Security Spending Wasted When Software Goes Unimplemented

There is a scene in the movie “A Bronx Tale” where Robert De Niro’s character says that there is nothing worse in life than wasted talent. In the world of IT, that quote could be changed to say there is nothing worse than money wasted on unimplemented security.  

According to a new survey of 172 IT decision makers and influencers in both enterprises and small to midsized businesses, 28 percent of organizations are not getting the most bang for their buck when it comes to their security investments. According to Osterman Research, of the $115 per user respondents spent on security-related software in 2014, $33 was either underutilized or never used at all. In other words, in an organization of 500 users, more than $16,000 in security-related software investments was either partially or completely wasted.

“In Question 6 in the survey, we asked respondents to categorize their security-software spending as a) working about like they planned, b) working, but it could be better, or c) never used,” said Michael Osterman, principal analyst at Osterman Research Inc. “The total of b) and c) was 28.3 percent. We then multiplied that figure by the median of $115.38 per user that organizations spent on security-related software and other expenditures in 2014: $115.38 x 28.3 percent = $32.67.”

The study found that the four biggest reasons for this “shelfware” have a single common theme – a lack of IT resources. IT staff “was too busy to implement the software properly, IT did not have enough time to do so, there were not enough people available to do so, or IT did not understand the software well enough,” the report states.

Perhaps surprisingly, the least serious reason was that IT did not understand the security problems they faced. Instead, the survey found that the respondents felt IT understood the security challenges well, but did not have the number of people necessary to implement the appropriate solutions to those problems.

“We sometimes see situations where security purchases were made without a deployment plan,” said Josh Shaul, vice president of product management at Trustwave, which sponsored the survey. “This occurs most often when a security team is trying to respond to questions from executive management or the board of directors about the team’s efforts to keep the organization secure. The easiest answer in these situations is often to cite a product purchase.”

“In these cases, deployment is an afterthought, and often the next security product is purchased before that firewall ever gets properly installed and configured,” he continued. “A similar situation is one where an organization’s security priorities are constantly shifting and there is never time to get a new deployment project completed properly.”

In other situations, there was a deployment plan in place, but for some reason that plan did not work and the security solution ended up not being fully deployed, he said.

“Sometimes that’s because a security team underestimates the complexity and resource requirements needed to make a security product operational,” Shaul added. “This is most often the case when cross-functional collaboration is required to deploy a security solution. The security team doesn’t fully consider the effort required by the operations team, and the operations team faces a lot of work to configure a security solution that they don’t fully understand and therefore don’t really believe they need. For example, a solution designed to identify abnormal access to sensitive data needs to be set up with detailed knowledge about what normal access to sensitive data looks like. Pulling together that detailed information can generally only be done by people who understand the operation and is usually a huge task that until completed holds up the deployment of the security solution already purchased.”

The report recommends business and IT decision makers set realistic expectations for IT staff resources, and budget appropriately to ensure that the problem is minimized as much as possible.
