CISOs face avalanche of security vendors overpromising and under delivering, ICIT report finds
Chief information security officers have enough on their to-do lists just trying to safeguard hospitals from an ever-evolving array of cyber risks and privacy threats.
But a recent report from Institute for Critical Infrastructure Technology shows they have another challenge: a flood of information – not all of it helpful, or even accurate – from vendors, consultants and other security solution providers.
The report, authored by ICIT Senior Fellow James Scott and researcher Drew Spaniel, with additional research from fellow Rob Roy, offers recommendations for CISOs swimming in too much information, helping them focus on enterprise-wide security demands, better communicate their strategies and gain return on investment from the technologies they choose.
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
"In many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget," according to ICIT. "They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization.”
As they try to find solutions that offer the biggest bang for the buck, however, CISOs are inundated by vendor sales spiels: "Over the course of their role, some CISO s claim that annually they may hear hundreds of company pitches for security tools and solutions," authors write.
Not all of these tools are ready-made.
More than 1,200 cybersecurity startups companies have been funded over the past five years, to the tune of $7.3 billion, according to ICIT. Competing in such an oversaturated market, many of them "over-promise and under-deliver by offering unreliable silver bullet solutions."
[Special Report: Ransomware to get worse, hackers hit whales, IoT opens new holes]
Oftentimes, as they race to market, hoping to keep development costs low, these fledgling companies enlist CISOs to test out minimally viable products – soliciting them to offer feedback that could then inform development and refinement of the security tools before they're released more widely.
"The process often nets the CISO a discount and occasionally results in a customized and refined solution to the cybersecurity problem," according to ICIT. "However, every time a CISO discovers that the adopted vendor solution is unreliable, they must either adopt or develop a replacement solution."
That added responsibility not only increases the stress CISOs face, ICIT noted, but likely also contributes to the average turnover of 17 months for modern chief information security officers.