Connect with us

Hi, what are you looking for?


Management & Strategy

Security Spending Wasted When Software Goes Unimplemented

There is a scene in the movie “A Bronx Tale” where Robert De Niro’s character says that there is nothing worse in life than wasted talent. In the world of IT, that quote could be changed to say there is nothing worse than money wasted on unimplemented security.  

There is a scene in the movie “A Bronx Tale” where Robert De Niro’s character says that there is nothing worse in life than wasted talent. In the world of IT, that quote could be changed to say there is nothing worse than money wasted on unimplemented security.  

According to a new survey of 172 IT decision makers and influencers in both enterprises and small to midsized businesses, 28 percent of organizations are not getting the most bang for their buck when it comes to their security investments. According to Osterman Research, of the $115 per user respondents spent on security-related software in 2014, $33 was either underutilized or never used at all. In other words, in an organization of 500 users, more than $16,000 in security-related software investments was either partially or completed wasted.

“In Question 6 in the survey, we asked respondents to categorize their security-software spending as a) working about like they planned, b) working, but it could be better, or c) never used,” said Michael Osterman, principal analyst at Osterman Research Inc. “The total of b) and c) was 28.3 percent. We then multiplied that figure by the median of $115.38 per user that organizations spent on security-related software and other expenditures in 2014: $115.38 x 28.3 percent = $32.67.”

The study found that the four biggest reasons for this “shelfware” have a single common theme – a lack of IT resources. IT staff “was too busy to implement the software properly, IT did not have enough time to do so, there were not enough people available to do so, or IT did not understand the software well enough,” the report states.

Perhaps surprisingly, the least serious reason was that IT did not understand the security problems they faced. Instead, the survey found that the respondents felt IT understood the security challenges well, but did not have the amount of people necessary to implement the appropriate solutions to those problems.

“We sometimes see situations where security purchases were made without a deployment plan,” said Josh Shaul, vice president of product management at Trustwave, which sponsored the survey. “This occurs most often when a security team is trying to respond to questions from executive management or the board of directors about the team’s efforts to keep the organization secure. The easiest answer in these situations is often to cite a product purchase.”

“In these cases, deployment is an afterthought, and often the next security product is purchased before that firewall ever gets properly installed and configured,” he continued. “A similar situation is one where an organization’s security priorities are constantly shifting and there is never time to get a new deployment project completed properly.”

In other situations, there was a deployment plan in place, but for some reason that plan did not work and the security solution ended up not being fully deployed, he said.

Advertisement. Scroll to continue reading.

“Sometimes that’s because a security team underestimates the complexity and resource requirements needed to make a security product operational,” Shaul added. “This is most often the case when cross-functional collaboration is required to deploy a security solution. The security team doesn’t fully consider the effort required by the operations team, and the operations team faces a lot of work to configure a security solution that they don’t fully understand and therefore don’t really believe they need. For example, a solution designed to identify abnormal access to sensitive data needs to be setup with detailed knowledge about what normal access to sensitive data looks like. Pulling together that detailed information can generally only be done by people who understand the operation and is usually a huge task that until completed holds up the deployment of the security solution already purchased.”

The report recommends business and IT decision makers set realistic expectations for IT staff resources, and budget appropriately to ensure that the problem is minimized as much as possible.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem