When the gap is people, not another product

You were approving the quarterly software spend, the way you do, and you stopped on the security line. Not because it was large, though it was. You stopped because you could not name what half of it did. There was an endpoint product, a separate vulnerability scanner, and a thing the last engineer signed up for that emails a weekly report nobody opens. There was a single sign-on tool, and next to it a second tool that also, somehow, did sign-on. You counted nine. You were fairly sure two of them overlapped, and you were certain at least one had a login that left with an employee in the spring.

The uncomfortable part was not the cost. It was that buying every one of those had felt, at the time, like getting safer. Each purchase was a decision you could point to, a logo on a slide, a box checked. And here you were, more tooled than ever, and no more able to answer the question a customer's security team had asked you last week: who is watching this, and what happens when something fires?

That gap between owning the tools and operating them is the whole story.

A purchase has a clean edge. You evaluate, you sign, you deploy, and the work feels finished. That clean edge is exactly why over-tooling happens to careful people: a tool is the easiest thing to point at when someone asks what you are doing about security.

Running the tool has no clean edge. It is a standing job:

• Someone has to tune the alerts so the signal does not drown, then read them on the days nothing looks urgent.
• Someone has to keep the policies current as people join, move teams, and leave, and prove that the offboarding closed every door.
• Someone has to notice when two tools claim the same job and one of them is quietly doing nothing.

None of that ships in the box. So the stack grows because growing it is the available move, while the operating work, which has no purchase order and no logo, keeps sliding to the week after next. You end up over-tooled and under-operated, which is a more expensive place to be than under-tooled, because you are paying for capability you are not turning into protection.

It is tempting to read a sprawling stack as a buying problem and fix it by buying less. That misreads it. The sprawl is a symptom of a missing operator. When no single person owns the environment, every new gap gets answered the only way an unowned environment can answer: with another tool that promises to cover it.

This is why "too many security tools" rarely makes a company safer. Industry survey data has linked larger numbers of security tools to weaker detection and response, not stronger; one widely cited finding reported that organizations deploying more than 50 tools ranked themselves lower on their ability to detect and respond to attacks (IBM Cyber Resilient Organization Study summary, via IBM Newsroom). Treat that specific figure as one data point, not a law, though the direction matches what we see inside real environments: tools without operators add surface, not safety.

The disease is that integration and attention are jobs nobody was hired to do. A scanner that nobody reads is not protection. It is a subscription with good intentions.

Here is the shift that moves the number on your security line, and it is not a tool at all. It is consolidating the operating job under one partner who runs the layers together, so you are not left stitching nine of them by hand.

We work in three layers, and we run them as one job: the cloud foundation (your AWS accounts under something like Control Tower, with GuardDuty watched, not just enabled), the identity and productivity layer (Entra and Conditional Access in Microsoft 365, configured and kept current, not set once and forgotten), and the operating layer on top that ties alerts, access changes, and evidence into a stream a human is accountable for. The point is not that we resell those products. You may already own most of them. The point is that one team operating them in concert catches what falls between tools, and stitched-together vendors, each minding a slice, never catch the gap in the middle.

Where we do not fit is worth saying plainly. If your instinct is to keep collecting tools and you want a vendor who simply adds a tenth, we are the wrong call. We reduce the operating burden; we do not feed the sprawl.

The question was never which tool to buy next. It was who is accountable for the environment you already have.

Walk back to that renewal screen and the nine lines you could not fully explain. The fix that lasts is not a tenth purchase, and it is not a quarter spent ripping things out to feel lean. It is handing the operating job to one team that treats your stack as a single environment to run, consolidates what overlaps, watches what matters, and can answer the customer's question for you because answering it is their actual work.

Over-tooled and under-operated is a fixable state. The missing piece was never sitting in a vendor's catalog; it was the person, or the partner, whose job is to run what you already bought. So as the next renewal comes around, the more useful question than "what should we add" is this: of everything on that security line, how much is being operated, and how much is just being owned?