Therein lies ruin
The trick is to understand how to align business strategy to security architecture. Unfortunately having a rough idea and using goggle means you end up with a firewall and some boxes that often inhibit the business and security is thus seen as "the boys that say NO"
I'm sorry Trevor; "Proper information security requires defence in depth: layers of technologies, techniques, best practices and incident response woven together into the tapestry of everyday operations" may be correct for some businesses - but for most this approach is old-hat, and means kludging their architectures to take advantage of BYOD, Cloud, IoT and other such technologies that gives them strategic advantage.
The most agile companies are 100% cloud, using Chromebooks and BYOD; where is your need for firewalls, layers of technology etc.?? Then actually you need a CISO that understand Cloud Identity and entitlement, not layers defence.
But then you get what you pay for......