Though the need for reliable security technology increases daily, IT and security practitioners across a broad range of industries—including the federal government, healthcare, energy, utilities and finance—say their organizations are investing in cybersecurity technologies that are shelved before deployment.
The "Risk & Innovation in Cybersecurity Investments" survey, conducted by the Ponemon Institute and sponsored by Lockheed Martin, found ninety percent of the respondents’ organizations devoted their cyber dollars to technology that was ultimately discontinued or scrapped before or soon after deployment.
In fact, 31 percent of security technologies purchased by the organizations over the past 24 months were never fully deployed.
“As cyber threats increase, it is troubling to see so many cybersecurity tools purchased by organizations end up as shelfware,” said Greg Boison, director of homeland and cybersecurity at Lockheed Martin. “When cyber dollars are scarce, organizations should not only evaluate which tools their enterprise needs, but whether they have the internal and external resources to deploy, maintain and leverage them.”
The technologies most often shelved included data loss prevention, identity and access management, SIEM and security intelligence, Web application firewalls, and intrusion and detection management. Tokenization tools, perimeter or location surveillance, encryption for data at rest and traditional firewalls were among the technologies least often shelved.
The respondents cited complexity and difficulty in operating as the leading reason behind scrapping security technologies before or soon after deployment, followed by a lack of in-house expertise to deploy and operate the technology. The primary reason for purchasing a technology, on the other hand, was cost and performance. The respondents did not consider interoperability, proven risk reduction and lack of complexity to be as influential.
The report concluded that cost should not be the most important factor when investing in security technologies. With complexity being one of the main reasons behind organizations shelving technologies before they are deployed, organizations should prioritize the “level of complexity, interoperability and proven risk reduction in their decision making.”
In addition, innovation is key to creating a strong cybersecurity posture. The report defines security innovation as, “the use of enabling technologies and personnel in new ways to create a more secure and efficient organization and improve alignment between security initiatives and business goals.”
Seventy-five percent of respondents believe their organizations are innovative because they use existing technologies in an efficient, cost-effective way and sixty-seven percent say they use these technologies to create a more secure and efficient organization. However, only 32 percent of respondents felt their company is achieving a high level of innovation.
“The most innovative organizations have found ways to use existing technologies that are more efficient and cost effective and to create a more secure and efficient organization,” the report concluded.
None of this surprises G. I. “Dutch” Forstater, CEO, COO and chief engineer of Professional Systems Engineering LLC, which he founded in 1986 and which is nationally known for its expertise in design and engineering of integrated systems for complex critical infrastructure projects. Forstater has 35 years’ experience in data communications, including network distribution/control, data center design and protection, advanced UPS/ATS/generator design and physical/virtual network security.
In his exclusive report, System Shutdown, in the Dec. 2013/Jan. 2014 Homeland Security Today, he warned that in five years … or less, many access control systems will be legend … and the security issues could be legion.
Forstater wrote, "Obsolescence through time is proceeding to shut down existing security systems from further product or technical support right before our very eyes. By 2015, the computerization of electronics will have increased the capacity of integrated circuits one million fold in just 30 years’ time."
"Electronic chips are already more than three million times lighter and 10,000 times cheaper than an equivalent device 30 years ago," Forstater explained, "But even with this substantial increase in miniaturization, memory management, memory capacity, cloud services and virtualization of the legacy personal computer (PC), the basic X86 processor is still the same old device of 40 years ago. This will pose serious and fundamental problems for access control and other security systems by 2018 because of this simple reality of life cycle, and the consequent costs to continue interim software development until the next X86 version processor is developed."
"By 2018," Forstater warned, "more than 50 percent of all card access systems deployed today will have no support. Nor will replacement parts be available. Nor will the licensing model of Internet protocol (IP) cameras be the same as it is today. IP cameras, encoders and network video recorders/storage area networks (NVRs/SANs) will all be changed and may no longer be supported. And if that isn’t enough, the networks required to support these systems will evermore change, become evermore secure, evermore hardened and evermore apt for a failure to occur network-wide."
And, he said, "In this same short time span, a paradigm shift in public safety technologies will occur. And little has been done – or is being done – to warn about these important changes."