When a company invests thousands of dollars in security software, you'd expected the product to be used to protect the company.
However, a recent study produced by Trustwave a security services company, shows that in 2014 almost a third of midsized companies bought software they barely or never even used.
"In the security business, we've known forever that there's this problem with security sitting on the shelf not being used," says Josh Shaul, vice president of product management for Trustwave. "Even though we knew that there was a problem in this department, the numbers that came back about the amount of security spend that's being underutilized was pretty eye popping."
The $16,000 Question: Security Dollars Wasted
The study was conducted by Osterman Research, a third-party research firm, on behalf of Trustwave. They surveyed 172 IT professionals who work in midsized businesses.
According to the survey, 28 percent of organizations are not getting the full value out of purchased software. Of the $115 per person organizations spent on security-related software, $33 was underused or not used at all. This means that a company of 500 wasted $16,000 last year.
"That's a huge amount of security product that's being purchased and just not delivering on value," says Shaul, adding that the actual number could be much higher. "That's just what people are admitting to us or what they're conscious of."
Thirty-five percent of organizations say this under or non-use happened because IT has no time or is too busy to implement the software. Thirty-three percent say that they don't have the workpower to make it happen. Nineteen percent say they didn't understand the software solution well enough.
Shaul says that this is most likely is due to a disconnect between who is doing the buying of the software, and who must implement it. Those decisions are usually made by executive management or even at the board of director level.
"When those approvals happen, the folks that approve them feel like those purchases are going to reduce their risk," he says. "They're not thinking about the details of getting it rolled out, configured and deployed."
David Monahan, research director for security and risk managements for Enterprise Management Associates, agrees. "It's a failure to identify the business requirements prior to purchase. They don't include the right people." That mistake can be "exacerbated by the failure to get the right people involved in project management," he adds.
Letting security software collect dust wastes money, but it also creates a false sense of security on the management level. "They know they bought the stuff. They figured it's being used," Shaul says, when in reality the IT department doesn't have enough training or time to make sure that's the case.
IT Involvement and Cloud Options Needed for Security Software to Work
One way to fill the gap between spend and use is to give IT a seat at the table in making software decisions, says Shaul. They should also coordinate with the network team to make sure that the security software purchased can work with the existing system.
Another solution is to turn to the cloud. If companies realize that they're throwing money out the window because they don't have the workpower to put purchases into action, they may outsource it to a third party company.
Monahan points out that the issue with not having enough IT staff to deploy software isn't really because of a lack of spending, but because of the job market. Good people can be hard to find and keep.
"We are in an employee market especially in security," he says. "So the folks that really know what's going on can be tempted away by someone else with bigger purse springs and that will torpedo a project." Working with HR to either bring in the right people or make sure who you have are paid appropriately and are happy with their jobs will help make sure that what is bought is used.
The Good News: Companies Are Dedicated to Security
The survey wasn't entirely bleak. Most organizations reported spending more per employee on security solutions, up from $80 to $115, a 44 percent increase. This means that companies are aware of security issues and dedicated to fixing it.
The survey also found that 43 percent of companies expect to go to cloud-based on managed services in 2015. This could be a boon for smaller companies, which are spending $157 per employee on security versus $73 per employee in larger companies.
"It's difficult to operate your own systems and operate them securely," Shaul says. "A cloud services provider has the manpower to operate the systems they're operating and operate them securely and effectively."
Monahan says that this could lead companies to work with vendors that offer both services on site and through the cloud. Not only does that leave the job up to the pros, but it hurdles over any retention problems. "You don't have to worry about the internal staff issue and things like that," he says.