Tool sprawl: the risk and how to mitigate it

Many firms are struggling with tool sprawl, and it’s having a negative impact on their security – what can be done?


Businesses are increasing their spend on cybersecurity products to keep up with growing regulation and rapidly expanding threats. However, this is creating another problem: tool sprawl, with firms juggling multiple solutions from a range of different vendors, in many cases negatively impacting their security.

The figures are concerning. Organizations juggle an average of 83 different security solutions from 29 vendors, according to an IBM study in partnership with Palo Alto Networks.

New research from Kaspersky concurs, revealing nearly three-quarters (74%) of companies in the UK rely on “multi-vendor ecosystems”.

This is putting firms at increased risk of missing security incidents and burning out staff. Enterprises with fragmented tool stacks can take 72 days longer to detect threats and 84 days more to contain them, compared to more consolidated environments, the IBM and Palo Alto Networks report found.

“The irony of tool sprawl is that more tools don’t equal more security,” says Zac Warren, chief security advisor at Tanium. “They expand the attack surface, drive alert fatigue and slow down response time.”

Fragmented environment

It’s easy to see how tool sprawl happens. Firms are responding to emerging threats and new regulations, while tools can also build up in the aftermath of a breach, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.

The problem with tool sprawl is that it “creeps in gradually and is rarely deliberate”, says Curran. “A company might add one tool to meet a compliance need, another in response to a breach and another because a vendor made a convincing case. Over time this leads to dozens of products, few of which work well together.”

Tool sprawl often starts with good intentions – plugging gaps with best-of-breed products. But without a plan it “quickly snowballs into a costly, multi-vendor ecosystem”, says Warren.

The motivations to add new tools are usually not malicious, agrees Tim Grieveson, CSO at ThingsRecon. “Teams may request various tools for productivity, a CISO may want to add another layer of security, and some tools may be inherited through mergers and acquisitions. Suddenly, you are managing a patchwork of overlapping systems that weren’t designed to work in harmony.”

As they strive to boost security, teams can “get sucked into selecting tools and ticking off features”, without stopping to ask whether they address the “actual vulnerabilities and attack vectors that really matter to the business”, says Adam Seamons, head of information security at GRC International Group.

The result is a “fragmented environment where no one has full visibility”, says Curran. “The impact is felt most by engineers and security teams. Instead of focusing on real threats, they spend much of their time firefighting – managing dashboards, reconciling overlapping alerts and navigating inconsistent reporting processes. This slows down incident response and increases the risk of mistakes being made.”

Matt Middleton-Leal, managing director, EMEA at Qualys describes how teams can end up being “forced to integrate solutions” in order to carry out their jobs. “This can be time-consuming and potentially prone to human error,” says Middleton-Leal.

Meanwhile, an increasing number of products claiming to be powered by AI is adding another layer of challenge to the tool sprawl issue. “Companies are throwing money at pilots and proofs of concept, but most can’t scale them as the underlying data is a mess,” Warren warns.

Reducing the risk

Overcoming the challenge is not straightforward. The vision of implementing one security platform to cover everything is “not realistic” in practice, says Middleton-Leal.

However, there are some steps you can take to reduce the impact of tool sprawl on your business. Reducing risk starts with visibility, Warren says. As a first step, he recommends auditing the tool stack, identifying overlaps and removing anything that isn’t delivering value.

Consolidation can help, but experts recommend it is done mindfully. To reduce the risk of tool sprawl, organizations need to adopt a “holistic strategic, centralized approach to their cybersecurity investments”, rather than being reactive, says Grieveson. This involves a “focused effort to rationalize existing tools and implement new ones, concentrating integration and automation”, he says.

Rather than consolidating for the sake of cutting spend, look at the data coming from your tools, Middleton-Leal advises. “Which ones are still vital to your processes, and which are not providing the data you need? Can you bring tools together to get the right data on your risk profile, and keep it up to date continuously?”

Once overlap has been identified, firms can choose platforms that “integrate cleanly”, according to Seamons. “Simplifying the stack saves money, gives teams breathing space, and makes security work the way it should.”

Overall, tackling the tool sprawl problem is about changing mindsets, ensuring you are adding products for a reason rather than falling for a vendor’s latest sales spiel. “Vendors are quick to push the next shiny solution, but the real challenge lies in changing how a business operates, how it thinks, and being honest about the true root causes of risk,” Seamons warns.

Part of this is about engaging internal teams to ensure you are resilient against cyber threats. Reducing tool sprawl can cut your spend, but the overall goal should be to improve how your team can work around automation and risk operations, Middleton-Leal says.

Training, clear processes and better workload management are “just as important as technology”, adds Curran. “Simplifying toolsets makes the role more sustainable by reducing fatigue and allowing teams to focus on meaningful, higher-value work.”

Crucially, the benefits of reducing tool sprawl – and the time that must be spent doing so – need to be communicated properly at board level. In budget discussions, the strongest case is “always grounded in risk”, Curran says. “Being able to demonstrate how complexity slows down response times, raises costs and increases the risk of non-compliance can be more persuasive than just asking for more investment.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.