When a company invests thousands of dollars in security software, you'd expected the product to be used to protect the company.
However, a recent study produced by Trustwave a security services company, shows that in 2014 almost a third of midsized companies bought software they barely or never even used.
"In the security business, we've known forever that there's this problem with security sitting on the shelf not being used," says Josh Shaul, vice president of product management for Trustwave. "Even though we knew that there was a problem in this department, the numbers that came back about the amount of security spend that's being underutilized was pretty eye popping."
The $16,000 Question: Security Dollars Wasted
The study was conducted by Osterman Research, a third-party research firm, on behalf of Trustwave. They surveyed 172 IT professionals who work in midsized businesses.
According to the survey, 28 percent of organizations are not getting the full value out of purchased software. Of the $115 per person organizations spent on security-related software, $33 was underused or not used at all. This means that a company of 500 wasted $16,000 last year.
"That's a huge amount of security product that's being purchased and just not delivering on value," says Shaul, adding that the actual number could be much higher. "That's just what people are admitting to us or what they're conscious of."
Thirty-five percent of organizations say this under or non-use happened because IT has no time or is too busy to implement the software. Thirty-three percent say that they don't have the workpower to make it happen. Nineteen percent say they didn't understand the software solution well enough.
Shaul says that this is most likely is due to a disconnect between who is doing the buying of the software, and who must implement it. Those decisions are usually made by executive management or even at the board of director level.
"When those approvals happen, the folks that approve them feel like those purchases are going to reduce their risk," he says. "They're not thinking about the details of getting it rolled out, configured and deployed."
David Monahan, research director for security and risk managements for Enterprise Management Associates, agrees. "It's a failure to identify the business requirements prior to purchase. They don't include the right people." That mistake can be "exacerbated by the failure to get the right people involved in project management," he adds.
Letting security software collect dust wastes money, but it also creates a false sense of security on the management level. "They know they bought the stuff. They figured it's being used," Shaul says, when in reality the IT department doesn't have enough training or time to make sure that's the case.
Sign up for CIO Asia eNewsletters.