Anton Chuvakin

A member of the Gartner Blog Network

Research VP, 2+ years with Gartner, 14 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

On Buying Boxes and Not Using Them

by Anton Chuvakin  |  November 8, 2012  |  7 Comments

Why do organizations buy security gear (hardware, software, SaaS, etc.) and then not use it? This phenomenon seems truly endemic nowadays, with 6- and 7-digit “investments” sitting on datacenter racks, or sometimes even on actual storage shelves, unused or heavily underused. Essentially, organizations throw away massive amounts of money and then complain about “lack of security funds” and “being insecure.”

Select clients have explicitly told me that “they are better at buying stuff than at using it” or that “they bought it with the intention of keeping it up-to-date and using it, but don’t even have time to upgrade it to the latest signature level, much less use it” (specific quotes are, of course, fictitious!). That means some organizations know that they have this problem, but seem powerless to change anything…

Thus, for many organizations, buying security technologies seems to be a much easier task than utilizing them and “operationalizing” them. Specific examples of shelfware or “barely-used-ware” are not limited to SIEM and DLP, but span the entire range of security technologies. Of course, those technologies that deliver noticeable value passively (anti-malware or encryption, for example) suffer less from this malaise. On the other hand, monitoring technologies suffer a lot more. Compliance and “checkbox mentality” might have made the problem worse, as people read the mandates and only pay attention to sections that refer to buying boxes (“What should we buy to address PCI DSS Requirement 3.4?”, “Do we need to buy a WAF for HIPAA?”, “Will DLP make us SOX-compliant?”, etc.).

In fact, there is a lot more guidance on “which tool to buy?” and “how to buy security right?” than on how to actually make use of the tool in a particular environment. Note that both vendors and enterprises are guilty parties here. For many years, I’ve noted that security products come with user guides that talk about functions and buttons, but not about how to get the product to do what you want. I have also noted that some enterprise security managers treat security problems as “solved” by a particular implementation project, with little regard for ongoing operation. As a result, I suspect that solving this problem will require vendors, enterprises and consulting services firms to pitch in (and, mind you, some vendors are perfectly happy with being “box shippers” rather than “problem solvers”).

Inside the enterprise, it seems that there is a huge skew in the security triangle of “people-process-technology.” Despite all the rhetoric, some CIOs and, yes, even CSOs seem to equate information security with technology. Process and practices, as well as trained personnel, are, to put it mildly, not emphasized. In reality, the opposite is mostly true: a skilled engineer with an OK tool and an ever-improving process will be infinitely more valuable than a monkey armed with a market-leading tool. Think about it: DLP is essentially useless without a process for information owner involvement. SIEM is mostly pointless without a skilled analyst. Vulnerability assessment tools are not useful without a remediation process. While this book sheds some light on why this may be the case at some dysfunctional organizations, I feel that the problem is more complex, as even technically adept organizations sometimes end up with piles of shelfware.

As a conclusion, remember that if you got a $200,000 security appliance for $20,000 (i.e. at a steep 90% discount) but never used it, you didn’t save $180k – you only wasted $20,000! Security is not something you BUY, but something you DO. And this statement will likely remain true for the foreseeable future!

Category: philosophy, security

7 responses

  • 1 Andrew Hay   November 8, 2012 at 12:21 am

    Also, ‘water is wet’.

  • 2 Anton Chuvakin   November 8, 2012 at 12:34 am

    Dude, thanks for the comment. However, there is a difference between a) and b) here:

    a) “water is wet”
    b) “you are f*g drowning”

  • 3 Andy Cunningham   November 8, 2012 at 8:40 am

    Could it be because they’d rather spend money on tangible hardware or vague risk analyses that make them feel safe rather than on salaries for security technologists who can actually make this stuff work?

  • 4 Anton Chuvakin   November 8, 2012 at 6:34 pm

    Andy, that seems to be a big part of it yet. Boxes make sense to them (as for some managers security is purely “technical”, however weird it sounds), but highly paid skilled employees freak them out (as you “know”, “the better the training, the faster they leave” :-)

  • 5 On DLP and IP Theft   November 9, 2012 at 10:16 pm

    [...] ← On Buying Boxes and Not Using Them [...]

  • 6 Christophe   November 11, 2012 at 2:33 pm

    To my mind, I see the budgeting of IT security as guilty. As most people see IT security as a dead load, security guys just don’t dare say something is not working as intended and ask for more money to correct it.
    In the long run, with the same amount of money, they have 15 useless pieces of software/hardware instead of just 5 useful and mastered ones.
    One could use a simple rule of thumb for budgeting, like 1/3 for purchasing and setting up, 1/3 for admin education and hands-on training, and 1/3 for review and enhancement one year later, with some hindsight.

  • 7 Anton Chuvakin   November 12, 2012 at 4:17 pm

    Thanks for the comment.

    We do often say that 30-35% of security program cost should be on personnel, but some orgs definitely don’t heed that.

    On the other hand, somehow boxes get budget faster than people – despite the fact that boxes do little (some – “nothing”) without people.