You Don’t Need More Cybersecurity Tools.

You Need Fewer, Actually Working


Here’s a stat that should keep security leaders up at night: the average enterprise runs 45 separate security products. Most of the alerts those products generate? No one’s reading them. The next breach is probably sitting in one of those dashboards right now, buried somewhere behind 2,999 notifications the team hasn’t gotten to yet.

Let’s say the thing nobody in the industry wants to say out loud. Your cybersecurity problem almost certainly isn’t a lack of tools. It’s that you have too many and not nearly enough people to run them properly. That’s uncomfortable to admit, especially after years of buying products, renewing licences, and ticking audit boxes. But the data keeps pointing the same direction. And two incidents from 2024 make the case better than any statistic could.

The 2 a.m. Problem

Picture a security operations dashboard at 2 a.m.

It’s alive. Flickering. Generating alerts across endpoint detection, network monitoring, identity management, cloud security, vulnerability scanning, email filtering, log correlation: each of those tools bought for a perfectly good reason, each of them doing exactly what it was designed to do, right now. And almost none of it will be read before morning.

This isn’t a hypothetical. It’s the everyday reality for hundreds of organisations across every sector. Vectra AI’s 2026 research found that the average organisation fields around 3,000 security alerts a day — and 63% of them go completely unaddressed. The SANS (SysAdmin, Audit, Network, and Security) 2025 SOC Survey found 66% of security teams simply can’t keep up with the volume.

The Verizon 2025 DBIR (Data Breach Investigations Report) sums it up bluntly: in 96% of confirmed breaches, it was the attacker, not the security team, who first disclosed the incident.

The alert existed. No one got to it in time.

How Every Company Ends Up Here

Tool stacks don’t bloat because of bad decisions. They bloat because of good ones made one at a time, never reviewed as a whole.

A phishing attack happens. The board asks what went wrong. A new email security tool gets purchased. Six months later, a compliance audit flags a gap. Another tool. An insurance underwriter wants proof of endpoint detection. Another tool. A vendor’s conference demo makes a new threat intelligence category sound essential. Another tool.

Nothing ever gets removed. Decommissioning a tool bought after a security incident carries political risk — it implies the original threat might come back. Contracts run three years. Budgets get ring-fenced. The stack grows in only one direction.

Meanwhile, the market actively encourages this. Global cybersecurity spending is forecast to top $240 billion in 2026. Vendors have every incentive to invent new product categories for every new threat vector. Each one is technically legitimate. The problem is that most organisations deploying them don’t have the human capacity to operate them properly at the depth, and at the speed, that actually matters.

Industry analysis suggests enterprises routinely carry between $200,000 and $500,000 in redundant annual licensing across overlapping security categories. They’re paying for tools that duplicate each other, generating noise that buries the signal, watched over by analysts who are burning out and leaving. Palo Alto Networks puts the average enterprise security stack at 45 products. Some estimates go higher – 70 to 90 at larger organisations. Security teams actively use fewer than half of those on any given day.

You’re not protected by the tools you own. You’re protected by the alerts you actually act on.

The Hidden Cost of Tool Sprawl

The licensing fees are the part everyone can see. The harder-to-quantify costs are the ones that do the real damage.

When your security team is context-switching across a dozen different dashboards, each with its own logic, its own alert format, its own severity scale, they’re not protecting you. They’re managing interfaces. The cognitive load alone is enough to degrade the quality of every decision they make. And that’s before you account for the time spent on tool maintenance, version updates, integration troubleshooting, and vendor relationship management.

Then there’s the talent problem. Experienced security analysts don’t leave because the work is too hard. They leave because the work feels pointless: they spend their days triaging alerts they know nobody will act on, in a stack so complex that real threats are indistinguishable from noise. The average cost of replacing a security analyst runs well into six figures when you factor in recruitment, onboarding, and the institutional knowledge that walks out the door.

And finally: every tool that’s integrated into your environment is an additional attack surface. Agents, APIs, connectors, service accounts: each one is a potential entry point if misconfigured or left unpatched. The Sisense breach didn’t happen despite a sophisticated technology environment. It happened partly because of one.

Tool sprawl isn’t just expensive. It actively makes you easier to breach.

CDK Global – When a Two-Week Outage Costs the Industry $1 Billion

What happened

On 18 June 2024, CDK Global – the dominant software platform for North American car dealerships, serving around 15,000 locations across the US and Canada – was hit by a ransomware attack. Then, while trying to recover, they got hit again on 19 June. CDK took its dealer management systems fully offline. They didn’t come back until early July: a two-and-a-half-week outage sitting at the heart of a $1.2 trillion industry.

How it happened

The attack was attributed to BlackSuit, an Eastern European ransomware group with roots in the former Conti operation, one of the most prolific criminal networks in cybersecurity history.

CDK has never publicly disclosed the precise initial access vector. What we do know: blockchain analysts at TRM Labs tracked roughly 387 Bitcoin – around $25 million at the time – transferred to a wallet controlled by BlackSuit affiliates just two days after the attack went public. Bloomberg, CNN, and CyberScoop each independently reported it as an apparent ransom payment. It ranked as the second-largest ransomware payment ever recorded. BlackSuit gains access primarily through social engineering and credential compromise. Not exotic zero-days. Just human-scale deception, the kind that doesn’t need to defeat a sophisticated detection stack. It just needs to defeat human attention for long enough.

What it actually cost

The Anderson Economic Group estimated collective losses to North American dealerships at more than $1 billion from approximately 56,200 lost new car sales, disrupted parts and service operations, extra staffing costs, and inventory carrying charges on vehicles that couldn’t move. AutoNation, Lithia Motors, Group 1 Automotive, Penske Automotive, and Sonic Automotive all disclosed the operational impact to the SEC. JPMorgan analysts described the situation as “disarray” across the industry. Multiple class-action lawsuits followed.

A Quieter Failure Mode

CDK shows what happens when an attacker moves faster than the response. But tool sprawl creates a second kind of failure that’s actually more common and much harder to spot.

It’s the breach that enters through credentials nobody was watching. Not because the monitoring tool didn’t exist. Because the alert was sitting in the queue somewhere behind 2,999 others, and nobody got there first.

That’s exactly what happened to Sisense.

Sisense – The Credentials Were There. The Attention Wasn’t.

In April 2024, Sisense – a US-based business intelligence platform used by enterprise customers in finance, telecoms, and tech – suffered a significant data breach.

On 11 April 2024, CISA – the Cybersecurity and Infrastructure Security Agency, the US federal body responsible for national cyber defence – issued a public advisory confirming the breach and instructing all Sisense customers to immediately rotate every credential they’d ever used to access Sisense services. That’s an extraordinary step. CISA doesn’t issue those advisories lightly, and they explicitly flagged concern for critical infrastructure organisations in Sisense’s customer base.

The story broke publicly through Brian Krebs at KrebsOnSecurity, one of the most trusted independent voices in cybersecurity journalism, who cited two sources with direct knowledge of the investigation. It was Krebs who first reported the specifics of what had been accessed and how.

How it happened

Attackers gained access to Sisense’s self-managed GitLab code repository. Inside that repository were credentials – access tokens, API keys, passwords, SSL certificates – stored in a way that handed the attackers the keys to Sisense’s Amazon S3 cloud storage environment.
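The defensive counterpart to the failure described above is catching committed credentials before they reach a shared repository. The following is an added example, not Sisense’s code or any tool the article names: a minimal secret scanner of the kind that runs as a pre-commit hook or CI check. It combines a fixed-format rule (the AWS access key ID prefix) with a keyword-plus-literal rule and a Shannon entropy check to tell a random-looking token from an ordinary string. The file contents, variable names and values are constructed for the example; the access key ID is the one AWS uses in its own documentation, not a live key.

```python
import math
import re
from collections import Counter

# Constructed sample of a settings file that was committed to a repository.
# Every value here is fake; line 5 shows the pattern the scanner should NOT
# flag, because the token is read from the environment rather than hardcoded.
SAMPLE_FILE = """\
# settings.py (constructed example)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "correct-horse-battery"
API_TOKEN = os.environ["API_TOKEN"]
GREETING = "hello world"
"""

# Rule 1: AWS access key IDs have a fixed, recognisable shape.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Rule 2: a secret-looking variable name assigned a quoted literal.
ASSIGN_RE = re.compile(
    r"""(?i)(?P<name>\w*(password|passwd|secret|token|api_?key|access_?key|private_?key)\w*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"']+)["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 3.5, min_len: int = 16):
    """Return one finding per offending line: {line, rule, match}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # this toy scanner ignores comment lines
        m = AWS_KEY_RE.search(line)
        if m:
            findings.append({"line": lineno, "rule": "aws_access_key_id", "match": m.group(0)})
            continue
        m = ASSIGN_RE.search(line)
        if m:
            value = m.group("value")
            # High entropy plus length suggests a generated token; otherwise it is
            # still a hardcoded secret, just a weaker, human-chosen one.
            if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                rule = "high_entropy_secret"
            else:
                rule = "hardcoded_secret"
            findings.append({"line": lineno, "rule": rule, "match": m.group("name")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILE):
        print(f"line {f['line']}: {f['rule']} ({f['match']})")
```

Run against the constructed file, the scanner flags lines 2, 3 and 4 and stays silent on the environment-variable line and the harmless greeting. Real scanners add many more fixed-format rules and a baseline of known false positives; the point of the example is that the signal in a repository like Sisense’s is mechanically detectable, and that the check has to run where a human will see the result.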

Here’s why this mattered beyond Sisense itself: Sisense’s product works by ingesting credentials from its customers’ own data infrastructure so it can pull analytics from their systems. Which means those stolen credentials didn’t just expose Sisense’s data. They potentially opened a door into every enterprise environment those credentials controlled.

CISA confirmed it was actively involved given the potential cascade risk to critical infrastructure operators.

What it cost

Sisense hasn’t published a quantified financial impact, and the full extent of downstream customer exposure hasn’t been publicly confirmed.

But the structural consequence is clear. When a platform whose entire value proposition is trusted access to enterprise data gets breached at the credential layer, the reputational damage isn’t temporary. And for any regulated customer whose own environment may have been accessed through those stolen keys, the compliance and legal exposure is very real.

The breach was in the repository. The signal was detectable. What was missing was the human attention to act on it first.

What Both Incidents Are Actually Telling Us

CDK and Sisense are different in almost every way: different industries, different attack vectors, different geographies, different consequences.

What they share is this: both incidents moved at a pace that outran the defender’s ability to respond. Both were, in principle, detectable. Both happened at organisations with substantial security investment.

The failure wasn’t a missing tool. It was a missing operational discipline.

A SIEM generating 3,000 alerts a day that gets two hours of analyst attention isn’t a detection system. It’s a log archive. A credential monitoring tool that flags anomalies nobody investigates isn’t a security control; it’s documented evidence that the signal existed and was missed.

ISACA put this plainly: organisations running 20 overlapping tools have failed under ransomware, while others running five well-operated controls with consistent human attention have absorbed attacks that far worse-equipped companies never survived. The differentiator wasn’t the tooling. It was the operating discipline.

Six Things to Actually Do About This

1. Audit what’s actually operated – not just what’s owned.
How it plays out in practice: Write down every security tool you have. Then next to each one, write the name of the person who actively monitors it and has a documented response process. The gap between those two lists? That’s your real exposure. Take it to your board.

2. Put a name on security accountability.
How it plays out in practice: Alert fatigue starts as a leadership problem before it becomes a technology one. If no single person owns your organisation’s alert-to-action ratio, that’s the governance gap – not the tooling.

3. Prioritise integration over raw capability when evaluating anything new.
How it plays out in practice: A tool that slots into your existing workflow beats a best-of-breed product that sits in its own isolated dashboard. Before features, ask: does this talk to everything else we already run?

4. Apply the Sisense question to every vendor holding your credentials.
How it plays out in practice: Every third party with access to your systems is a potential door in. Audit who has what, on what rotation schedule, and what happens if they’re breached. This isn’t IT hygiene – it’s board-level governance.

5. Measure how fast you respond, not just how much you detect.
How it plays out in practice: CDK’s attackers moved from initial access to full disruption in under 24 hours. The real question isn’t whether you have an incident response plan; it’s how many minutes pass between an alert and a human taking action. Start tracking it.
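Items 1 and 5 above are both measurements, and they can be computed from data most teams already have: the list of tools with a named owner, and the alert stream with a timestamp for when a human first touched each alert. The following is an added example, not code from the article or any product it mentions, showing the two metrics side by side: the unaddressed-alert rate and median alert-to-action time from item 5, and the ownership gap from item 1. The tool names, owners and alert records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    tool: str
    severity: str
    fired_at: datetime
    acked_at: Optional[datetime]  # None means no human has acted on it yet


# Constructed: which tools have a named person who monitors them (item 1).
TOOL_OWNERS = {
    "edr": "alice",
    "siem": "bob",
    "cloud-posture": None,   # bought, deployed, nobody assigned
    "email-gw": None,
}

# Constructed: one night's worth of alerts, trimmed to eight records.
T = datetime.fromisoformat
ALERTS = [
    Alert("a1", "edr", "high", T("2024-06-18T02:00"), T("2024-06-18T02:12")),
    Alert("a2", "siem", "critical", T("2024-06-18T02:05"), T("2024-06-18T02:50")),
    Alert("a3", "edr", "medium", T("2024-06-18T03:00"), T("2024-06-18T03:30")),
    Alert("a4", "cloud-posture", "high", T("2024-06-18T02:10"), None),
    Alert("a5", "cloud-posture", "low", T("2024-06-18T02:20"), None),
    Alert("a6", "email-gw", "medium", T("2024-06-18T02:30"), None),
    Alert("a7", "email-gw", "high", T("2024-06-18T02:45"), None),
    Alert("a8", "siem", "low", T("2024-06-18T03:10"), None),
]


def ownership_gap(tool_owners: dict) -> list:
    """Tools that exist in the stack but have nobody named to operate them."""
    return sorted(tool for tool, owner in tool_owners.items() if owner is None)


def unaddressed_rate(alerts: list) -> float:
    """Fraction of alerts no human has acted on (the article's 63% figure)."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a.acked_at is None) / len(alerts)


def median_minutes_to_action(alerts: list, severity: Optional[str] = None) -> Optional[float]:
    """Median minutes from alert firing to a human acting, optionally per severity."""
    durations = [
        (a.acked_at - a.fired_at).total_seconds() / 60
        for a in alerts
        if a.acked_at is not None and (severity is None or a.severity == severity)
    ]
    return median(durations) if durations else None


def report(alerts: list, tool_owners: dict) -> dict:
    """The numbers a security lead would put in front of the board."""
    unowned = ownership_gap(tool_owners)
    return {
        "total": len(alerts),
        "unaddressed_rate": unaddressed_rate(alerts),
        "median_minutes_to_action": median_minutes_to_action(alerts),
        "unowned_tools": unowned,
        "alerts_from_unowned_tools": sum(1 for a in alerts if a.tool in unowned),
    }


if __name__ == "__main__":
    for key, value in report(ALERTS, TOOL_OWNERS).items():
        print(f"{key}: {value}")
```

On the constructed data, five of eight alerts are untouched, the three that were handled took a median of 30 minutes, and four of the five untouched alerts came from the two tools nobody owns. That last figure is the one the article is driving at: the ownership gap and the unaddressed rate are the same problem seen from two directions.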

The Business Case That’s Getting Harder to Ignore

Here’s the number that tends to focus executive attention: IBM’s 2024 Cost of a Data Breach Report found that organisations identifying breaches with their own security teams had breach costs nearly $1 million lower than those where attackers made the disclosure. And organisations extensively using security automation saved an average of $2.2 million per breach compared to those without.

Those aren’t security metrics. They’re margin metrics.

The organisation that detects and contains an incident in hours, rather than in IBM’s reported average of 181 days for breach identification, doesn’t just reduce risk. It protects revenue, protects customer trust, and protects its standing with regulators and insurers.

In an environment where cyber insurance underwriters are scrutinising security programmes harder than ever, and where regulators are moving from guidance to enforcement, the discipline of a consolidated, actively operated security programme is increasingly a competitive asset.

One Honest Question to End On

Your organisation has made significant security investments. That’s not in doubt.

The question is whether those investments are accumulating genuine protection or accumulating complexity that buries the signal you actually need to see.

For most organisations, the answer requires consolidating the stack, closing the gap between tool ownership and operational discipline, and making a deliberate decision about whether in-house capacity is sufficient to run what you’ve built.

For organisations that can’t staff a 24/7 security operations function at the depth the threat environment demands – which is most organisations outside the largest enterprises – managed services exist precisely to fill that gap.

The tools don’t protect you. The people reading the tools protect you.

And right now, at 2 a.m., the question worth sitting with is: who’s actually reading yours?
