Vendors are doing their job: they try to sell security solutions and services. Ideally, they prefer to sell solutions rather than services: a solution is more concrete, more persuasive to non-security people, and it brings additional services for implementation and maintenance.
To do so, they demonstrate the profitability of the purchase by showing critical examples of security breaches and/or outages. This could pass for awareness if it weren't so biased. It is biased in two ways:
- It concentrates fear on the subject addressed by the solution they are trying to sell (whereas that subject may not be a major concern for the company, or even a concern at all).
- It concentrates fear on the few points within that subject that the solution actually helps solve (leaving 95% of the actual subject unsolved).
So, in order to keep selling "solutions", vendors go after easier targets: highly placed executives outside IT security. More precisely, they try to sell solutions wherever the CISO cannot keep a constant eye:
- IT managers of remote sites where there is no permanent security team,
- Users of packaged "IT tools not considered IT", such as telephony, document management, or technical services from logistics...
- People interested in closely related matters: quality, compliance.
- And sometimes even through service providers!
The solutions bought this way tend to be:
- Ill-centered on minor points,
- Duplicates of what's already implemented,
- Sometimes completely irrelevant...
What the CISO can do about it:
- Communicate around what you already do. → No more duplicates.
- Communicate around what you don't do and why (we'll do it later; we don't do it because it's not relevant; it's not a major concern). → No more irrelevant solutions.
- De-mystify buzzwords. → No more ill-centered solutions.
- Communicate about real threats and the associated risk. → No more haste resulting in cost-ineffective purchases.