The good news is, according to several recent studies, companies of all sizes are looking to get good cyber security by increasing their cyber security budgets in 2015. Across industries, decision makers are taking action to avoid being the next victim of a major data breach or unchecked vulnerability.
The bad news is that this extra spending is likely a waste of money.
A study by Osterman Research, sponsored by Trustwave, found that organizations already have adequate security tools in-house, but most of their security software is sitting on a shelf, uninstalled and unused. This is known as shelfware, and it is not only a budget killer but also weakens cyber security defenses.
According to Josh Shaul, VP of product management at Trustwave, there are several theories for why shelfware is a growing cyber security concern. First, the vast majority of IT departments purchase security software and hardware the old-fashioned way – in packages that have to be downloaded or connected by someone on staff. “What happens is that companies buy the software this year, and hope to get the budget to actually operationalize the software next year,” Shaul was quoted in a CSO Online article, adding that more often than not, there is no follow through on those plans. “The software is bought to check the box, to calm down the management, to show you're doing something, but now you're just building up more stuff on the shelf that you're going to 'roll out next year.'”
This leads to the second cause of shelfware: IT departments lack the time or proper staffing to install and manage security software and hardware. This is especially true in small and medium-sized businesses with already-overworked IT staff.
In order to get good cyber security and to increase the effectiveness of the security budget, IT departments and decision makers will have to tackle the shelfware issue head on. Admittedly, that can seem like an arduous task at first – especially if shelfware has accumulated because of the lack of time and staff to handle its installation and upkeep. However, to understand where the security budget is being wasted and what security tools are on hand but going unused, companies need to do a thorough risk assessment. According to Kevin Bong, Manager, Security and Compliance with Sikich LLP, a risk assessment will identify gaps in security. It may be that the shelfware already on hand will be able to fix those gaps, but if not, the risk assessment will allow IT to be more specific about purchasing the right security tools.
Because most industries have to follow strict regulations and compliance requirements, security decision makers can use those rules as a guide to having the right cyber security tools on hand. If your shelfware is necessary to meet compliance measures, then there needs to be a discussion on why it has never been deployed.
Finally, if all else fails, head to the cloud. As the Osterman Research survey discovered, 81 percent of security software is purchased in more traditional manners, while only 19 percent comes through the cloud and security-as-a-service options. With the latter, companies can be sure they are getting the cyber security tools they need, and they can rely on knowledgeable security professionals who are dedicated to this one function. In-house IT staff are free to focus on other pressing job duties, and fewer dollars are wasted on security software solutions that are doing little more than attracting dust.
This article was previously posted on Sungard Availability Services.