Your non-technical stakeholders don't grasp your security concerns. How do you communicate effectively?
Communicating network security concerns to non-technical stakeholders can be challenging. The key is to simplify your language and relate your concerns to their business priorities. Here's how:
- Use relatable analogies: Compare security issues to everyday problems, like locking doors or protecting valuables, to make the concepts more understandable.
- Highlight business impact: Explain how security risks can affect the company's bottom line, reputation, or operational efficiency.
- Provide actionable steps: Offer clear, practical recommendations for mitigating risks, making it easier for stakeholders to take action.
How do you effectively communicate technical concerns to non-technical stakeholders?
- Know your audience. You need to explain the cost of a resulting incident in relatable ways to the stakeholder(s), and for each person's role, the way this is done can be very different. For some stakeholders this could be explained through financial losses or opportunity cost due to a tarnished name. Others may better relate to the potential legal or regulatory repercussions. Explain the cost of mitigation versus the potential losses due to exploitation. It may not be possible to put in plain numbers what these are, but a sensible person will likely understand the lower cost to mitigate the problem than the higher cost of an incident.
- There are a number of important points to use in order to get your message across successfully. The first is to highlight what they have at risk and what could possibly be lost. This helps them to understand the scale of the risk you are talking about in something they see value in. Next you need to build them a story or analogy of something simple they know. For performance topics I often use a car analogy, and for security I use their house/home. I always try to have a plan B in my back pocket in case they don't understand it. The tone of your voice is important too, as you don't want to patronise them.
- First and foremost, approach it in a "what's in it for me?" manner. If they don't see value in it, it is unlikely that they will WANT to understand it. Explain the risk, outcomes, and benefits. Even better if you use something relatable to explain it. An analogy is a great way to make them connect technical matters to practical concerns. For example: "That's like closing the door but not locking it. It will not really keep anyone out, if they want to get in."
- It’s one of the main components of Cybersecurity; we call it “Human Risk Management”. Simply, it means: The biggest vulnerabilities often come from human error, so making security a habit is key. I believe that instead of overwhelming stakeholders with technical stuff, show them how simple daily actions—like verifying emails, using strong passwords, and staying alert—can protect the business. When security feels personal and practical, it becomes second nature.
- The best way to communicate when you don't have a shared level of concern is to understand where they are at and make the information relatable to them before you even propose technical solutions. Once you can both agree on the "why it matters", they will be more receptive to the "how" that you are trying to convey.