The issue experts continue to see in enterprises across every business sector is an inability to explain complex security problems in a way that executives can understand. Security threats must be broken down into terms a CFO, COO, or CEO can grasp, or the problem will not get solved.
The difficulty is that the problems are complex, the solutions varied, and the cost high. Because of this, simplifying the explanation of security threats without losing what matters is a core skill of any effective cybersecurity practice.
There may be a temptation to use one specific threat (a particular security vulnerability that already has the executives' attention) as the justification for a solution that addresses many problems at once. This can be a productive use of money, but the framing needs to be clear. State precisely which problem is being solved (the specific security threat), and then note, as a secondary benefit, that the same solution conveniently addresses other threats at the same time.
Do not redirect attention to a slew of problems that need fixing; stay focused on the problem the C-suite is already concerned about. Being honest and forthright about how you will solve that problem, while also conserving resources by handling related problems in the same effort, works in your favor. Rather than saying "I can solve all the problems for a bunch of money and resources", say "I have this solution, which will also let us solve some similar problems at the same time, saving money and time invested". The second framing sells far better to the C-suite.
Everything that contributes to the cost matters, down to the labor needed to accomplish the task, and being forthright and honest about these details can save a lot of heartache. Every factor (internal labor, the cost of the product, the cost of external engineers brought in to assist) should be laid out for the C-suite when a cybersecurity threat is discussed.
Getting the costs right in advance shows the C-suite that you are on top of the security problems, rather than constantly asking for more money to solve what appears to them to be the same problem over and over.
Many in the C-suite see cybersecurity as a sinkhole for money. Estimating conservatively, then coming in under budget and over-delivering, makes it far more likely that they will trust your analysis the next time.
Cybersecurity teams struggle to get buy-in from executives because the problems being explained are hard for the C-suite to understand and, beyond that, because it is hard for them to trust that the proposed solutions are the best ones available.
A strong relationship with your executive team, in which they know what to expect from you, goes a long way toward a healthy working relationship with management and the C-suite.
Always provide all of the information, but provide it clearly and concisely. Give fuller explanations when asked, but have written briefs ready for the executive team to review, and try to pre-empt the considerations and questions they are likely to raise. Burying a key problem in a routine report that the C-suite is never going to read will not help you when you later go to them for funds to resolve it.
Telling your CEO that the problem has been in the reports for a month, when explaining the severity of that problem was the cybersecurity team's job all along, puts the CEO in a frustrating position and will not end well for you.
Make sure critical findings are explicitly labeled as critical and kept separate from the general reporting. That separation is what allows these problems to be addressed properly.