In a recent post in The National CIO Review titled, “Why Security Tool Sprawl Threatens Your Organization,” author Arun Kandel argues that “sprawl” turns security professionals into software wranglers versus strategic defenders. 

Specifically, he claims that when every vulnerability is amplified with overlapping tools, misconfigurations and compatibility issues make breaches more likely. Relatedly, security teams spend excessive time on maintenance instead of threat detection. Lastly, he claims that increased costs for licensing, maintenance, and integration of sprawling tools wastes resources and, ultimately, don’t make businesses safer. All fair points, for sure.

Sprawl counterpoint

While security tool saturation is a real concern, threats from new endpoints, such as mobile apps, have become the new reality. Mobile applications are now an integral part of how many businesses operate and engage with their customers. However, in the rush to develop and deploy these apps, cybersecurity often takes a back seat, for multiple reasons. In fact, a recent ISMG survey sheds light on the alarming disparity between perceived app security and the harsh reality of mobile app vulnerabilities.

1. Perception vs. reality: The disconnect

Despite the prevalence of mobile app security threats to both Android and iOS ecosystems, there exists a significant gap between how organizations perceive the security of their own apps and the actual security status revealed by independent testing. 

According to the Verimatrix survey report “State of Enterprise Mobile App Security 2023,” conducted with ISMG, while 77% of respondents rate their own apps as moderately or highly secure, independent studies indicate that approximately 90% of apps are found to be unsecure. This glaring disparity underscores a critical issue: ignorance or lack of awareness regarding mobile app security.

2. Cost is another factor affecting mobile app security

While cost is often cited as a deterrent, the true cost of neglecting security far outweighs the investment required to implement adequate protection measures. Surprisingly, even free security tools are underutilized, pointing to a broader issue of prioritization and awareness within organizations.

3. Responsibility and accountability

One of the most concerning findings of the survey is the lack of clarity regarding responsibility for mobile app security. While CISOs are often held accountable for security lapses, their involvement in app development and security processes remains minimal. This disconnect highlights the need for greater collaboration between security teams and app developers to integrate security from the outset.

4. Addressing mobile app security as a low priority

For many security professionals, mobile app security may rank low on their list of cybersecurity priorities or ahead of other tools and strategies. This prioritization issue can contribute to the non-use of certain cybersecurity tools, including those specifically designed for mobile app protection. However, overlooking mobile app security can prove to be a costly mistake, as mobile apps are becoming a new gateway for attacks.

5. Steps towards better mobile app security

Closing the gap between perception and reality requires a concerted effort to prioritize mobile app security within organizations. App developers, CISOs, and cybersecurity teams are urged to take proactive steps to raise awareness of mobile app security threats and advocate for the implementation of robust security measures. 

Integration of security into the app development lifecycle and continuous monitoring of app security are essential steps towards mitigating the risks posed by insecure mobile apps. Additionally, fostering a culture of security awareness and accountability across all departments is crucial for safeguarding sensitive data and protecting against potential cyber threats.


Arun Kandel’s warning about security tool sprawl hits home. His insights reveal the dangers of wasting resources and losing focus on threat detection. 

With mobile apps now the go-to for consumer interaction and attackers exploiting them at every turn, mobile risks are now the new reality. The ISMG survey backs this up, highlighting the need to address mobile app security vulnerabilities and not wait until it’s too late. 

While adding additional security tools is the obvious answer for organizations dependent on their mobile apps to power their businesses, firms that rely less on mobile apps may need to find the right balance between reducing sprawl and embracing new tools. Software proliferation—in this case, adding one more critical tool to protect apps—may be a safer bet than limiting one’s toolset.