Is Your Security Software Sitting Unused on the Shelf?

Your security software isn't working? It could be because your company is one of the many that don't actually use the products they buy.

When a company invests thousands of dollars in security software, you'd expect the product to be used to protect the company.

However, a recent study produced by Trustwave, a security services company, shows that in 2014 almost a third of midsized companies bought software they barely or never even used.

"In the security business, we've known forever that there's this problem with security sitting on the shelf not being used," says Josh Shaul, vice president of product management for Trustwave. "Even though we knew that there was a problem in this department, the numbers that came back about the amount of security spend that's being underutilized was pretty eye popping."

The $16,000 Question: Security Dollars Wasted

The study was conducted by Osterman Research, a third-party research firm, on behalf of Trustwave. They surveyed 172 IT professionals who work in midsized businesses.

According to the survey, 28 percent of organizations are not getting the full value out of purchased software. Of the $115 per person organizations spent on security-related software, $33 was underused or not used at all. This means that a company of 500 wasted $16,000 last year.

"That's a huge amount of security product that's being purchased and just not delivering on value," says Shaul, adding that the actual number could be much higher. "That's just what people are admitting to us or what they're conscious of."

Thirty-five percent of organizations say this under- or non-use happened because IT has no time or is too busy to implement the software. Thirty-three percent say that they don't have the workpower to make it happen. Nineteen percent say they didn't understand the software solution well enough.

Shaul says that this is most likely due to a disconnect between who buys the software and who must implement it. Those decisions are usually made by executive management or even at the board-of-directors level.

"When those approvals happen, the folks that approve them feel like those purchases are going to reduce their risk," he says. "They're not thinking about the details of getting it rolled out, configured and deployed."

David Monahan, research director for security and risk management for Enterprise Management Associates, agrees. "It's a failure to identify the business requirements prior to purchase. They don't include the right people." That mistake can be "exacerbated by the failure to get the right people involved in project management," he adds.

Letting security software collect dust wastes money, but it also creates a false sense of security on the management level. "They know they bought the stuff. They figured it's being used," Shaul says, when in reality the IT department doesn't have enough training or time to make sure that's the case.

IT Involvement and Cloud Options Needed for Security Software to Work

One way to fill the gap between spend and use is to give IT a seat at the table in making software decisions, says Shaul. They should also coordinate with the network team to make sure that the security software purchased can work with the existing system.

Another solution is to turn to the cloud. If companies realize that they're throwing money out the window because they don't have the workpower to put purchases into action, they may outsource it to a third-party company.

Monahan points out that the issue with not having enough IT staff to deploy software isn't really because of a lack of spending, but because of the job market. Good people can be hard to find and keep.

"We are in an employee market especially in security," he says. "So the folks that really know what's going on can be tempted away by someone else with bigger purse strings and that will torpedo a project." Working with HR to either bring in the right people or make sure the people you have are paid appropriately and are happy with their jobs will help make sure that what is bought is used.

The Good News: Companies Are Dedicated to Security

The survey wasn't entirely bleak. Most organizations reported spending more per employee on security solutions, up from $80 to $115, a 44 percent increase. This means that companies are aware of security issues and dedicated to fixing them.

The survey also found that 43 percent of companies expect to go to cloud-based or managed services in 2015. This could be a boon for smaller companies, which are spending $157 per employee on security versus $73 per employee in larger companies.

"It's difficult to operate your own systems and operate them securely," Shaul says. "A cloud services provider has the manpower to operate the systems they're operating and operate them securely and effectively."

Monahan says that this could lead companies to work with vendors that offer both services on site and through the cloud. Not only does that leave the job up to the pros, but it hurdles over any retention problems. "You don't have to worry about the internal staff issue and things like that," he says.
