Tool Sprawl: What It Is and How to Overcome It
Many IT decision makers are planning to increase their cybersecurity budgets in 2022. Kaspersky shared some research where 86% of IT decision makers in North America said that they were planning to allocate budget for cybersecurity in 2022. Approximately the same percentage of respondents indicated that their cybersecurity budget could increase as much as 50% over the next 12 months.
An Important Caveat
More budget doesn’t equate to more security. We’ll illustrate this point using small- to mid-sized businesses (SMBs) in a moment. First, let’s appreciate the current state of security for SMBs.
Many of these organizations are plagued by a lack of resources. Back in 2019, for instance, SecurityWeek reported that 29% of SMBs had an annual cybersecurity budget of less than $1,000. More than half (52%) of those respondents went on to indicate that they did not have any dedicated security professionals on staff and that they had distributed responsibility for security functions across multiple roles instead. SMBs’ cybersecurity budgets increased by 10% in 2020, according to Help Net Security. Even so, they’re still too low for SMBs to tackle today’s threats on their own.
There’s also the misperception among some SMBs that they don’t need defense in depth. CompTIA reminds us that defense in depth involves implementing several layers of security protocols instead of relying on a simple means of protection. Defense in depth can thereby help to defend organizations against a variety of digital threats using redundant safeguards—so long as it’s implemented. But when SMBs think they’re too small to be targeted by digital attackers, they might not prioritize cybersecurity—and defense in depth, by extension—as much as they could. This leaves them open to digital attack.
The Danger of Tool Sprawl
Acknowledging the challenges discussed above, it would appear there’s an opportunity for SMBs and other organizations to keep investing in solutions. This can help them to drive their security efforts—up to a certain point. Indeed, it can also lead to tool sprawl, a phenomenon where the cost of managing and configuring so many security tools outweighs the return on those tools’ value.
To understand tool sprawl, picture a guy who works at an SMB walking around a trade show or security conference. He sees all these booths offering all these different solutions. How can he choose? He decides to invest in a few, but it turns out to be a lot for him and his team to manage. Together, they experience fatigue and fail to install their new solutions properly, leaving the organization exposed to a breach.
Tool sprawl is getting worse, too. Infosecurity Magazine covered a report where a security vendor polled 1,200 enterprise security decision makers in the United States and the United Kingdom. The vendor found that the average number of security tools used by organization had increased 19% between 2019 and 2021 from 64 to 76. This can complicate the task of achieving comprehensive visibility, creating security gaps that could be difficult to close.
How to Address Tool Sprawl
Clearly, SMBs and other organizations need to counter tool sprawl if they are to effectively defend themselves against security threats. They can do this by beginning with a strategy. They can’t just buy the next tool and keep adding on to what they already have. They need to go about their security investments strategically using something like Version 8 of the CIS Controls. Specifically, organizations can use Implementation Group 1 (IG1) to build basic cyber hygiene within their organizations, helping them to solve real-world security challenges.
Once they have a strategy in place, organizations need to focus on the most precious factor of their calculus: time. Tool sprawl is a time suck. It unnecessarily drains organizations’ time by forcing teams to configure and manage tools, some of which they don’t need. Acknowledging this reality, SMBs and other organizations can look to tools and managed services that can help them save time, add to their defensive capabilities, and avoid adding extra things on top of what their teams are already dealing with.
Of course, this is where we can help. Our Outpost knocks down would-be hackers and exploits, our autonomous systems identify potential vulnerabilities and weaknesses, and our team of real human analysts is available 24/7 for the assist. We do it all through a Managed Network Detection and Response (MNDR) offering that saves you time and lets you get back to meaningful work.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.