Security Shelfware Continues to Be a Big Challenge

A Trustwave-sponsored study reports that 28 percent of organizations are not realizing the full value of security-related software investments.

A new study conducted by Osterman Research and sponsored by Trustwave provides insight into the challenge of shelfware. Shelfware describes software that sits on the shelf, instead of being properly utilized. The study was conducted in November 2014 and included responses from 172 IT decision-makers and influencers.

"The respondents to the survey were IT professionals selected from the Osterman Research survey panel," Michael Osterman, principal analyst at Osterman Research, told eWEEK. "We did not specifically use the qualifier of 'IT security professional' for this survey."

Among the report's key discoveries is the finding that, in 2014, out of the $115 that organizations spent per user on security, $33 of the investment was never used or was underutilized.

"We knew going in that there is a big shelfware problem in security," Josh Shaul, vice president of product management at Trustwave, told eWEEK. "We have seen evidence of that problem for years, particularly in our computer forensics and incident response business."

Shaul said he was surprised by how many of the respondents were not only aware of the issues at their own firms, but were willing to admit to them. He noted that, in working with clients day to day, Trustwave sees a mix of under-deployed security products.

There were a number of reasons why security software ended up as shelfware. Thirty-five percent of organizations claimed they lacked the time to properly implement the software. Shaul commented that it's often the grand plans that never get off the ground.

"The low hanging fruit type security projects almost always get rolled out first, not necessarily because they provide the most bang for the buck, but because they allow a severely resource-challenged team to claim some kind of legitimate victory," he said.

In terms of specific types of security products that end up as shelfware, Shaul said Trustwave often sees security information and event management (SIEM) products on the shelf because they're complicated to deploy. Another product category that Trustwave sees people struggling to deploy is the Web application firewall (WAF), he added.

"Sometimes we even see the more basic stuff like firewalls and IDS [intrusion detection system] still sitting in the box unused," Shaul said.

Increasingly, security services are being made available in a cloud delivery model, which might help to mitigate the security shelfware issue. Shaul said the survey leads Trustwave to believe that the primary reasons for the shelfware problem are resource and skill set limitations.

"The move to the cloud doesn't necessarily make the problem go away—we still need to secure our assets in the cloud—but it does create opportunities for change," Shaul said. "If, as part of the move to cloud, organizations also shifted the responsibilities for security onto their cloud service provider—or onto a dedicated security service provider with close ties to the cloud service provider—the problem may begin to resolve itself."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.