There is a scene in the movie “A Bronx Tale” where Robert De Niro’s character says that there is nothing worse in life than wasted talent. In the world of IT, that quote could be changed to say there is nothing worse than money wasted on unimplemented security.
According to a new survey of 172 IT decision makers and influencers in both enterprises and small to midsized businesses, 28 percent of organizations are not getting the most bang for their buck when it comes to their security investments. According to Osterman Research, of the $115 per user respondents spent on security-related software in 2014, $33 was either underutilized or never used at all. In other words, in an organization of 500 users, more than $16,000 in security-related software investments was either partially or completely wasted.
“In Question 6 in the survey, we asked respondents to categorize their security-software spending as a) working about like they planned, b) working, but it could be better, or c) never used,” said Michael Osterman, principal analyst at Osterman Research Inc. “The total of b) and c) was 28.3 percent. We then multiplied that figure by the median of $115.38 per user that organizations spent on security-related software and other expenditures in 2014: $115.38 x 28.3 percent = $32.67.”
The study found that the four biggest reasons for this “shelfware” have a single common theme – a lack of IT resources. IT staff “was too busy to implement the software properly, IT did not have enough time to do so, there were not enough people available to do so, or IT did not understand the software well enough,” the report states.
Perhaps surprisingly, the least serious reason was that IT did not understand the security problems they faced. Instead, the survey found that the respondents felt IT understood the security challenges well, but did not have the number of people necessary to implement the appropriate solutions to those problems.
“We sometimes see situations where security purchases were made without a deployment plan,” said Josh Shaul, vice president of product management at Trustwave, which sponsored the survey. “This occurs most often when a security team is trying to respond to questions from executive management or the board of directors about the team’s efforts to keep the organization secure. The easiest answer in these situations is often to cite a product purchase.”
“In these cases, deployment is an afterthought, and often the next security product is purchased before that firewall ever gets properly installed and configured,” he continued. “A similar situation is one where an organization’s security priorities are constantly shifting and there is never time to get a new deployment project completed properly.”
In other situations, there was a deployment plan in place, but for some reason that plan did not work and the security solution ended up not being fully deployed, he said.
“Sometimes that’s because a security team underestimates the complexity and resource requirements needed to make a security product operational,” Shaul added. “This is most often the case when cross-functional collaboration is required to deploy a security solution. The security team doesn’t fully consider the effort required by the operations team, and the operations team faces a lot of work to configure a security solution that they don’t fully understand and therefore don’t really believe they need. For example, a solution designed to identify abnormal access to sensitive data needs to be set up with detailed knowledge about what normal access to sensitive data looks like. Pulling together that detailed information can generally only be done by people who understand the operation and is usually a huge task that until completed holds up the deployment of the security solution already purchased.”
The report recommends business and IT decision makers set realistic expectations for IT staff resources, and budget appropriately to ensure that the problem is minimized as much as possible.