Ross Haleliuk challenges the cybersecurity industry's most persistent anxieties by reframing market saturation not as a failure, but as a necessary engine for innovation. While most voices lament the overwhelming number of security tools, Haleliuk argues that the real crisis lies in the strategic paralysis of the buyers themselves, who mistake shopping for solving. This perspective is vital for leaders drowning in vendor noise, as it shifts the burden of clarity from the marketplace to the organization's internal strategy.
The Illusion of Choice
Haleliuk tackles the pervasive complaint that the market is too crowded, noting that critics often ask, "Should we really be celebrating that? Why do we need so many point solutions?" He dismantles this by drawing a sharp parallel to consumer goods, observing that "nobody can tell the difference between 30+ brands of toilet paper by looking at the package," yet the market thrives on that variety. The author's analogy of a grocery store is particularly effective; he posits that when a shopper leaves with a cart full of unrelated items, the failure is the shopper's lack of a plan, not the store's decision to stock the shelves. As Haleliuk writes, "The store did exactly what it's supposed to do: offer choice. The real problem here is that the person went to the store without a shopping list and without a clear plan of what it is they would like to cook for dinner."
This framing is powerful because it refuses to let security teams off the hook for their own lack of strategic vision. The author suggests that the industry's fatigue stems from "reactively buying tools" rather than starting with a definition of the problems they need to solve. Critics might argue that this view places too much blame on overwhelmed practitioners who are often understaffed and facing threats they cannot control. However, Haleliuk's point stands: without a clear strategy, even the best tools are just "a ton of crap that doesn't add up to a meal." The solution, he argues, is to filter vendors based on whether they can "help us with essentials," noting that most breaches result from mundane failures like unpatched servers or orphaned accounts, not sophisticated zero-day exploits.
The gap between our security capabilities and the attack surface is now the largest it has ever been.
The Paradox of Progress
The second question Haleliuk addresses is the cynical refrain: "but are we getting more secure?" He answers with emphatic certainty, stating, "YES, WE ARE," and supports this by pointing to the proliferation of endpoint detection, multi-factor authentication, and patching practices. The core of his argument is that while defenses are maturing, the "attack surface we have to defend expands faster than anything anyone on the planet can contain." He illustrates this with a visual of two diverging lines: one representing rising security maturity and the other representing an exploding attack surface driven by cloud infrastructure, APIs, and remote work. "Every new layer adds flexibility and speed, but also complexity and exposure," he notes, explaining why the gap between capability and threat is widening even as absolute security improves.
This analysis cuts through the doom-and-gloom narrative that often dominates security news. Haleliuk reminds readers that if defenses weren't improving, the world would have already collapsed under the weight of breaches. He credits the ecosystem of startups for this progress, arguing that "without the first 10-15 point solutions trying to secure the cloud, Wiz would have never happened." This highlights a crucial dynamic: innovation often requires a cohort of failed or niche experiments before a dominant solution emerges. A counterargument worth considering is that this "innovate first, consolidate later" model leaves organizations vulnerable during the chaotic early stages of market development. Yet Haleliuk insists that "99.999999% of security and IT teams are barely equipped and staffed to keep the lights on," making external innovation not optional but essential.
Bottom Line
Haleliuk's strongest contribution is the refusal to accept market saturation as a symptom of industry failure, instead identifying it as a feature of a healthy, competitive ecosystem. The argument's vulnerability lies in its assumption that security leaders have the bandwidth to develop the strategic clarity he demands, a luxury many do not possess. Ultimately, the piece serves as a necessary corrective to the industry's self-defeating cynicism, urging a shift from questioning the number of tools to mastering the strategy behind them.