A large number of organisations are purchasing advanced security software and solutions at a great cost without assessing whether they have the manpower required to run these solutions, specific skills to optimise these assets, or whether they can integrate such solutions with their existing systems.
A recent survey of IT security experts carried out by edgescan has revealed that as many as 39 percent of organisations are spending their precious cyber security budgets on expensive security software and solutions that they have not been able to use and which ended up in the cupboard as a result.
While 39 percent of IT security experts said their organisations wasted money on security software and solutions, 18 percent said that their organisations spend more than £20,000 of their cyber security budgets on solutions that were never installed or integrated into their security systems.
Expensive security solutions emptying cyber security budgets
71 percent of the security professionals also said that the reason why advanced security solutions ended up in the cupboard is that their organisations do not have the manpower, specific skills, or time required to install them or integrate them with their existing systems.
Considering that a large number of organisations are not able to allocate the required money or resources to cyber security, the fact that what is allocated is wasted on resources that cannot be put to use indicates that organisations are far from using their security budgets effectively to respond to cyber security threats.
"The results of this survey suggest there is still a problem with how security is managed within organisations. Employees’ time and resources are being wasted in an attempt to face an ever-growing threat landscape, but working harder and spending more does not necessarily mean that an organisation is more prepared in the event of an attack," said Eoin Keary, CEO and founder of edgescan.
"What organisations need is an IT security strategy. Visibility over the entire attack surface can be achieved with managed services, that can provide monitoring and intelligence, while the internal security team can have more time to concentrate on what they consider to be higher functions.
"With as many as 68% of the respondents to our survey rating their organisations’ visibility as just ‘average’, there clearly is a need for restructuring and optimising security operations," he added.
False-positives consuming a lot of time and energy to address
The survey commissioned by edgescan also found that 64 percent of IT security professionals still lack complete visibility over web applications and end-points attached to their enterprise networks. 68 percent of them rated their visibility as "average" and said they did not monitor some connected devices as a usual practice.
The problem of manpower shortage in IT security teams is also far from being addressed, with 68 percent of security professionals admitting that their teams need more people to manage their organisations' cyber security and to comfortably deal with vulnerability intelligence.
What's worse is that IT security teams, already short of personnel, are spending a lot of time addressing issues that ultimately turn out to be false-positives. While 60 percent of security personnel spend over three hours a day validating false-positives, 30 percent of them spend over six hours every day doing so.