As some have said, explain the potential cost to the company in terms of $$$, reputation loss, customer confidence erosion, etc.

Start with Impact: "This issue could expose customer data or disrupt operations, costing us money and trust." Show Urgency: "If not fixed quickly, it could cause damage within days." Avoid Jargon: "Hackers can use this to access sensitive systems." Propose Action: "We need approval to fix this immediately." Reassure: "We’re monitoring it and ready to resolve it fast." Focus on business risks and next steps, not technical details.

Tell them the manager they hate at the same level that they’re working at said he could get it sorted and patched it in 48hrs. Sit back and watch them do it in 24. 😉

Como um CISO, eu apresentaria ao Board dentro do Mapa de Riscos atrelado a um Score de Risco, qua ajude no entendimento de priorização de esforços versus investimentos confrontados ao apetite do risco, porém de maneira leve, traduzo os jargões tecnológicos e trago uma exemplificação de um olhar de Guerra, que ajuda muito no entendimento e traz maior apoio a decisão, trazendo sempre bons diagramas lúdicos, gráficos de calor (Heat Map)! Espero poder ter contribuído!

As many have stated here, focus on communicating the impact of the risk. Using potential business failure scenarios with current and future revenue implications and potential regulatory or legal consequences usually works well. Avoid diluting the message with all possible permutations and combinations. If you’re in a leadership position, present clear options, share the actions you’ve already taken, and outline the specific support you need to move forward. Factors such as the company's industry, past incidents, organizational culture, compliance obligations, org structure, and the skill levels of the executives themselves will all influence your approach, so proactively seek feedback and continually refine your approach.

First I would the C-level executive to explain what they consider to be a worst case nightmare IT scenario. Then using non-tech Jargon, in a concise rational manner convey the risk and urgency of the threat they are facing using the situation they provided as a rating matrix and what I believe is their best course of action and next steps.

Financial impact. Reputation impact can also equate to a financial impact. You need to talk business terms to management and not even mention anything technical. What’s wrong, what are the options, what are the scenarios if we do nothing, who is accepting the residual risk, please sign here __________

To convey a critical security risk to a non-technical executive: 1. Impact: Explain the business consequences (e.g., data breaches, revenue loss, regulatory fines). 2. Quantify: Provide tangible figures or examples to illustrate scope and seriousness. 3. Urgency: Highlight why immediate action is crucial (e.g., active exploitation or escalating risk). 4. Solution: Reassure with a clear plan and the required resources. 5. Analogies: Use simple, relatable comparisons if needed. 6. Call to Action: Clearly state what you need from them to proceed.