83 Tools, Still Breached

Why tool sprawl widens blind spots, and how consolidating onto fewer platforms speeds detection and eases the load on the team.

A security analyst at a mid-sized firm starts a Tuesday shift with fourteen consoles open. Each one shows a slice of the network. None shows the whole picture. By the time she connects an endpoint alert to a login anomaly sitting in the identity tool, the intruder has already moved on. Every tool worked exactly as sold. The defence still failed.

Most firms are buried in security technology. The average organisation now runs 83 separate security solutions sourced from 29 different vendors, according to research from the IBM Institute for Business Value and Palo Alto Networks, Capturing the cybersecurity dividend (2025). Each tool was bought to close a specific gap. Stacked together without integration, they open new ones.

In the same study, more than half of security executives said the fragmentation of their tools was limiting their ability to deal with threats. The stack meant to protect them had quietly become one more thing to manage.

How sprawl turns into exposure

Every tool watches its own slice: endpoint, identity, email, cloud, network. Each speaks its own data format and raises its own alerts. None carries the context held by the others.

A modern intrusion rarely stays in one slice. An attacker steals a credential by phishing, signs in as a valid user, escalates privilege, then moves toward data. That single chain surfaces as four unrelated events across four separate tools. No analyst sees the full sequence, because no single console holds it.
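The chain described above can be reassembled once each tool's alerts are mapped onto one schema and joined on the user. The following is an added example, not part of the original article; the four alert formats, field names, user names and the two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alerts: one intrusion seen by four tools, each with its own schema.
EMAIL = [{"rcpt": "j.tan@example.com", "time": "2025-03-04T08:02:11Z", "verdict": "phish-link-clicked"}]
IDENTITY = [{"upn": "J.Tan@example.com", "epoch": 1741076640, "event": "login-new-location"},
            {"upn": "m.lee@example.com", "epoch": 1741080000, "event": "login-new-location"}]
ENDPOINT = [{"account": "CORP\\j.tan", "ts": "04/03/2025 08:41:07", "rule": "privilege-escalation"}]
CLOUD = [{"actor": "j.tan", "when": "2025-03-04T09:15:30+00:00", "action": "bulk-download"}]

def user_key(raw):
    # Reduce e-mail style, DOMAIN-backslash-user style and bare names to one key.
    return raw.split("\\")[-1].split("@")[0].lower()

def normalise():
    """Map each tool's schema onto (time, user, tool, signal), sorted by time."""
    rows = []
    for e in EMAIL:
        t = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((t, user_key(e["rcpt"]), "email", e["verdict"]))
    for e in IDENTITY:
        t = datetime.fromtimestamp(e["epoch"], tz=timezone.utc)
        rows.append((t, user_key(e["upn"]), "identity", e["event"]))
    for e in ENDPOINT:
        t = datetime.strptime(e["ts"], "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append((t, user_key(e["account"]), "endpoint", e["rule"]))
    for e in CLOUD:
        rows.append((datetime.fromisoformat(e["when"]), user_key(e["actor"]), "cloud", e["action"]))
    return sorted(rows)

def chains(rows, window=timedelta(hours=2), min_tools=3):
    """Return users whose alerts from >= min_tools distinct tools fall inside one window."""
    by_user = {}
    for row in rows:
        by_user.setdefault(row[1], []).append(row)
    found = {}
    for user, events in by_user.items():
        for i, first in enumerate(events):
            span = [e for e in events[i:] if e[0] - first[0] <= window]
            if len({e[2] for e in span}) >= min_tools:
                found[user] = [(e[2], e[3]) for e in span]
                break
    return found
```

Taken alone, each of the four alerts for `j.tan` is low priority; joined on the user, they read as one sequence, while the isolated login anomaly for `m.lee` stays below the threshold.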

Volume compounds the gap. Disconnected tools generate disconnected alerts, and the real signal sits buried under thousands of low-priority notifications. Every new tool also adds its own integration points, and every integration is another door an attacker can try.

Sprawl hides quiet failures too. Tools left in default settings, half-deployed, or never connected to anything still look like coverage on a procurement list. In practice, they are gaps with a logo.

What it costs the business

For the board, the cost lands in two places.

The first is the breach itself. IBM's Cost of a Data Breach Report 2025 put the global average at 4.44 million US dollars, with the United States average at a record 10.22 million. The single largest driver of that figure is time: the longer an intrusion goes unseen, the more it costs to contain and clean up.

Speed is exactly what fragmentation takes away. The IBM and Palo Alto Networks research found that organisations running consolidated platforms detected incidents 72 days faster and contained them 84 days faster than organisations running fragmented tools.

The second cost is quieter and recurring. Redundant licences across overlapping categories run into real money every year, and every tool carries a tuning and maintenance burden that pulls engineers away from defending the network. The board ends up paying more each year for a stack that sees less.

Four moves, starting this quarter

  1. Inventory what you own.
    List every security tool and map each one to the function it covers. Where two or more tools cover the same ground, you have found your first consolidation candidates.

  2. Find the tools nobody uses.
    Flag every product running in a default configuration or opened by fewer than half the team. A tool nobody uses defends nothing. It adds cost and hides a gap.

  3. Consolidate toward platforms that share context.
    Favour platforms that exchange data with each other over point products that work in isolation. Gartner reported that 75 percent of organisations were already pursuing vendor consolidation by 2022, up from 29 percent two years earlier, and the leading reason was a stronger risk posture, not a smaller bill.

  4. Change the number you report upward.
    Stop counting tools owned. Start measuring mean time to detect and mean time to respond, and track whether each consolidation move shortens them.
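Moves 1, 2 and 4 reduce to a small audit over an inventory and an incident log. The following is an added example, not part of the original article; the tool names, usage figures and incident dates are constructed, and measuring time to respond from detection to containment is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed inventory: names, functions and usage figures are illustrative.
TEAM_SIZE = 10
TOOLS = [
    {"name": "edr-a", "functions": {"endpoint"}, "default_config": False, "active_users": 9},
    {"name": "av-b", "functions": {"endpoint"}, "default_config": True, "active_users": 2},
    {"name": "idp-c", "functions": {"identity"}, "default_config": False, "active_users": 7},
    {"name": "casb-d", "functions": {"cloud", "identity"}, "default_config": False, "active_users": 4},
    {"name": "mail-e", "functions": {"email"}, "default_config": False, "active_users": 6},
]
# Constructed incidents: (intrusion began, detected, contained).
INCIDENTS = [
    ("2025-01-02", "2025-01-12", "2025-01-20"),
    ("2025-02-01", "2025-02-21", "2025-03-03"),
]

def overlaps(tools):
    """Move 1: functions covered by two or more tools."""
    cover = defaultdict(list)
    for t in tools:
        for f in t["functions"]:
            cover[f].append(t["name"])
    return {f: sorted(names) for f, names in cover.items() if len(names) > 1}

def unused(tools, team_size):
    """Move 2: default configuration, or opened by fewer than half the team."""
    return sorted(t["name"] for t in tools
                  if t["default_config"] or t["active_users"] < team_size / 2)

def mean_days(incidents, start, end):
    """Move 4: mean days between two columns of the incident log."""
    def day(s):
        return datetime.strptime(s, "%Y-%m-%d")
    return mean((day(i[end]) - day(i[start])).days for i in incidents)

def report():
    """Collect the figures to report upward instead of a tool count."""
    return {
        "overlaps": overlaps(TOOLS),
        "unused": unused(TOOLS, TEAM_SIZE),
        "mttd_days": mean_days(INCIDENTS, 0, 1),
        "mttr_days": mean_days(INCIDENTS, 1, 2),
    }
```

Re-running `report()` after each consolidation move shows whether the overlap and unused lists shrink and whether the two means fall.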

The number worth knowing

Return to the analyst with fourteen consoles open. No new tool would have helped her. What she needed was for the ones she already had to talk to each other. A fifteenth console would only have slowed her down.

The question for the board is not how many tools defend the company. It is how many of them work together. That is the number worth knowing, and the one worth deciding to fix.


Disclaimer

This article is provided for general information only and does not constitute security, legal, or financial advice. Statistics cited reflect the sources named and the periods they cover, and figures change over time. Organisations should assess their own environment and consult qualified professionals before making security investment or consolidation decisions.


AKATI Sekurity — Tool Sprawl FAQ
Frequently Asked · Security Tool Sprawl

83 tools, and the questions worth asking about all of them.

Most security teams are not short of technology. They are short of one clear view. Here is what tool sprawl actually costs, and where consolidation starts.

Five questions

The IBM Institute for Business Value and Palo Alto Networks found the average organisation runs 83 separate security tools sourced from 29 different vendors. Each was usually bought to close one specific gap, often one incident at a time.

IBM Institute for Business Value and Palo Alto Networks, 2025

Not on its own. More than half of security executives told IBM and Palo Alto Networks that the fragmentation of their tools was limiting their ability to handle threats. Disconnected tools create blind spots between them and bury the real alert under thousands of low-priority ones.

IBM Institute for Business Value and Palo Alto Networks, 2025

Shared context. When tools exchange data, a single alert arrives carrying the signals from all the others, so analysts see the full attack chain instead of fragments. Organisations running consolidated platforms detected incidents 72 days faster and contained them 84 days faster than those running fragmented tools.

IBM Institute for Business Value and Palo Alto Networks, 2025

Security tool sprawl is the accumulation of many overlapping security products, often bought one scare at a time, that are never integrated with each other. On a procurement list it looks like coverage. In practice, the gaps between the tools become the openings an attacker uses.

Inventory every tool and map each one to the function it covers. Target the overlaps first, along with any product running in a default configuration or opened by fewer than half the team. Then change the number you report upward: stop counting tools owned, and start measuring mean time to detect and mean time to respond.
