by johngalt
1294 days ago
I doubt CISA believes that technical and cybersecurity experience is irrelevant. This is their way to say "put someone in charge of it." Two reasons for this:

1. The failure mode for most SMB operational risks is "no one was behind the wheel. No one thought it was their responsibility." If someone is clearly identified as responsible, they can set the basic guidelines that most people already know should be done.

2. Once the term "responsible for X" is on the table, it will tend to push the business towards hiring skilled personnel. Precisely because no one wants to take that on. Recommend that a business hire a skilled IT security headcount at market rates, and all the stakeholders will vote no. Ask a business "who is responsible for IT security? Who will handle an incident or breach?" And they will hire an IT security person after no one steps forward.