What's the best way for enterprises to avoid shelfware?

Shelfware is an increasing concern for enterprises, but expert Mike O. Villegas has some suggestions to help combat the problem.

Shelfware is a growing problem in the enterprise, often caused by overworked and understaffed IT teams or by multiple groups purchasing different products to accomplish the same things. What is the best way to avoid shelfware? What sort of vendor management system will best manage new product purchases and product renewals?

A study released in January 2015 by Osterman Research Inc. in conjunction with Trustwave stated that 28% of organizations surveyed are not getting the full value out of their security-related software investments. The report lists several of the top reasons for shelfware; among them, 19% of IT departments do not have sufficient knowledge to implement the software.

Luckily, there are some ways to avoid the shelfware issue.

First, don't just buy what you want. If a company is struggling to decide whether it needs or wants a product, it is best not to buy it until it knows. If you do not need a product, don't buy it; it's that simple. If you want the product but have not established the need, take it on a proof of concept or trial basis and determine the need. Unless your company has an abundance of discretionary money or employs people whose job is to perform research on security products, it would be wasteful and irresponsible to purchase a product that would eventually land on a shelf forever.

Next, companies should only buy what they can actually use. In the Osterman Research Survey Report, 35% of respondents stated their IT staff was too busy to implement the security products. Impulsive buying is not limited to the retail consumer. Many times organizations are also swayed by good marketing campaigns or react to trendy news flashes of security "solutions" resulting from recent highly publicized breaches. They create a sense of urgency that causes companies to reactively buy what appears to be the right product, and then the IT staff has too many products and not enough time.

Organizations shouldn't spend money to lose it. Many security departments have faced the dilemma of either spending the remaining funds in the current budget or losing them, because unspent funds are not carried over to the next year or the subsequent year's budget is reduced accordingly. As a result, they buy products just for the sake of spending the rest of their allotted budget.

Organizations should keep an eye out for bundled products. A common reason for shelfware is that it was bundled with another purchase from the same vendor as a perk or incentive to buy from them. The security package may have been offered at a discounted rate or possibly even at no cost. This does not justify its neglect but does explain its occurrence.

Finally, the best answer for shelfware is the procurement process. All software purchases and renewals, or at least those that have a material cost, should undergo strict procurement procedures that answer the following questions:

  • What security product to buy?
  • Why buy it?
  • How to buy it?
  • What purpose does it serve?
  • What's the objective of the purchase?
  • How much does it cost?
  • Does the purchasing agreement allow for returns?
  • Where can it be bought?
  • What sources are available for this product?
  • What's the risk of buying, not buying?
  • What's the benefit?
  • What's the total cost of ownership?

A centralized procurement process is key to maintaining control of all purchases. It ensures individual departments are not purchasing security software products that are contrary to the enterprise standards, that these products are governed by a single agreement, and that a business justification is required prior to purchase.

Larger purchases should require a request for information, request for proposal and possibly a request for quote. Vendors should be vetted for fiscal soundness, independent product reviews, viable references and procurement practices. Also, a complete software asset inventory should include at a minimum: product, owner, department, vendor, model, version and location. Lastly, an independent vendor management and asset inventory review should be performed at least every three to six months to ensure this procurement process is working effectively.

End-user groups or individuals may still purchase software outside of this process, but requiring all purchases to fall under a centralized procurement process will greatly reduce the shelfware challenge.

This was last published in August 2015
