After more than 30 years in the security field, I’ve learned to spot the pattern. A company gets scared about security. Sometimes it’s due to an actual breach; sometimes it’s just news of what happened to someone else. Other times, it’s an “unpleasant” board meeting that sets everyone on edge. Whatever the cause, word comes down: buy a new platform, add another agent, get another dashboard.
Everyone feels safer for a while – until the next breach hits, and the realization dawns that nothing actually changed except the budget line.
These days, there’s a tool for everything: endpoint, identity, email, data, cloud, compliance … you name it. Every box is ticked. If technology were the answer, we’d be bulletproof by now. What’s going on here?
The Psychology of ‘Do Something!’
Panic shopping for security tools is understandable. Executives itch to “do something!” and the purchase of a new tool certainly does feel like something is being done. Suddenly you’ve got a new box on the network diagram, a new line on the insurance questionnaire. But it’s the cybersecurity version of buying a treadmill after a bad checkup. Are you truly going to use it, or are you going to hang clothes on it?
Too many executives ask, “What can we buy right now to make us feel better?” What they should ask is, “Do we have the right processes in place to prevent an attack from happening?”
In 2023, attackers used basic social engineering techniques to breach MGM Resorts, ultimately knocking out casino systems from Vegas to Macau. In response, executives across all kinds of industries rushed to buy new “identity management solutions.” But they didn’t stop to ask the difficult question: would any software have stopped an employee from being tricked by a phone call?
Spoiler alert: nope.
When Tools Become Attack Surfaces
So, what happens next, after the shopping spree? You’ve got (at least!) one more new security tool to deal with. Every tool is, by definition, another piece of software. Software introduces complexity, credentials and potential vulnerabilities. More tools mean more moving parts, more configurations, expanded attack surface … in short, more ways for things to go wrong.
ENISA’s 2024 Threat Landscape Report noted that security infrastructure itself has become a prime target for attackers. Compromise one SIEM connector, and you inherit its privileges. Poison one logging system, and you can hide in plain sight.
Every time we add another “solution,” we create another opportunity for failure.
The Human Cost of Tool Sprawl
Here’s something else that too many executives ignore: the impact of simple human exhaustion.
Ask any analyst what their day looks like, and you’re not going to hear about Jason Bourne chasing hackers through cyberspace. You’re going to hear about toggling between 15 consoles, reconciling contradictory alerts, and explaining to management why none of the “real-time dashboards” agree with one another.
The phenomenon known as “alert fatigue” is a numbing state in which the next big warning looks exactly like the last thousand false positives. According to Ponemon Institute research cited by Redscan, the average organization’s security operations center receives 17,000 malware alerts per week! However, fewer than 20 percent are ever investigated. That’s a perfect recipe for alert fatigue. That same Redscan report noted that over 30 percent of IT professionals admit to ignoring alerts due to the high number of false positives.
The Myth of Automation
But hey! Maybe some new technology will save the day. Not long ago, SOAR (Security Orchestration, Automation and Response) was going to be our solution in shining armor. Ah well, moving on … maybe AI will ride to our rescue.
You’ve heard all the pitches. “Autonomous threat detection!” “Self-healing infrastructure!” The marketing slides are glorious. But when you ask practitioners what happens next—meaning, who reviews the AI’s decision, who remediates, who verifies—the silences can be long and awkward.
Automation is powerful, but it’s not intelligence. Without disciplined humans to design, configure, test, and supervise those automations, even the shiniest new tool will simply accelerate mistakes. When AI-driven systems are surrounded by gaps in process, like misconfigured connectors and unreviewed alerts, it’s going to be the same old story, just with fancier tech.
Fewer Tools, More Control
If tool stacks prevented breaches, no Fortune 500 would ever make the news. But the truth is, complexity is not a badge of sophistication. In fact, all too often it’s a measure of fragility.
Instead of measuring your security by the number of products you’ve purchased, measure it by the number of products you truly own. By ownership, I mean tools that have a named operator, documented procedures and a verified test date. If you can’t name who’s responsible for a given system, you don’t control it.
What Real Security Looks Like
Sometimes simpler is stronger. A business with a small number of well-maintained defenses and clear response procedures is safer than one with a glittering array of “solutions” that nobody manages. Mature security isn’t a question of stacking tools; it’s about mastering process.
Real security is patch management done on schedule. It’s a backup that’s tested every quarter, not just talked about in meetings. It’s multi-factor authentication on critical accounts, strict access control for admin privileges, and, oh yeah, someone actually reading all those logs.
None of these things are glamorous. None are “next-gen.” But they work.
The NIST Cybersecurity Framework 2.0, released in 2024, emphasized this shift explicitly when it added governance as a key pillar in cybersecurity programs. The message is that security is an operational matter, not a transactional one. You measure it in routines, not receipts.
I’ve seen organizations with 20 overlapping tools crumble under ransomware. I’ve seen others with nothing fancier than a good firewall, endpoint protection and consistent backups sail through attacks with barely a hiccup. What made the difference wasn’t what they bought. It was what they did.
The Cultural Shift
On his deathbed, the actor Edmund Kean famously said, “Dying is easy. Comedy is hard.” Here’s my version for cybersecurity professionals: Buying is easy. Operating is hard.
It all comes down to the unglamorous, disciplined work of process, by which I mean configuration, testing, documentation and ownership. That’s what creates resilience. No, that work doesn’t photograph well, and it doesn’t come with a vendor logo. But it’s the difference between a security program and a shopping list.
Buying a tool gives you the illusion of safety. Running it well gives you the reality. My advice? Choose reality. Everything else is marketing.