Also, even for things that are beneficial, there are incentives to make them appear more beneficial potentially at the expense of actual benefit (c.f. various dashboard and extraneous-but-flashy functionality).
Do you think such incentives don't apply to internal security teams, or that they are (relatively) much weaker?
@robryk @GossiTheDog they definitely still apply internally, everybody has an incentive to not get fired, after all. But they are in my experience generally weaker, as people collect a pay check more or less independently of their work.
Of course, this also requires the internal security team to be trusted and have necessary resources to do their work, but in general, they are much less likely to try to sell you something over an external vendor.