Cybersecurity leaders today face a paradox of abundance. According to a study by IBM, the average enterprise now manages 83 cybersecurity tools across a market of over 10,000 vendors. CISOs today are no longer struggling with too few solutions but with too many.
Every product is branded as “AI-powered.” Every platform promises “end-to-end” protection. Yet more tools don’t mean more security. In fact, the same study by IBM shares that 52 percent of CISOs say tool sprawl increases risk by creating blind spots, integration gaps, and operational drag. Complexity, it seems, has become the new vulnerability.
In this noisy, overcrowded landscape, even seasoned teams risk losing focus — or worse, overspending on overlapping technologies that add cost without strengthening defences.
The real question isn’t what’s new, it’s what’s necessary. How can security leaders cut through the noise and make smarter, more strategic investments?
Here are five thought-starters to help CISOs and business leaders sharpen their decision-making and build security strategies that truly protect – not just perform.
1. Start with the risk, not the tool
The most important question in any procurement isn’t “What can this tool do?”, but “What risk are we solving?” Anchor every decision to a specific threat scenario or compliance requirement. At StarHub, we evaluate every tool through the lens of the CIA triad: confidentiality, integrity, and availability. If a solution doesn’t clearly strengthen one of these pillars, it doesn’t make the shortlist. Clarity of risk ensures that security investments are grounded in purpose, not marketing claims.
2. Contain scope creep
Scope creep is the silent killer of cybersecurity ROI. What begins as a single-module evaluation often expands into an overbuilt, underutilised ecosystem. Be ruthless about defining the minimum viable scope. Let business value – not vendor urgency or fear – shape the roadmap. As a guiding principle: don’t spend $5 to protect a $2 asset. Every additional layer of protection should be justified by measurable risk reduction, not theoretical threats.
3. Co-own architecture with the CIO
Security and IT can no longer operate in silos. Architecture decisions must be co-designed, not retrofitted. Establish shared frameworks early, conduct joint reviews, and align on core platforms from the start. When CISOs and CIOs move in lockstep, integration improves, visibility expands, and total cost of ownership drops. A unified architecture turns cybersecurity from a cost centre into a business enabler.
4. Design for humans, not just systems
Technology alone doesn’t secure a business – people do. Involve end users early when introducing new tools and explain why the change is necessary. Empathy reduces resistance, and design grounded in human behaviour fosters adoption and reduces shadow IT – one of the biggest and most underestimated vulnerabilities in modern enterprises. The best security design is human-centric: intuitive, empathetic, and easy to adopt.
5. Turn vendors into partners, not just providers
In a market full of buzzwords, transparency is your best filter. Be upfront about your objectives and constraints. Ask vendors to demonstrate measurable outcomes, not just features. Hold quarterly business reviews and treat them as strategic collaborators, not transactional suppliers. The best vendors don’t just sell; they co-create, adapt, and evolve with your business needs.
The way forward
Cybersecurity leaders today must move beyond buying tools to building strategy. In a landscape flooded with options and noise, clarity is the real competitive advantage.
Fewer tools and better alignment will deliver sharper insights, lower costs, and smarter outcomes. The future of cybersecurity isn’t about stacking more tools but about orchestrating the right ones. Platformisation, not proliferation, is the path forward to resilience.

Hoo Chuan Wei is Chief Information Security Officer, StarHub.
I enjoy working with both MNCs and the public sector to help strategise cybersecurity architecture and solutions. With more than 26 years of regional experience in information security and telecommunications, banking and the information technology sectors, I am dedicated to providing advice from both an advisor’s and a practitioner’s perspective.
As an active speaker, I was also an adjunct lecturer with Nanyang Technological University (NTU) and Temasek Polytechnic, and am presently an adjunct lecturer at the Institute of Systems Science, National University of Singapore (ISS-NUS), an authorised instructor with ISC2 and a guest lecturer with the Business Continuity Management Institute. I also serve as an authorised instructor and a Technical Advisor for ISC2 APAC. ISC2 is an international non-profit membership association (International Information Systems Security Certification Consortium) focused on inspiring a safe and secure cyber world.
TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.