“Those actually are probably the easiest to manage in that they are only a cost to the organization. The tougher ones are where the product is installed across the estate and then not maintained. It’s a bit like when people go to redecorate their home, and instead of stripping the wallpaper, skimming the wall and starting again, they just put new wallpaper up on the old one and add a coat of paint,” adds Malik.
Thom Langford, CISO at communications company Publicis Group, believes shelfware is often the result of security structure and that age-old concern over reporting lines. “I think the problem very much depends on how the security team is established and governed,” he says. “For instance, if a security team is a part of the IT team, I would suggest that this would exacerbate a shelfware problem as the security problem is looked at through a technology lens potentially leading to needless product purchase. If it sits outside of the IT remit, a more holistic approach can be taken allowing IT to purchase where it makes sense but only where it makes sense.”
Is the problem getting worse?
Malik suggests the problem is getting worse, something Langford agrees with, pointing to the “huge amount of hype and swagger” from vendors often selling products through fear, uncertainty and doubt. “With security budgets increasing, a lot of silver bullets are being invested in blindly before fundamentals are in place in their organizations,” Langford adds.
Malik, though, believes the rise of software as a service (SaaS) has some saving grace: “With more services being cloud-based and security increasingly heading to the cloud, the problem is getting less severe as cloud services can be typically easier to deploy and roll back. Also, it’s easier to run a trial, or month-to-month subscription. It removes the capital expenditure needed for large on-premises deployments.”
Phil Cracknell, interim CISO at home repairs company HomeServe, agrees: “Software as a service or a flexible annual licence tariff can help. Insist on a model whereby you pay for what you use. Reject the price breakpoints because they benefit the vendor, not you.”
Fixing the vendor problem
The shelfware problem for many CISOs is not helped by security vendors and their commission-hungry sales teams. Indeed, it's not unusual for infosec pros to complain that vendors spend too much time selling and too little educating CISOs on how to build their security stack.
Cracknell is one of those, saying that today’s vendors sell comprehensive suites with anti-virus, data loss prevention (DLP), host-based intrusion detection system (HIDS) and network access control (NAC) all built in -- even if the customer doesn’t understand the suite’s full capabilities. He believes vendors are once again controlling the market. “[The danger is] we let the vendors control the market as they did a few years back. They are starting to again. They define what products and technologies exist and then embark on a campaign to convince us that we need it. We should be defining the requirements we have, risks we see and need addressing, and the vendors produce solutions in a way that can be consumed effectively by us. The tail needs to stop wagging the dog.”
Sign up for Computerworld eNewsletters.