Operations
1/16/2015
02:55 PM

A Lot of Security Purchases Remain Shelfware

Companies may be investing more in security, but many are either underutilizing their new purchases or not using them at all, an Osterman Research survey shows.

Just because a company is willing to invest a stack of money on security technologies doesn't make it any more secure than a company that invests less. In fact, greater spending may actually be creating a false sense of security at many companies.

A new survey by Osterman Research on behalf of Trustwave shows that enterprises that invest in new security controls often end up underutilizing the technologies in which they just invested or not using them at all.

Osterman surveyed 172 small, midsized, and large enterprises from multiple industries and found this to be true with at least 30% of the respondents. In some companies, survey respondents said nearly 30% of all new security investments were not being used at all or were underutilized. One company surveyed said 60% of its security software was shelfware.

"The numbers were pretty eye popping," said Josh Shaul, Trustwave's vice president of product management. "We expected some security software on the shelf. What we found was companies are pouring money down the drain, while the folks approving these purchases are getting a false sense of security."

Some examples of technologies being underutilized included firewalls that were installed but never properly configured with the right rule sets, database monitoring tools that were implemented but whose output was never looked at later, and data leak prevention tools with few policies for monitoring data loss.

The most common causes for shelfware were all tied to a lack of IT resources, Shaul said. When asked to identify why they were not using their security controls more fully, respondents blamed IT for not setting aside enough time to implement security software properly. They also blamed the situation on a lack of people and an insufficient understanding of some security tools within IT.

"When the security guys want to put something on the network, the network ops guys don't understand it," he said. "They are worried about throughput and latency" and other performance issues.

Security teams need a lot of support from operational teams but often don't get it, especially in large organizations. The situation is somewhat better at small companies, where the person or team responsible for making a security purchase also has to figure out a way to deploy it across the enterprise, he said.

Lawrence Pingree, an analyst at Gartner, said in an email that the survey results reflect an unfortunate reality.

"It's quite common to have shelfware for a variety of reasons," Pingree said. "Many organizations lack the resources to properly staff their security functions, which is what drives quite a bit of Managed Security Services growth in the information security market. Sometimes the complexity of an organization's IT deployment function serves as a hindrance for properly utilizing security products." In other cases, a focus on compliance drives spending without really enhancing security.

Pete Lindstrom, an analyst with IDC, said in an email that the shelfware problem is more likely among large companies than smaller ones and is especially prevalent in areas like advanced malware protection. "CISOs recognize this as well and are looking for ways to integrate their products and squeeze more functionality" out of them.

The Osterman survey found that organizations spent significantly more on security software, hardware, and services in 2014 than they did the year before. The average survey respondent spent about $115 per user on security, compared with $80 per user in 2013. Osterman estimated that $33 of this remains unutilized or underutilized.

The average numbers, though, are not fully reflective of the way big and small companies spend on security. Typically, Shaul said, the cost per user is much higher for small companies, because they often do not get the steep volume discounts that large companies can extract from vendors. On average, small and midsized businesses spent more than $150 per user on security, compared to just more than $70 for a large company.

"In some cases you got the non-technology business leadership putting pressure on security, saying, 'I don't want to be the next big target [of a cyberattack], so what are you doing about it?'" Shaul said. "And the CISO is often responding with 'I got the fanciest firewall I can get.'"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
dplyons
User Rank: Apprentice
1/21/2015 | 10:04:59 AM
Re: Firewalls installed but not configured correctly, really?
I have known many standard IT Admins.  I would trust very very few of them with maintaining a firewall, let alone researching/implementing proper security policies.
Marilyn Cohodas
User Rank: Strategist
1/21/2015 | 8:40:00 AM
Re: Firewalls installed but not configured correctly, really?
Great point about access rules, @dplyons. But do you really need a security engineer to configure access to corporate systems via a firewall? Shouldn't your standard IT admin be able to do that?
Dr.T
User Rank: Ninja
1/20/2015 | 4:08:57 PM
fanciest firewall?
I agree with the article mainly. I like the term fanciest firewall; I hope he was not talking about shape, color and other pretty things about the firewall. :--)) Granted, there are really nice firewalls out there; however, as I mentioned in my other post, a firewall would not be considered a security device in today's environment. We need to go beyond firewalls and start implementing strategies that protect us from the things coming through the firewall.
Dr.T
User Rank: Ninja
1/20/2015 | 4:01:05 PM
Re: Firewalls installed but not configured correctly, really?
I hear you, Marilyn, and agree. At the same time, with today's highly sophisticated tools, a firewall is not really a security device; nobody is really trying to hack the firewall, they are just passing through without any effort.
Dr.T
User Rank: Ninja
1/20/2015 | 3:57:24 PM
Re: Great Insight
Not only that, but there is no ROI; a business cannot really afford buying a product but not using it in today's limited-budget world.
Dr.T
User Rank: Ninja
1/20/2015 | 3:55:07 PM
No skilled IT staff?
As the article mentioned, the main reason may be that there is no skilled IT staff in house. Sometimes companies make the purchase in a rush because of immediate needs, and when the pressure goes away in the next few months, that creates an illusion that the threats or vulnerabilities disappeared, which basically defines the end of the project and puts the recently bought software on the shelf.
dplyons
User Rank: Apprentice
1/20/2015 | 10:35:45 AM
Re: Firewalls installed but not configured correctly, really?
Incorrectly configured firewalls are all too common. Too many users/managers/CIOs insisting that things "just work", too few security engineers. The results are access rules that are far too broad, or simply permitting all traffic.
Marilyn Cohodas
User Rank: Strategist
1/20/2015 | 8:39:01 AM
Firewalls installed but not configured correctly, really?
This is quite remarkable, not to mention data from database monitoring tools that was never seen and a lack of policy for data leak prevention tools. How common is this, really? Please share!
Daniel Riedel
User Rank: Author
1/19/2015 | 11:36:30 AM
Great Insight
Thanks for bringing to light this all too common scenario, Jai. Businesses can't expect to see results from security software if it just sits on the shelf. 