Siemens Digital Industries Software
Jeff Mowry at Realize LIVE 2025 in Detroit in early June.

Q&A: Could a software vendor be on the hook if your company's systems get hacked?

July 21, 2025
Outsourcing cloud-based software frees up resources and can save time in a fast-moving project timeline. But you’d better trust the provider, advises Workhorse CIO Jeff Mowry, as his company does with the Siemens suite used to produce its breakthrough electric vehicle in only 22 months.

One of the nice things about delegation—if we’re being honest with ourselves—is you can leave someone else holding the bag. That’s not necessarily the case when vendors run software in the cloud for you, however.

Jeff Mowry, CIO of Sharonville, Ohio-based electric vehicle manufacturer Workhorse (the one-time contender for producing the U.S. Postal Service's new EV), likes keeping his IT team tight.

Workhorse uses the Siemens NX and Teamcenter X software suites, and Mowry credits the tools with keeping his headcount down and allowing his people to focus on the important things. But there are tradeoffs for relying on third parties.

We spoke to Mowry at Siemens Digital Industries Software’s Realize LIVE 2025 event in Detroit in early June about how they use the NX package and the associated benefits and concerns. This interview is edited for length and clarity.

Dennis Scimeca: What are all the specific Siemens software suites you've deployed at Workhorse?

Jeff Mowry: We are using NX to design the truck that you saw [in the exhibition hall at Realize LIVE 2025], our W56 work truck. We designed, engineered, and manufactured that truck using Siemens NX. We were an early adopter for automotive in 2020, signed the contract in late ’21 and went live in about three to six months in ’22.

We use NX for the design work, the CAD work … [and] Teamcenter X for the PLM [product lifecycle management], in conjunction with NX.

Scimeca: Tracking the BOM [bill of materials] and such?

Mowry: Yeah, tracking the BOM, managing our changes, those types of activities.

Scimeca: Keeping everyone on the same page?

Mowry: I think a lot of the bigger automotive [customers], maybe even some of the smaller ones, are using the on-prem Teamcenter. [But our deployment is] all hosted and managed by Siemens. I have no servers. I have no [related] infrastructure. I have no IT team managing that platform.

Scimeca: Do you ever think about cybersecurity, using cloud services like this?

Mowry: Absolutely. Remember, we're a small EV startup. We're a small IT team. [If] you compare our ability to protect our IP in our data center … versus what Siemens has? … They've got deeper reach into more expensive tools. We did a very detailed review before we went live with their CISO to make sure we understood what they had, what they were certified in, what their cybersecurity roadmap looked like. And to be honest with you, we felt they could do a better job of protecting our IP than we could.

Scimeca: Do you have third-party suppliers that hook right into your system?

Mowry: We just have a handful that have direct access. But it's not prolific. We've used some contract engineering support for that kind of work.

Scimeca: Did you do security reviews before you gave them access?

Mowry: Absolutely.

Scimeca: Even with doing the reviews, even with Siemens providing cybersecurity, is there still something nerve-wracking about letting third parties into your systems?

Mowry: Yeah, of course there is. Obviously, we trust Siemens, there's a level of trust that you give up with that. But we thought it would have been higher risk for us to take it on-prem.

The other issue is speed. We had a restart of Workhorse in 2021 with a new management team. We had [the W56], and we needed to be up and running. Our goal was to have the truck out in under two years. … We did it in 22 months. … We wanted to have a solution that we could spin up quickly so we could immediately start working on the tool.

Speed was a big piece. Security was obviously a big piece and then cost. … I didn't have to go out and buy servers. I didn't have to stand up the operating system. I didn't have to hire a team to do that.

Scimeca: Who takes responsibility if there are cybersecurity incidents?

Mowry: Well, Siemens would.

Scimeca: Because Siemens is responsible for cybersecurity.

Mowry: They’re responsible for keeping up the patches. They manage the multifactor authentication pieces for us. They hold that risk.

I don’t have any IT people supporting the [Siemens] tool sets. I have IT people supporting the ERP applications. I have teams supporting the plant, like with the MES. And I have an IT team doing, like, the traditional email, desktop stuff.

Scimeca: How can you demonstrate that NX and Teamcenter accomplished what you need them for?

Mowry: If you look at what we did in 22 months, I don't know anybody else as being able to get a product out like [the W56] in 22 months, and a lot of that is based on … that digital process, for us to take it from design to production in that short period of time.

Scimeca: What does not having to worry about administering these design tools free you up to do?

Mowry: We’ve talked about a bill of process. I’d like to implement that. We’d like to focus on a configurator. Our product’s getting more complex, so [not having to worry about NX and Teamcenter] allows us to try and focus more on application layer, IT initiatives versus infrastructure.

Scimeca: We’ve talked about cybersecurity for a while, how Siemens is on the hook for any incidents. New SEC rules dictate the disclosure of material cybersecurity incidents. If that happens, who’s responsible for reporting it?

Mowry: I believe we would be responsible because we're publicly traded, so they're a vendor to us.

About the Author

Dennis Scimeca