Connect with us

Hi, what are you looking for?


Incident Response

Boom Goes the Cyber Security Toolbox

More Cyber Security Tools Can Increase Cost, Increase Complexity, and Reduce an Organization’s Ability to be Effective

More Cyber Security Tools Can Increase Cost, Increase Complexity, and Reduce an Organization’s Ability to be Effective

I recently had an occasion to go through my father’s workbench at his home, where he’s been collecting tools and doing fixing, building, and God knows what else for the past 25+ years. There were drawers, cabinets, hanging things, and boxes everywhere. As we went through his various tools we talked about what each thing does, when he got it, and why it was critical to something he once worked on.

My dad’s workbench had no less than 10 different kinds (not types) of screwdrivers that essentially were meant for the same function. He had ultra-long, long, mid-length, short, and stubby flathead screwdrivers – each geared for a specific task, but ultimately with significant overlap. He had about two dozen tools that were used once, probably, for some specific job and he never picked up again.

This got me thinking about my own profession, and some of the absolutely bonkers things I’ve heard lately in terms of the number of tools an organization has at their disposal for cyber security things. I think the biggest number I heard was somewhere around 175 cyber security tools in an enterprise. That makes me think of my dad’s workbench – where about half the tools overlap, and the other half served a purpose once, or twice, and likely never were used again and yet they sit there and take up space just in case.

I bet you have a significant number of cyber security tools in your organization. I also bet you have things that overlap in their purpose, but are ever so slightly different in their feature set that you keep them all around.

In March 2016, Stephan Chenette was quoted as saying:

“With an average of 75 security tools in play, redundancy exists. “Many organizations are hiring security experts to manage redundant products and manage alerts that don’t mean anything.”

Advertisement. Scroll to continue reading.

Stephan’s “Hope is not a strategy” outlook mirrors mine, so I’ve been digging into this troublesome trend of tools explosion. 

Another shining example of this trend continuing is here, from 2019:

As we look at things, small organizations are using on average between 15 and 20 tools, medium-sized businesses are using 50 to 60, and large organizations or enterprises are using over 130 tools on average. This is just massive!” — Matt Chiodi, Palo Alto Networks

As I thought about the types of business drivers that fuel decision makers, three themes were common across all organizations – SMB, to mid-market, to enterprise. These three are manage cost of doing business, decrease overall complexity, and increase effectiveness. That sounds pretty simple, right?

Here’s the problem I believe cyber security, and more broadly IT, needs to keep close to front-of-mind. As we continue to bring in more tools into cyber security toolboxes, we rarely, if ever, retire anything. It seems like everything we bring in is just an add-on. I’ve been talking about this for years, and I know many of you already think this way because I’ve been asked on consultations, “If you think I need tool X, what things is this going to replace in my environment?”.  That’s absolutely the right question to ask, but we’re not asking it enough or learning to say no when the answer is “nothing”.

More tools increase your cost, increase overall complexity, and eventually decrease your organization’s ability to be effective. I’m pretty sure you’re thinking I’m slightly off my rocker in that last one, but I’ll explain myself later.

So, there you have it – my philosophy on improving the state of cyber security, with our three big audacious goals in mind as we careen ahead into 2020 and beyond. I’ll write up a post on each of my business drivers (mentioned above), and then provide some ideas where I think there is innovation or at least more options.

RelatedAre Overlapping Security Tools Adversely Impacting Your Security Posture?

RelatedThe Accountability Gap – Getting Business to Understand Security

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...