A security logo is shown on screen during a keynote address. (Photo by Ethan Miller/Getty Images)

In a study that shows how security teams have taken on too many tools and can’t afford it anymore, Gartner on Tuesday reported that 75% of organizations surveyed are pursuing security vendor consolidation in 2022, up from 29% in 2020.

The survey also found that 57% of organizations are working with fewer than 10 vendors for their security needs, as they are looking to work with fewer vendors in key areas such as secure access service edge (SASE) and extended detection and response (XDR).

“Security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and the lack of integration of a heterogenous security stack,” said John Watts, a vice president and analyst at Gartner. “As a result, they are consolidating the number of security vendors they use.”

Rick Holland, chief information security officer, vice president of strategy at Digital Shadows, said for decades, we have been on the elusive quest for consolidation and "single panes" of glass. Unfortunately, Holland said tool sprawl and its complexity are in our DNA. So Instead of defense-in-depth, Holland said we have relied upon an "expense-in-depth" strategy and become cybersecurity tool hoarders: we keep buying without thinking about the implications.

“Best-in-breed solutions are acceptable if you have the resources to stitch them together, but most organizations don't have this capability,” Holland said. “I would argue that even if you have the engineering capability, do you want to run a software development shop? Consolidate tools, leverage solutions like XDR that can orchestrate your defense, and free your resources to focus on more strategic outcomes for the business, like application security and incident response.”

Dave Gerry, chief operating officer at Bugcrowd, said the rapid expansion of new security products has led to many organizations purchasing the "latest and greatest" without having a strong integration plan in place. Gerry said even the best security product, without a deployment and integration plan will lead to underutilization.

“For the past few years, the industry has seen an incredible amount of M&A consolidation and security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack, driven by both the cost of the security products and the limited internal resources to effectively operate the products,” Gerry said.

Ernie Bio, a partner at Forgepoint Capital, added that while it’s easy to decry tool sprawl, CISOs need to balance trusted platforms with innovation, especially with the rise of product-led growth models that demonstrate immediate proof-of-value and drive bottoms-up adoption by employees at the front lines of serious vulnerabilities and attacks.

“The arrival of SASE and XDR are helpful ways of thinking about and/or architecting more holistic security solutions, but they are not panaceas,” Bio said. “They are a way to natively integrate security, and in the case of SASE, networking, into a holistic solution, in theory, consolidating the number of vendors. Security teams often struggle with integrating yet another security point solution into the stack. Furthermore, many tools are not being optimized or sometimes, used at all, as they get lost in the noise.”