Shelfware is a growing problem in the enterprise, often caused by overworked and understaffed IT teams or by multiple groups purchasing different products to accomplish the same things. What is the best way to avoid shelfware? What sort of vendor management system will best manage new product purchases and product renewals?
A study released in January 2015 by Osterman Research Inc. in conjunction with Trustwave stated that 28% of organizations surveyed are not getting the full value out of their security-related software investments. The report lists several of the top reasons for shelfware; among them, 19% of IT departments do not have sufficient knowledge to implement the software.
Luckily, there are some ways to avoid the shelfware issue.
First, don't just buy what you want. If a company is struggling to decide whether it needs or wants a product, it is best not to buy it until it knows. If you do not need a product, don't buy it; it's that simple. If you want the product but have not established the need, take it on a proof of concept or trial basis and determine the need. Unless your company has an abundance of discretionary money or employs people whose job is to perform research on security products, it would be wasteful and irresponsible to purchase a product that would eventually land on a shelf forever.
Next, companies should only buy what they can actually use. In the Osterman Research Survey Report, 35% of respondents stated their IT staff was too busy to implement the security products. Impulsive buying is not limited to the retail consumer. Many times organizations are also swayed by good marketing campaigns or react to trendy news flashes of security "solutions" resulting from recent highly publicized breaches. They create a sense of urgency that causes companies to reactively buy what appears to be the right product, and then the IT staff has too many products and not enough time.
Organizations shouldn't spend money to lose it. Many security departments have experienced the dilemma of having to spend remaining funds in the current budget or face losing the funds, having them not carried over to the next year, or having the subsequent year's budget reduced accordingly. As a result, they just buy products for the sake of spending the rest of their allotted budget.
Organizations should keep an eye out for bundled products. A common reason for shelfware is that it was bundled with another purchase from the same vendor as a perk or incentive to buy from them. The security package may have been offered at a discounted rate or possibly even at no cost. This does not justify its neglect but does explain its occurrence.
Finally, the best answer for shelfware is the procurement process. All software purchases and renewals, or at least those that have a material cost, should undergo strict procurement procedures that answer the following questions:
- What security product to buy?
- Why buy it?
- How to buy it?
- What purpose does it serve?
- What's the objective of the purchase?
- How much does it cost?
- Does the purchasing agreement allow for returns?
- Where can it be bought?
- What sources are available for this product?
- What's the risk of buying or not buying?
- What's the benefit?
- What's the total cost of ownership?
A centralized procurement process is key to maintaining control of all purchases. It ensures individual departments are not purchasing security software products that are contrary to the enterprise standards, that these products are governed by a single agreement, and that a business justification is required prior to purchase.
Larger purchases should require a request for information, request for proposal and possibly a request for quote. Vendors should be vetted for fiscal soundness, independent product reviews, viable references and procurement practices. Also, a complete software asset inventory should include at a minimum: product, owner, department, vendor, model, version and location. Lastly, an independent vendor management and asset inventory review should be performed at least every three to six months to ensure this procurement process is working effectively.
End-user groups or individuals may still purchase software outside of this process, but requiring all purchases to fall under a centralized procurement process will greatly reduce the shelfware challenge.