Why do organizations buy security gear (hardware, software, SaaS, etc.) and then not use it? This phenomenon seems truly endemic nowadays, with 6- and 7-digit “investments” sitting on datacenter racks, or sometimes even on actual storage shelves, unused or heavily underused. Essentially, organizations throw away massive amounts of money and then complain about “lack of security funds” and “being insecure.”
Select clients have explicitly told me that “they are better at buying stuff than at using it” or that “they bought it with the intention of keeping it up-to-date and using it, but don’t even have time to upgrade it to the latest signature level, much less use it” (specific quotes are of course fictitious!). That means some organizations know that they have this problem, but seem powerless to change anything…
Thus, buying security technologies seems to be a much easier task than utilizing them and “operationalizing” them for many organizations. Specific examples of shelfware or “barely-used-ware” are not limited to SIEM and DLP, but span the entire range of security technologies. Of course, those technologies that deliver noticeable value passively (anti-malware or encryption, for example) suffer less from this malaise. On the other hand, monitoring technologies suffer a lot more. Compliance and “checkbox mentality” might have made the problem worse, as people read the mandates and only pay attention to sections that refer to buying boxes (“What should we buy to address PCI DSS Requirement 3.4?”, “Do we need to buy a WAF for HIPAA?”, “Will DLP make us SOX-compliant?”, etc., etc.).
In fact, there is a lot more guidance on “which tool to buy?” and “how to buy security right?” than on how to actually make use of the tool in a particular environment. Note that both vendors and enterprises are guilty parties here. For many years, I’ve noted that security products come with user guides that talk about functions and buttons, but not about how to get the product to do what you want. I have also noted that some enterprise security managers treat security problems as “solved” by a particular implementation project, with little regard for ongoing operation. As a result, I suspect that solving this problem will require vendors, enterprises and consulting services firms to pitch in (and, mind you, some vendors are perfectly happy with being “box shippers” and not “problem solvers”).
Inside the enterprise, it seems that there is a huge skew in the security triangle of “people-process-technology.” Despite all the rhetoric, some CIOs and, yes, even CSOs seem to equate information security with technology. Process and practices, as well as trained personnel, are – to put it mildly – not emphasized. In reality, the opposite is mostly true: a skilled engineer with an OK tool and an ever-improving process will be infinitely more valuable than a monkey armed with a market-leading tool. Think about it: DLP is essentially useless without a process for information owner involvement. SIEM is mostly pointless without a skilled analyst. Vulnerability assessment tools are not useful without a remediation process. While this book sheds some light on why this may be the case at some dysfunctional organizations, I feel that the problem is more complex, as even technically adept organizations sometimes end up with piles of shelfware.
As a conclusion, remember that if you got a $200,000 security appliance for $20,000 (i.e. at a steep 90% discount), but never used it, you didn’t save $180k – you only wasted $20,000! Security is not something you BUY, but something you DO. And this statement will likely remain true for the foreseeable future!