The hidden costs of security tool bloat and how to fix it
In this Help Net Security interview, Shane Buckley, President and CEO at Gigamon, discusses why combating tool bloat is a top priority for CISOs as they face tighter budgets and expanding security stacks.
Buckley shares insights on how deep observability can streamline security operations, optimize costs, and strengthen a defense-in-depth strategy.
Many CISOs are under pressure to reduce security budgets while maintaining strong defenses. Why should combating tool bloat be a top priority this year?
CISOs constantly face the challenge of doing more with less. They are tasked with implementing a defense-in-depth strategy—a layered cybersecurity approach that protects against both front-end and back-end threats. This task grows increasingly complex as organizations adopt hybrid and multi-cloud infrastructures, integrate AI, expand security tool stacks, and navigate escalating management challenges.
One of the biggest challenges CISOs face is tool bloat, or the accumulation of redundant or underutilized security tools that can drive up costs, create inefficiencies, and complicate integration. In 2024, tool bloat ranked among the top five CISO concerns. While layering security tools aims to strengthen defenses, it can lead to fragmentation, silos, and blind spots that can weaken overall security. This fragmentation can ultimately compromise a defense-in-depth strategy, increasing the risk of breaches.
To address this, organizations must prioritize gaining complete visibility into all data in motion, monitoring East-West (lateral) movement and improving the fidelity of telemetry through network-based metadata. Deep observability, the integration of log and network telemetry data, not only streamlines security tool stacks and enhances efficiency but also reduces complexity—ensuring every tool delivers a meaningful contribution to a defense-in-depth strategy.
Are there particular security domains where you see the most redundancy or overlap between tools?
Tool overlap often occurs between observability and Security Information and Event Management (SIEM) tools. Organizations find they can maximize the value of both when they integrate metric, event, log, and trace (MELT) data with network-derived telemetry. This powerful combination provides the deep observability needed to uncover previously unseen vulnerabilities, such as weak ciphers and expired certificates, that could increase the risk of a breach.
Can you share best practices or frameworks organizations should use when evaluating which tools to keep, replace, or eliminate?
To maximize the value of existing security and observability tools, organizations need deep observability into data in motion and the ability to optimize data flows sent to tools for analysis. This reduces duplicative or irrelevant data, potentially lowering the need for multiple tool instances. By analyzing network traffic once and distributing it to multiple tools, organizations can enhance efficiency and reduce agent bloat—a growing challenge as security stacks expand.
Key steps to optimize tool usage:
- Conduct a tool inventory – Assess all security and observability tools, their costs, and functions.
- Benchmark performance – Identify tools that strengthen security posture versus those causing redundancy.
- Prioritize integration – Choose tools that provide broad coverage and integrate well, avoiding siloed point solutions.
Taking these proactive steps ensures each tool plays a distinct role in a layered security model, strengthening defense-in-depth while improving cost efficiency and operational effectiveness.
How can organizations ensure that tool reduction does not lead to security gaps, especially when consolidating different functions into fewer platforms?
Organizations should prioritize tool optimization over reduction. By integrating MELT data with network-derived telemetry and efficiently delivering it to security and observability tools, organizations gain deep observability across network traffic, cloud environments, and endpoints. This added insight helps map security coverage more effectively and aids in eliminating redundant tools.
However, consolidation should be an ongoing process. Security leaders must continuously monitor and assess their tool stack to maintain security effectiveness long after tool consolidation and optimization.
How does improved network visibility help reduce the need for redundant security tools?
Limited visibility often drives organizations to deploy overlapping tools. Given these tools are not instrumented properly, they also do not see all the relevant traffic, causing gaps in security posture. Deep observability eliminates this need by providing a comprehensive view into all data in motion across hybrid cloud environments, not just north-south but east-west (lateral) movement as well.
The key outcomes of this include:
- Proactive threat detection – Lateral (east-west) movement is a blind spot for many security teams. Deep observability enables faster threat detection and response.
- Reduction in redundant tools – A unified, real-time view into all data in motion reduces the need for unnecessary monitoring tools.
- Enhanced operational efficiency – Network-derived telemetry delivers actionable insights, eliminating reliance on fragmented, overlapping tools.
By gaining deep observability, organizations can streamline their tool stacks and execute a robust defense-in-depth strategy.