A very important question, not asked often enough. In particular not at conferences around security. Even more when sponsored by companies trying to sell their security product.
At the Secure Munich Conference, somebody asked this question. In a discussion that followed a Sales Engineer presenting their security product, trying to make a sound differentiation between internal and external attackers, as well as trying to explain the difference between malicious and careless.
While the question itself was asked quickly, the following discussion seemed to be a bit disappointing. “Why do companies not procure secure products?” was immediately interpreted in a way a security vendor would phrase it. Yes, of course, companies purchase security products, but not enough. Oh, what if the security product itself was insecure? Well, can’t comment on our competition.
With that, at a security conference, the question feels like it is being marginalized, in particular in the security space. The security industry rotates to much around itself.