Healthcare CISOs Find Security Vendors Overpromising

Chief information security officers have enough on their to-do lists just trying to safeguard hospitals from an ever-evolving array of cyber risks and privacy threats.

But a recent report from Institute for Critical Infrastructure Technology shows they have another challenge: a flood of information – not all of it helpful, or even accurate – from vendors, consultants and other security solution providers.

The report, authored by ICIT Senior Fellow James Scott and researcher Drew Spaniel, with additional research from fellow Rob Roy, offers recommendations for CISOs swimming in too much information, helping them focus on enterprise-wide security demands, better communicate their strategies and gain return on investment from the technologies they choose.

"In many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget," according to ICIT. "They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization.” 

As they try to find solutions that offer the biggest bang for the buck, however, CISOs are inundated by vendor sales spiels: "Over the course of their role, some CISO s claim that annually they may hear hundreds of company pitches for security tools and solutions," authors write.

Not all of these tools are ready-made.

More than 1,200 cybersecurity startups companies have been funded over the past five years, to the tune of $7.3 billion, according to ICIT. Competing in such an oversaturated market, many of them "over-promise and under-deliver by offering unreliable silver bullet solutions."

Oftentimes, as they race to market, hoping to keep development costs low, these fledgling companies enlist CISOs to test out minimally viable products – soliciting them to offer feedback that could then inform development and refinement of the security tools before they're released more widely.

"The process often nets the CISO a discount and occasionally results in a customized and refined solution to the cybersecurity problem," according to ICIT. "However, every time a CISO discovers that the adopted vendor solution is unreliable, they must either adopt or develop a replacement solution."

That added responsibility not only increases the stress CISOs face, ICIT noted, but likely also contributes to the average turnover of 17 months for modern chief information security officers.

HealthcareITNews:   

« Malware Targeting Energy Companies
Ukraine Crisis Fits Cyber War Narrative »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Techmeme

Techmeme

Techmeme is an online news curation service focused on leading edge technology, including cyber security.

Cyber Exec

Cyber Exec

Cyber Exec is an executive search firm dedicated to global talent acquisition in Cyber Security, Information Technology, Defense...

AMETIC

AMETIC

AMETIC, is the Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies in Spain.

Exabeam

Exabeam

Exabeam is a global cybersecurity leader that delivers AI-driven security operations.

Blockchain Slovakia

Blockchain Slovakia

Blockchain Slovakia is a non-profit organization that brings together researchers, developers, entrepreneurs, regulators, investors and the public to support blockchain technology in Slovakia.

PSW Group

PSW Group

PSW Group is a full-service Internet solutions provider with a special focus on Internet security.

Matias Consulting Group (MCG)

Matias Consulting Group (MCG)

Your Business needs competitive and resilient ICT solutions. MCG defines, deploy & support them enabling you to focus on your core business.

AU10TIX

AU10TIX

AU10TIX’s smart forensic-level ID authentication technology links physical and digital identities, meets compliance mandates, and ensures your customers know their trust and safety come first.

ISA Global Cybersecurity Alliance (ISAGCA)

ISA Global Cybersecurity Alliance (ISAGCA)

Objectives of the ISA Global Cybersecurity Alliance include the acceleration and expansion of standards, certification, education programs, advocacy efforts, and thought leadership.

Epiphany Systems

Epiphany Systems

Epiphany enhances your defensive security controls by providing you with an offensive perspective. We expose the most likely attack paths to your most critical IT assets and users.

Diversified Search Group - Alta Associates

Diversified Search Group - Alta Associates

Diversified Search Group is an industry leader in recruiting diverse, inclusive and transformational leadership for clients.

Sec3

Sec3

Sec3 is a security and research firm providing bespoke audits and cutting edge tools to Web3 projects.

TRM Labs

TRM Labs

TRM enables risk management and compliance for a global community of financial institutions, cryptocurrency businesses and government agencies.

Acumenis

Acumenis

At Acumenis, we help organisations of all sizes to manage information security effectively. Our key services are penetration testing, ISO 27001 implementations, and security

Verosint

Verosint

Verosint (formerly 443ID) provides real-time account fraud prevention that reveals fraudsters hiding in user accounts and proactively blocks them before their attacks can cause harm.

Accompio

Accompio

Accompio offer comprehensive support in the digitalisation of your business processes.