Ninety percent of U.S.-based information technology (IT) practitioners said their organization scrapped or discontinued a security technology it invested in before or soon after deployment, according to a Ponemon Institute survey published in April.
The survey also found, on average, 31 percent of security technologies purchased by organizations within the past two years were never deployed.
Risk & Innovation in Cybersecurity Investments, a research report survey, was sponsored by Lockheed Martin [LMT]. Ponemon surveyed 618 U.S.-based information technology and security practitioners involved in determining investments in cybersecurity technologies.
The technologies most often shelved before or soon after deployment are data loss prevention (55 percent), identity and access management (51 percent), security information and event management (SIEM) and security intelligence (49 percent), web application firewalls (46 percent), and intrusion & detection management (44 percent). Technology that is discontinued or shelved is known as shelfware.
The technologies least often shelved include traditional firewalls, encryption for data at rest, perimeter or location surveillance, and tokenization tools.
Most of the technology is discontinued because it is overly complex and too difficult to operate, said 77 percent of respondents. Other major issues are lack of in-house expertise to deploy and operate the technology (55 percent) and the technology being too expensive to maintain (41 percent).
Ponemon noted, “It is interesting that the primary reasons for purchasing a particular technology are cost and performance, when complexity of a system is most to blame for creating shelfware. Thus, level of complexity should become a more important factor in the purchasing decision.”
The survey also found that although 49 percent of respondents believe innovation is essential or very important to achieve a strong security posture, only 32 percent of respondents say their organizations achieve a high level of innovation.
The respondents who believe their organizations are not innovative said it is because they are overly dependent upon vendors to make technology decisions (56 percent), organizational culture inhibits innovation (53 percent), or there is a lock of in-house expertise (40 percent).
Ponemon also found 70 percent of respondents believe return on investment (ROI) and total cost of ownership (TCO) metrics are important ways to measure a technology’s economic benefits. However, 70 percent of respondents said it is difficult or very difficult to calculate an accurate ROI for a specific security technology and 61 percent said it is difficult to calculate a precise TCO.
Ponemon concluded relying on inaccurate ROI and TCO metrics can lead to a poor investment decisions. “Instead, consider such metrics as improvements in the efficiency of security operations, reduction in time to detect security incidents and return on prevention.”
The report highlighted that cost should not be the most important factor when investing in cybersecurity technology. Nevertheless, innovation is very important, it added.
“Companies find themselves investing heavily in technologies that are never deployed because they are overly complex. Yet, only eight percent of respondents say their organizations consider a lack of complexity in the investment decision. Shelfware would become less pervasive a problem if companies prioritized level of complexity, interoperability and proven risk reduction in their decision making.”
“The most innovative organizations have found ways to use existing technologies that are more efficient and cost effective and create a more secure and efficient organization.”
The survey had a 17,228 total sampling frame. In all, 691 practitioners responded, with 618 accepted into the final sample–a total of 3.6 percent of the original sampling frame.
Ponemon acknowledged caveats including the possibility individuals who did not respond are substantially different from those who did, biases based on media coverage or compensation to complete the research within a specified time period, and subjects may not have provided accurate responses despite checks and balances.