Your Security Stack Is Probably More Complex Than It Needs to Be
Key Highlights
- Deployment velocity matters: Security tools that can be fully deployed in weeks — not months — often deliver more immediate risk reduction and business value.
- Complexity carries hidden costs: Staffing requirements, ongoing maintenance and training demands can significantly increase the true cost of ownership.
- Utilization beats feature count: A solution that uses 100% of its core capabilities may provide greater protection than a feature-rich platform that remains only partially implemented.
I keep having the same conversation with CISOs at 500- to 2,000-employee organizations. They know exactly what controls they need. They’ve done the assessments. They’ve picked the tools. And six months later, they’re still not fully deployed.
The timelines don’t slip because the technology is too complicated. They slip because the tools require more people, more process, and more ongoing care than the organization can realistically provide. It’s a resource problem disguised as a technology purchase.
After watching this pattern repeat across hundreds of mid-market deployments, I think we’re measuring the wrong things when we buy security tools. And it’s costing us more than most people realize.
The feature matrix trap
Many procurement processes are still centered on feature comparisons and compliance checklists. You shortlist 2-4 vendors, line them up side by side, compare their capabilities, and select the one with the most boxes checked.
Sounds good on paper. In reality, the result is very predictable: in my experience across hundreds of mid-market deployments, medium-sized organizations buy the most capable product they can afford and then use approximately 30% of the capability they paid for. The remaining 70% is technically available but stays unconfigured and unmaintained, and therefore never protects anything.
I see this occurring in many cases with Privileged Access Management (PAM). As someone who builds PAM solutions for mid-market organizations, I’ve seen this dynamic play out repeatedly. Enterprise PAM platforms provide a wide variety of features including session recording, behavioral analysis, and integration with numerous systems. All of these are genuine and valuable features. However, they assume that you have a full-time team to implement them, at least a 6-month timeline to configure them, and an ongoing full-time staff to maintain all of the implemented features.
Most mid-market organizations have none of these resources. They typically have 1-2 IT generalists who handle every technology issue in the organization, from printer jams to network security. Asking someone with that breadth of responsibility to also implement and manage a large PAM deployment is simply unrealistic.
Three metrics that actually matter
If I were advising a CISO on how to assess any security tool today, I would set the feature matrix aside and focus on three questions.
The first question is how long it will take for the tool to be completely operational, and what percentage of your endpoints it will cover in that time. For a targeted solution it should take weeks, not months, to reach full operational status. When a vendor tells you the deployment time frame for their product is 6-9 months, you are accepting 6-9 months of risk that the control is not yet reducing.
The second question is how many people it will take to run the tool. If the answer is "we will need to hire an employee" or "you will probably want our professional services team to assist with maintaining this product," factor that into the true cost. A $40,000 per year product that requires a $90,000 per year employee to maintain is a $130,000 per year commitment. Make sure you budget for that.
The third question is what percentage of the tool you will really use. Be honest about this. If you believe your staff can configure and maintain 40% of a comprehensive tool's capabilities, that may well be better than a less capable tool whose capability you could use in full. In some cases, though, the less capable tool delivers more real security value than the more capable one, simply because of its lower overall complexity.
Deployed beats theoretical
I am definitely not arguing against complete or comprehensive security platforms. In large enterprises with established security functions and sufficient staff, these solutions absolutely pay for themselves. But extracting their full value requires enough competent personnel to cover the breadth and depth of each solution.
However, for the majority of the CISO population at mid-sized organizations, the equation has changed. If a security tool is able to deploy 100% and operate automatically without any additional oversight then it is likely going to do much more for your organization’s overall security posture than a tool that is deployed to 30% of its potential and requires constant attention.
There is a compounding effect as well. Security solutions simple enough to be managed by existing staff survive employee turnover. It is common at mid-sized organizations for the only person who understands a particular security solution to leave, with no one else knowing how to operate it. The result is an expensive piece of software that becomes a liability over time. I have seen this happen within a few months of a solution being fully implemented.
Changing how we buy
The next time you are evaluating a security purchase, try running this exercise. Take each vendor's implementation timeline and multiply it by 1.5, because it always takes longer than the sales team says. Then calculate the fully loaded cost, including internal staff time. Finally, ask your team, honestly, what percentage of the feature set they will realistically configure and maintain in year one.
The answers will change how you rank your options. For mid-sized companies especially, the simpler choice isn’t a compromise — it is the one that actually gets deployed, actually gets maintained, and actually reduces your risk.
About the Author
David Bellini
Co-Founder and CEO of CyberFOX
David Bellini is Co-Founder and Chief Executive Officer of CyberFOX. He and his brother Arnie previously spun ConnectWise out of their Tampa-based IT service provider, building it into one of the managed services industry’s most widely used platforms. During his tenure he served as COO and later President of International Sales and Operations, and was instrumental in Thoma Bravo’s 2019 acquisition of the company. At CyberFOX, Bellini is focused on bringing enterprise-grade security to mid-market organizations.