Managing Cybersecurity Tool Sprawl
Author: Rafeeq Rehman
Contributors: Alex Pinto, Jeff Manning, Thomas Raschke, Steven Gevers
Cybersecurity teams manage a broad spectrum of responsibilities, ranging from governance and compliance to security operations, asset protection, and incident response. This vast scope often necessitates the distribution of duties among multiple specialized teams. Consequently, organizations frequently acquire and maintain redundant security toolsets, leading to increased complexity and cost.
Security tool sprawl is a major challenge. One IBM study finds that the average organization uses 83 tools from 29 vendors. This proliferation not only generates substantial costs in licensing fees but can also demand considerable staff resources for maintenance and operation. When specialized personnel are unavailable or depart, the organization risks its investment becoming "shelfware"—an unused tool that continues to drain resources without providing security value. Integration challenges make it harder to share intelligence between solutions, which can lead to poor visibility and slower incident resolution.
This article explores the root causes, significant impact, and effective strategies for managing and consolidating the unwanted growth of cybersecurity tool sprawl.
How tool sprawl happens
The proliferation of security tools is driven by a mix of organizational changes, human preferences, vendor influence, and tactical necessity. While the list of reasons is extensive, several common factors often lead to tool sprawl:
- Mergers and Acquisitions (M&A) are a frequent cause of tool sprawl, as the acquiring organization must often immediately inherit and integrate the target company's existing security infrastructure. Tools that are deeply embedded in daily operations—such as Identity and Access Management (IAM), Endpoint Protection platforms, and Security Operations (SecOps) suites—are notoriously complex to rationalize or decommission, leading to the permanent duplication of core capabilities.
- Personnel-Driven Tool Adoption: New security hires often arrive with a strong vendor preference or a conviction regarding the efficacy of tools used in their previous roles. This "bring-your-own-tool" tendency frequently results in the introduction of new, often redundant solutions that are adopted based on familiarity rather than a formal assessment of the current security stack's capabilities.
- Vendor Tool Bundling: In some cases the tool sprawl is also a byproduct of purchasing incentives such as Enterprise License Agreements (ELAs).
- Regulatory and Compliance Mandates: External pressures may also become a powerful driver of tool acquisition. Organizations may be compelled to procure and deploy security tools to satisfy various regulatory and industry compliance frameworks such as HIPAA, GDPR, PCI DSS, etc.
Internal pressures contribute significantly to sprawl, including both the proactive acquisition of tools based on market buzz—the "next shiny object"—and the reactive creation of solutions. Technically savvy personnel often develop home-grown tools to address immediate requirements. These custom solutions, however, often become obsolete or a security risk when the original developer departs, as they lack the continuous development and oversight necessary to keep pace with evolving threats.
Impact of more tools
The true Total Cost of Ownership (TCO) for security tools extends far beyond the initial licensing fees. The following describes some of the hidden operational and resource costs associated with too many tools.
- Maintain human expertise – Security technology isn't set-it-and-forget-it. The upfront licensing cost is often dwarfed by the long-term investment required for continuous maintenance and operation. In reality, the budget for expert security personnel—their salaries, training, and retention—can be several times higher than the cost of the tool itself. Worse, the sudden departure of a key subject-matter expert can immediately degrade the effectiveness of a critical security platform, creating a massive, unmitigated gap in your defense.
- More tools don’t necessarily reduce risk – Contrary to intuition, more tools don’t necessarily make an organization safer or reduce risk. In some cases, if a tool is not properly maintained in terms of appropriate configuration or missing patches, it may become a security hazard in itself.
- Shelfware – Tools that are purchased but not implemented are called “shelfware” and result in wasted money. Also, within a single tool, organizations often procure licenses for multiple components but end up underutilizing most of the functionality.
- Redundancy and functionality overlap – The logical extension of tool proliferation is redundancy. In many enterprises, multiple security tools exist with overlapping or near-identical functionality. This practice creates redundant licensing fees, but more significantly, dilutes the finite pool of expert security talent who must stretch their bandwidth to maintain, patch, and manage these parallel systems instead of focusing on core threats.
- Managing tools rather than managing risk – Maintaining a large number of tools may become an objective in itself, distracting security teams from the real goal of managing risk.
- Procurement burden – Maintaining relationships with a large number of vendors, contracts, and negotiations has its own burden on any organization.
- Operational inefficiency – Administrators are forced to pivot between dozens of different dashboards and interfaces. This constant context-switching can waste time, slow down investigations, and make it difficult to see the full picture.
- Alert fatigue – Multiple tools can generate a massive volume of alerts, many of which are duplicates or false positives. Administrators can become overwhelmed by the noise, increasing the risk that a critical, high-priority alert will be missed.
For the reasons listed above, it is a healthy practice to create a tools management strategy and do periodic checks to rationalize their use.
Five steps to deal with tool sprawl
A systematic approach is needed to manage tool sprawl. The following steps can help an organization minimize negative impacts and reduce cost.
- Take inventory of the existing tools, the capabilities they provide, and the associated cost.
- Define “must have capabilities” needed to manage a security program and keep risk at an acceptable level. Map tools to those capabilities to better understand the big picture. A spreadsheet table could be very helpful.
- Identify overlapping capabilities to find redundant tools. Identify expertise gaps as well. At this step an organization should have a good understanding of the tradeoffs between tools that should be kept or retired.
- Evaluate the cost of migration from an operational perspective. Some migrations may take longer than others. As an example, merging multiple identity and access management systems may take much longer than consolidating multiple vulnerability management systems.
- Create a retiring/migration strategy and execute on it in phases.
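The inventory and capability-mapping steps above can be scripted rather than kept only in a spreadsheet. The following added example (not from the original article) uses a constructed inventory of made-up tool names, costs and owners to report capability gaps, overlaps, shelfware (tools nobody can operate) and retirement candidates:

```python
"""Tool inventory rationalization: map tools to must-have capabilities, then
report gaps, overlaps, shelfware and per-tool unique value.
Added example; all tool names, capabilities, costs and owners are constructed."""
from collections import defaultdict

# Must-have capabilities for the security program (assumed list).
MUST_HAVE = {"EDR", "SIEM", "VulnScan", "IAM", "EmailSec", "CloudPosture"}

# Constructed inventory: tool -> (capabilities, annual cost, staff able to run it)
INVENTORY = {
    "AcmeEDR":      ({"EDR"}, 120_000, ["alice"]),
    "LegacyAV":     ({"EDR"}, 40_000, []),          # inherited via M&A, no owner
    "LogLake":      ({"SIEM"}, 200_000, ["bob", "carol"]),
    "ScanPro":      ({"VulnScan"}, 30_000, ["bob"]),
    "ScanLite":     ({"VulnScan"}, 15_000, []),     # bought, never operated
    "MegaPlatform": ({"SIEM", "VulnScan", "CloudPosture"}, 250_000, ["carol"]),
    "DirSvc":       ({"IAM"}, 90_000, ["dave"]),
}


def analyze(inventory, must_have):
    """Return (gaps, overlaps, shelfware, unique):
    gaps      - must-have capabilities no tool provides
    overlaps  - capability -> tools when more than one tool provides it
    shelfware - tools with nobody able to operate them
    unique    - tool -> capabilities only that tool provides"""
    providers = defaultdict(list)
    for tool, (caps, _cost, _owners) in inventory.items():
        for cap in caps:
            providers[cap].append(tool)
    gaps = sorted(must_have - set(providers))
    overlaps = {cap: sorted(t) for cap, t in providers.items() if len(t) > 1}
    shelfware = sorted(t for t, (_c, _cost, owners) in inventory.items() if not owners)
    unique = {tool: sorted(c for c in caps if len(providers[c]) == 1)
              for tool, (caps, _cost, _owners) in inventory.items()}
    return gaps, overlaps, shelfware, unique


def retirement_candidates(inventory, must_have):
    """Tools that provide no unique capability and that nobody can run are the
    cheapest to retire; return them with the annual spend they represent."""
    _gaps, _overlaps, shelfware, unique = analyze(inventory, must_have)
    cands = [t for t in shelfware if not unique[t]]
    return cands, sum(inventory[t][1] for t in cands)


if __name__ == "__main__":
    gaps, overlaps, shelfware, unique = analyze(INVENTORY, MUST_HAVE)
    print("gaps:", gaps, "| overlaps:", overlaps, "| shelfware:", shelfware)
    print("retire:", retirement_candidates(INVENTORY, MUST_HAVE))
```

Tools whose `unique` list is empty but that still have owners (here `AcmeEDR` vs `LegacyAV`) are where the migration-cost step decides which of the pair to keep.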
This practice should be repeated on a periodic basis to continuously evaluate the effectiveness of the existing tools, identify overlaps, and bring in new technologies when needed.
Best of Breed vs. Platform Approach
Two approaches are commonly used when it comes to acquiring technologies.
The ecosystem or platform approach is where a single vendor provides many capabilities under one umbrella. This approach reduces vendor management overhead and can often provide better integration of data in a single portal.
The common counter-strategy to the platform approach is the "best-of-breed" approach, which prioritizes selecting the single most effective technology for a specific security function, irrespective of the provider. While this model ostensibly secures the best tactical tool for every job, it can carry a significant strategic drawback: it tends to lead to a highly fragmented security ecosystem. The resulting data silos—where critical logs and telemetry are scattered across disparate platforms—can make it nearly impossible to correlate events, leading to a crucial loss of comprehensive risk visibility and prolonged incident response times.
If an organization chooses the “best of breed” approach, it should also ensure that the tools provide options to collect data through APIs for integration and consolidated risk visibility. Both approaches have their merits and drawbacks, and one may work better for one organization and the other for a different organization. Since the “best of breed” approach requires tool integration and maintaining expertise for each individual tool, small-to-medium sized organizations should seriously consider a platform approach.
Defining your strategy
While reducing the complexity of your security environment offers clear benefits, it is essential to recognize that every organization has different requirements and vendor risk tolerance. Full adoption of a platform approach must be cautiously reviewed, and certain inherent risks that cause organizational doubt must be mitigated:
- Vendor Lock-in: Organizations are concerned with their long-term exit strategy and how to manage licensing fees over an extended contract period.
- Platform Capability: Organizations must understand the contingency plan if a component of the platform proves insufficient; e.g. some organizations have policies to employ dual-vendor strategies to reduce exposure to zero-day vulnerabilities.
- Continuous Expansion: Organizations should question how they will maintain their strategy over time. For example, platform vendors continuously acquire new capabilities; what should be done if some components become unfavorable (e.g. from a financial point of view)?
- Single Point of Failure: There is increasing concern over events where one single vendor caused global service outages.
Verizon can help!
Verizon has a broad range of expertise in providing end-to-end security solutions. This allows us to help with both building a consolidation strategy and its long-term execution.
Verizon is able to take over the management of many technical security solutions, including network, endpoint and vulnerability products. This allows us to assist customers by helping them manage a diverse set of tools, simplify processes from the start, and, over time, rationalize the environment to achieve long-term cost efficiencies.

Rafeeq Rehman, Associate Director
Rafeeq Rehman loves to write about Cybersecurity and share his experiences. He is the creator of CISO MindMap, a tool to elaborate on complexities of CISO’s job. When not working on computers and networks, he enjoys reading classical poetry.