Just because a company is willing to invest a stack of money on security technologies doesn't make it any more secure than a company that invests less. In fact, greater spending may actually be creating a false sense of security at many companies.
A new survey by Osterman Research on behalf of Trustwave shows that enterprises that invest in new security controls often end up underutilizing the technologies in which they just invested or not using them at all.
Osterman surveyed 172 small, midsized, and large enterprises from multiple industries and found this to be true for at least 30% of the respondents. In some companies, survey respondents said nearly 30% of all new security investments were not being used at all or were underutilized. One company surveyed said 60% of its security software was shelfware.
"The numbers were pretty eye popping," said Josh Shaul, Trustwave's vice president of product management. "We expected some security software on the shelf. What we found was companies are pouring money down the drain, while the folks approving these purchases are getting a false sense of security."
Some examples of underutilized technologies included firewalls that were installed but never properly configured with the right rule sets, database monitoring tools that were implemented but never reviewed afterwards, and data leak prevention tools with few policies for monitoring data loss.
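The three patterns above (a control installed but left on vendor defaults, a monitoring tool whose output nobody reviews, a DLP or firewall product with no policies enabled) can be turned into a simple shelfware audit over an inventory of deployed controls. The following is an added example, not code from the article or from Trustwave or Osterman; the inventory, cost figures, category names and the 90-day review window are constructed assumptions.

```python
"""Flag underutilized security controls in a (constructed) inventory.

Added example: encodes the three underutilization patterns the survey
describes as checks, then reports the share of annual spend that is
effectively shelfware. All data below is made up for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Fixed audit date so the report is reproducible (constructed value).
AUDIT_DATE = date(2015, 1, 15)

# Categories whose value comes from someone actually reading their output.
REVIEW_DRIVEN = {"dbmon", "siem"}
# Categories that do nothing useful until rules/policies exist.
POLICY_DRIVEN = {"firewall", "dlp"}


@dataclass
class Control:
    name: str
    category: str                   # e.g. "firewall", "dbmon", "dlp", "endpoint"
    annual_cost: float              # what the control costs per year
    configured: bool                # vendor defaults replaced with a site-specific config
    last_reviewed: Optional[date]   # when someone last looked at its output, if ever
    policy_count: int = 0           # rules or policies actually enabled


def utilization_issues(c: Control, today: date, review_window_days: int = 90) -> List[str]:
    """Return the list of shelfware symptoms a control exhibits (empty if healthy)."""
    issues: List[str] = []
    if not c.configured:
        issues.append("installed but never configured")
    if c.category in REVIEW_DRIVEN:
        stale = c.last_reviewed is None or (today - c.last_reviewed).days > review_window_days
        if stale:
            issues.append(f"output not reviewed in the last {review_window_days} days")
    if c.category in POLICY_DRIVEN and c.policy_count == 0:
        issues.append("no rules or policies defined")
    return issues


def audit(controls: List[Control], today: date) -> Dict[str, object]:
    """Summarize how much of the inventory's spend is tied up in flagged controls."""
    flagged: Dict[str, List[str]] = {}
    total_cost = 0.0
    shelfware_cost = 0.0
    for c in controls:
        total_cost += c.annual_cost
        issues = utilization_issues(c, today)
        if issues:
            flagged[c.name] = issues
            shelfware_cost += c.annual_cost
    fraction = shelfware_cost / total_cost if total_cost else 0.0
    return {
        "total_cost": total_cost,
        "shelfware_cost": shelfware_cost,
        "shelfware_fraction": fraction,
        "flagged": flagged,
    }


def sample_inventory(today: date) -> List[Control]:
    """Constructed five-control inventory exhibiting each pattern from the article."""
    d = lambda n: today - timedelta(days=n)
    return [
        Control("Perimeter firewall", "firewall", 40000, True, d(10), policy_count=120),
        Control("Branch firewall", "firewall", 12000, False, None, policy_count=0),
        Control("Database activity monitor", "dbmon", 30000, True, d(200), policy_count=15),
        Control("DLP gateway", "dlp", 25000, True, d(5), policy_count=0),
        Control("Endpoint AV", "endpoint", 18000, True, d(30), policy_count=4),
    ]


if __name__ == "__main__":
    report = audit(sample_inventory(AUDIT_DATE), AUDIT_DATE)
    print(f"Total annual spend:   {report['total_cost']:>10,.0f}")
    print(f"Spend on shelfware:   {report['shelfware_cost']:>10,.0f} "
          f"({report['shelfware_fraction']:.1%})")
    for name, issues in report["flagged"].items():
        print(f"  {name}: {'; '.join(issues)}")
```

The point of the check is not the arithmetic but the evidence it demands: a control only counts as "used" when someone can show a non-default configuration, a recent review of its output, or enabled policies, which is the kind of question the article's respondents were unable to answer for roughly a third of their purchases.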
The most common causes for shelfware were all tied to a lack of IT resources, Shaul said. When asked to identify why they were not using their security controls more fully, respondents blamed IT for not setting aside enough time to implement security software properly. They also blamed the situation on a lack of people and an insufficient understanding of some security tools within IT.
"When the security guys want to put something on the network, the network ops guys don't understand it," he said. "They are worried about throughput and latency" and other performance issues.
Security teams need a lot of support from operational teams but often don't get it, especially in large organizations. The situation is somewhat better at small companies, where the person or team responsible for making a security purchase also has to figure out a way to deploy it across the enterprise, he said.
Lawrence Pingree, an analyst at Gartner, said in an email that the survey results reflect an unfortunate reality.
"It's quite common to have shelfware for a variety of reasons," Pingree said. "Many organizations lack the resources to properly staff their security functions, which is what drives quite a bit of Managed Security Services growth in the information security market. Sometimes the complexity of an organization's IT deployment function serves as a hindrance for properly utilizing security products." In other cases, a focus on compliance drives spending without really enhancing security.
Pete Lindstrom, an analyst with IDC, said in an email that the shelfware problem is more likely among large companies than smaller ones and is especially prevalent in areas like advanced malware protection. "CISOs recognize this as well and are looking for ways to integrate their products and squeeze more functionality" out of them.
The Osterman survey found that organizations spent significantly more on security software, hardware, and services in 2014 than they did the year before. The average survey respondent spent about $115 per user on security, compared with $80 per user in 2013. Osterman estimated that $33 of this remains unutilized or underutilized.
The average numbers, though, do not fully reflect the way big and small companies spend on security. Typically, Shaul said, the cost per user is much higher for small companies, because they often do not get the steep volume discounts that large companies can extract from vendors. On average, small and midsized businesses spent more than $150 per user on security, compared with just over $70 for a large company.
"In some cases you got the non-technology business leadership putting pressure on security, saying, 'I don't want to be the next big target [of a cyberattack], so what are you doing about it?'" Shaul said. "And the CISO is often responding with 'I got the fanciest firewall I can get.'"