
Most organizations don’t have a security problem, they have an accumulation problem.

Over the years, a tool gets added after a breach, another gets layered in when cyber insurance requires it, and a third shows up after an audit. Before long, you’re managing six, eight, or ten security products and still not confident you’re actually protected. That’s tool sprawl, and it’s more common than most IT leaders want to admit.

We recently hosted a discussion with Keegan Bolstad (VP of Sales and Operations) and Jared Olson (Security Team Lead) from OnTech Systems about why tool sprawl happens, what it costs organizations, and how to make the shift from buying tools to achieving security outcomes.

Your Security Stack Is Probably Accumulated, Not Designed

The first thing Jared made clear is that most of the environments OnTech inherits weren’t built with intention.

“Most security stacks are accumulated, not designed. Tools are added reactively after incidents, audits, and insurance requirements. Nobody ever went back and asked: is this the right control? Who owns it? How does it operate? Are we measuring it?”

The result is a stack of individually decent tools operating in complete isolation. Individual tools can be strong, but the operational security around them is weak, so nobody knows who monitors what, who responds to which alert, or who actually owns the outcome.

This accountability gap is especially dangerous because the MSP or IT provider often becomes the de facto integrator without the authority or clarity on what the business actually needs.

More Tools Won't Equal More Protection

Keegan put it simply: “More products doesn’t always mean better protection.”

What matters is whether your tools integrate with each other, whether you have meaningful visibility across them, and whether they’re being used in concert to deliver a defined outcome. The size of the organization changes the shape of the problem but not the nature of it. Smaller organizations often have immature stacks and no deep understanding of why certain tools are in the environment at all. Larger organizations tend to have more tools with more disparity, where something was purchased for one purpose but nobody can confirm whether it’s doing that job or how well.

As Keegan summarized: “There’s not that uniform vision of ‘this is the business outcome we’re working toward, and these are how each tool plays into it.’”

The Hidden Cost: Alert Fatigue and IT Burnout

When tools aren’t integrated, IT teams bear the weight. Jared described what that looks like on the ground: constant fire drills, relentless alert fatigue, and the exhausting question of what really needs attention right now.

When OnTech moves clients toward a more orchestrated security approach, the day-to-day experience shifts noticeably. Teams experience less alert fatigue because they know what to prioritize and why. Security becomes operationalized rather than improvised, authority becomes clearer, and the work itself starts to feel purposeful rather than endless.

“When security is more operationalized and there’s better visibility into what’s occurring,” Jared said, “you’re spending more time improving your security posture and less time just putting out fires.”

Defense in Depth Is Not Just More Layers

There is an important distinction between layered security (lots of tools stacked on top of each other) and defense in depth (layers that each serve a deliberate, connected purpose). In a true defense in depth model, every layer has a defined role across the prevention, detection, response, and recovery spectrum. No single control carries unrealistic expectations, and the tools are practiced rather than merely installed: they get tested, vetted, and simulated through tabletop exercises. And identity protection remains the front door of any solid security posture, even in the age of AI.

As Jared put it: “If you don’t test something, the layer doesn’t really exist.”

The AI Acceleration Problem

AI has changed the threat landscape in one significant way: attack chains are faster. Bad actors aren’t necessarily doing anything new; they’re doing it at a pace that outstrips what most teams can keep up with manually. That means defenders have to be faster too, and when tools aren’t communicating with each other, you may have all the data you need spread across two separate systems but no way to correlate it quickly enough to act.

Speed is everything in security, and tool sprawl directly undermines your ability to move at the pace the threat environment demands.

You Probably Don’t Need to Start Over

One of the more reassuring takeaways from the conversation is that most organizations don’t need to rip and replace everything.

“Most people’s investment in tools is a very good starting point,” Keegan said. “It’s not always about replacing what they have. It’s about leveraging it better.”

In many cases, tools are configured to only a fraction of their actual capability. Connecting an MDR tool to an identity protection platform, for example, doesn’t require buying anything new. It requires integration expertise and someone who works with these stacks every day. The MSP advantage is real: they’ve seen the same tools across dozens of environments and know exactly where the quick wins are.

How to Prioritize What to Fix First

Not every risk can be addressed at once. Jared’s framework for prioritization starts with three questions: What is the likelihood this risk gets exploited? What is the actual business impact if it does? And what controls are already in place that could most effectively address it?

Some risks get accepted deliberately and documented, particularly when legacy systems are involved and a full replacement isn’t immediately feasible. The goal isn’t perfection. It’s progress grounded in strategy. “We don’t rank by security scores alone,” Jared said. “We look at likelihood, business damage, and effort versus impact.”

Getting Executives to Care

IT leaders often struggle to get budget or buy-in for security improvements, and part of that struggle is a communication problem. Executives can understand outcomes but have a hard time caring about features. Keegan’s recommendation is to stop talking about tools and start talking about what happens, and what it costs, when things go wrong.

Tabletop exercises are especially effective here. Walking an executive through a realistic ransomware scenario, not to frighten them but to create honest dialogue about what the business can tolerate, is one of the most effective ways to align security strategy with business reality.

“A lot of executives feel, ‘I bought MDR, my endpoints are protected, I’m fine,’” Keegan said. “The real conversation is: yes, there are layers of protection, but we’re still going to have some pain. Are we accepting of that pain? Yes or no? Now we can build strategy from there.”

The Risk Register: Accountability in Both Directions

One practical tool the team highlighted is the risk register. A risk register isn’t just an IT document. It’s a communication tool between technology teams and leadership that formalizes a critical question: here is a risk we’ve identified, and we need to know whether leadership is willing to accept it or invest in addressing it.

This structure creates accountability in both directions. If a risk was escalated and leadership chose not to act, that decision is documented. If something goes wrong later, everyone understands why, and the IT team or provider isn’t left holding the bag for a call that was made above them.

A Realistic First Step

For organizations wondering where to begin, Keegan recommends a combination of gap analysis and business impact analysis: lay out everything you have today, identify where the gaps are, and prioritize based on what threats are most active in the current environment. You don’t need to solve everything at once. The process is to identify your top risks clearly, walk through a realistic attack scenario against your current environment, find the weakest links, and fix one path before moving on to the next.

“A bad plan is better than no plan,” Jared noted. “Even if you don’t know what the full future looks like, start somewhere.”

A Note on CMMC

For organizations in the defense industrial base or anywhere in the supply chain of a prime contractor, CMMC compliance is no longer optional or theoretical. The big primes are pushing requirements downstream, and even indirect suppliers need to be thinking about CMMC Level 1 at a minimum.

As Cyberleaf's Director of Channel, Travis Ray, noted, CMMC compliance is directly tied to revenue for many organizations. Jared agreed, noting that in one recent case, 90 percent of a business’s revenue was tied to Department of Defense contracts. Getting that wrong isn’t just a compliance issue; it’s an existential one. Cyberleaf operates as a CMMC L2 RPO with managed security services through a certified SOC, and has built programs specifically to make CMMC roadmapping accessible without requiring a six-figure consultation fee upfront. If CMMC is on your radar, or probably should be, now is the time to have that conversation.

The Bottom Line

Cybersecurity isn’t a purchase. It’s a practice. The organizations that get the most out of their security investments are the ones who know what they have and who owns it, understand what it’s supposed to do, and have a partner who can help them measure, improve, and adapt over time. If you’re buried in tools and not sure you’re actually protected, you’re not alone. You don’t have to start from zero. You just need a strategy.

Looking for a good first step? Start here with our Tool Sprawl Self-Assessment Worksheet.