The average organization spent $115 per user on security-related software last year, but $33 of it, or 28 percent, was underutilized or not used at all, according to a new report from Osterman Research.
"As much as 60 percent of security software remains completely unused in some organizations," the report said.
Almost all of this wasted spending was on traditional packaged software, because cloud services are typically billed based on use and need little or no additional configuration or customization.
Specifically, 81 percent of security software was still delivered in the traditional way, compared to 19 percent that was cloud-based, according to the survey of IT decision makers in large and small companies.
"There's obviously a lot of products still being sold in the traditional, old-school model," said Josh Shaul, VP of product management at Chicago-based Trustwave Holdings, Inc., which sponsored the report.
What happens is that companies buy the software this year, and hope to get the budget to actually operationalize the software next year, he said.
"That strategy fails," said Shaul.
Next year just brings a new set of challenges, and a new set of software to buy.
"The software is bought to check the box, to calm down the management, to show you're doing something," he said. "But now you're just building up more stuff on the shelf that you're going to 'roll out next year'."
To be more exact, 35 percent of survey respondents said that software was sitting on the shelf because IT was too busy to implement it properly.
33 percent said that IT didn't have enough resources. 19 percent said IT did not understand the software well enough. 18 percent cited insufficient vendor support. 17 percent said IT didn't have sufficient skills or training.
Only 12 percent said that IT did not understand the security problem well enough.
The ratio of spending that goes to traditional software is changing, however.
In 2015, the percent of security software bought traditionally is expected to fall from 81 to 72 percent.
One striking finding was that smaller organizations were spending quite a bit more money on their security technology than large companies.
Those with 1,000 Internet-enabled users or fewer spent an average of $156 on security technology per user -- but larger companies spent just $73.
"When a large enterprise goes to buy endpoint protection for the 50,000 endpoints they've got, that's going to justify a pretty significant discount," said Shaul, with some volume discounts going as high as 80 percent.
"The deck is stacked against the small and medium business," he said.
As a result, small companies are turning to cloud-based security providers at a faster rate than large ones.
According to Osterman Research, not only are cloud-based solutions less wasteful, but they're also typically cheaper than traditional software. They also help smaller companies save on personnel.
"Smaller organizations cannot spread the cost of IT labor over as large a group of users like their enterprise counterparts, and so smaller organizations spend more for IT labor on a per user basis," said the report.