
Wasted spending on security shelfware affects small businesses more

Osterman Research and Trustwave report that organizations waste money on underutilized security software because IT often doesn't have enough time or resources to use it.

A new survey indicates that shelfware is a growing problem in the enterprise, often caused by a lack of time and resources in IT. Experts see various causes and warn that small businesses need to be more careful to avoid wasted security software purchases.

According to the survey by Black Diamond, Wash.-based Osterman Research Inc., which conducted the survey on behalf of security and compliance vendor Trustwave Inc., organizations are spending more on security software -- $115 per user in 2014 compared to $80 in 2013 -- but most of that new spending ($33) is being invested in software that is either not working as well as it can or hasn't been used at all.

Josh Shaul, vice president of product management at Chicago-based Trustwave, said that while the survey specifically assessed security-related products, the shelfware issue is one that goes beyond information security.

"This is not an industry-specific problem, it does seem to be pretty pervasive," Shaul said.

The survey responses from IT decision-makers put the blame for the shelfware problem on a lack of time and resources. Among respondents, 35% said that IT was too busy to properly implement the software that was purchased, while 33% noted that IT didn't have enough staff. Other problems reported were a lack of understanding of the software (19%); a lack of technical training (17%); and not understanding the problem well enough (12%).

Organizations need better communication

The causes of these problems aren't clear, but Shaul believes that part of the issue is a matter of intraoffice communication and various teams not properly understanding either the security threat or software purchased. He said that there tends to be an "understanding gap" between the security team and the operations team within an organization, which leads to disagreements over the best ways to deal with security threats.

Additionally, security teams may purchase software on mandates from upper management in order to appear proactive, even though management may not necessarily understand a particular security threat or what is needed to respond effectively.

Michael Osterman, president of Osterman Research, said this can happen because of the difficulty security professionals have in explaining a potential threat to management, which is more likely to demand a response to a threat after the fact than to agree to preventative spending. Osterman urges companies to be more proactive, but he also acknowledges the difficulty that IT teams can have in prioritizing threats.

"IT in a lot of organizations tend to be fighting fires, and don't have time to be looking at the big picture," said Osterman. "Cyber criminals are very active in developing new techniques. Bad guys are getting very sophisticated and well-funded, and IT in SMBs can't necessarily keep up, and when they can, it's hard to sell the risk to management."

This can be a big cause of the reported shelfware issues involved with having security software installed that isn't working as well as it could. Because IT can often be pulled in so many directions, regular maintenance -- like policy management and updating policy engines -- can be missed. Osterman suggests that one option to help alleviate this problem is better education of end-users within an organization. If employees are more aware and skeptical of phishing schemes, that will mean IT can spend less time dealing with those smaller issues and have more time to focus on bigger issues.

How smaller businesses can get help

Shaul and Osterman said shelfware exists in organizations of all sizes, but that small businesses have additional troubles, especially in terms of cost.

The survey shows that with $33 per user being spent on underperforming or unused security software, an organization with 500 users would see over $16,000 in security software investments wasted. This will affect small businesses more because they cannot take advantage of economies of scale, and will end up paying substantially more on security software -- $157 per user -- than larger businesses ($73).

Shaul said there may be an opportunity for SMBs to form an industry interest group in order to increase overall purchase power and drive down these costs, but both Shaul and Osterman agree that the easiest option would be to enlist outside help either through cloud service or managed security service providers (MSSP).

"Smaller organizations know fundamentally what to do, but need more help with expertise," said Osterman. "They tend to rely on consultants more, and don't have the experts to deal with specific issues, including questions of regulatory requirements like PCI, when dealing with sensitive user data."

It is also more expensive for SMBs to have in-house experts, said Shaul. They have to pay relatively higher costs to hire IT staff and deploy software correctly. In the end, it tends to be more cost effective to partner with outside sources.

The survey seems to show a trend in that direction, with 79% of respondents saying that moving to a cloud or managed service would have some impact on eliminating shelfware. The number of users served by cloud or managed security could increase by 43% in 2015, according to the survey, and the more companies turn to those solutions, the less security software is left unused on the shelf.
