Kevin Lynch, CEO and board member at Optiv, a cyber advisory and solutions leader.
When most leaders think about insider threats, they picture a disgruntled employee or a malicious actor intent on harming the organization from within. That threat is real, but it’s no longer the most pressing one facing executive leadership.
A more subtle and far more pervasive risk has taken hold across enterprises. It’s not driven by intent, but by complexity.
How We Got Here
Over the past decade, organizations have done exactly what was expected of them. They invested in cybersecurity. They responded to board expectations, regulatory pressure and a rapidly evolving threat landscape by adding tools, controls and layers of defense. Each investment made sense at the time. Each solved a specific problem.
But taken together, these decisions have created something new. A quiet adversary has emerged inside our environments. It’s the accumulation of complexity itself.
And increasingly, that complexity works against us.
Security stacks have evolved into sprawling ecosystems of overlapping tools, duplicative controls and fragmented data. In fact, industry research reveals that, on average, organizations are trying to manage 83 different security solutions from 29 different vendors.
This causes teams to spend more time managing technology than improving outcomes. Signal is buried in noise. Costs continue to rise, yet measurable gains in resilience are not keeping pace.
This is the new insider threat. It does not announce itself or trigger alerts. Instead, it quietly erodes efficiency, increases exposure and limits an organization’s ability to respond with speed and precision.
For CEOs and boards, this is not just a technology issue. It’s also an economic one. The aforementioned research also notes that surveyed executives estimate that security fragmentation and complexity cost their businesses 5% of their annual revenue, on average.
The Cost Per Capita Problem
At its core, the challenge can be framed in a simple but powerful way. What is your organization’s cost per capita of security risk and resilience?
As industries and companies, we have become more sophisticated in cybersecurity. Our collective expertise has grown significantly. Yet we aren’t seeing the benefits of scale that should come with that maturity. In most domains, scale drives efficiency and lowers per unit cost. In cybersecurity, the opposite often happens.
Organizations talk about platform consolidation and technology rationalization, but the cost per capita continues to rise or, at best, remain flat. That gap represents one of the most significant inefficiencies in modern enterprise operations. Closing it requires a deliberate shift in approach.
Three Steps To Attack Complexity
Reducing cost per capita of security risk and compliance starts with confronting complexity directly. For executive teams, this begins with three practical steps.
Step 1. Achieve Visibility
Leadership must have a clear understanding of where capital is being deployed across the security environment. This means mapping investments by control, function and business unit. Without this level of visibility, it’s impossible to determine whether spending aligns with actual risk exposure.
Step 2. Identify Imbalance
Most organizations are overinvested in certain areas while underinvested in others. Some controls are duplicated across platforms, while others are underutilized or misaligned with the most critical risks. This imbalance creates both wasted spend and hidden vulnerability.
Step 3. Simplify With Intent
Reducing tool count, eliminating redundancy and aligning controls to real risk exposure can materially improve both security outcomes and operational efficiency. Simplification is not about doing less. It’s about doing the right things better.
A Cautionary Tale For AI
Contrary to what some might believe, AI is not a shortcut to reducing complexity. Rather, it’s a force multiplier. And without the right foundation, it will multiply the wrong things.
The pressure to deploy AI at scale is real. So is the promise: faster decisions, smarter operations and a meaningful competitive edge. But there is an equally real risk in moving too quickly without a clear strategy. When organizations layer AI onto fragmented systems, inconsistent data and unclear processes, they accelerate complexity rather than eliminate it.
AI should not be treated as another capability to bolt onto an already strained ecosystem. It should be deployed as a mechanism for simplification. At its best, AI can cut through noise, elevate signal and transform overwhelming volumes of data into clear, prioritized insight. It can improve not just the speed of decisions, but the quality and confidence behind them.
But none of that happens by default. Real value comes from intentional design: simplifying architectures before scaling them, governing data before amplifying it and aligning AI initiatives to clear business outcomes.
Leadership From The Top
Simplifying complexity at scale also requires engagement from the highest levels of the organization.
This is why CEOs and boards must be directly involved in the conversation. This is not a technical issue that can be delegated to the security team. It’s a capital allocation decision, a strategic priority and a leadership responsibility.
Creating economic value while introducing unseen risk is not sustainable. The goal is not to choose between growth and security. That is a false tradeoff. The objective is to enable both at the same time.
Organizations that succeed will treat complexity as a measurable risk factor. They will align investments with real exposure, simplify their environments and leverage AI to enhance clarity rather than obscure it.
By doing so, they can lower their cost per capita of security while increasing resilience.
That is not just operational improvement. It’s a true competitive advantage.
The quiet insider threat of complexity is not going away on its own. But with the right leadership focus, complexity can evolve into simple security ecosystems that drive smarter, more efficient and more secure growth.

