Why CISOs Should Own Application Rationalization

Reducing overlap and mitigating potential security gaps are just two reasons why application rationalization is a sound strategy

A major cybersecurity concern many organizations and executives may not be aware of but will become more prevalent in years to come are gaps in their IT infrastructure backend caused by tool sprawl. Tool sprawl occurs when IT teams rapidly adopt new technology, often leading to overlaps or missed requirements. With the IT tool market’s rapid expansion, the sheer volume of tools businesses adopt today is creating too much security complexity to manage.

More than $3.8 trillion was spent on technology applications in 2019 alone. With so many tools in use, it’s not always easy to identify what is causing the security gaps. How can enterprises prevent security incidents caused by tool sprawl?

Application rationalization utilizes modern IT tools rationalization platforms to keep pace with the rapid adoption of tools and the accelerated pace of change across the industry. These platforms automate the tools portfolio auditing process and monitor the tech stack continually to help identify overlap and gaps and make informed change recommendations.

Chief information security officers (CISOs) are in a unique position to own application rationalization because they have the most significant existing knowledge, expertise and responsibilities focused on security measures.

Here are a few reasons why CISOs should own application rationalization:

CISOs have a holistic understanding of the security concerns and IT environment

Understanding the organization’s needs from a software assets and tools perspective is a blind spot for many organizations. This leads to overinvestments in some areas and gaps of coverage for other functional areas, which creates more risk for outages and cyber incidents. Since CISOs direct their attention toward broader security concerns, it can be easy to forget about software applications threatening their security landscape.

Yet, in many organizations, CISOs are the principal executive responsible for an organization’s information and data security. These responsibilities typically include real-time analysis of immediate network threats, educating employees on cyber risks, managing the security architecture and conducting any investigations or forensics in the instance of a security breach.

Based on this extensive knowledge and understanding of their organization’s IT environment, CISOs have a unique opportunity to own their asset management practice and consider a more significant focus on software asset management through effective application rationalization.

Standard operating processes need to come from the top down

While every employee and member of an organization should have some insight into the tools portfolio, there is often miscommunication among internal teams and departments regarding who is using which tools. For example, one IT team may have five tools that accomplish the same goal as a different team’s tools, causing overlap. This unnecessary overlap and miscommunication can quickly create security gaps, turning this into a much larger issue.

In reality, change and process optimization need to come from the C-suite. Policies and general company culture are top-down initiatives and to achieve full organizational buy-in and limit the resistance to change, CISOs need to own the application rationalization process within the tools portfolio. Start by implementing standard operating processes and requirements for reducing the number of tools as well as the ongoing adoption of new tools. For example, the CISO signs off on each tool purchase following their application rationalization to evaluate and compare to existing tools capabilities.

CISOs focus on functionality versus pure cost optimization

Tools within the portfolio can span thousands of different toolsets adopted across each department, but they often fall within unique categories. Some tools focus more on simple operations, while others have greater functionality and root deeper into the system. With multiple tools across multiple departments, it can become even more challenging to figure out where these tools overlap.

Unfortunately, many companies fail to practice continuous IT tools rationalization with insight into every product’s features and struggle to determine whether it meets their organization’s needs. If the tool has a strategic functionality and works within the infrastructure or on an operational level, however, CISOs should be in control. While CIOs may make the final call based on cost, CISOs owning the tools rationalization process can help prevent blind spots and security risks created by the gray area of IT asset management.


The most effective solution organizations can utilize to eliminate tool sprawl is IT tools rationalization. Through the use of modern application rationalization platforms, businesses can conduct a comprehensive evaluation of their entire tools portfolio and identify redundant or unneeded tools that may be causing major security concerns.

A company with a systematic approach for tracking IT tools drastically reduces its chances of succumbing to potential security threats. Beyond threat mitigation through sprawl reduction, tool rationalization can fight security threats by drawing attention to legacy systems that lack enhanced security features and need attention. Regardless of the reason, nearly every business needs to rationalize its tools portfolio, and CISOs should play a strategic role in the process.

Avatar photo

Sean McDermott

Sean McDermott is the President & CEO, Founder of RedMonocle and Windward Consulting Group. In addition, Sean was the Founder and CEO of RealOps, Inc., the pioneer in enterprise management Run Book Automation solutions which was acquired by BMC. Before starting Windward, Sean held senior positions with Predictive Systems and Booz Allen Hamilton.

sean-mcdermott has 1 posts and counting.See all posts by sean-mcdermott