Stop Cybersecurity Consumerism (Part 2/2): Optimize Value, Reduce Spend

As business-first security leaders, it is our duty to ensure cybersecurity is done sustainably: supporting overall business objectives and protecting the bottom line. This requires a hard look in the mirror and honesty about our operations, specifically about the areas where the value realized was not what we expected.

As a follow-up to Stop Cybersecurity Consumerism (Part 1/2): The BNPL Trap, this article shifts focus from prevention to management: setting clear expectations and being honest about value.

As of writing, we are still in early 2026, when New Year’s resolutions are still strong for some and old habits are creeping back for others. Remember our resolution to get healthy? I will build on that through the remainder of this article. (Side note: 2026 has been off to a strong start, and I am inspired by my friends and family for sticking with their resolutions and already achieving milestones this year, including holding to a dry January even when offered a beer at a social gathering.)

 

  1. Projected vs. Actual Usage 

When we commit to become healthy, we have a grand vision of the end state in mind. We see those ads showing extremely fit individuals working out at the local gym, and we want to be one of them. We project a certain weight, physique, and capability based on the assumption of consistently attending the gym. We rarely plan for any contingencies. We assume an ideal world, not the real world. We decide to attend the gym and invest in a membership. 

It’s a convincing argument for an investment, but also the easiest part of the journey.  

The hard part begins after everything is purchased and we have to actually use the gym membership and exercise with the gym equipment. This is harder than it sounds; over 60% of new gym members quit before 90 days.  

Tool deployments often follow the same pattern. They are presented with a future operational state in mind and justified through projections of what modern operations will look like. During proofs of concept, the tool showcases short-term progress through arbitrary statistics that are difficult to understand and hard to question.

After deployment, activity tapers off over time, yielding no substantial results and limited to no security value.

At the same time, what was supposed to be regular access and use of these tools becomes a rare occurrence, and they turn into ghost instances running in the background. It turns out the projected “daily” usage was really a “quarterly” or “yearly” check-in.

Underutilization in cybersecurity usually looks like this: 

  • High initial activity (e.g., logins) followed by long periods of inactivity  

  • Updates are delayed or forgotten until a CVE forces attention 

  • Configurations are not maintained as infrastructure changes or grows 

  • Limited or incomplete integrations 

  • Activities performed using the tool become infrequent or rare 
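As an added example (not code from the article or from SUSA), the following Python script turns the pattern above into a check that can run over an exported login or API audit trail: it compares the cadence promised in the business case with the cadence actually observed, and flags front-loaded usage and ghost instances. The tool names, dates and audit events are constructed sample data.

```python
"""Utilization check: projected vs. actual use of security tooling. Added
example, not from the original article; all tool names, dates and events are constructed."""
from datetime import date

DEPLOYED = date(2025, 1, 1)   # go-live of both tools (constructed)
AS_OF = date(2025, 12, 31)    # date the review is run (constructed)
# Constructed audit-log extract: (tool, date of a login or action).
# A real input would be the login/API audit export from each platform.
EVENTS = (
    [("edr", date(2025, 1, d)) for d in range(1, 32)]            # daily in January
    + [("edr", date(2025, m, 15)) for m in range(2, 13)]         # then monthly
    + [("asm-scanner", date(2025, 1, d)) for d in range(2, 11)]  # PoC burst
    + [("asm-scanner", date(2025, 4, 1)), ("asm-scanner", date(2025, 10, 1))]
)
# Cadence promised in the business case, in days between uses (1 = daily).
PROJECTED_CADENCE_DAYS = {"edr": 1, "asm-scanner": 1}

def utilization_report(events, projected, deployed, as_of, ramp_days=30):
    """Per tool: projected vs. actual uses, observed cadence, and flags for a
    burst of early activity (over half of all use inside the ramp window)
    and a 'ghost' instance (no activity in the last 90 days)."""
    by_tool = {}
    for tool, day in events:
        by_tool.setdefault(tool, set()).add(day)
    span = (as_of - deployed).days
    report = {}
    for tool, cadence in projected.items():
        days = sorted(by_tool.get(tool, ()))
        expected = span // cadence
        actual = len(days)
        early = sum(1 for d in days if (d - deployed).days < ramp_days)
        last_gap = (as_of - days[-1]).days if days else span
        report[tool] = {
            "projected_uses": expected,
            "actual_uses": actual,
            "utilization": round(actual / expected, 3) if expected else 0.0,
            "observed_cadence_days": round(span / actual, 1) if actual else None,
            "front_loaded": actual > 0 and early / actual > 0.5,
            "ghost_instance": last_gap > 90,
        }
    return report

def sample_report():
    """Run the check over the constructed data."""
    return utilization_report(EVENTS, PROJECTED_CADENCE_DAYS, DEPLOYED, AS_OF)

if __name__ == "__main__":
    for tool, stats in sample_report().items():
        print(tool, stats)
```

Feeding it a real audit export turns "projected daily" into a number you can put next to the licence cost.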

 

  2. Cost does not mean value 

When selecting gym equipment, memberships, and attire there are:  

  • Non-negotiables required to perform activities (e.g., a gym membership for access to weight training); and

  • Nice-to-haves (e.g., lifting shoes, lifting belts, etc.) that are not required.

Appearance over performance is a common trap. It can lead to LARPing (or masquerading), as the focus shifts to looking the part rather than doing the work. Spending a hundred dollars on a gym membership, where the real work happens, returns more value than $500 on clothes marketed for fitness that do not affect performance, especially early in the journey. New gym clothes are not required to work out at the gym, but a membership for access is.

Cybersecurity teams run tens of tools for a core set of day-to-day tasks; data suggests anywhere from 10 to 80+. A tool that supports an infrequently performed task will not necessarily return value equal to its cost.

In addition to a core set of tools that are non-negotiables (functionally distinct tools that you need), many organizations accumulate tools that are functionally similar with overlapping capabilities but are not configured or operationalized effectively.  

Although the original intent was to improve efficiency, we must evaluate whether the value returned at least matches the total cost of ownership. Where it does not, performing the task less efficiently without the tool can return more value than the specialized tool does.

High cost of ownership in cybersecurity usually looks like this: 

  • Tool cost exceeds time saved for the activity it supports 

  • Multiple tools with overlapping functions (especially when a cloud native platform function covers it) 

  • Optimizing for micro-efficiency rather than macro-efficiency (end-to-end process optimization) 

 

What should you do to counter cybersecurity consumerism? 

Continuously evaluate your cybersecurity processes and tools to ensure they remain aligned to the original value drivers. The key question:  

What is the difference between projected and actual value?  

Then, set clear expectations to help your team focus on the right things: macro-efficiencies. Lean into the scrappy nature and muscle of cybersecurity teams. Who knows, you may spark some creativity and end up with a tailored solution!

At SUSA, our design thinking services help leadership teams understand and define security value drivers to reset around performance. Using a people-centric, outcomes-driven approach, we clarify value drivers and co-create a strategy for performance. 
