How can security leaders more effectively communicate risks to the business and board?

Director Certifications in Education, 5 years ago

Tell them in simple terms what can happen to the business if risk exposure is realized and the organization's ability to meet its financial and strategic goals. Sometimes the worst case scenario, like ransomware infection on the organization's computer systems and data. Risk is a very tricky thing to address because there are so many that can affect an organization. Depending on your business, you may need a separate group/department to manage and address it. A key partner should be the internal audit department.

CIO in Software, 5 years ago

Security must be on the agenda of every team in the organization, whether it is building security, data security, infrastructure security, or people security. How to influence it? CISOs should bring awareness to their peers, people up and down the hierarchy, knowledge center, policy enablement and separation of duties between teams and within teams. A continuous periodic exercise of security reevaluation is a must in the organization.

CIO / Managing Partner in Manufacturing, 5 years ago

Should make sure that cybersecurity is a standing board agenda item.

Director of Engineering in Energy and Utilities, 5 years ago

Finance is probably the best way to communicate risks to business and board. Real-life examples will go a long way in communicating these risks.

CEO in Services (non-Government), 5 years ago

It’s an exercise in influence. First, identify the top priorities set by the business and specific points where better security enables or poor security blocks meeting these goals. Security is only 1 of many types of risks that businesses and boards face, and they must all be considered in the context of reaching critical company goals. You may never be able to convince them to care about security risks for the same reasons you do; instead, align security with their existing motivations. They don’t need to join the band in order to play your song.
