Stop buying security tools

Stop buying security tools

Businesses keep buying security tools without necessarily improving cyber resilience. Michael Adjei, Director, Systems Engineering at Illumio, examines why procurement should focus less on additional dashboards and more on containment, complexity reduction, and measurable security outcomes.


Cybersecurity is often measured by businesses solely through a procurement lens. When organisations identify a gap, the instinct is to add another tool, control or layer.

It is often assumed that a business becomes more resilient by having more dashboards, more telemetry and more coverage. This shows activity but often without valuable, measurable progress. 

This is backed up by a recent survey by Barclays, which found that fewer than three in 10 UK businesses were confident in their ability to respond to a major cyber incident, despite 82% saying their cybersecurity measures are keeping pace with technology adoption.

Something is not adding up. We are spending more to keep up with technology but not improving our security outcomes. It suggests something is wrong with our security spending habits.

Buying for activity vs buying for value —

From new threats emerging weekly to new regulations placing greater emphasis on understanding cyber risk, businesses are under immense pressure to secure their networks.

When under such pressure, the automatic response is often to get into activity-mode by buying a new tool that promises to solve the problem quickly. As a result, organisations evaluate products in isolation, focusing purely on what each tool does rather than how it contributes to wider security outcomes.

Doing so might solve a short-term headache, but it often creates significant long-term pain. When buying a tool to solve a single problem, little thought is given to how it behaves within the wider security ecosystem.

The result is overlapping tools, narrow capabilities and purchases driven by confidence rather than clarity. The average organisation now runs 83 different security solutions from 29 vendors.

When organisations operate that many tools, licenses go unused, alerts go uninvestigated and capable teams become stretched across an unmanageable attack surface.

The problem with fixating on tools for attack prevention —

On top of buying too many tools, businesses invest heavily in defences against initial access, execution, persistence, privilege escalation and defence evasion. 

In other words, the stages attackers use to gain entry and establish a foothold. They have analyst coverage, procurement pathways and budget allocations all focused on perimeter-based security.

However, the second phase, where breaches become business crises, is often underfunded, under-tooled and treated as an afterthought.

You might argue that preventing an attack from entering the network should naturally be the priority. That would be true in an ideal world but in reality, you must assume-breach because it is a matter of when not if.

I often compare it to Covid when explaining to boards and leadership teams. Covid does not jump from person to person. It first spreads within the host, and if the immune system cannot contain the infection internally, only then does it spread outward.

Cyberattacks work in much the same way. Yet comparatively little investment has been made on the containment side to stop an attack spreading once it is already inside the environment.

This is borne out by the challenges organisations face when responding to major incidents.

According to CyberEdge research, 95% of organisations are confident they can detect unauthorised lateral movement. However, only 46% can stop it and 17% can isolate a compromised asset in real time.

Essentially, we have built extraordinarily sophisticated systems for seeing the attacker. We have built very little to stop them once they are moving. By failing to contain attacks, businesses allowing them to exfiltrate data, disrupt operations, and cause financial and reputational harm.

My argument is not that organisations should stop buying security solutions. Rather, asking does this investment improve our ability to identify risk, visualise it and enforce controls consistently across the environment?

How organisations should be buying tools —

The starting point for organisations should be a greater focus on the containment side of security, the “spread phase.”

Prioritising impact reduction limits the blast radius of an attack, protects critical systems and reduces the likelihood of a breach becoming a full-scale business crisis. Reducing the probability of attack remains important, but it is becoming increasingly difficult to control.

Attack surfaces are expanding, environments are becoming more complex and attackers are moving faster. Impact, by contrast, is often much more within the defender’s ability to influence.

This requires a change in procurement mindset. Every security purchase should begin with a clearly defined outcome and operating model. What problem are we solving? How will this work within our environment? Who will own it once deployment is complete?

If a prospective solution cannot clearly bring value, organisations should question whether they are solving a security problem or simply adding to the complexity they are already struggling to manage.

This is especially important in foundational areas such as lateral movement, persistence and privilege escalation. These are not narrow challenges that can be solved through isolated point solutions. They require consistent capabilities across the entire estate because attackers do not respect organisational silos, network boundaries or procurement categories.

Ensuring the next security purchase increases cyber resilience —

The aim should be to build a security architecture where people, processes and tools work together to reduce real risk and increase your resilience even in an attack. 

Buying in more tools doesn’t guarantee progress, no matter how much is spent or how impressive the solutions claim to be. Focusing on reducing complexity, containing attains and delivering measurable security outcomes is the way to succeed.




  • Carbon data gap limits lower emission business travel

    Carbon data gap limits lower emission business travel

    Carbon data gaps are weakening lower-emission workforce accommodation decisions today. Most organisations cannot consistently compare emissions before booking, leaving sustainability teams to measure travel after the commercial choice has already been made.


  • Crimson expands regional AI apprenticeship pipeline

    Crimson expands regional AI apprenticeship pipeline

    Crimson is expanding apprenticeships to strengthen regional AI capabilities locally. The Birmingham consultancy is recruiting data and automation trainees as employers confront shortages of commercially experienced technology professionals.


  • Workplace EV charging grants near £34m

    Workplace EV charging grants near £34m

    Workplace charging grants have supported nearly seventy thousand sockets nationwide. Almost £34m has been distributed since 2016, although regional differences and the scheme’s March 2027 closure create new planning pressure.