Twenty-eight percent of security spending wasted on shelfware

The average organization spent $115 per user on security-related software last year, but $33 of it, or 28 percent, was underutilized or not used at all, according to a new report from Osterman Research.

"As much as 60 percent of security software remains completely unused in some organizations," the report said.

Almost all of this wasted spending was on traditional packaged software, because cloud services are typically billed based on use and need little or no additional configuration or customization.

Specifically, 81 percent of security software was still delivered in the traditional way, compared to 19 percent that was cloud-based, according to the survey of IT decision makers in large and small companies.

"There's obviously a lot of products still being sold in the traditional, old-school model," said Josh Shaul, VP of product management at Chicago-based Trustwave Holdings, Inc., which sponsored the report.

What happens is that companies buy the software this year, and hope to get the budget to actually operationalize the software next year, he said.

"That strategy fails," said Shaul.

Next year just brings a new set of challenges, and a new set of software to buy.

"The software is bought to check the box, to calm down the management, to show you're doing something," he said. "But now you're just building up more stuff on the shelf that you're going to 'roll out next year'."

To be more exact, 35 percent of survey respondents said that software was sitting on the shelf because IT was too busy to implement it properly.

33 percent said that IT didn't have enough resources. 19 percent said IT did not understand the software well enough. 18 percent cited insufficient vendor support. 17 percent said IT didn't have sufficient skills or training.

Only 12 percent said that IT did not understand the security problem well enough.

The ratio of spending that goes to traditional software is changing, however.

In 2015, the percentage of security software bought traditionally is expected to fall from 81 to 72 percent.

One striking finding was that smaller organizations were spending quite a bit more money on their security technology than large companies.

Those with 1,000 Internet-enabled users or fewer spent an average of $156 on security technology per user -- but larger companies spent just $73.

"When a large enterprise goes to buy endpoint protection for the 50,000 endpoints they've got, that's going to justify a pretty significant discount," said Shaul, with some volume discounts going as high as 80 percent.

"The deck is stacked against the small and medium business," he said.

As a result, small companies are turning to cloud-based security providers at a faster rate than large ones.

According to Osterman Research, not only are cloud-based solutions less wasteful, but they're also typically cheaper than traditional software. They also help smaller companies save on personnel.

"Smaller organizations cannot spread the cost of IT labor over as large a group of users like their enterprise counterparts, and so smaller organizations spend more for IT labor on a per user basis," said the report.

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place