How to Rein in Cybersecurity Tool Sprawl
Throwing tools at cybersecurity can create more issues than solutions. How many tools are too many, and how can leaders rein in that sprawl?
Tool sprawl is a complex challenge in the cybersecurity world. With quickly mounting and evolving threats, organizations often need new security tools to keep up. And cybersecurity budgets continue to increase for many organizations. The average cybersecurity budget stood at $26 million in 2024, according to a Ponemon Institute survey of 650 IT and cybersecurity practitioners. More than half of respondents reported that their budgets increased.
A bigger budget to spend gives enterprise leaders the ability to buy more security tools. The average organization might work with 10 to 15 different vendors and 60 to 70 different tools, according to a Gartner report. The more tools, the better the defense, right?
The multitude of security tools an organization has can introduce more risk. But there is no magic number that defines sprawl or the actual number of necessary tools. How do enterprise leaders recognize when they are dealing with tool sprawl, and how can they reduce it?
The Risks of Cyber Tool Sprawl
New threats continue to emerge, which means cybersecurity leaders need to evolve their strategies. New tools are a part of that process, but simply throwing tools at the problem can lead to additional problems.
“We tend to continue to plug holes as we find weaknesses, and what we end up with is quite a bit of overlap,” Brent Harris, CIO at Family & Children's Services (FCS), a nonprofit focused on mental health, tells InformationWeek.
Overlap means that some of the spending on cybersecurity tools is unnecessary. If you have two tools that do the same thing, why do you need to pay for both?
Overlap seems like a natural consequence of tool sprawl, but enterprises also risk overlooking gaps in their cybersecurity strategy when they have too many security tools to manage.
“Because these tools are very sophisticated and each of them are covering a separate aspect of the cybersecurity landscape, I think the biggest risk is to not understand if they're configured correctly to protect the organization in an efficient manner,” says Ron Reiter, cofounder and CTO at data security solutions company Sentra.
The more third-party tools an organization integrates, the bigger its attack surface becomes. Security tools themselves can create vulnerabilities.
“There's a lot of risk just because tools usually touch data,” Jay Mar-Tang, field CISO at cybersecurity company Pentera, explains. Cybersecurity tools are often highly privileged, and threat actors are wise to the potential value in targeting security vendors. The consequences of a successful breach of a security vendor can spill outward and impact its customers. Three-quarters of third-party breaches focus on the software and technology supply chain, according to cybersecurity ratings company SecurityScorecard.
Recognize the Sprawl
Multiple cybersecurity tools are a necessity of operating a business today. So, how can leaders recognize when their current approach is ballooning into sprawl territory?
Security tool sprawl happens for many different reasons. Adding new tools and new vendors as new problems arise without evaluating the tools already in place is often how sprawl starts. The sheer glut of tools available in the market can make it easy for security teams to embrace the latest and greatest solutions.
“[CISOs] look for the newest, the latest and the greatest. They're the first adopter type,” says Reiter.
A lack of communication between departments and teams in an enterprise can also contribute. “There's the challenge of teams not necessarily knowing the day-to-day functions of other teams,” says Mar-Tang.
Security leaders can start to wrap their heads around the problem of sprawl by running an audit of the security tools in place. Which teams use which tools? How often are the tools used? How many vendors supply those tools? What are the lengths of the vendor contracts?
Breaking down communication barriers within an enterprise will be a necessary part of answering questions like these. “Talk to the … security and IT risk side of your house, the people who clean up the mess. You have an advocate and a partner to be able to find out where you have holes and where you have sprawl,” Kris Bondi, CEO and co-founder at endpoint security company Mimoto, recommends.
Auditing does not automatically begin with reducing the number of security tools in place. “That auditing is not just to rip and replace tools or consolidate,” says Mar-Tang. “It also helps you understand generally what you're working with and how the team is working with it.”
Building a security strategy from the ground up would make it easier to avoid sprawl in the first place, but security leaders are rarely in this position. “A lot of security leaders are inheriting their posture,” says Mar-Tang.
The auditing process to understand what tools are being used and how across an enterprise can be lengthy. Mar-Tang advocates for taking a proactive approach. “The sooner we start, the sooner it can be consolidated,” he says.
Security operations, such as penetration tests, can also be a valuable window into potential overlap and gaps in an enterprise’s security posture. Are different tools giving pen tests different answers? Is one tool missing potential issues, while another has those issues covered?
Containment
Recognizing sprawl is an important step, but then, security leaders need to do the work of minimizing it. That process requires multiple stakeholders. If a tool is identified for retirement, either because of overlap or obsolescence, it can’t simply be pulled from the environment. Does the tool in question fill a specific gap? Will removing that tool leave that gap exposed?
Security leaders must talk to the people using that tool.
“There's going to be immediate, ‘No, this tool is absolutely necessary,’” says Mar-Tang. “I think that the leaders are going to have to take that feedback but respectfully challenge their teams as well.”
When it comes time to cut down on the number of tools, security leaders will need to make a compelling argument to their fellow leaders. Why is reducing tool sprawl valuable?
“CISOs will want to … leverage their relationships with other executives to say this will help minimize risk across the board,” says Mar-Tang.
Not only can reducing security tool sprawl reduce risk but it can also lead to a more efficient use of budget and improve team coordination, once users work through the learning curve that comes with changing tools.
“There’s always that learning curve with our engineering staff and administrators to develop the level of confidence and expertise,” says Harris.
CISOs need to make an argument that shows how streamlining security tools enables business operations.
Harris recognized the need for a solution to effectively respond to a crisis, such as an active shooter, and communicate across the FCS campus, which is spread out over multiple buildings. The nonprofit ran a pilot of a solution from endpoint management company Tanium.
“It found things that our other tools didn't know were there and found out-of-compliance software,” Harris shares.
Following the pilot, FCS implemented Tanium’s solution, which Harris describes as a “single pane of glass.” That implementation process allowed the nonprofit to retire two tools.
“We still have a number of other tools in place for network intrusion and detection and end-point protection and all those other things, but Tanium is really our hub of that now,” he explains.
Find the Right Balance
Just because an enterprise is using multiple security tools, it does not mean that it has sprawl on its hands. There is a delicate balance between having too many tools and too few. “If that tool is truly needed, I would argue it's not sprawl. Then it's just a needed tool,” says Bondi.
The platform approach to cybersecurity is an effective way of managing tool sprawl. A single vendor with multiple solutions to an enterprise’s security challenges can cut through that snarl of tool sprawl. But that approach comes with its own set of risks.
“If you have one vendor, you actually are extremely vulnerable because that one vendor is now an infrastructure that a bad actor could be innovating against,” says Bondi.
That single platform may also not be as effective as a strategy built with tools from multiple vendors. “It's definitely cheaper to acquire one tool that does 10 things, but it's also a problem because you're probably getting something that's not the best-in-class,” says Reiter.
Finding that balance will boil down to risk appetite, according to Mar-Tang. “Is it [riskier] to lose the availability of certain information because a certain cloud service provider or a certain tool will go offline versus the inherent risk and cost of using multiple tools?” he asks. “That will depend on the business.”
Staying on top of tool sprawl requires ongoing assessment of what tools are in place and how they are being used. It does not mean CISOs completely stop purchasing tools, nor does it necessarily mean constant purchasing.
“Make sure that there's no new features that the existing vendors are working on that might provide the coverage gap that the CISO is looking for,” says Reiter. “If the answer is no, there's no current vendor that it's going to be able to provide this technology in the upcoming three months then it's the right time to look for a vendor that can fill the gap that is basically emergent.”