Episode Details

Cybersecurity assurance was supposed to give boards, regulators, customers, and partners a clear answer to one question: can the security of the organizations they depend on actually be trusted? In 2026, that answer is harder than ever to come by. Supply chains are sprawling, attackers are pivoting through third parties, and too many assurance reports still rely on questionnaires, self-attestations, and frameworks that have not kept pace with the threat landscape. The 2026 HITRUST Trust Report calls that gap what it is: a Trust Crisis.

In this Brand Spotlight, Vincent Bennekers, VP of Quality at HITRUST, walks through what four years of performance data across thousands of certified environments now show: 99.62% of HITRUST-certified environments remained breach-free in 2025. That stands in stark contrast to industry surveys reporting that more than 40% of organizations have experienced a breach. Vincent Bennekers is direct on why the numbers hold up: prescriptive controls, a centralized quality review, and an assurance methodology built for measurable outcomes rather than checkbox compliance.

Healthcare makes the point even sharper. HITRUST examined the top fifty breaches on the HHS OCR breach portal, the public listing some in the industry refer to as the wall of shame. None of them occurred in a HITRUST-certified environment. For an industry that consistently ranks as the most breached and the most expensive to breach, that is a signal worth pausing on.

Quality of the report itself matters as much as the framework behind it. Vincent Bennekers describes a layered review model with automated and manual checks, independent reviewers, and centralized HITRUST quality assurance prior to issuance. Every certification HITRUST issues goes through that same review. Stakeholders consuming any other assurance report should be asking exactly how its integrity is being ensured, and what is actually behind the stamp.

Supply chain risk is the throughline. The 2025 Verizon Data Breach Investigations Report found third-party-involved breaches doubled, climbing from 15% to 30%. HITRUST requires service provider coverage, mandatory in the r2 assessment and optional but heavily adopted in the e1 and i1, where over 80% of organizations are choosing to address service provider controls thanks to a streamlined inheritance model.

The report closes with a five-step roadmap for stakeholders: shift from flexible compliance to threat-intelligent assurance, verify assurance report integrity, reduce supply chain exposure, secure AI implementations through prescriptive controls, and reassess the definition of good information security assurance. Vincent Bennekers is clear that AI belongs in this conversation now, with HITRUST offering AI certification to address risks across data protection, model integrity, and automated decision-making.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST

Vincent Bennekers, VP of Quality at HITRUST
LinkedIn: https://www.linkedin.com/in/vincent-bennekers-a0b3201/

RESOURCES

Learn more about HITRUST: https://hitrustalliance.net/
Download the 2026 HITRUST Trust Report: https://hitrustalliance.net/trust-report