Shelfware is the big security problem that no one wants to talk about. Loosely defined as technology that remains unused, underutilized or implemented incorrectly, it is the elephant in the room for many chief information security officers (CISOs).
A 2015 survey by Osterman Research, sponsored by Trustwave, illustrated just how bad the problem is. In a report covering 172 small-, medium- and large-sized enterprises, researchers found that those investing in new security controls often ended up underutilizing the technologies in which they had just invested -- or simply not using them at all.
Osterman found this to be true with at least 30 percent of the respondents. In some companies, survey respondents said nearly 30 percent of all new security investments were not being used at all or were underutilized. One company surveyed said 60 percent of its security software was shelfware.
"We expected some security software on the shelf," said Josh Shaul, Trustwave's vice president of product management at the time. "What we found was companies are pouring money down the drain."
How common is shelfware?
Shelfware is a common concern for many businesses, and it is often the result of little or no vendor consultation, too much emphasis on compliance rather than security, and a lack of awareness of what the technology can actually do.
Indeed, a previous 451 Research report suggested that shelfware often resulted from over-hyped products, or solutions lacking features, and pointed to security information and event management (SIEM) and intrusion detection system (IDS) solutions as the most underused technologies. Many believe SIEM has long failed to live up to its marketing hype, while Target supposedly spent over $1 million on an anti-malware solution poorly configured at the time of its 2013 data breach.
This raises the question of how such high-tech solutions end up gathering dust. "The top three reasons from a customer perspective that security software ends up on the shelf are they only purchased it to satisfy a compliance or regulatory demand; internal organizational politics got in the way (or a lack of clarity of use and business alignment); and not enough time or expertise to implement properly," says Javvad Malik, security advocate at AlienVault.
He argues that the compliance driver is hard to change, but says of the other two reasons: "It illustrates tactical purchasing or inheriting security technologies that have no place in the overall security strategy. There's some shelfware that I've seen that literally has never been deployed and only purchased to satisfy an auditor."