Security tools can find their way into the enterprise arsenal in interesting ways: a CIO who insisted on buying a particular technology after seeing an ad, executives who buy a specific option required to meet a business partner’s prerequisite standards for doing business, teams that carry over all existing product licenses during a merger rather than purging superfluous software.
Alan Brill, senior managing director of cyber risk at consulting firm Kroll, has seen all such scenarios. “There are often tool sets being bought that are sometimes not being used at all or they’re used with less than the full capabilities turned on,” he says.
Research backs up Brill’s assessment.
According to CSO’s own 2020 Security Priorities study, 50% of security leaders say they don’t use all of the features included in their security technologies/services. Meanwhile, 26% report that their purchased security technologies and/or services are under-resourced in terms of people, support services, or deployment. Furthermore, respondents report that they only use 72% of the security products or services that are either purchased or contracted for use.
The security function clearly has a shelfware problem, experts say, and the situation comes with consequences. Over-purchasing and underutilizing security tools and technologies is not only expensive and wasteful; it also adds unnecessary complexity, further taxes already busy staff, and hinders more productive security operations.