256: Drive Project Efficiency with Christian Espinosa

Christian Espinosa, Founder and CEO of Blue Goat Cyber, is driven by a mission to ensure medical device security while helping his team drive project efficiency through innovative compensation structures.

We learn about Christian’s journey from overcoming a life-threatening health scare to founding Blue Goat Cyber, focusing on medical device cybersecurity. He explains his approach to designing security into medical devices from the start, rather than trying to fix issues later. He shares his Efficiency Driver framework, which incentivizes his team to become more efficient by tying compensation to project outcomes. He also emphasizes the importance of emotional intelligence in cybersecurity, detailing his seven-step methodology for fostering self-awareness, communication, and continuous improvement within teams. His insights offer strategies for medical device manufacturers and cybersecurity professionals to ensure both innovation and safety in their products.

Listen to the podcast here

 

Drive Project Efficiency with Christian Espinosa

Good day, dear listeners, Steve Preda here with the Management Blueprint podcast. And my guest today is Christian Espinosa, founder and CEO of Blue Goat Cyber, whose mission is to assist medical device manufacturers in creating products that are not only innovative, but are also secure and compliant with regulatory standards. Christian, welcome to the show.

Thanks, Steve. I appreciate you having me on.

I’m excited to have you and to learn about Blue Goat and I love the blue shirt that goes with it. Actually, the goat is white, but I guess the cyber security is blue rather than red. So my first question is, what is your personal “Why” and what are you doing to manifest it in Blue Goat Cyber?

So a couple of years ago, I developed six blood clots in my left leg and almost ended up dying. And that was something that was a pretty pivotal moment for me because before that, I had done 24 Ironman triathlons and was in really good shape, but I didn’t think things like blood clots happened to people like me. But when I was in the hospital, a Doppler ultrasound device that was portable was used to quickly diagnose the blood clots. And after going through a pretty long bout of depression, because my life as I knew it changed completely, I couldn’t exercise, I couldn’t fly, I couldn’t really do anything but sit around. After I got through that, I decided to start another business and focus on medical devices. Because in my first business that I sold in 2020, we did medical device cybersecurity, but it was part of what we did. And now the focus is on medical device cybersecurity with this company. And largely, I think things happen for a reason. And I often think if that device had not existed or had been hacked and taken off the market, I may not be here today. So my mission is to help these innovative products get to the market and help them stay on the market because they’re hack proof or secure from hackers.

Wow. I didn’t realize that this is such a big issue in medical devices that they get hacked and then they lose their FDA license or why do they disappear? Can they not just be fixed like any software product?

They can be fixed, but a lot of times are recalled. Pacemakers have been recalled. Imagine you’ve got an implantable like a pacemaker inside of you and it’s got a vulnerability where someone can wirelessly hack it and shock you to death. So now as a patient, you’ve got to make a decision. Do I get this thing taken out of me, which is a pretty major surgery, or do I live with the risk that someone could possibly wirelessly connect to my pacemaker and shock me to death? I don’t have a pacemaker, but if I was in that scenario, that’s a tough decision to make. But yes, these things are hackable. And the regulatory authorities like the FDA and in Europe, the medical device regulations are making efforts to enforce security with medical devices now.

Wow, okay. So this is a huge thing. I didn’t realize. And obviously, it’s like there’s not much room for error for medical device security. It’s not like your computer in the worst case, you get hacked, you have to pay some Bitcoin to get rid of the hacker, but you’re still alive. But medical device, you don’t get the second chances. So I now get it that it’s super important. So how do you make a medical device hacking proof? How do you create that level of certainty that it will be secure?

So ideally, that is designed into the device. So if a manufacturer like works with us very early on in the design of the device, then we can design cybersecurity into the device. Unfortunately, what happens most of the time is the device has already been developed and they forgot about cybersecurity until the very end. And then we try to like bolt it on or tack it on, which doesn’t always work. Sometimes they have to redesign it the proper way, but yeah, the whole idea is design it in a way where the cybersecurity risk is low enough where somebody does do something that can’t affect a patient. Because even with things called like IVD or in vitro diagnostics, which make decisions on someone’s blood and what bacteria they have. If somebody can alter the algorithm and give a false negative or false positive result, let’s say your blood has sepsis, the device says you don’t have sepsis, the doctor doesn’t treat it, you could die as well. So, we want to make sure that those things are very unlikely to happen. You can't always get rid of all the risk, but the job is to get the risk to an acceptable level. Share on X

Wow. Okay. So let’s talk about frameworks and you are developing these cyber secure medical devices and you developed a unique project management process, which you call the Efficiency Driver or something similar. And I was wondering what triggered you to invent this process and what does it do?

My first company, I made a lot of mistakes and I had people on typical salary. So they got paid a salary no matter how efficient or inefficient their work was, they got the same salary. So then I thought with this company, I’m going to change things up a little bit. So I pay people like a base salary, but the majority of the pay is based on a project. So what I do with our clients is we do firm fixed price with our clients. So if our clients pay us, let’s say $100,000, I divide that up into my team. And what this has done is my team can take on more and more projects, which means they can make more and more money if they become more efficient. So it’s really driven a lot of enhancements and improvements in our delivery mechanisms, our communication mechanisms, how the team works together, how projects are divided up from a racy perspective. And I’ve noticed great improvements because my team wants to make, most people want to make more money. If I give them an incentive to make more money and the way for them to maximize that, to become more efficient, then they’re going to find ways to become more efficient, which is the opposite of salaried employees from my experience. Or even hourly, hourly, there’s no incentive. There’s actually more incentive to become less efficient because you work more hours on something, you know.

Yeah. So is there a flip side to this? Are there risks that might arise because of this approach that wouldn’t otherwise be so prevalent?

There might be a flip side. I haven’t seen it in my organization, but the flip side that I can see, keep an eye on is people becoming a little bit sloppy and just trying to get something done as quickly as possible and skipping things over so they can do multiple projects at once or maximize the money they make by doing as many projects as possible. We have controls in place to prevent that. We have quality assurance and quality control. So I haven’t seen that, but that’s something I have to keep an eye on, of course.

And then these people, how do you build some kind of team culture? So when people are working on specific projects and it’s completely kind of a result-based commission, well, it’s not a commission because it’s not a sales job, but is there a way to still kind of send these people into your organization or it’s more like an intermediary between independent contractors and kind of a general contractor to put these projects together. And you don’t really intend to build a blue goat cyber culture.

Yeah, I do intend to build a culture and I have a culture and I think culture is extremely important and it’s something you have to work hard to keep the culture and enforce the culture and hire the right people that meet the criteria for the culture. So the culture that I want to have is everyone has a growth mindset and they want to grow with the organization. They want to take ownership over projects. They are constantly learning and they want to improve. So all those things tie into this Efficiency Driver and us becoming more efficient. And it also helps in the long run because if we become more efficient and our projects become better documented and better templatized, then it reduces stress and ad hocness on the team. The team knows exactly what to do. They feel like it’s well oiled, it’s well greased. They feel like they have an opinion to make it better, the process better. That opinion is welcome to be heard. And that’s the culture I want. And it also incentivizes people to kind of put their life in their own hands. They’re not just tied to a nine to five typical job with a salary and then every year you get a two or 3% raise. This allows them to put some more of the ownership and agency in their hands to say, I want to take on more projects. I want to help make these more efficient so I can make more money than 2% raise from last year, for instance.

Yeah, I mean, it’s great. That’s a good way to attract those A players, high performers who want to work like that. Obviously, not everyone wants to work like that. It can be tough, but for those that can thrive on this, it’s a great way to attract them. So, you have authored, Christian, several books, and I’d like to ask you a little bit about that. You wrote a book which was The Smartest Person in the Room. What was this about, and why did you write it? What was the premise of the book?

That book is about my entrepreneurial journey with my first company. In cybersecurity and high-tech industries, people feel significant by being smarter than other people. And what I realized in my first company, and this ties to culture, is 99% of my problems were because my staff didn’t have emotional intelligence. They had a high IQ or high rational intelligence, but lacked emotional intelligence. So they would talk over clients’ heads. They would argue with each other about who was smarter about something, and this all came to a head to me once when I heard one of our clients’ recordings. The client was not getting what my engineer was telling the client, and then I talked to the engineer about it, and he said, they just don’t get it. And I’m like, the client’s a doctor. It’s the doctor’s office. We’re cybersecurity. We probably don’t understand what they’re doing. So we need to explain it in a way they do get it so they can actually become more secure. And that was sort of the pivotal moment for me, and it made me write the book. And the book is based on what I did in my organization to add that emotional intelligence to the already highly rationally intelligent individuals. And not everybody was on board. I talked about enforcing culture earlier. I had to let some people go. They simply did not want to develop emotional intelligence, which is bizarre to me because I like to improve in various aspects of my life. But I have to come to terms with not everybody wants to improve.

So how can someone build their emotional intelligence? So what is the process for that?

I have a seven step methodology I wrote about in the book. I can quickly run through the seven steps. The first step is awareness. Everything starts with self-awareness. I’m not talking about being aware of everything else. And in the book, I talk a lot about neuro-linguistic programming. We’re actually very predictable. We have these programs in our brain that given a stimulus or trigger, we automatically run the program, but we don’t even realize it half the time. And that’s a strong neural pathway in our brain. So once we have the awareness of that, we can do something about it. Like if we find ourselves in the same situation over and over, like somebody asking us something, we automatically get defensive, then we get an argument. There’s a way to reprogram the brain. And that’s the awareness though. But the awareness has to be actionable. A lot of people have awareness, but they’re unable to do something about it. The second step is mindset. So I’m a believer in a growth mindset versus a fixed mindset. A growth mindset means that we can change. Our brain has neuroplasticity. We can learn new things. People that have a fixed mindset will say, that’s just the way I am. I can’t change. That’s just who I am, which is not good for like my culture. I want people that are willing to change. The third step is acknowledgement. One of the things I realized as a leader is I was horrible at acknowledging myself for my accomplishments, which meant when I reflected on it, I was horrible at acknowledging my team. I remember in 2005, I stood under the finish line of the Ironman World Championship in Kona, Hawaii. And I told myself I would do that race someday. I have a picture of me under the finish line, just standing there. And then in 2015, I actually finished the race. So 10 years later, I finished the race. And I remember finishing the race, I was automatically thinking about the next thing to accomplish. I never once took a moment to like, congratulate myself or appreciate what it took me to get there. And I realized I wasn’t doing that with my team either. The fourth step is communication. Communication is a big topic, but I’m a proponent that the meaning or the purpose of communication is the response you get. So if you’re not getting the response you want, which could be the budget you want, the answer you want, the person is not understanding, the ownership shifts back to you to change or alter how you’re communicating so it resonates with the person you’re communicating with. And people rarely do that. We often just blame the other person. Like my engineer did when he said they just don’t get it. He should have made sure they got it. I mean, that’s our end goal at the end of the day is to help people become more secure. And then step five is monotasking. So monotasking is the opposite of multitasking. It’s doing one thing with concentrated effort or focused attention. I think multitasking is horrible. It makes you very busy but not very productive. It makes you very anxious because you’re always on the edge for the new text message, the new email, the new Instagram alert or whatever. And monotasking helps with two things. One of them is being present. So if I’m monotasking, I’m not thinking about anything else. And I’m conversing with someone or having a conversation. I’m present. And that improves your relationships. The second thing is it helps you become much more productive. If I can block out an hour time on my calendar and just do one thing, like turn off my phone or put it on silent, turn off Slack, turn off WhatsApp, whatever, just do one thing, I’ll become much more productive. And that’s how I schedule my day in blocks of time. And then the sixth step is empathy. So in our society today, we have a lot of division. We constantly focus on what’s different about us. There’s the pro-vaccine, anti-vaccine, the Democrats, Republicans. There’s all these different like factions and it’s hard to be empathetic when you see yourself different from somebody else. For me, this kind of struck home when I was in the hospital when I had those blood clots, because I don’t know anything about blood clots. I’ve never had them before. And the doctor told me I had six blood clots in my leg. And I asked him, I say, what does this mean? And he said, he told me it means I could die or have a stroke at any moment. So I was there alone. I didn’t have any family members near me. I was kind of freaking out, started crying a little bit. And he said, kind of in a very dismissive way, he’s like, don’t worry about it. I see this all the time. And it kind of like snapped out of my feeling my life was over stage. And I’m like, you know what? I don’t see this all the time. This is a first for me. I think he was trying to be empathetic, but it felt very demeaning, actually. And that goes back to him seeing himself as a doctor and me as a patient versus we’re two fellow human beings. It’s again that division. And the last step is kaizen. Kaizen is a Japanese word that means continuous and never-ending improvement or constant improvement. Share on X I think with anything in life, we’re not going to master it overnight. We have to take the steps. And some of the steps might be in a slightly wrong direction, but we will know that if we take the step. So I’m a proponent of Kaizen and developing the courage to take the first step and realize that this is a process. You're going to learn along the way, but if you wait for everything to be perfect, you're never going to take that first step. And that applies to pretty much everything in life. Share on X

Yeah. And then you never know, you never learn because you don’t put out impulses which can elicit a response and you have no response, you have no information and you’re not learning. And that’s a fascinating process. What I’m not sure I understand is, do you say all these seven steps make someone more emotionally intelligent by practicing like monotasking? Is it because you’re more present, you’re more emotionally intelligent?

Yes.

Yeah, and the Kaizen, how does that make me more emotionally intelligent?

So one of the things I noticed with, because my audience for the book is highly rationally intelligent individuals. One of the things I noticed is they would try something and if it didn’t work, they would give up. Like they would try to learn how to communicate better or try to learn how to build rapport, as an example. And then if it didn’t work, they’d be like, see, I told you that this wouldn’t work, or they would give up. So the whole philosophy of like, it’s an opportunity to learn about what aspects of what you tried did work. And it may take you a hundred times to learn this skill and you may get worse before you get better. So it’s trying to apply that philosophy and the same thing with monotasking. I’m a believer in checking in with yourself, which means you have to silence the dialogue, the inner dialogue, all the noises around you and just sit with yourself for a while. And that helps the emotional intelligence as well as that being present part. If I’m monotasking and I’m with somebody or communicating with them, I’m going to be a more effective communicator because I can see how they’re responding. I can be present and be quiet and listen more and just create the space for a better dialogue as well.

Yeah, that’s interesting. I recently realized that I thought that when I take notes, I’m actually being more present because I acknowledge that the person, what the person is saying is important because I write it down and I pay attention to it. But now that we have AI, which is a note-taking AI, and I started using that, I actually realized that I can be much more present in these conversations because I don’t have to take notes, I don’t have to look down, and I don’t have to think about how to summarize the thing in verbal form and I can be more present. That is very true. Very interesting. I mean, I could ask a million more questions because it’s a fascinating topic. However, I’m going to ask you a closing question, which is more an open one, which is, what is the most important question that a business owner should ask themselves?

I think the most important question is, what is the problem they solve and who they solve it for and being able to distill that down to a very succinct message. That’s a challenge. I think a lot of business owners and it needs to be your price point for your service needs to be in alignment with how big the problem is you solve for people.

Wow. Okay, I like that. And it’s probably a question that is worth re-asking every now and then because something that maybe looks like a unique solution, it can get commoditized over time, it can get disrupted, and you wake up one day and you’re no longer are creating as much value as you thought you were, and then the market can just go away from you. Yeah, that is fascinating. Christian, if someone would like to learn more about what you do for medical devices, how do you make them more secure? Maybe they have a medical device. They want to build cybersecurity into it from the get go, or they just want to learn more about Blue Goat Cyber or yourself. Where should they go and where can they find out more information?

Yeah, they can go to the website, bluegoatcyber.com. We’re also on all social media. LinkedIn’s a good one as well. They want to learn about me personally. They go to my website. It’s christianespinosa.com. My books are on Audible as well as Amazon and most bookstores as well.

Okay, well, definitely check out Christian Espinosa’s books. He also has a book in between. We didn’t have time to cover this in this episode, unfortunately. And you got four other books. So it’s like six books. Also, medical devices. Christian wrote a book. So if you want to dig deeper into how these devices can be secured, then probably you can read his book about that as well. So if you enjoyed this episode, don’t forget to subscribe and like the episode on YouTube. Follow us on LinkedIn and give us a review on Apple podcast and Christian Espinosa, founder and CEO of Blue Goat Cyber, thanks for coming and sharing your wisdom and knowledge on the show and thanks for listening.

 

Important Links: