I was just going to post when your comment made me rethink the whole thing and write this reply instead.
Having worked in I.T. for 25 years or so now, I'm pretty familiar with the "computer security" marketplace. Most of the time, you've got a combination of "former hackers who decided they could make a living out of selling comp-sec stuff" and big companies seeing $$$$'s by getting behind these initiatives to sell solutions.
Meanwhile, in the rest of corporate America, I.T. expenditures are increasingly under a microscope, because companies have long since been burned by and learned from the old idea that I.T. was an investment in the company's future. These days, I.T. is viewed more like a line-item expense on budget spreadsheets. Sure, it's necessary
And guess what? In the majority of situations, the reasonable answer is to say "no" to the expensive new security appliances or software. A lot of that stuff is going to quickly become obsolete anyway. (Quite a bit of it is subscription-based where it receives regular updates from the manufacturer as long as you stay current on your payments. Guess what? When the (often small startup) security company making it gets bought out by someone else or goes belly up, you're often left with a costly paperweight that someone wants MORE $'s to replace with the "new, supported alternative/improvement" to it.)
If your I.T. people are competent enough, they should be keeping up with all the OS and software updates/patches, and that alone seals up quite a few of the security holes at NO extra cost. Other times, the smarter choice may be outsourcing one or more of the services you used to host in-house. Let the "big guys" host it for you and let THEM pay all that money for the fancy security appliances to protect your data AND the data of thousands of other customers of theirs. At scale, those security tools/software purchases make a lot more sense.