A staggering 61% of security leaders reported breaches in the last 12 months—despite using an average of 43 cybersecurity tools. These breaches weren’t due to a lack of investment. They happened because the tools were misconfigured or failed to deliver protection. This rising wave of failure isn’t about tool shortages. It’s about security control effectiveness. Many companies are finally realizing that installing a control doesn’t guarantee protection unless it’s correctly configured and continuously tuned to face real-world threats.
A recent Gartner® Report, Reduce Threat Exposure With Security Controls Optimization, dives deep into this issue. It highlights the gap between deploying security tools and actually defending against threats. The key message? Without continuous validation, tools offer little more than a false sense of security.
Why Buying More Isn’t the Answer
For years, organizations assumed that more tools meant better protection. Firewalls, endpoint solutions, identity tools, and SIEMs fill out impressive tool stacks. But breaches continue.
Gartner confirms that misconfigurations are a leading cause of successful attacks. Tools often aren’t aligned, well-integrated, or tuned to business-specific risks. Take Blue Shield of California’s 2024 breach as an example. A simple website misconfiguration exposed data from 4.7 million members through Google Ads. That one error rendered a full security stack useless.
It’s clear: the real challenge isn’t tool acquisition. It’s turning those tools into effective, responsive defense systems.
The Shift to Measuring Control Effectiveness
To change the game, organizations must rethink how they approach cybersecurity. It’s not just about tools or IT teams. It’s about partnerships across the business.
Asset owners understand what’s at stake—the systems they manage, the sensitive data they protect, and the business operations that must never stop. Security teams must work closely with them, along with IT and executive leaders, to ensure controls are actually effective.
Training also needs an upgrade. Cyber professionals must grasp not only the technical side but also the business value of the assets they defend and the real-world threats they face.
To track progress, companies should turn to Outcome-Driven Metrics (ODMs) and Protection-Level Agreements (PLAs). ODMs measure outcomes such as how quickly misconfigurations are remediated or how quickly real threats are detected. PLAs set performance expectations for each defense layer. These measures turn assumptions into proof—and give leadership confidence.
Optimization Isn’t a One-Time Fix
Configuration isn’t something you set and forget. Cyber defenses must evolve as fast as attackers do. According to Gartner, “optimal configuration is a moving target.”
That means security teams must make tuning and validation part of daily operations. Quarterly patches or annual audits can’t keep up with today’s threat landscape. Instead, teams must constantly ask:
- Are our controls still aligned with today’s threats?
- Are our detection rules updated?
- Are compensating controls still effective?
Effective cybersecurity also involves integrating new threat intel, revisiting risk priorities, and ensuring operational changes don’t weaken defenses. It’s not about doing it once—it’s about doing it continuously.
Building for Measurable Protection
To optimize controls, security must be embedded in everyday processes—not tacked on afterward. This requires collaboration. Gartner notes, “no security team can be fully effective in isolation.”
Cross-functional teams that combine security engineers, IT operations, and business stakeholders are key. They offer the visibility and insight needed to ensure controls are doing their job.
Pairing this collaboration with a Continuous Exposure Management approach allows teams to proactively spot gaps, test responses, and adjust defenses before a breach happens.
Security isn’t about having the most tools. It’s about knowing those tools work—against today’s threats, in your specific environment.
Gartner’s latest insights point toward a critical truth: organizations that rely on static defenses will fall behind. The winners will be those who treat cybersecurity as a living, breathing system—measured, validated, and improved every day.