What is your biggest concern when communicating risk?

Vice President of Information and Security in Manufacturing, 5 years ago

One of the biggest concerns when communicating risk is the audience's ability to comprehend the significance of the risk and ramifications if a budget is not properly defined to mitigate those risks. Most C-Level Senior Executives don't want to know or understand the risk; they just want to make sure you don't allow it to happen. Good or bad, they expect you to manage the risk and they don't want to hear about the negative effects from it.

Senior VP & CIO, 5 years ago

With Boards there are always similar lines of questions regarding round, how do we know and how do you know we're doing all the right things? I also worked alongside the risk teams at prior companies, especially being a leader of IT or having a large component of the technology platforms we viewed and focused on the industry-specific risks. The question always is "How do you balance the risk against your business objectives? How do you ensure that you're managing that to the best of our ability or within the funding portfolio of the company?"

CISO, 5 years ago

We are trying to get into a conversation about how we quantify risk. We've done all this stuff and we think it's all the right things, but in speaking with executive leadership and the CIOs, they say, "Well, how do we know if it's good enough? How do we know if what we've done is good?" There's all kinds of benchmarking data you can find to say, okay, against this single thing, how do I compare to others? But how do you really look across your entire landscape and all the different security practices and controls you have in place? How do you assess security operations versus all the projects you're doing, to try and put together a set of measurements, to really understand and be able to articulate at an executive level where you have prevented and controlled risk, where you've got your residual risk, and where you still have your unknown?
