
SecurityWeek

Management & Strategy

Security Spending Wasted When Software Goes Unimplemented

There is a scene in the movie “A Bronx Tale” where Robert De Niro’s character says that there is nothing worse in life than wasted talent. In the world of IT, that quote could be changed to say there is nothing worse than money wasted on unimplemented security.  


According to a new survey of 172 IT decision makers and influencers in both enterprises and small to midsized businesses, 28 percent of organizations are not getting the most bang for their buck when it comes to their security investments. According to Osterman Research, of the $115 per user respondents spent on security-related software in 2014, $33 was either underutilized or never used at all. In other words, in an organization of 500 users, more than $16,000 in security-related software investments was either partially or completely wasted.

“In Question 6 in the survey, we asked respondents to categorize their security-software spending as a) working about like they planned, b) working, but it could be better, or c) never used,” said Michael Osterman, principal analyst at Osterman Research Inc. “The total of b) and c) was 28.3 percent. We then multiplied that figure by the median of $115.38 per user that organizations spent on security-related software and other expenditures in 2014: $115.38 x 28.3 percent = $32.67.”

The study found that the four biggest reasons for this “shelfware” have a single common theme – a lack of IT resources. IT staff “was too busy to implement the software properly, IT did not have enough time to do so, there were not enough people available to do so, or IT did not understand the software well enough,” the report states.

Perhaps surprisingly, the least serious reason was that IT did not understand the security problems it faced. Instead, the survey found that respondents felt IT understood the security challenges well, but did not have the number of people necessary to implement the appropriate solutions to those problems.

“We sometimes see situations where security purchases were made without a deployment plan,” said Josh Shaul, vice president of product management at Trustwave, which sponsored the survey. “This occurs most often when a security team is trying to respond to questions from executive management or the board of directors about the team’s efforts to keep the organization secure. The easiest answer in these situations is often to cite a product purchase.”

“In these cases, deployment is an afterthought, and often the next security product is purchased before that firewall ever gets properly installed and configured,” he continued. “A similar situation is one where an organization’s security priorities are constantly shifting and there is never time to get a new deployment project completed properly.”

In other situations, there was a deployment plan in place, but for some reason that plan did not work and the security solution ended up not being fully deployed, he said.


“Sometimes that’s because a security team underestimates the complexity and resource requirements needed to make a security product operational,” Shaul added. “This is most often the case when cross-functional collaboration is required to deploy a security solution. The security team doesn’t fully consider the effort required by the operations team, and the operations team faces a lot of work to configure a security solution that they don’t fully understand and therefore don’t really believe they need. For example, a solution designed to identify abnormal access to sensitive data needs to be set up with detailed knowledge about what normal access to sensitive data looks like. Pulling together that detailed information can generally only be done by people who understand the operation and is usually a huge task that until completed holds up the deployment of the security solution already purchased.”

The report recommends business and IT decision makers set realistic expectations for IT staff resources, and budget appropriately to ensure that the problem is minimized as much as possible.

Written By

Marketing professional with a background in journalism and a focus on IT security.
