CISOs face avalanche of security vendors overpromising and under delivering, ICIT report finds

As cybersecurity threats proliferate so do the promises and proposed easy fixes from technology companies, the Institute for Critical Infrastructure Technology said. And in a market with some 1,200 competitors, vendors don’t always live up to claims.
By Mike Miliard
11:30 AM

Chief information security officers have enough on their to-do lists just trying to safeguard hospitals from an ever-evolving array of cyber risks and privacy threats.

But a recent report from Institute for Critical Infrastructure Technology shows they have another challenge: a flood of information – not all of it helpful, or even accurate – from vendors, consultants and other security solution providers.

The report, authored by ICIT Senior Fellow James Scott and researcher Drew Spaniel, with additional research from fellow Rob Roy, offers recommendations for CISOs swimming in too much information, helping them focus on enterprise-wide security demands, better communicate their strategies and gain return on investment from the technologies they choose.

Sign up for the Healthcare IT News Privacy & Security Update newsletter.  

"In many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget," according to ICIT. "They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization.” 

As they try to find solutions that offer the biggest bang for the buck, however, CISOs are inundated by vendor sales spiels: "Over the course of their role, some CISO s claim that annually they may hear hundreds of company pitches for security tools and solutions," authors write.

Not all of these tools are ready-made.

More than 1,200 cybersecurity startups companies have been funded over the past five years, to the tune of $7.3 billion, according to ICIT. Competing in such an oversaturated market, many of them "over-promise and under-deliver by offering unreliable silver bullet solutions."

[Special Report: Ransomware to get worse, hackers hit whales, IoT opens new holes]

Oftentimes, as they race to market, hoping to keep development costs low, these fledgling companies enlist CISOs to test out minimally viable products – soliciting them to offer feedback that could then inform development and refinement of the security tools before they're released more widely.

"The process often nets the CISO a discount and occasionally results in a customized and refined solution to the cybersecurity problem," according to ICIT. "However, every time a CISO discovers that the adopted vendor solution is unreliable, they must either adopt or develop a replacement solution."

That added responsibility not only increases the stress CISOs face, ICIT noted, but likely also contributes to the average turnover of 17 months for modern chief information security officers.

Twitter: @MikeMiliardHITN
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn

More regional news

Digital Transformation

Top row - left to right: Dr Don Rucker, National Coordinator for Health Information Technology (ONC), HHS Office of the Secretary, US, Tim Kelsey, SVP - Analytics, HIMSS, Australia and Dr Ahmed Balkhair, Saudi Arabia’s Digital Transformation Advisor, Ministry of Health. 

Bottom row: Dr Anne Snowdon, Director of Clinical Research - Analytics, HIMSS, Canada.

Malaffi, COVID-19

Credit: Malaffi CEO, Atif Al Braiki

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.