An ICT system consists of multiple interrelated software and hardware components as well as related services. They are often produced by a complex network of suppliers the control of which is hard, time consuming and in many cases almost impossible for a single company. Hence, it is a common practice for malicious actors to target the ICT product supply chain assuming that some members have lax security practices or lag behind in terms of using the latest solutions and protocols. A single company cannot assure the security of complex ICT systems and cannot evaluate risks and therefore, to be successful it needs to tap into a wider network of ICT product developers and suppliers, which in essence leads to forming an ecosystem. We propose in this study that such an ecosystem should be established and managed on the bases of its members capabilities, which in this means capacity to meet desired goals, i.e., security and privacy requirements in a dynamic business context. The proposal is illustrated on the case of the ICT product called IoTool, which is a lightweight IoT gateway. The IoTool uses various third-party components such as sensors and actuators supplied by different vendors