How much of what an organization spends on security hardware software doesn’t meet its needs? Perhaps as much as 25 per cent, according to survey.
Osterman Research found that of the 172 IT decision makers and influencers in its survey panel who responded to an online questionnaire just over 22 per cent of smaller organizations and 24.5 per cent of enterprises said their security products were “working but could be better.”
Almost seven per cent of large organizations and just under three per cent of small firms said their IT security products were never used and essentially sat on a shelf.
The biggest reason for so-called shelfware (35 per cent) was that IT staff were too busy to implement software properly. Another one-third agreed IT didn’t have enough resources to implement solutions properly.
Conversely, 74.6 per cent of small organizations and 68.6 per cent of large companies said their security products were working as planned.
How do we interpret these results? One might suspect the sample is too small. And judging by the number of successful data breaches reported in 2014 – admittedly they gained big headlines — it could be argued the numbers aren’t close to being right.
Single digits for shelfware suggests IT is getting its purchasing decisions right.
But here’s another way of looking at this survey: A good chunk of companies aren’t happy with what they’re buying in part because it’s too complex – too many parameters need to configured, too many solutions are giving false alarms.
A consultant I talked to a couple of months ago for a feature in Computing Canada urged vendors to make solutions that are more automated. That’s one answer. Another is letting a managed cloud security provider do the lifting.The survey was paid for by Trustwave, which offers cloud-based products. Interestingly only 16 per cent of respondents thought switching to the cloud would make a huge or significant impact on lowering the potential for security-related software not being used in their organization.
The fact is that products alone won’t guarantee a secure company. That will depend on policies like segmenting networks and ensuring staff follow good practices including not opening suspicious attachments and protecting their passwords.