring that every device produced is exactly the same as the device that was approved. Visit VelentiumMedical.com to explore how we can work together to change lives for a better world.
