And over the past decade, the CISO role has taken on greater importance and influence.
But what Feris Rifai, cofounder and CEO of Bay Dynamics, calls "a gold rush in security during the last three years" has made the task of evaluating security tools overwhelming.
"Investors poured money into the industry and as a result, more vendors surfaced. So now there is an imbalance between the number of security vendors and the number of CISOs," Rifai said.
He noted a 2015 report by CB Insights that found "over the past five years, $7.3 billion had been invested into a whopping 1,208 private cybersecurity startups."
David Zilberman, managing director at Comcast Ventures, a venture capital firm, acknowledges the role investment has played.
"The need for cybersecurity is bigger than before," he said, "so there are a lot of companies trying to build a better mousetrap. And venture capital firms are fueling it by funding these companies."
Andrew Hay, CISO at DataGravity, said cloud architecture may also be a factor, "specifically SaaS (software as a service) delivery models, lowering the barrier to entry," leading to an exponential increase in security startups that are all "promising to solve the same problems, or invent a new problem to solve."
Whatever the reasons, Zilberman said there is now "a sea of vendors with similar products. At one point, Gartner was tracking 23 endpoint protection vendors. I speak to CISOs all the time regarding doing their day job vs. vendor evaluation. They just don't have the bandwidth to do it."
If your product or solution can solve an actual problem, and not just a marketing-derived problem, the 'hype fog' can be cleared away from the product pretty easily.
The imbalance is exacerbated even more by some CISOs deciding to "move on and try to sell their own products," Zilberman said. "They've joined the vendor ecosystem."
It is not just that there are hundreds of products on the market. It is also that CISOs are solicited as "testers" for "minimum viable products" - the first, rudimentary version of a tool that needs feedback from early users so developers can refine it, eliminate bugs and add features before pitching it to the mass market.
That label "does not mean it's a bad product," Rifai said, noting that Techopedia defines it as "a development technique in which a new product or website is developed with sufficient features to satisfy early adopters. The final, complete set of features is only designed and developed after considering feedback from the product's initial users."