For years, cybersecurity leaders have obsessed over visibility into endpoints, cloud environments, identities, vulnerabilities, and threats. Yet one of the industry's most persistent blind spots has nothing to do with detection.
It's procurement.
The average enterprise security program now consists of dozens of products spread across multiple categories, overlapping capabilities, competing platforms, and increasingly complex licensing agreements. Every new purchase promises better protection. Every renewal arrives with a new pricing model. Every vendor claims to be a platform.
For CISOs, the challenge is no longer simply determining whether a security product works, but determining whether they actually need it.
That reality was the focus of a recent CYBR.SEC.CAST conversation featuring hosts Michael Farnum and Sam Van Ryder alongside Crush Security co-founders Joshua Jones and Josh Johnson, and JB Poindexter & Co. CISO John Barrow, who has felt the pain himself.

Manual monotony
The discussion exposed a problem that most security leaders understand all too well: Modern cybersecurity purchasing remains surprisingly manual.
"We do this manually right now," Barrow explained during the conversation. "We basically break each technology we currently own and validate versus something we're pursuing, list capabilities, cost per capability, ease of deployment, speed to value, ROI, and things like that."
For organizations operating under budget pressure, that process has become increasingly difficult.
Security teams are expected to reduce risk while simultaneously controlling costs. Boards want measurable outcomes. CFOs want justification for every expenditure. Procurement teams often lack the technical context necessary to evaluate competing solutions. Meanwhile, vendors continue expanding their products into adjacent categories, making it harder than ever to understand where genuine innovation ends and feature overlap begins.
The result is a cybersecurity market overflowing with complexity.
Jones argued that many organizations aren't suffering from a lack of security products. They're suffering from too many.
"We can look at your stack and say against the three or four thousand technologies out there, here's the least amount of overlap," he said. "Here's the feature functions. Here's how they compare side by side."
Overlap is expensive
That overlap problem is becoming increasingly expensive.
A company may purchase multiple tools that perform similar functions without realizing it. Organizations often discover that capabilities they're paying for in one platform already exist inside another product they own. In some cases, features included in Microsoft E5, Google, CrowdStrike, or other enterprise platforms remain underutilized while separate point products are purchased to solve the same challenge.
The problem isn't necessarily poor decision-making, but information overload.
Historically, organizations relied on value-added resellers, consultants, analysts, and internal architects to help navigate the market. Many still do. The best of those partners provide significant value. They understand customer environments, challenge assumptions, and help organizations avoid costly mistakes.
But as Jones noted, the model doesn't always scale. A handful of experienced advisors can guide hundreds of customers. Thousands more may receive far less strategic attention.
At the same time, the cybersecurity market continues to expand at a staggering pace.
Categories that once contained a handful of vendors now contain dozens. Artificial intelligence is accelerating that trend. Vendors are rapidly adding new capabilities, expanding into neighboring markets, and repositioning themselves as broader platforms.
Separating marketing claims from operational reality
The challenge for buyers is separating marketing claims from operational reality.
That's where the conversation turned toward AI.
While much of the industry discussion around AI focuses on offensive capabilities, threat detection, or automation, Johnson believes one of its most practical applications may be helping organizations make better purchasing decisions.
His view is straightforward: no human can realistically keep up with every vendor, every product update, every capability, and every licensing model across the cybersecurity market.
"It's impossible to recall all of that data," Johnson said.
The goal, he explained, is not to replace human judgment. It is to augment it.
By mapping technologies, controls, compliance frameworks, product capabilities, maturity indicators, and organizational requirements into a common model, AI can help security leaders quickly identify options they may otherwise overlook. It can highlight overlap, expose gaps, and provide context that traditionally required countless spreadsheets and hours of research.
For Barrow, the value proposition comes down to something simpler: Time.
Every hour spent untangling contracts, comparing overlapping capabilities, or negotiating renewals is an hour not spent reducing risk.
As security leaders face growing expectations and shrinking margins for error, that tradeoff becomes increasingly difficult to justify.
The cybersecurity industry has spent decades building tools to identify threats.
The next challenge may be helping organizations make smarter decisions about the tools themselves.
Because in a market crowded with products promising visibility, the organizations that succeed may be the ones that finally gain visibility into their own security investments.