Vienna, AT
Projects

Building a Global IT Organization — MedTech

image
August 1, 2025
A global MedTech manufacturer with 3,500+ employees across 30+ countries. I joined in 2010. By the time I left in 2025, I was running the entire global IT function: infrastructure, operations, security, service management, governance, and strategy. Multi-million euro annual budget. When I took over Corporate IT, it was a local support function — reactive, understaffed, and invisible to the business until something broke. The mandate was to turn it into a strategic global organization without stopping the machine. Scaled the team from a small local group to over 100 people across multiple countries. My role was to set the operating model, define what ownership meant at each level, and put the right leaders in place — not to manage every team directly. The model: decentralized delivery, centralized governance. Regional IT leads had clear accountability for their sites. Standards, security policy, architecture decisions, and vendor management were global. That tension — standardization versus local autonomy — was one I actively managed. You cannot run 30+ sites with 30 different approaches to endpoint management or backup strategy. But a one-size-fits-all model fails in practice across different countries, languages, and regulatory environments. The answer: standardize infrastructure and security. Localize support and user experience. And build leaders who could hold that line without constant escalation. Served as executive sponsor for the ISO 27001:2022 certification program — a board-level commitment with direct regulatory implications for MedTech. Medical device regulations require demonstrable information security controls, and customers were increasingly demanding it during procurement. The organization had deep audit experience — ISO 9001, ISO 14001, cybersecurity frameworks — but no existing ISMS and no formal information security management discipline mapped to IT operations. The challenge was not introducing compliance culture from zero; it was translating an organization already fluent in quality and regulatory audit into a new domain with different ownership models, different evidence requirements, and a much broader IT surface area than any previous certification had touched. I set the mandate, secured the investment, and held accountability for scope and pace. My team did the build. I made the calls when cross-functional resistance needed to be resolved at the right level. We achieved certification on schedule. I also sponsored UK Cyber Essentials and CyberTrust Gold Label certification across all sites. Set the strategic direction for infrastructure modernization across the global footprint: network architecture, data center operations, cloud migration, endpoint management, and collaboration platforms. Replaced legacy environments that had grown organically for years with coherent, managed, and documented infrastructure. Established security operations — vulnerability management, threat detection, and incident response — and built service management from repurposed project tooling into a proper ITSM function with SLAs, a CMDB, and reporting the business could actually use. Managed a multi-million euro investment portfolio. Every major initiative had a board-approved business case built around cost, risk, timeline, and ROI — not IT spending for IT's sake, but investment framed against business outcomes. The hardest part was not technical — it was organizational change at scale, across cultures. Getting 30+ sites to treat centralized security standards as shared protection rather than headquarters overreach is a political problem as much as a governance one. You cannot solve that with policy documents alone. In MedTech, every IT decision lands in a context shaped by clinical outcomes, regulatory compliance, and market access. Translating infrastructure risk into that language — "this is what an outage on December 15th costs us in production downtime and regulatory exposure" — was a constant discipline, not a one-time effort. The ISO 27001 program covered a defined product scope — but getting the organization ready to support it was a much larger problem. In a MedTech company that has grown over decades through acquisition and organic expansion, the baseline is not a clean slate. Undocumented processes, inconsistent asset ownership, infrastructure with no clear accountability, and teams that had never operated under formal compliance requirements. Making IT audit-ready meant first making IT legible — to itself, to auditors, and to the business functions it depended on. That was the harder part of the mandate. Scaling a global team while maintaining a coherent culture does not happen through process alone. It requires deliberate investment in people, clear career paths, and leaders in every region who embody the standards you set. Trust and delegation are the actual infrastructure.