Complexity Halts Security: Report

Wednesday, May 20, 2015 @ 02:05 PM gHale

By Gregory Hale
Security solutions and programs need to be easy to use and not force complexity on users or they will end up pushed aside and become ineffective, new research showed.

Shelfware is every organization’s problem, with 90 percent of respondents saying their organization invested in a security technology that ultimately ended up discontinued or scrapped before or soon after deployment, according to the Ponemon Institute’s “Risk & Innovation in Cybersecurity Investments” industry survey sponsored by Lockheed Martin and released Wednesday.

Complexity and difficulty in operating was the main reason the security technologies ended up scrapped before or soon after deployment (77 percent of respondents), the survey said. A lack of in-house expertise to deploy and operate the technology (55 percent of respondents) was the second issue.

It is interesting that the primary reasons for purchasing a particular technology are cost and performance, when the complexity of a system is most to blame for creating shelfware, the survey said. Thus, level of complexity should become a more important factor in the purchasing decision.

The technologies most often shelved are data loss prevention (55 percent), identity & access management (51 percent), SIEM and security intelligence (49 percent), Web application firewalls (46 percent) and intrusion & detection management (44 percent), the survey said.

Conversely, the technologies least often shelved are tokenization tools (10 percent), perimeter or location surveillance (9 percent), encryption for data at rest (8 percent) and traditional firewalls (5 percent), the survey said.

On average, 31 percent of security technologies purchased by organizations represented in this research over the past 24 months never ended up fully deployed.

Ponemon Institute and Lockheed Martin pulled this research together to understand how people, processes and the desire to be innovative affect cyber security technology investment decisions.

The survey connected with 618 U.S.-based information technology (IT) and security practitioners involved in determining investments in cyber security technologies.

And when it comes to security, business objectives are most influential in deciding on a specific technology (73 percent of respondents) with security risk a close second (68 percent of respondents), the survey said. Compliance with regulations is least influential.

In the context of this research, security innovation was defined as “the use of enabling technologies and personnel in new ways to create a more secure and efficient organization and improve alignment between security initiatives and business goals.”

The survey asked respondents to rate their organizations’ level of security innovation. The response came in with 32 percent of respondents feeling their company is achieving a high level of innovation.

One of the big questions regarding security is what kind of return on investment comes out of implementing a solution.

Return on Investment
Relying solely on Return on Investment (ROI) and Total Cost of Ownership (TCO) metrics can lead to poor investment decisions, according to the survey.

Seventy percent of respondents believe ROI and TCO are important metrics for investment and measuring a technology’s economic benefits. However, the same percentage said it is difficult to calculate an accurate ROI for a given security solution or technology. TCO is also difficult to determine, according to 61 percent of respondents.

Including other metrics in the decision process could result in smarter investments, the survey found.

The survey found 15 percent of respondents said their organizations do not use ROI or TCO at all. These organizations are most likely to look instead at improvements in the efficiency of security operations (56 percent of respondents) or reduction in downtime (50 percent of respondents) as ways to determine a technology’s viability.

Security investments end up driven by cost. The survey found 64 percent of respondents said cost and 56 percent of respondents said performance and vendor support are the most important factors when investing in security technologies.

Features such as interoperability, proven risk reduction and lack of complexity do not appear to be as important (39 percent, 11 percent and 8 percent, respectively), the survey said.

The study explored how organizations are making decisions that will have a significant impact on their ability to prevent and detect cyber threats.

The report found out how organizations can avoid the problem of shelfware and invest instead in technologies that will pay dividends by reducing cyber security risks.

Users should also understand that dependency on ROI and TCO to make investment decisions is not the way to go. Rather, they should use metrics such as improvements in the efficiency of security operations, reduction in time to detect security incidents and return on prevention.

Cost should not be the most important factor when investing in a security technology. Rather, companies find themselves investing heavily in technologies that end up not deployed because they are overly complex. Yet, 18 percent of respondents said their organizations consider a lack of complexity in the investment decision.

Shelfware would become a less pervasive problem if companies understood the complexity issue and prioritized level of complexity, interoperability and proven risk reduction in their decision making.
