What infosec people think $vendor email security solutions are going to solve phishing attacks? I was under the impression that the people that buy those solutions (like many security solutions) are primarily non-infosec people that want to paper over their real problem without fixing it.
Granted, there is a place for some of these things temporarily while working to fix the actual problem, but that's a mitigation, not a solution.
Nope, seasoned pros I respect think training+$vendor is good enough. If it isn't, blame the user or the vendor!
There are shops where the goal is to have someone to blame when you get owned, and there are rare shops where the goal is to do it right to catch/stop bad guys even if it means you get blamed (because management understands security is not absolute).
That's exactly how they think and it's b.s.! The whole point of this comment thread is that most people will fall for a phish if the phish is good enough.
FWIW email security training is something you'll probably be forced to provide, to some degree, as a matter of compliance. It's another case of compliance wasting time by driving companies to do security work that isn't meaningful.