Time to go cold turkey on addictive security
After many years speaking with security decision makers at enterprises, I can confirm a universal truth: cybersecurity teams love buying in new tools!
I've lost count of the times organisations have proudly walked me through their paper-tiger security stack, complete with an impressive selection of tools, including a smattering of "next-gen" offerings promising to detect, prevent and predict attacks in various forms.
Then, in what can only be described as a case of cyber split personality, they admit to a deep-seated fear that they do not understand what is happening across their networks, and that they could not reliably contain a breach should one take hold.
We have cool tools but no clue! My colleague Raghu Nandakumara calls this the “TikTok security stack” – short-form, trend-driven solutions delivering quick dopamine hits of confidence rather than lasting resilience.
I'm not as in tune with Gen Z metaphors, so, much like the "new car smell", I prefer the term "new tool smell" to describe an industry of cyber shopaholics who have become addicted by default.
What is addiction by default?
When organisations are trying to improve security, their default response is to go for a dopamine hit and buy a new tool; cyber security retail therapy, if you will.
Over time, this becomes the operating model. Security challenges are met with procurement. Procurement is mistaken for progress. And progress is measured in dashboards, not outcomes.
If you trace the history of cybersecurity, it reads like a catalogue of ever-expanding optimism. And yet organisations are still being breached at an alarming rate.
According to the UK government’s 2025/26 Cyber Security Breaches Survey, over four in ten businesses (43%) reported experiencing some kind of cyber security breach or attack in the last 12 months.
So why are we still struggling? Because most organisations evaluate tools in isolation. Each product is assessed on what it does, not on how it behaves within the wider organisational ecosystem. The result is a patchwork of excellent individual components that, taken together, provide less clarity and less cohesion than any one of them promised.
The illusion of coverage
The modern overstuffed security stack looks impressive on paper but often struggles to deliver meaningful resilience in practice, because its capabilities are disconnected, leaving gaps between what an organisation can see and what it can actually do.
This problem is reflected in our Containment Gap research, where 95% of security professionals are confident they can detect unauthorised lateral movement, but only 17% can isolate a compromised workload in near real time.
Most (51%) still take a few hours or longer to contain an incident. In the past, you might have escaped without any consequences. However, nowadays AI is enabling faster, more autonomous attacks, and the window to contain an incident now needs to be minutes or even seconds. You see the problem now.
Why we keep buying tools anyway
I'm not saying we should stop buying security tools. Far from it. Technology is a fast-paced field, and luddites will be left behind. Rather, we need to change how we think about procurement. Reward drives behaviour, so a lot hinges on the reward systems organisations implement.
Security teams are often rewarded for implementing new technologies: it is visible, measurable, and looks good in board papers. It is simply easier to count tools than to measure resilience. Hence the unravelling state of the industry today, especially with frontier AI thrown into an already precarious mix.
And then there is the uncomfortable reality of leadership tenure. Many Chief Information Security Officers (CISOs) are in post for less than two years. That is barely enough time to update your laptop, let alone re-architect an entire security model.
So the rational response becomes: buy something that works quickly, typically a point solution that promises coverage against a specific threat or environment, and present the purchase as progress, even though it is only the illusion of it.
It is a bit like buying a very expensive treadmill to get fit. It arrives, looks impressive, but then before long it’s collecting dust in the corner. The problem wasn’t the availability of a treadmill; it was a lack of time, energy, or discipline.
In security, you bought a product, but you didn’t change the underlying habit: the behaviour and reward system that produces the cyber shopaholic in the first place.
Convenience Tooling vs Consolidated Security
If we look at how attacks unfold, most organisations are now reasonably efficient at identifying threats, but not necessarily at stopping them once they start. Far fewer are able to contain movement once an attacker is inside, and that lateral movement is where the real damage begins.
Forward-thinking leaders are moving away from buying the latest prevention tool simply because it is easy, and towards asking “what does this add to the continuity of our security system?”
A proper understanding of security coverage also requires honesty. Not heat maps or reassuring dashboards, but a real mapping of controls against actual threat behaviour in line with organisational outcomes.
In foundational areas such as lateral movement, persistence and privilege escalation (how a breach starts versus how it spreads), the goal should be platforms that deliver consistent capabilities across the entire estate.
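As an added illustration of what an honest mapping of controls against threat behaviour can look like (this is example code written for this post, not a tool or method from the original), the script below scores a constructed tool inventory against the three behaviours above, per segment of the estate, and separates what the stack can see from what it can stop. The tool names, the estate segments and the containment times are all assumptions made for the example.

```python
"""Control-coverage check: does the stack only *see* a technique, or can it *stop* it?

Added example for this post; the inventory below is constructed, not a real customer's.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Threat behaviours the post calls foundational, and the (assumed) estate segments
# that every control is scored against.
TACTICS = ("lateral-movement", "persistence", "privilege-escalation")
ESTATE = ("datacentre", "cloud", "endpoint")


@dataclass(frozen=True)
class Control:
    tool: str                  # product providing the capability
    tactic: str                # behaviour it addresses (one of TACTICS)
    capability: str            # "detect" (see it) or "contain" (stop it)
    scope: frozenset           # estate segments where it is actually deployed
    contain_seconds: Optional[int] = None  # time to enforce, for "contain" only


# Constructed inventory: six tools, every tactic "covered" on paper.
SAMPLE_STACK = (
    Control("EDR-A", "lateral-movement", "detect", frozenset({"endpoint"})),
    Control("EDR-A", "lateral-movement", "contain", frozenset({"endpoint"}), 60),
    Control("NDR-B", "lateral-movement", "detect", frozenset({"datacentre", "cloud"})),
    Control("NGFW-E", "lateral-movement", "contain", frozenset({"datacentre"}), 4 * 3600),
    Control("SIEM-C", "persistence", "detect", frozenset(ESTATE)),
    Control("PAM-D", "privilege-escalation", "detect", frozenset(ESTATE)),
    Control("UEBA-F", "privilege-escalation", "detect", frozenset(ESTATE)),
)


def coverage(controls):
    """Map (tactic, capability) -> set of estate segments with at least one control."""
    cov = defaultdict(set)
    for c in controls:
        cov[(c.tactic, c.capability)] |= set(c.scope)
    return cov


def containment_gaps(controls, tactics=TACTICS, estate=ESTATE):
    """(tactic, segment) pairs the stack can detect but not contain: the illusion of coverage."""
    cov = coverage(controls)
    return [
        (t, s)
        for t in tactics
        for s in estate
        if s in cov.get((t, "detect"), set()) and s not in cov.get((t, "contain"), set())
    ]


def time_to_contain(controls, tactic, segment):
    """Fastest automated containment for a tactic in a segment, or None if it would be manual."""
    times = [
        c.contain_seconds
        for c in controls
        if c.capability == "contain" and c.tactic == tactic
        and segment in c.scope and c.contain_seconds is not None
    ]
    return min(times) if times else None


def stack_summary(controls, tactics=TACTICS, estate=ESTATE):
    """Tool count (what boards see) next to detect/contain coverage (what matters)."""
    cov = coverage(controls)
    pairs = [(t, s) for t in tactics for s in estate]
    detect = sum(s in cov.get((t, "detect"), set()) for t, s in pairs)
    contain = sum(s in cov.get((t, "contain"), set()) for t, s in pairs)
    return {
        "tools": len({c.tool for c in controls}),
        "detect_ratio": round(detect / len(pairs), 2),
        "contain_ratio": round(contain / len(pairs), 2),
        "gaps": containment_gaps(controls, tactics, estate),
    }


if __name__ == "__main__":
    summary = stack_summary(SAMPLE_STACK)
    print(f"{summary['tools']} tools; detect {summary['detect_ratio']:.0%}, "
          f"contain {summary['contain_ratio']:.0%}, gaps {len(summary['gaps'])}")
    for t in TACTICS:
        for s in ESTATE:
            ttc = time_to_contain(SAMPLE_STACK, t, s)
            print(f"  {t:<22} {s:<11} containment: {'manual' if ttc is None else f'{ttc}s'}")
```

Run stand-alone it reports a stack that detects every behaviour in every segment but can contain only two of nine combinations, one of them in hours rather than seconds; counting tools would have said six and nothing else. Replacing the constructed inventory with a real one is the honesty the section asks for.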
More technology is not automatically better security. In fact, it often just creates more opportunities for fragmentation, confusion, and optimistic PowerPoint slides.
The organisations that succeed will be those that stop measuring progress by the size of their security stack and start measuring it by the effectiveness of the outcomes it delivers.

