Every security leader knows that translating technical risk into business impact can be one of the toughest parts of the job, but not all risks are created equal. Some are far more difficult to explain, quantify, or justify at the executive level.
We want to know: which risk is hardest to communicate to your board or executive team?
For government agencies and large enterprises, nation-state threats and APTs are a major challenge. These risks are high-impact but often abstract, involving geopolitical motives and complex intelligence indicators that are difficult to condense into business language.
Others struggle with cloud misconfigurations and shadow IT, where security blind spots often arise from the speed of innovation. It can be hard to convey how one small misstep, or an unsanctioned SaaS deployment, can open the door to exposure.
Then there’s third-party and SaaS supply chain risk, which continues to grow as organizations lean on more external platforms and integrations. Communicating the cascading impact of a single vendor compromise can feel like trying to map a web with invisible threads.
Some CISOs point to internal threats and human error as the toughest conversation of all. It’s an uncomfortable reality that the biggest vulnerabilities may come from within, through mishandled data, misused credentials, or well-intentioned mistakes.
And now, AI-generated phishing and social engineering are adding a new layer of complexity. These attacks are faster and harder to detect, making it difficult to illustrate just how quickly threats are advancing.
So, when you step into that boardroom, which risk is hardest to explain in business terms and get alignment on?
Cast your vote and help us understand where security leaders face the greatest communication gap.