SECTION 2

The visibility black hole

Complexity outpaces control

When more data means less insight

With control failures being the driving force behind breaches, almost every team is striving for a clearer line of sight. But at the end of 2025, just over one-third (37%) of cyber teams are confident they have full visibility across their IT estate.

For everyone else, there are simply too many tools and too much data.

On average, teams are now wrangling with 61 different tools and 58 reports or dashboards, each with its own alerts and data feeds. Instead of making things clearer, this tangle of reports builds more noise, more checks, and ultimately leads to more blind spots, control failures, and breaches.

It’s little wonder, therefore, that 65% of security leaders say their teams are overwhelmed with fragmented data sets. Instead of a single clear view, they’re faced with gaps, chasing numbers, and missing patterns and insight. Many CISOs are at a loss, with almost two-thirds (61%) stating their controls environment is too complex to confidently manage without automation.

[Figure: Number of tools; Agree controls environment is too complex to manage without automation]

Data fragmentation impacts control assurance

For all the data, alerts, and dashboards, most security leaders fear they still can’t see what truly matters. 42% of cybersecurity leaders state their biggest controls concern is the lack of visibility into how effectively they are working.

One in five (20%) CISOs say their biggest controls challenge is not being able to review and update controls as often as they should. A lack of resources and manual checks means updates don’t happen quickly enough. By the time a control gets checked, the threat may have already changed.

It all adds up. 54% of cybersecurity leaders told us control failures only come to light post-incident. And the same number again (54%) say they have no way of understanding if controls are in place and working at any one time.

[Figure: Over half of CISOs have no clear understanding if controls are in place and working]

As the threat landscape moves faster, many are left with snapshots, not a live feed. 77% of CISOs say traditional control assurance is no longer enough. The gap between what leaders want - continuous, clear oversight - and what they get is growing wider.

Making sense of cyber data

The modern security stack doesn’t just add noise - it adds pressure. With every new tool, dashboard, and report, team focus is stretched thinner. It’s why 7 out of 10 (71%) security teams are experiencing reporting burnout when faced with the growing demands of control monitoring and compliance.

It’s not just about having too much to do. Most CISOs know that every hour spent juggling reports is an hour not spent stopping threats. In fact, 87% believe that if they could cut back on time spent gathering and reporting data, they’d have a better shot at preventing breaches.

87% of those surveyed said that the biggest risks they face are the "unknown unknowns" they can’t see coming.

The majority surveyed (89%) stated they need a tool that makes sense of their security posture performance by turning raw data into clear, usable insight that drives prioritization and action.

MAIN TAKEAWAY

You can’t protect what you can’t see. Your tools are hiding risks and delaying action.

Increasing complexity and tool sprawl have outpaced a cyber team’s ability to see and protect its environment. Many are still relying on manual, point-in-time control checks, creating critical "unknown unknowns".

Organizations have outgrown traditional, manual control assurance approaches. A sprawling patchwork of disconnected tools is hiding threats that most organizations only discover after damage is done.

How CISOs are responding in 2026

Mature organizations are investing in purpose-built platforms (or engineering their own solutions from the ground up) that unify visibility and automate control validation.

They’re building towards an architecture that provides the independent, verified governance and oversight they need: a single source of truth on controls coverage and effectiveness that bypasses the complexity of modern-day tool sprawl.

© 2025 Panaseer Limited. Reg in England and Wales with the company registration 09098199 Reg address: Ashcombe Court, Woolsack Way, Godalming, Surrey, GU7 1LQ UK.