A SecurityWeek Event

A VIRTUAL EVENT FOR 2023

An Exclusive Forum For
Information Security Leaders

June 13-14th, 2023

2023 Diamond Sponsor

Palo Alto Networks

2023 Platinum Sponsors

Abnormal
CardinalOps

2023 Gold Sponsors

ReversingLabs
Uptycs
Proofpoint
Lacework
Eclypsium
Saviynt
Synopsys

2023 Featured Speakers

Adam Ely

Fidelity
CISO

Shaun Marion

McDonald’s
VP, CISO

Kathy Wang

Discord
CSO

Lena Smart

MongoDB
CISO

Jason Shockey

Cenlar FSB
SVP, CISO

Igor Varnava

Five9
SVP, CISO

Brian Markham

EAB
CISO

Chris Castaldo

Crossbeam
CISO

Michael Piacente

Hitch Partners
Managing Partner

Evan Wolff

Crowell & Moring
Partner

Jonathan Jaffe

Lemonade
CISO

2023 Agenda is Coming Soon

Designed for senior-level cybersecurity leaders to discuss, share and learn innovative information security and risk management strategies, SecurityWeek’s CISO Forum will take place in 2023 as a virtual event.

Throughout this two-day virtual event, sessions will have a strong focus on participation from CISOs in panel discussions along with talks from industry experts, analysts and other end users, and thought leadership, strategy and technical sessions.

Through a cutting-edge platform, attendees will be able to interact with speakers and sponsors, and visit networking lounges, subject-specific discussion areas, and sponsor booths in a virtual expo hall.


An Exclusive Executive Forum Focused on Cybersecurity Leadership and Strategy

Previous CISO Forum Speakers

Adrian Stone

Peloton
VP, CISO

Anne Marie Zettlemoyer

Mastercard
VP, Security Engineering

Caleb Sima

Robinhood
CISO

Allan Friedman

Cybersecurity and Infrastructure Security Agency (CISA)
SBOM Champion

Summer Craze Fowler

Argo AI
CISO/CIO

Fredrick ‘Flee’ Lee

Gusto
Chief Security Officer

Shaila Shankar

Cisco
SVP and General Manager of Cisco Cloud Network and Security

Jonathan Jaffe

Lemonade
CISO

Aanchal Gupta

Microsoft
VP, Azure Security

Lena Smart

MongoDB
CISO

Sounil Yu

JupiterOne
CISO

Theresa Payton

Former White House CIO
Star of CBS TV series, “Hunted”, and Leading Cybersecurity Expert

Enabling The Security Protections We Pay For

01/28/2015

Study after study has shown that organizations are talking about security. Board directors want to know what is being done, and senior executives are getting serious about security projects. Congress is holding hearings and proposing bills, and the president has unveiled a series of proposals. But what’s the point of all this investing in cybersecurity technology if the organization is just going to leave it sitting on the shelf?

This isn’t a facetious question but a fairly widespread scenario, according to a joint report by Trustwave and Osterman Research. The “Security on the Shelf” report found that many companies are not using software they bought, or not taking advantage of all the protective features offered. Of the 172 IT professionals at small-to-midsized businesses and enterprises surveyed in the report, 28 percent said their organizations were not getting the full value from their security software investments. 

In the average organization, “only” 4.8 percent of security-related software was not being used at all, and 23.5 percent was working, but could be better, the report found. One company claimed 60 percent of its security software was shelfware.

In an earlier conversation about CSO wishlists, Rick Howard, CSO of Palo Alto Networks, noted that many security initiatives go awry because the tools aren’t set up correctly. “We spend gazillions of dollars to buy the latest and greatest, and yet fail to squeeze as much efficiency out of it as possible,” Howard said.

Examples of underutilized technologies include firewalls that are installed but not configured with up-to-date settings, database monitoring tools and SIEM platforms logging alerts no one has time to look at, and data leak prevention software with no rules defining what data to block, Trustwave said.

Almost all businesses have shelfware that is never used, and the problem is not specific to security software. Nearly 96 percent of organizations said at least some of the software they’ve purchased was shelfware, according to joint research by Flexera Software and IDC late last year. A little less than 40 percent said in the same study that about a fifth or more of their enterprise software spending is wasted on shelfware. “It’s very easy for shelfware to accumulate when organizations don’t proactively implement best practices and technology to track, manage and optimize their software estates,” Amy Konary, a research vice-president for software licensing and provisioning at IDC, said at the time of the report’s release.

The report also looked at hard numbers. Organizations spent $115 per user on security software in 2014, which is significantly more than the $80 per user spent in 2013. But of that $115 per user, $33 went to software that was underutilized or not used at all. In an organization with just 500 users, that’s more than $16,000 in security-related software partially or completely wasted, Trustwave said. The figures vary by company size, with smaller companies spending as much as $157 per user, compared to larger companies spending $73 per user. It’s disconcerting that despite increased spending, organizations aren’t necessarily getting more security than in previous years.

If organizations are spending significant amounts of money on security, why is so much of it being wasted? The reasons all boiled down to IT resources and time, the Trustwave report found. About 35 percent of respondents said IT staff had no time or was too busy to implement the software properly. The second most common reason, at 33 percent, was the lack of manpower.

“Many of us fall a bit short on that last hurdle,” Howard said, noting the actual detailed configuration of the device is left to later because there are other things that need to be done right away. “The problem is that later hardly ever comes.”

Other reasons included IT not understanding the technology well enough. The IT staff understood the security problems—it was the technology that required extra expertise.

One way to address the shelfware problem is to consider cloud services and managed services providers, the report suggested. Organizations in the survey said 19 percent of their security infrastructure was cloud-based or managed services in 2014, and they expect that figure to change to 28 percent in 2015. Switching to cloud and managed services would provide organizations with needed security expertise while reducing the time and resource constraints on internal IT teams.

About 51 percent of the respondents said they expected cloud and managed services would have “some positive impact,” “significant impact,” or “huge impact” on the amount of unused and underutilized security software in their organization.

“I would like to have all of the security controls that I have installed in the past couple of years to be configured to run the way that I thought they would be configured when I purchased them in the first place,” Howard said.

