How do you talk to the board or your CEO to get budget for reducing risk?
The CISO's role is to educate, assess and communicate. The CISO doesn't "get" budget but instead is given budget based on a business need. So, to answer the question: to be given budget, there must be a risk that is communicated to the business that the organization feels needs remediation. This can be done through risk assessment findings, maturity assessments, compliance needs or just by putting forward an effective business case.
The SEC proposed an update to their rules around cybersecurity and one interesting aspect is that they're proposing that public companies report on their board of directors’ cybersecurity expertise, if there is any. That signals the fact that they're trying to integrate cyber risk into general governance. We have HR risk, forex risk, and all of these other risks that we manage as a function of growing a business. Cybersecurity is just another one of those. It's not this special kind of risk that sits off to the side demanding budget. Even in terms of raising the possibility of the conversation, it can help to go through that and show that this is where the market is going, and help the CEO understand that this is what the SEC thinks about it. Eventually the CEO will be put in a position where stakeholders will probably ask them the same questions, which is a pretty compelling conversation starter.
Nowadays, information security risk is very familiar to everyone, so talking about the budget is not an unknown flyer. The CISO and head of InfoSec must be mindful beforehand about the information security risks and business impact (especially on customer experience, user experience, system performance, etc.). If these cases are taken care of, getting the budget is easier compared to earlier.
I also believe that post-COVID it has become much easier.