Q – When did the industry turn into a churn and burn machine?

A – since DAY 1, you did reference a big word there – INDUSTRY – ever since the firewall, IDS/IPS, and AV vendors marketing groups figured out that the market for early adopters is extremely limited, they learned to focus 99.5% of all their marketing funds towards filling a Need (be it real or assumed). In the past 5 years the security industry as a whole went from the folks with a clue (aka the early adopters) to the world of regulations or the regulatory have toos (aka the folks who didn’t really care until they were told to).

With this environment as your customer base, you have to work with places that are simply checking a box. Do you have a firewall – check, do you have a IDS/IPS – check – do you have AV on your servers – no? oh well then you need XYZ’s antivirus solution.

As we all know security is a process – and only education will lead these folks to nirvana – They are looking to their trusted vendors/advisers to help educated themselves. So if it takes them buying a checkbox to get my foot in the door to help them get their learn on then so be it.

As with anything in the business world – until you show impact to the bottom line – your spinning your wheels. Its up to you to educate them on why having those products is a stop gap measure, but if they don’t teach their programmers not to write crappy web apps they are just going to continue the trend.

So my long winded message is simply – take what you can get to start educating them on what they truly need. That means teaching them that security is a continual process that includes People, Processes, Policies, and Products.