I’ll second that. When approaching management with security concerns, many of us fall short on being able to properly communicate with management regarding risk. While it’s helpful that management, specifically upper management, deal with risk every day the downside to that is, you have to present your risk to them in terms they can understand. Using the formula of:
Cost of failure * rate of failure = total cost of failure is actually detrimental to this approach, most notably because the rate of failure for an undiscovered/undisclosed security defect is quite small and yields a total cost of risk that is well within norms for most companies.
What you need to do is familiarize yourself with the upper management, specifically those through which you report up to the CEO, and understand the types of risk they deal with and – more importantly – the total costs of failure they find acceptable. Then, when approaching them – just by way of example - prepare a report which demonstrates this specific risk in terms they both understand and with a gravity that they appreciate. Never say “we could be hacked, it would be awful”, instead “when this defect is eventually discovered (include citations on the rate of remote network probes/scans), the resulting security breach will cost us $X to resolve, further (citations are handy) as this has been in the news lately, expect additional fallout in both news cycles and social media. Instead of facing $X in known risk, by investing $Y in prevention we can address this issue and improve (insert impact on project/product they are personally invested in).”
Lastly, never leave the rate of risk ambiguous – never leave it at “might, may, could or worse still, one in a million” – always represent those uncertainties with math: number of remote attack attempts over time. If your perimeter is anything like mine, it will be read by management as an eventual certainty and *not* like something that can be safely ignored as an unlikely “storm of the century” type event.