#1728837: Are Your Security Tools Creating More Work for Your Team?
| Description: |
Security tools are supposed to solve problems and make our lives easier. Why does it seem like they're doing the opposite and creating more work? Check out this post by Caleb Sima of Whiterabbit for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is Evan M., CISO, Robinhood. Huge thanks to our sponsor, Endor Labs.

The information paradox

Security tools inherently create work because they generate information that requires action. Erik Cabetas of Include Security laid out the fundamental dynamic: "Most every security tool is going to cause 'more work' because it gives you more information. You've got results, awareness, observation/insight, detections, etc. for you to make risk decisions on." He emphasized that since all tools produce something new to process and act on, the best ones are "optimized to give you the least amount of additional work with the highest quality information (i.e., high signal to noise)." Greg Notch, CSO at Expel, broke down the core capabilities every security tool provides: visibility, detection, prevention, and response, and noted that only prevention might not require additional effort, "but that's only true if its false positive AND false negative rates are very close to zero. (which I have never experienced)." The reality, he said, is that "the entire industry is about providing treatments not cures, because the cures are (usually) out of security's scope."

Setting realistic expectations

Vendors who are honest about implementation effort win in the long run. Mo Sadek of Alice (formerly ActiveFence) framed it as an expectation problem. Organizations wouldn't overestimate a tool's value if vendors were upfront about the baseline effort required before seeing real value. The vendors that ultimately succeeded "were always the ones that had a clear path to success that our teams were able to roadmap and resource." Jon R., CISO at IOmergent, reinforced this point: "Very few security tools work well out of the box; they almost all require some level of tuning and configuration. Often time much more effort than what the sales team promises." He stressed that teams should leverage vendor technical support for configuration reviews and operational processes, but if the tool remains a time sink after that effort, it's likely the wrong choice.

Prioritization over noise

The right tool is rarely the most expensive. "All tools result in more work, but having no tool creates risk," said Anthony Harrison. The distinction, he said, is that better tools help prioritize work while worse ones "just give you data (lots!) with no actionable insights." He added a crucial reminder that cost doesn't determine quality. Jad Elahmad of Century Supply Chain Solutions illustrated this with a GRC platform evaluation, where a top-market tool with strong brand recognition would have created "more administrative overhead than value. The framework was powerful, but the configuration effort, maintenance requirements, and workflow complexity would have added work for every team involved without meaningfully improving our risk posture."

The cart before the horse

Tools deployed without understanding the underlying process create more problems than they solve. Todd Hammond of Pace University identified this as an order-of-operations problem rather than a tool problem. "Too often, cybersecurity practitioners ignore basic business principles in this case, operations management," he explained. His prescription: identify the actual problem first, understand the end-to-end process without considering technology, map the workflow, then determine where technology creates velocity and efficiency. "Fit the tool capabilities to process, not the other way around," he emphasized. Drawing a sharp analogy, he noted that "a manufacturer would never install automation before designing the production line. In cybersecurity, tools are often purchased first and the process built later. That inversion is why tools end up creating more cost, complexity, and risk than they resolve."

Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. |
|---|---|
| More info: | https://www.linkedin.com/pulse/your-security-tools-creating-more-work-team-cisoseries-pxrtc/ |
| Date added | March 17, 2026, 9:02 p.m. |
