Skip to content
Cybersecurity

Five Seconds On Elbrus And The FDA Submission

This is me on the summit of Mt. Elbrus. 18,510 feet. Highest peak in Europe. What the photo doesn't show is that four hours earlier, I almost died on that mountain.

The takeaways

  1. 01Fumbling a Coke bottle and subsequently slipping on a 45-degree snow slope taught the author a crucial lesson about inattention.
  2. 02The author’s near-fatal accident on Mt. Elbrus highlighted that immediate consequences often follow a lapse in attention.
  3. 03The article draws a parallel between the author's mountaineering mistake and common oversights in medical device cybersecurity submissions to the FDA.
  4. 04Delaying focused attention during the FDA submission process can lead to deficiency letters, postmarket vulnerabilities, or difficult audit questions.
  5. 05Blue Goat Cyber was founded on the principle of meticulous attention to detail in medical device submissions, treating each one with the gravity of a life-threatening mountain climb.

We were on the steepest section of the climb. A 45-degree snow slope.

I stopped for a break, pulled a bottle of Coke out of my pack, and fumbled it.

It hit the snow and accelerated down the mountain fast.

Someone said, "Man, that's gonna hurt if it hits someone."

I ignored the warning.

Five seconds of daydreaming later, my crampons slipped. I started sliding down the same slope, picking up speed exactly like that bottle.

I had an ice axe in my hand. I knew how to self-arrest. I'd practiced it.

I just hadn't been paying attention.

I got the axe in, kicked the spikes in, and stopped. Bruised, scraped, very much alive.

The Real Cost Of "Good Enough" Attention

The lesson wasn't about Elbrus.

The lesson was that the cost of "good enough" attention is paid later, not in the moment.

In the moment, the lapse is invisible. I was breathing. The team was twenty feet away. The mountain looked the same as it had thirty seconds earlier. Nothing about the environment told me I had just made an expensive decision.

The cost arrived five seconds later, when my crampons slipped and physics took over. The gap between the lapse and the consequence is where most disasters live. Long enough that you do not connect them in the moment. Short enough that there is nothing you can do about it once they catch up.

That gap is also the part you cannot train into a team by lecturing about it. The only people who really internalize it are the people who have slid down their own slope, gotten the axe in, and looked back up at how close it was.

Why I See The Same Pattern In Submissions

I see the same pattern in medical device cybersecurity submissions.

A team rushes a threat model. Skips a control. Skims a vendor's documentation. Marks something "good enough" because the deadline is loud.

Then the deficiency letter shows up. Or the postmarket vulnerability does. Or the auditor asks the obvious question nobody wanted to ask in the design review.

Five seconds of daydreaming on a slope.

A week of "good enough" on a submission.

Same mistake.

The thing the team felt in the moment was relief. The deadline got hit. The package went out. The Friday afternoon got its weekend.

The cost shows up sixty days later in a deficiency letter that lists seven items, three of which the team knew were soft when they shipped. By then the original engineers have moved on to the next project, the context is half-cold, and the rework will take three times longer than the original work would have if it had been done right.

How To Build The Habit Of Not Drifting

You cannot eliminate the lapses. You can shorten the gap between the lapse and the catch.

On the mountain that is the ice axe in your hand, not on your pack. It is the habit of glancing at your crampons every few steps even when nothing feels wrong. It is the rope team that calls out a slip the second they see it, before the slipping person has registered they are sliding.

On a submission it is the peer review that runs before the package leaves the building. The checklist that forces a second pair of eyes on the threat model. The cultural rule that says "good enough because the deadline" is a flag, not a status. The senior engineer who can say "stop, this is the part we always get burned on" without it being a political event.

None of that is glamorous. All of it is what keeps the slide from turning into a fall.

The lesson I took off that mountain is the reason Blue Goat Cyber exists.

We've helped 250+ medical devices get through FDA and global clearance. And we still treat every submission like the mountain could kill us.

Because the moment you don't, it will.

“Five seconds of discipline now beats five months of rework later.”
Christian Espinosa, headshot

About the author

Christian Espinosa · Founder, Blue Goat Cyber

Christian is the founder of Blue Goat Cyber, a medical device cybersecurity firm. He's an Air Force Academy graduate, 24x Ironman, climber of two of the Seven Summits, and the author of The Smartest Person in the Room and The In-Between.

Keep reading