Security tools that were effective two years ago are now creating business risks. What’s changed? According to Fernando Medrano, Deputy CISO at Fastly, the fundamental assumptions underlying most enterprise security tools no longer align with the current threat landscape.
And that mismatch is creating both security gaps and operational inefficiencies.
The business impact of faster attacks
The numbers tell the story. Tasks that took attackers 15 hours two years ago are now completed in 15 minutes. But most enterprise security tools still operate on the old timeline.
“You might have had more time to detect that activity in the past,” Medrano explains. “Now you have to be able to detect and act much quicker.”
For IT leaders, this speed change requires security teams to have different skills. Incident response processes need revision. Security tools that seemed adequate last year may no longer provide sufficient protection.
More concerning is the scalability challenge. Modern attacks don’t just move faster; they scale automatically. A single attacker can now probe thousands of API endpoints simultaneously, analyzing responses and adjusting tactics in real-time.
Why traditional security investments aren’t working
Most enterprise security stacks were designed for a different threat model. They assume human attackers work methodically. They’re built for detection windows measured in hours or days, not minutes.
But the larger issue isn’t technology; it’s organizational.
“The biggest misconception about API protection is thinking you can deploy an AppSec tool, turn it into blocking mode, and you’re good to go,” Medrano notes.
This reflects a common pattern in IT procurement. Organizations buy security tools expecting plug-and-play solutions. They underestimate the ongoing operational requirements.
As a result, they spend on expensive tools, better defined as those that block legitimate customer traffic or slow critical business processes instead of ones with the highest license cost.
The real ROI problem with security tools
Medrano’s experience reveals a pattern that should worry CFOs and CIOs. Organizations frequently replace security tools within two years of deployment.
“I cannot recount how many times I or my peers have bought a security tool and are looking to replace it two years later,” he says. “You see something in a demo, everything works perfectly. You deploy in your environment, and nothing seems to work as expected.”
This replacement cycle represents significant hidden costs. Not just new licensing fees, but integration costs, training expenses, and the opportunity cost of security team time spent on tool management instead of strategic security initiatives.
The problem stems from a disconnect between vendor promises and operational reality. Security tools often work well in controlled demo environments but struggle with the complexity and scale of real enterprise applications.
Building security that supports business growth
The most successful organizations take a different approach. They view security as an enabler of business growth rather than a constraint on operations.
This starts with understanding that application security isn’t a one-time implementation. It’s an ongoing operational capability that needs to scale with the business.
“As customers grow, they generally start receiving more traffic,” Medrano explains. “Keeping up and predicting what that growth looks like is difficult. Predicting how much infrastructure you need is even more challenging.”
Smart organizations select security platforms that can evolve with their changing business needs. They avoid solutions that require predicting future traffic patterns or capacity requirements and focus on services that can handle traffic spikes, seasonal variations, and business growth without requiring infrastructure planning.
The integration challenge
One of the most significant operational challenges facing IT leaders is integrating security tools. Most organizations use multiple point solutions: endpoint protection, network monitoring, application security, and identity management.
The theory is that these tools correlate events to provide comprehensive threat detection. The reality is different.
“The idea that you can tie these disparate events together into clearly malicious activity hasn’t proven to work quite as the industry hoped,” Medrano observes.
This creates two business problems. First, security teams spend more time managing tools than conducting threat analysis. Second, the lack of integration reduces the effectiveness of each individual tool investment.
For IT leaders, this suggests a different procurement strategy. Instead of building security stacks from multiple vendors, consider platforms that provide integrated capabilities. The operational savings often justify higher platform costs.
What smaller organizations can learn
Enterprise security practices are being adopted by smaller organizations. Not because smaller companies face the same threats, but because the fundamentals of effective security remain constant, regardless of an organization’s size.
The key insight isn’t about budget allocation. It’s about the organizational approach.
“It’s more about how larger companies think about security,” Medrano explains. “Understanding that security done right from the beginning will save costs on the back end.”
This means incorporating security considerations into application design from the outset. It means building partnerships between security teams and development teams. And it means treating security as a business enabler rather than a compliance checkbox.
For smaller organizations, this approach can actually reduce total security costs. Security built into applications from the beginning requires fewer tools and less ongoing management than security retrofitted after deployment.
Making smarter security investments
The most effective security investments share common characteristics. They provide immediate value without requiring extensive customization. They integrate well with existing workflows. And they support business operations rather than constraining them.
“Fastly can provide value very quickly for applications you need to protect from external malicious activity,” Medrano notes. “We built our products to be as easy as possible to use.”
For IT leaders evaluating security investments, this suggests focusing on solutions that demonstrate clear business value quickly. Look for tools that security teams can implement and see results within days, not months.
The strategic imperative
The security landscape has fundamentally shifted. The most successful approach isn’t necessarily about buying more tools, but focuses on security platforms that can adapt to changing threats while supporting business operations. This means choosing solutions based on operational effectiveness rather than feature checklists and building security programs that can scale with growth.
It also means treating security as a strategic business capability rather than a technical compliance requirement.
The organizations that will thrive in the next phase of digital business aren’t those with the most security tools. They’re the ones who understand security as a fundamental enabler of business success.
Ready to modernize your API security strategy? Learn how Fastly helps organizations build adaptive, high-performance protection that scales with business growth. Explore Fastly’s API Security solutions →
Read More from This Article: The hidden cost of outdated API security: Why CIOs need to act now
Source: News