A new research report from Reach Security reveals that misconfigured security controls, configuration drift, and unused capabilities across an organization’s existing security technology stack are a primary driver of cybersecurity risk.
Controls built into the security tools you already own are quietly drifting out of their intended state. A policy gets tweaked by a cross-functional team. A break-glass exception is made, then forgotten. A product update ships. A setting changes. But no alarm goes off. Time passes and the “secure” environment is not as secure as it used to be. That’s configuration drift, and as the report makes clear, it’s not a niche problem. It’s an everyday reality for any security team managing a complex cybersecurity ecosystem.
Misconfigured security controls lead to breaches. Who says? Practically everyone.
Among a sample of 250 cybersecurity professionals, 97% of respondents said their organization had either a confirmed breach or a near miss in the past year because of a cybersecurity tool misconfiguration. That means nearly every organization surveyed has either been burned or almost burned because of misconfigured security controls.
That’s not a small operational gap, an edge case, or an occasional administrative hiccup. That’s a systemic problem hiding in plain sight, festering in the very controls you already own. That’s breach fuel. Misconfigured security controls and configuration drift are one of the clearest ways exposure accumulates inside mature security environments.
The research also shows why this problem is so stubborn. The average organization in the survey is running 35 different cybersecurity tools. Reach notes that popular security products are updated about 20 times per year, which means a typical enterprise can be dealing with the equivalent of roughly 700 new features or updates across its stack annually. That is a staggering amount of operational motion to keep aligned. In an environment like that, even excellent teams can fall behind. The stack changes faster than humans can manually keep pace.
That scale also helps explain another telling result: the most common sources of configuration-related near misses or breaches were firewalls, EDR, and identity or access policy controls. In other words, the controls we depend on to block bad things before they become active incidents are exactly where drift is creating the most pain. The front door is there. The lock is there. But the lock is not always locked.
Cybersecurity investment is predominantly reactive
And yet most security spending is still tilted toward the middle and back end of the problem. According to the report, 72% of security spending goes to center-of-boom and right-of-boom tools (the tools that help us detect and respond to attacks, and recover from them), while only 28% goes to left-of-boom prevention (the tools that stop attacks before they start). That is understandable. Detection and response are concrete. Incidents are visible. Breaches get budgets. But the pattern is still upside down. If misconfigurations are helping create the incident in the first place, then spending most of the budget on what happens after the fact starts to look a little like buying a bigger mop instead of fixing the leak.
Configuration management is a nascent discipline
The report also exposes a painful operational gap. Organizations review configurations an average of 6.5 times per month, but when a misconfiguration is identified, it takes an average of 8.3 days to remediate. Only 2% say they can fix issues in less than a day. That is a real exposure window. A team can know something is off and still spend more than a week getting back to “safe”. And the report suggests speed alone is not enough anyway, because teams are often chasing the loudest issues, not necessarily the most material ones. So the problem is not just “find drift faster.” It is “find the drift that matters, then fix it before attackers get wise.”
What is especially interesting is how immature drift management still looks in practice. The report says many organizations are still relying on point-in-time audits, penetration tests, spreadsheets, manual reviews, and compliance processes to surface drift. That is useful, but it is not a reliable operational approach. Compliance can tell you that something drifted, but it can’t guarantee you catch it in time. And when 21% say audits expose drift faster than operations can respond, it becomes clear that the process itself is lagging behind the scale of the environment.
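The continuous alternative to a point-in-time audit is a baseline check that runs every time the stack changes. The following is an added illustration, not code from Reach or from the report: it compares a constructed snapshot of firewall, EDR and identity settings (the three control families the survey names) against an approved baseline, ranks any drift by an assumed materiality weight so the most material item is fixed first, and measures the exposure window in days. All setting names and weights are hypothetical.

```python
from datetime import date

# Constructed baseline of approved control settings (hypothetical keys).
BASELINE = {
    "firewall.default_inbound": "deny",
    "firewall.rdp_from_internet": "blocked",
    "edr.tamper_protection": "enabled",
    "edr.block_mode": "enabled",
    "identity.mfa_required_admins": True,
    "identity.legacy_auth": "disabled",
}

# Assumed materiality weights: how much exposure a drifted setting creates.
# Ranking by weight is what lets a team fix "the drift that matters" first.
MATERIALITY = {
    "firewall.rdp_from_internet": 10,
    "identity.mfa_required_admins": 10,
    "firewall.default_inbound": 9,
    "edr.tamper_protection": 8,
    "identity.legacy_auth": 7,
    "edr.block_mode": 6,
}


def find_drift(baseline, current):
    """Return (weight, key, expected, actual) for every drifted setting,
    most material first. A key absent from `current` is treated as drift,
    because a control that was removed is as dangerous as one that changed."""
    drifted = []
    for key, expected in baseline.items():
        actual = current.get(key, "<missing>")
        if actual != expected:
            drifted.append((MATERIALITY.get(key, 1), key, expected, actual))
    return sorted(drifted, key=lambda d: d[0], reverse=True)


def exposure_days(detected_iso, remediated_iso=None):
    """Days between detecting drift and closing it (today if still open)."""
    end = date.fromisoformat(remediated_iso) if remediated_iso else date.today()
    return (end - date.fromisoformat(detected_iso)).days


# Constructed snapshot: a forgotten break-glass exception on the firewall, a
# product update that reset EDR tamper protection, and a legacy-auth policy
# that was deleted outright.
CURRENT = {
    "firewall.default_inbound": "deny",
    "firewall.rdp_from_internet": "allowed",
    "edr.tamper_protection": "disabled",
    "edr.block_mode": "enabled",
    "identity.mfa_required_admins": True,
}

if __name__ == "__main__":
    for weight, key, expected, actual in find_drift(BASELINE, CURRENT):
        print(f"[{weight:>2}] {key}: expected {expected!r}, found {actual!r}")
    print("exposure window (days):", exposure_days("2024-03-01", "2024-03-09"))
```

Run on a schedule or from a change hook, the same check turns a monthly audit finding into a same-day alert, which is the gap the 8.3-day remediation average describes.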
Where do you go from here? How should you proceed? Read the report for a full list of recommendations. But if the report leaves you with one takeaway, it should be this: the next breach may not begin with a brilliant attacker. It may begin with a control that quietly drifted out of place while no one was looking. The good news is that this is fixable. But only if organizations start treating configuration drift like what it is: one of the clearest, most persistent, and most preventable drivers of modern cyber risk.
Get the report. Learn more about configuration drift.