Businesses are managing more data than ever—and spending more money, year after year, to protect that data. Yet spending money on security doesn’t equate to actually being secure.

A recent study by Osterman Research discussed how prevalent the “shelfware” problem is becoming. The report showed that businesses spent an average of $115 USD per user on security software, hardware and services in 2014, an increase of 44% from 2013, yet nearly 30% of that security investment was underutilized or never implemented.

Small businesses, those with less than 1,000 users, were impacted more, with an average spending of $157 per user, yet the same underutilization pandemic still exists.

“The numbers were pretty eye popping,” said Josh Shaul, Trustwave’s vice president of product management. “We expected some security software on the shelf. What we found was companies are pouring money down the drain, while the folks approving these purchases are getting a false sense of security.”

Considering the security landscape we currently live in, CEOs, CISOs and board members have taken notice. Cybersecurity is now just as important in the board room as the bottom line. The problem is now important enough to where non-technology business leaders put more emphasis on security. No one wants their company to be the next Sony or Anthem (from a data breach perspective). Budgets are being allocated and money is being spent on protections, but, as the Osterman Research study shows, a large part of that security investment is sitting around doing nothing—it’s unimplemented shelfware.

As you’re reading this, you’re probably looking over at your white board thinking “Yeah, we still have to implement that”. Trust me, you’re not alone.

So why are security solutions sitting around collecting dust?

The main reasons – IT departments are just too busy to properly implement what was purchased. Revenue generating tasks and keeping the engine running take precedence over something that may happen. This is followed closely by not having enough staff available and not understanding the purchased software well enough. According to the same report, the year 2014 finished with 49% of security positions left unfilled.

Interestingly enough, the least serious reason contributing to not getting security properly implemented was the IT staff not understanding the security problems they faced. On the contrary, IT understands the security problems and threats to the organization very well, they just lack the resources to implement the right solutions.

So how do you solve the problem?

Vendor professional service groups and security service providers can help ensure security technologies are properly installed, monitored and maintained throughout their lifecycle. The report surveyed that 79% of IT professionals believe leveraging managed services would reduce or eliminate the possibility that security goes unused in their organization.

XYPRO’s Professional Services Team is regularly brought in by Fortune 1000 companies to perform security assessments of HPE NonStop server environments. Our XYPRO PS team ensures XYGATE security products such as Merged Audit and User Authentication, which have been shipped with the operating system as part of the NonStop security bundle on all new HPE NonStop servers since late 2010, are properly configured and deployed to address your organizations specific needs. Whether those needs are auditing, compliance, monitoring, or help with your overall security initiative, XYPRO’s PRO Services Team can be an invaluable partner to protect your business and the investment you’ve made in security.

And that can help everyone sleep better at night. Unless you have one of those elves. They’re creepy.

Steve Tcherchian, CISSP
XYPRO Technology