Blog post

On Buying Boxes and Not Using Them

By Anton Chuvakin | November 08, 2012 | 6 Comments


Why do organizations buy security gear (hardware, software, SaaS, etc ) and then not use it? This phenomenon seems truly endemic nowadays, with 6- and 7-digit “investments” sitting on datacenter racks, or even sometimes on actual storage shelves, unused or heavily underused. Essentially, organizations throw away massive amounts of money and then complain about “lack of security funds” and “being insecure.”

Select clients have explicitly told me that “they are better at buying stuff then at using it” or that “they bought it with an intention of keeping it up-to-date and using it, but don’t even have time to upgrade it to the latest signature level, much less use it.” (specific quotes are of course fictitious!) That means some organizations know that they have this problem, but seem powerless to change anything….

Thus, buying security technologies seems to be a much easier task than utilizing them and “operationalizing” them for many organizations. Specific examples of shelfware or “barely-used-ware” are not limited to SIEM and DLP, but span the entire range of security technologies. Of course, those technologies that deliver noticeable value passively (anti-malware or encryption, for example) suffer less from this malaise. On the other hand, monitoring technologies suffer a lot more. Compliance and “checkbox mentality” might have made the problem worse as people read the mandates and only pay attention to sections that refer to buying boxes (“What should we buy to address PCI DSS Requirement 3.4?”, “Do we need to buy a WAF for HIPAA?”, “Will DLP make us SOX-compliant?”, etc, etc)

In fact, there is a lot more guidance on “which tool to buy?” and “how to buy security right?” then on how to actually make use of the tool in a particular environment.  Note that both vendors and enterprises are guilty parties here. For many years, I’ve noted that security products come with user guides that talk about functions and buttons, but not about how to get the product to do what you want. I also noted that some enterprise security managers treat security problems as “solved” by a particular implementation project, with little regard for ongoing operation. As a result, I suspect that solving this problem will require vendors, enterprises as well as consulting services firms to pitch in (and, mind you, some vendors are perfectly happy with being “box shippers” and not “problem solvers”)

Inside the enterprise, it seems that there is a huge skew in the security triangle of “people-process-technology.” Despite all the rhetoric, some CIOs and, yes, even CSOs seem to equate information security with technology. Process and practices, as well as trained personnel, are – to put it mildly- not emphasized.  In reality, the opposite is mostly true: a skilled engineer with an OK tool and ever-improving process will be infinitely more valuable than a monkey, armed with a market leading tool. Think about it, DLP is essentially useless without a process for information owner involvement. SIEM is mostly pointless without a skilled analyst. Vulnerability assessment tools are not useful without a remediation process. While this book sheds some light on why this may be the case at some dysfunctional organizations, I feel that the problem is more complex as even technically adept sometimes end up with piles of shelfware.

As a conclusion, remember, that if you got a $200,000 security appliance for $20,000 (i.e. at a steep 90% discount), but never used it, you didn’t save $180k – you only wasted $20,000!  Security is not something you BUY, but something you DO. And this statement will likely remain true for the foreseeable future!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Andrew Hay says:

    Also, ‘water is wet’.

  • Dude, thanks for the comment. However, there is a difference between a) and b) here:

    a) “water is wet”
    b) “you are f*g drowning “

  • Andy Cunningham says:

    Could it be because they’d rather spend money on tangible hardware or vague risk analyses that make them feel safe rather than on salaries for security technologists who can actually make this stuff work?

  • Andy, that seems to be a big part of it yet. Boxes make sense to them (as for some managers security is purely “technical”, however weird it sounds), but highly paid skilled employees freak them out (as you “know”, “the better the training, the faster they leave” 🙂

  • Christophe says:

    To my mind, I see the budgeting of IT security as guilty. As most people see IT security as a dead load, security guys just don’t dare saying something is not working as intended and asking for more money to correct it.
    In the long run, with the same amount of money, they have 15 useless pieces of software/hardware, instead of just 5 useful and mastered ones.
    One could use a simple rule of thumb for budgeting, like 1/3 for purchasing and setting up, 1/3 for admin education and hands-on training and 1/3 for review and enhancement, one year later, with some hindsight.

  • Thanks for the comment.

    We do often say that 30-35% of security program cost should be on personnel, but some orgs definitely don’t heed that.

    On the other hand, somehow boxes get budget faster than people – despite the fact that boxes do little (some – “nothing”) without people.