I've heard it said many times "cybersecurity people don't get the respect of business leaders because they don't speak the language of business". I'm sure there is some truth in this.
The cybersecurity status quo is partly to blame for this. You won't find many sessions at BlackHat or DEF CON talking about typical business matters. Cybersecurity practitioners like to focus mainly on the "cool stuff", like how to use a Flipper to break into cars and perform other magic. The fact is that many cybersecurity people are in their jobs because they are technical types who like to tinker with software, hardware and "unbreakable products", only to prove they are indeed breakable. We like the challenge.
I've been able to "talk the language of business and IT topics, including cyber risk management" because I have worked in roles that demanded knowledge of the Energy business and of IT/OT software technology within the Energy industry since 1990. Serving as Enterprise Architect at ISO New England, and having the best boss I ever had as a mentor, Dr. Eugene Litvinov, CTO at ISO New England, gave me the best possible opportunity to learn both the business and the technologies used throughout the electricity business, from finance to legal to IT/OT and electric systems planning and operations. It was an amazing learning opportunity and I took in everything Eugene taught me. I will forever be indebted to Eugene for his leadership, mentorship and friendship.
But I take what Eugene taught me and put it to good work when I engage within the industry on matters such as industry standards at NAESB/FERC, or within a business entity, from energy suppliers to generators to regulators, LSEs, Grid Operators, Distribution companies and many others, including consumers, with a role in making the entire electric grid work. Having a holistic understanding of how all the pieces fit together and of the important role of technologies in making it all work is invaluable. In fact, I don't see how anyone can walk into an electric company and claim to be a "cybersecurity expert" without knowing how that business works, its mission-critical operations and the inter-dependencies, both within and outside of the organization, that make it function, in addition to all the knowledge needed to effect a cyber risk management solution.
So the moral of the story is simply this: "Any individual that needs to communicate with business leaders about any topic, including cyber risk management and cybersecurity, needs to understand the business and the challenges those businesses face in order to avoid being 'tossed to the sidewalk'." Be prepared, do the leg work and "know your stuff" to be successful when dealing with business leaders. Always be respectful.