Formerly known as Wikibon

Why Cybersecurity’s Tool Problem Is Really an Operating Model Problem

Most security teams are running twenty, forty, sometimes eighty different tools, and that didn’t happen by accident. Every purchase solved a legitimate problem. New attack surfaces required new visibility. Cloud computing required different controls than the data center. Compliance added reporting requirements. Detection and response became specialized. Over time, security architectures evolved into a collection of best-of-breed products, each optimized for its own domain. The problem is that the enterprise is becoming an interconnected system where decisions increasingly depend on context shared across applications, data, people, and now AI. Security architectures evolved one product at a time, but the enterprise no longer operates one product at a time.

Today, each security product has its own telemetry, policy engine, workflows, and view of risk. None understands enough about the enterprise to make decisions independently. Analysts supply the missing context by connecting technical signals to business priorities, critical applications, identities, and operational impact.

This tool sprawl requires a massive amount of coordination to operate a coherent security program, and that coordination has become the dominant cost of cybersecurity. Security teams spend remarkably little time making decisions about security risk. Instead, they spend much of their day assembling the information required to make those decisions. Analysts move between consoles to collect evidence. Engineers reconcile conflicting policies across platforms. Incident responders combine identity information, endpoint telemetry, network activity, cloud events, and business context before they can determine whether an alert represents meaningful risk. In practice, humans are serving as the intelligence layer that fragmented systems need in order to function cohesively.

The bottleneck is no longer visibility

Security strategies have historically been optimized for visibility and defense. Better telemetry produced better detection, which produced better outcomes. That approach worked because coverage was the primary constraint.

Today, most organizations collect far more security data than analysts can realistically interpret. Ask a CISO how many alerts their SOC generates in a day and you’ll probably get a number that no longer carries much meaning. The question has become how many can be investigated before the next thousand arrive. Collecting signals was the hard part once. Now the hard part is building a shared understanding of what those signals mean and deciding how the organization should respond.

Connecting products through APIs helps information move between systems, but it doesn’t create shared meaning. Endpoint platforms describe assets differently than identity platforms. Vulnerability scanners rank risk differently than business owners. Recovery teams evaluate priorities differently than security operations. Analysts bridge those differences every day by applying business context that the technology stack cannot infer on its own. That’s why humans have become the de facto intelligence layer across the security stack.

AI is accelerating a shift that was already underway

Artificial intelligence is making this coordination challenge impossible to overlook. Attackers now use AI to compress reconnaissance times, automate phishing campaigns, and weaponize newly discovered vulnerabilities quickly and with more sophistication. At the same time, enterprises are deploying AI assistants, coding agents, and autonomous workflows across the business, often faster than governance processes can adapt. Both trends increase the speed at which security organizations must understand, prioritize, and respond to change.

The traditional response has been to deploy another security product. But another product means another integration, another policy engine, another workflow, and another queue requiring human attention, and at some point the operational cost of coordinating it exceeds the security value it delivers.

For years, analysts have spent much of their day moving between consoles, enriching alerts, collecting context, documenting findings, and coordinating with other teams before meaningful decisions could be made. Those activities were accepted as the cost of operating a complex security environment, but they consume time without adding much security judgment, which makes them strong candidates for AI-assisted automation.

Making endpoint protection smarter or helping analysts summarize alerts faster looks like the obvious AI use case. The bigger opportunity is reducing the coordination work between systems, so analysts spend less time assembling context and more time exercising judgment, particularly the judgment resilience depends on: what to contain, what to isolate, what to escalate, and how fast.

Experienced practitioners remain essential. What changes is where their expertise creates the most value.

Cyber resilience starts with a better operating model

The coordination problem isn’t only an operational headache. It’s also the reason prevention, as a strategy, has become unreliable. Prevention assumes that enough controls in the right places can stop most incidents before they happen, and that assumption only holds if every control works together, in real time, with full context. A patchwork of best-of-breed tools, each holding a partial view, can’t deliver that. Something slips through the gaps between consoles, and the environment is now changing faster than those gaps can close on their own.

That’s the deeper reason security is shifting from a prevention posture to a resilience posture. Resilience assumes something will get through and measures success by how fast the organization detects it, contains it, and recovers, rather than by how much was blocked at the perimeter. Coordination and resilience are two views of the same shift. An operating model that can’t coordinate can’t prevent reliably, and an operating model that can’t prevent reliably has to be built to recover instead.

This becomes especially important as AI becomes embedded within enterprise processes. Recovery is no longer just about restoring infrastructure. It means re-establishing confidence in identities, data, policies, automated decisions, and business processes before operations can safely resume. Cyber resilience is increasingly a matter of recovering business state, and technology is only one part of that.

Why operating models matter more than copilots

Much of the industry’s AI conversation focuses on product capabilities such as copilots, investigation summaries, and automated response recommendations. Those capabilities are useful, but they don’t fundamentally change how security operates.

A copilot attached to an existing SIEM still assumes analysts remain responsible for gathering context across multiple products before making every decision. The workflow may become faster, but it remains the same workflow, built around the same prevention-era assumption that a human has to sit in the middle of every decision.

An operating model is something different. It defines how information moves, how decisions are made, who has authority to act, and how work flows across people, processes, and technology, including what happens after prevention fails.

Most operating models assume that tools generate signals and people generate decisions. As AI systems become capable of correlating information across products, evaluating routine conditions, and executing bounded actions, that assumption begins to change. Human expertise shifts toward governance, exception handling, and continuous improvement rather than routine orchestration.

That’s a structural change to how the operation runs, and it’s what makes resilience achievable in practice rather than aspirational on a slide.

From optimizing controls to optimizing coordination

The security industry has spent decades optimizing individual products. Vendors built better endpoint protection, stronger identity controls, richer threat intelligence, and faster detection engines. Those advances matter, but they also created an environment where local optimization often came at the expense of operational simplicity.

Organizations that optimize how information, context, and decisions move across the environment will be best positioned to improve resilience without expanding operational overhead at the same pace.

The same shift is beginning to reshape every enterprise function. Competitive advantage is coming less from automating individual tasks and more from reducing the coordination cost between functions, systems, and teams. Cybersecurity is reaching the transition first, because attackers are already operating at machine speed.

Looking ahead to Black Hat

As Black Hat approaches, expect every major security vendor to talk about AI. Look past the flashiest assistant or the fastest autonomous response, and ask which vendors are actually rethinking how security operations work, and whether that rethinking extends past prevention into how fast their platform helps a customer recover. That answer will separate incremental product improvements from meaningful architectural change.

Over the next four weeks, this series will examine how that transition is reshaping cybersecurity. We’ll look at what distinguishes AI-native security platforms from AI-enabled products, why governance becomes central as autonomous systems mature, and why cyber resilience increasingly depends on an operating model that coordinates intelligence across the enterprise rather than another generation of standalone tools.

Article Categories

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
"Your vote of support is important to us and it helps us keep the content FREE. One click below supports our mission to provide free, deep, and relevant content. "
John Furrier
Co-Founder of theCUBE Research's parent company, SiliconANGLE Media

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well”

Book A Briefing

Fill out the form , and our team will be in touch shortly.
Skip to content