AndreaMoore
Community Manager

Blog: The Importance of Board Engagement in Cyber Governance

Robert Fritz, CISSP, CSSLP discusses the importance of accountability and how officials and organizations must work together to secure the cyber domain we share.

 

Read the full blog: https://www.isc2.org/Insights/2023/09/Importance-of-Board-Engagement




ISC2 Community Manager
3 Replies
AndreaMoore
Community Manager

Related article from the Wall Street Journal: 

 

Boards Still Lack Cybersecurity Expertise

Just 12% of S&P 500 companies have board directors with relevant cyber credentials, new study says: https://www.wsj.com/articles/boards-still-lack-cybersecurity-expertise-70094266?tpl=cs&mod=hp_lead_p... 




ISC2 Community Manager
JoePete
Advocate I

I think the fundamental problem is that security professionals do not know how to speak to the business professionals. Simply if we stopped clamoring about "cybersecurity" (which itself is an exercise in questionable diction vs. the less-hip "information security"), and instead talked about quality and business improvement, we might get somewhere. Even the concept of risk, very rarely do you come across a security professional who can translate risk into business drivers. Just because something is risky doesn't mean it is a bad idea or needs to be mitigated. Bear in mind most entrepreneurs out there are burning through capital toward the goal of capturing overwhelming market share and/or investment attention. Getting them to think about something like data classification, for example, is like getting a firefighter to think about water conservation at an inferno. If instead, we get them to think "data classification will make it easier to move into the cloud or AI," then they might start listening.

 

Over the decades we have turned security into a series of specializations to the point where we produce largely people who focus on the trees and not the forest. What we are losing is that broad understanding of information, technology, and also business.

AndreaMoore
Community Manager

Free for Members

Translating Cyber Risk into Business Language for Effective Leadership (0.5 CPE credits)

Cyber leaders are required to communicate cybersecurity issues to executive decision makers. That requires an understanding of basic accounting, finance and economic principles. Learn how to relate expenditures to financial aspects, such as cash flow and return on investment.

 

Access the skill builder: https://www.isc2.org/professional-development/skill-builders/cybersecurity-leadership 




ISC2 Community Manager