Too many security tools generate as much additional work as they do alerts: the best reduce both risk and toil.
I came across a thread on r/cybersecurity the other day that really struck a nerve. The original post hit on a statistic brought up at M365 in New York that organizations with 12 or more tools in their security stack were seeing nearly three times as many incidents as others.
The discussion in that thread covered the expected range of opinions, and it hit home with me, because the underlying issues are among the core problems that we’re trying to solve here at Material.
Spoiled for choice
The end goal of adding new tools to your security stack is, obviously, to protect your environment somehow: to detect more threats, harden your posture, give your team more visibility, or some combination thereof.
We’ve got no shortage of options for tools in the security industry. We’ve all seen some variation of the security vendor landscape map, and they all look like eye charts of tiny logos floating in a sea of vendors.
There’s a reason all those vendors exist and so many of them not only stay in business but thrive: most of them are at least pretty good at what they do. They detect the threats, misconfigurations, vulnerabilities, and other risks lurking in your environment. And if you choose your new tools with at least some degree of competence, each new tool will find problems that your existing toolset couldn’t… otherwise, why buy the tool?
But where so many security tools miss the mark is that while they may be great at finding problems, many (most?) are not so great at helping you fix them.
Visibility isn’t the enemy
When you add a new tool to your stack and suddenly see more incidents and alerts, it’s not because your environment suddenly got riskier: it’s because you’re shining light on things you couldn’t see before. That’s a good thing. Nobody wants to be flying blind.
But visibility alone doesn’t make your life easier. In fact, it usually makes it harder because now you’re buried under another feed of alerts, another dashboard, and another pile of “maybe bad” signals to sort through.
Shiny new tool, terrifying new workload
If you’ve ever trialed a tool that bragged about “catching everything,” you know what happens next: your team spends half the day chasing false positives, manually correlating signals, and reconciling dashboards. Some email security and SaaS tools are especially guilty of this — they flood you with “detections” that look impressive in a demo but turn into chores in production.
That’s not security. That’s overhead. The end result is that your new tool detected a bunch of problems that existed before but that you were blissfully ignorant of. Now they’re a new problem to solve.
And this is where skeptics of point solutions and buying a slew of best-in-breed products have a bit of a point: too many detection tools flood you with alerts. That now-old joke that the “R” is silent in most “detection and response” tools exists for a reason and still rings true today. Every “AI-powered” inbox filter or “next-gen” anomaly detector loves to hand you a dashboard of possible problems.
There’s a certain saturation point where too many signals–even strong, valid ones–become noise in and of themselves. Particularly for lean security teams, being buried in blinking red lights doesn’t solve the problems you’re suddenly detecting. You burn cycles chasing false positives, reconciling dashboards, and manually triaging junk. Which, not coincidentally, is how a lot of so-called email security platforms end up being more pain than protection.
The right way forward
The reality is there’s no “correct” number of tools in your stack, obviously. Every organization is different, with different needs and security teams of different sizes and specialties.
The number of tools you’re using doesn’t matter; what matters is whether a tool:
- Closes a blind spot left by your other tools that actually matters
- Automates as much work as realistically possible
- Gives you a clear outcome instead of another “insight” to babysit
If a tool can’t check at least two of those boxes… is it really worth it?
I’ve seen this dynamic play out across different parts of the industry. Teams add tools because they want to be safer–and in many cases they get the visibility they need. But far too often, the tools can’t effectively operationalize the information they provide.
What separates the products that last from the ones that get ripped out is usually pretty simple: they reduce risk and reduce toil.
That’s the north star in my work now. The best security tools don’t just tell you what’s wrong, they help you fix it. They give you peace of mind and they give you and your team time back, so you can put that mental energy into pushing your business and your security strategy forward, rather than playing whack-a-mole on yet another console.