Early in my career I gave a risk briefing I was proud of. Threat vectors, control gaps, a heat map with satisfying reds and yellows. The executives were polite. Nothing happened. It took me embarrassingly long to understand why: I had answered a question nobody in the room was asking.
Leadership and investors don't want a tour of your controls. They want answers to three questions, and only three. What could hurt us badly? How likely is it? What are we doing about it? Everything else — the taxonomy, the framework names, the technical mechanism — is your supporting work, not your message. If your briefing leads with the mechanism, you've made them do the translation, and they won't.
So I translate first. Not "we have unpatched instances in a subnet," but "there's a path that could take down the service our partners depend on; here's how likely we think it is and here's the plan and timeline to close it." Same fact. One version makes the listener work; the other lets them decide. The decision-maker's job is to allocate attention and money against risk, and you make that easy by speaking in their currency: business impact, likelihood, and the cost of action versus inaction.
Two more things I've learned. Quantify when you honestly can, and admit uncertainty when you can't — a confident fake number is worse than an honest range. And never bring a problem to that audience without bringing the shape of a response. They're not there to solve it; they're there to back you. Give them something to back.
