By Anurag Singh, Chief Executive Officer, RAH Infotech
Every year, enterprises spend more on cybersecurity and yet somehow feel less secure. That is not a paradox. That is complexity working against you.
When I talk to CISOs and IT leaders across industries, there is a common thread running through those conversations. It is not a shortage of tools, but often the opposite. Over the years, organisations have accumulated so many security products, dashboards and reporting streams that the stack itself can become difficult to govern. According to Panaseer’s 2026 Security Leaders Peer Report, organisations are using an average of 61 security tools and 58 dashboards. The same research found that 65% of security decision makers believe fragmented dashboards and multiple tools are overwhelming teams with incomplete intelligence.
We are funding complexity and calling it defence.
More Tools, More Gaps
The assumption that every new security tool automatically makes an organisation safer needs to be challenged. The issue is not the addition of specialised tools by itself. Many point solutions solve very specific and important security problems. The problem begins when tools are added without architectural discipline, integration, clear ownership and measurable control outcomes.
This is where security sprawl becomes dangerous. Every tool requires trained people to operate it. Each generates its own stream of alerts. Each has its own integration requirements, reporting formats and operational dependencies. The result is not always a stronger defence posture. In many cases, it is alert fatigue, blind spots and teams spending more time managing security infrastructure than addressing risk.
There are signs that organisations are becoming more conscious of this problem. Enterprise Technology Research’s 2026 State of Security study notes that vendor sprawl is easing, with 35% of respondents expecting to increase the number of vendors in their stack, down from 40% in its 2025 survey. That is a useful shift, but the larger issue remains: security investment must now be judged by outcomes, not by the number of products deployed.
In Indian enterprises, this problem often shows up during audits, SOC reviews, cloud migrations or compliance exercises. Multiple tools may be present, but ownership, integration, evidence and control assurance are scattered. That is when leadership realises that visibility on paper is very different from operational visibility.
The Numbers Behind the Problem
Security complexity has a real price tag, and it shows up clearly in breach response, staffing pressure and governance effort. IBM’s Cost of a Data Breach Report 2025 placed the global average cost of a data breach at USD 4.44 million, down 9% from USD 4.88 million in the previous year. That reduction was attributed largely to faster identification and containment, supported by security teams and the use of AI and automation. IBM also noted that the mean time to identify and contain a breach fell to 241 days, the lowest level in nine years.
This should not be read as a sign that risk is declining. It shows that speed, automation and integrated response capabilities matter. When teams can detect, investigate and contain incidents faster, the financial and operational impact is reduced. When environments are fragmented, the opposite happens. Threats remain hidden longer, evidence is harder to correlate, and response becomes slower than it should be.
On the people side, the challenge is just as serious. The World Economic Forum’s Global Cybersecurity Outlook 2026 identifies the rapidly evolving threat landscape, third-party and supply chain vulnerabilities, and cyber skills shortages among the top challenges to cyber resilience. It also notes that among organisations reporting insufficient cyber resilience, 85% cited missing critical skills and people needed to fulfil cybersecurity objectives.
This is the cycle enterprises need to consciously break. We build more complex environments, then struggle to find enough skilled people to manage them. The result is predictable: teams get stretched, controls drift, and risk accumulates quietly.
Complexity Is an Attacker’s Best Friend
The security industry often frames complexity as a management or budget problem. I think that framing underestimates the issue. From an adversary’s perspective, a fragmented enterprise security environment is an opportunity. Disconnected tools mean inconsistent policy enforcement. Inconsistent enforcement means gaps. Gaps translate into entry points.
Panaseer’s research found that 77% of security decision makers believe traditional controls assurance is not fit for purpose for today’s threat landscape. That is a serious warning. If organisations cannot continuously verify whether controls are working as intended, then the security stack becomes difficult to trust, even when individual tools are functioning.
At the same time, threats are becoming faster and more adaptive. Cyble’s threat intelligence analysis found that ransomware attacks on U.S. targets rose 149% year-on-year in the first five weeks of 2025. While that figure is specific to the U.S. market, it reflects a broader reality that enterprise defenders everywhere recognise: adversaries are moving quickly, industrialising their methods and looking for weak links in complex environments.
Supply chain exposure adds another dimension. The World Economic Forum’s 2026 report states that 65% of large companies by revenue identified third-party and supply chain vulnerabilities as their greatest challenge to cyber resilience, up from 54% in 2025. When your third-party ecosystem is extensive and your own environment is fragmented, your perimeter becomes harder to define and even harder to defend.
What Rationalisation Actually Means
When I advocate for reducing complexity, I am not suggesting that enterprises strip down their defences. I am saying that the value of security investment is weakened when tools cannot talk to each other, when teams are managing too many disconnected consoles, and when visibility is a patchwork rather than a picture.
The path forward is not simplistic vendor reduction. It is security architecture rationalisation. Before any enterprise evaluates a new security product, it should ask whether the existing stack is being used to its full potential, whether the proposed addition integrates meaningfully with what is already in place, and whether it improves visibility, response or control assurance in a measurable way.
IBM’s 2025 breach research offers a clear signal here. Organisations with extensive use of AI in security saved an average of USD 1.9 million in breach costs compared to organisations that did not use these solutions. That is not a marginal gain. It is a structural advantage, and it comes from reducing manual overhead, improving speed and helping teams make sense of larger volumes of security data.
Integration-led security is not about taking risks with fewer defences. It is about achieving genuine visibility rather than the illusion of coverage that a sprawling, siloed stack provides.
A Leadership Imperative
Security complexity is ultimately a leadership problem as much as a technology one. It grows incrementally, one justified purchase at a time, and it rarely gets a clear line in any budget review. But the hidden costs (breach exposure, staff burnout, delayed detection, duplicated effort and wasted licensing spend) are very real.
As enterprises navigate an environment where threats are faster, smarter and better funded than ever, the answer cannot be more of the same. The organisations that will build genuine resilience are those that treat simplification, integration and control assurance as strategic priorities, not afterthoughts.
Complexity is not strength. It is often the gap that attackers walk through.