SHER
BAIG

There is a device somewhere in a hospital right now - maybe an infusion pump, maybe a ventilator, maybe the monitor tracking whether a newborn is breathing - and it is connected to a network. That connectivity is how doctors get data fast. It is also a door. Sher Baig has spent 17 years thinking about who else might walk through it.

Baig is the Founder and CEO of CyberSalus, a global MedTech cybersecurity company that guards the clinical ecosystem - every IoT device, every networked piece of medical equipment - from the growing army of ransomware gangs and nation-state actors who have figured out that hospitals will pay almost anything to get their systems back online. His company currently watches over more than two to three million medical device endpoints across 150+ hospitals. It has processed more than one million device vulnerability remediations. That is not a marketing number. That is a body count of attacks that did not happen.

Before he built CyberSalus, Baig spent roughly a decade inside GE Healthcare, building that very capability from scratch. He started through GE's elite Information Management Leadership Program, rotated through US and international roles, moved to France to run the EMEA commercial cloud strategy, and eventually became Senior Director of Global Cyber Product Commercialization. The job title barely captures what he actually did: he assembled GE Healthcare's global medical device cybersecurity commercial organization from nothing, turning a nascent capability into a market-defining operation.

Then he left. And built it again - only this time without a parent corporation's balance sheet to fall back on.

San Jose State University gave Sher Baig a degree. General Electric gave him a career trajectory. The GE Information Management Leadership Program - an intensely selective internal rotational path - gave him the framework for thinking about technology, business, and global markets as a single interlocking system, not separate disciplines you toggle between.

GE sent him to France. That is not a footnote - that is a signal. The EMEA assignment put Baig in front of some of the world's most complex healthcare systems, building commercial cloud strategies for GE Healthcare in a region where no two countries approach health IT exactly the same way. You either develop genuine cross-cultural fluency in that role, or you fail quickly. Baig did not fail. He came back with the instinct for global expansion baked in.

Back in the US, his focus sharpened onto something very specific: the growing crisis of medical device cybersecurity. Hospitals were buying expensive networked equipment - MRI machines, infusion pumps, patient monitors - with operating systems that hadn't been patched in a decade. Some ran on Windows XP. The manufacturers hadn't designed these devices with cybersecurity in mind because, in the early years, nobody imagined attackers would target hospitals. That assumption aged poorly.

Baig built GE Healthcare's response. He created the commercial organization around their medical device cybersecurity offering. He developed their "Skeye" platform - an early attempt to give hospitals visibility into their device security posture. He oversaw implementation and program delivery. He ran customer success. He was, in every functional sense, building what would become CyberSalus while he was still on GE's payroll.

Around 2022, Baig left GE Healthcare and founded Cyber Salus Inc. The name was not an accident. Salus is Latin for health, safety, and well-being - a word the ancient Romans used when they wanted to invoke something bigger than individual wellness, something closer to collective protection. For a company whose stated mission is keeping clinical ecosystems safe so clinicians can focus on saving lives, it is a pointed choice.

CyberSalus launched with a specific architecture: 360 degrees of protection for healthcare organizations. Not a single tool, not a compliance checkbox product, but a full-stack managed security service for IoT and IoMT (Internet of Medical Things) environments. The product suite includes OmniCyte and Daedalus as platform offerings, a 24/7/365 Clinical Security Operations Center, continuous vulnerability management, asset inventory reconciliation, and breach support. The company also offers dark web threat monitoring through Veritech Risk Recon.

The scale they reached in a short time suggests the market had been waiting. Within roughly two years of founding, CyberSalus was named the exclusive cybersecurity partner for GE Healthcare customers across the US and Canada - a relationship that speaks both to the quality of their offering and to the trust Baig had built over a decade inside that organization. You don't become your former employer's exclusive security partner by accident.

The company is headquartered in Boca Raton, Florida, with an operational presence in Reston, Virginia. The leadership team has depth: COO Darrin Tyacke brings nearly 30 years in healthcare and cybersecurity. Joel Hagy, Senior Director of Global Cyber Services, comes with US military background and a TS-SCI clearance. These are not the hires you make for a startup that plans to stay small.

The cybersecurity problem in healthcare is not uniquely American. Every country that has modernized its hospitals faces the same exposure: devices that were never designed with security in mind, now connected to the internet, now targeted by criminals who know that a hospital under ransomware attack will pay to restore access to patient records before the ICU goes dark.

Baig has been international about this from the start. His EMEA experience at GE was formative. His advisory role with the Ministry of Health in Singapore - working on medical device cybersecurity policy and regulatory controls - reflects something unusual: a private sector operator trusted enough to shape government policy in another country. Singapore is not a casual reference on a CV. The city-state has some of the most rigorous regulatory environments in the world. Being invited to advise on cybersecurity policy there signals a level of credibility that transcends the standard conference-circuit thought-leadership circuit.

In mid-2024, CyberSalus formally expanded into the Middle East and Asia, launching a new regional office. By January 2025, Baig was at Arab Health Exhibition in Dubai - one of the world's largest healthcare events - representing the company's growing presence in the region. His LinkedIn post from Day 1 at Arab Health noted the "action packed" start; the comments section filled with 30+ former GE HealthCare colleagues tagging each other, turned into something of a reunion. That is the network effect of a decade spent building something large inside a large company: wherever the healthcare industry gathers, your people are there.

Three months later, at HIMSS 2025 in the US - the flagship global health conference - Baig was back on stage, this time highlighting OmniCyte and Daedalus. A photo from the event shows him alongside Paul M. Nakasone, former Director of the NSA and Chief of Central Security Service. That is the kind of room you get into when the work you do is genuinely consequential to national security infrastructure.

In February 2025, Baig appeared on Products That Count, a podcast with an audience of product leaders at major technology companies. Episode 507. The conversation ran nearly an hour and kept returning to a single conviction that shapes everything about how he builds: innovation comes from field time, not office time.

His formulation is direct: nothing interesting happens in the office. The customer insight that drives the right product decision, the edge case that reveals a fundamental flaw in your assumptions, the pricing model that the market will actually accept - none of that shows up in Slack threads or product spec documents. It shows up in hospital corridors, in conversations with biomedical engineers, in the gap between what a CIO says in a sales meeting and what a security analyst says when they're actually trying to manage a thousand medical devices across three campuses.

This is not a novel idea. What makes it notable in Baig's case is that he built an entire commercial organization at a Fortune 500 company on its basis, and then left to do it again. Most people who say "think from the customer's perspective" have never actually rearranged a product portfolio because a field conversation revealed the fundamental offer was wrong. Baig has done it at scale, more than once.

His approach to business model innovation follows the same logic. In the highly fragmented, budget-constrained healthcare market, competing on product features alone is insufficient. The customer's ability to procure, to justify the budget, to get it through a 12-month capital approval cycle - these are constraints as real as any technical limitation. Pricing structures and delivery models that fit into how hospitals actually buy things are themselves a form of competitive advantage. CyberSalus built its model around that insight.

The market Baig operates in is crowded with general-purpose security vendors who have attached a "healthcare" vertical to their pitch deck. CyberSalus is not that. It was built specifically for the clinical environment, by people who spent years inside the largest medical equipment company in the world.

The difference matters. A hospital's security problem is not the same as an enterprise security problem. The devices are not standard compute endpoints - they are FDA-regulated equipment that cannot be rebooted on a whim, patched outside of the manufacturer's schedule, or replaced every three years because a new vulnerability was discovered. Many of them run legacy operating systems that will never receive another security update from the manufacturer. The remediation strategies available in a hospital are fundamentally different from those in a corporate environment.

CyberSalus's offering reflects this understanding. Their wing-to-wing vulnerability management accounts for the constraints of the clinical environment. Their risk engine prioritizes vulnerabilities not just by CVSS score but by the actual clinical risk they represent - a vulnerability in a device monitoring a critical care patient is categorically different from one in an administrative workstation, even if the technical severity score is identical. The 24/7/365 Clinical SOC is staffed for medical technology, not generic IT infrastructure.

The company also serves the financial services sector, suggesting the underlying technology and methodology translates beyond healthcare. But healthcare remains the core identity - and the most important one, given what the stakes are when the systems fail.