Part of the responsibility of an organization’s IT leadership and its consultants is to provide logical explanations of the threats and vulnerabilities that exist – not to mention their potential impact on the confidentiality, integrity, and availability of operations. The C-Suite should want to hear about it; if they don’t, there’s a problem.
But it’s also important for the C-Suite and other stakeholders to fully understand the level of effort it takes for your team to mitigate and remediate threats and vulnerabilities so you can evaluate the need for action, such as realignment of staff or introduction of a third-party partnership.
While I’ve heard many C-Suite executives tell me “I’m just not technical,” I’ve also seen one-hour meetings turn into two because the CEO wanted details: the results of a penetration test, for example. I’ve even seen a CEO or two probe for answers to questions we already spent time talking through with the CIO and IT leadership. It was a healthy, valuable conversation, and resulted in an actionable plan that quickly improved the cyber security posture of the organization.