Coz you fixated on the technical
My anecdotal experience is that most of the "information security" people I encounter are actually doing PCI compliance work, and a proportion of them were formerly working on ISO 9000, so not exactly deeply technical.
It is the job of managers to understand risk and come up with business-focussed solutions, not IT security people. There does seem to be an attitude that cyber security is a problem that can be compartmentalised - along with the responsibility. It can't. It's pervasive across the business and managers need to get some education themselves - as they ought to do to understand at least the basics of the legal and financial risks to which they're exposed.