Decide on an Information Security Standard or Compliance Law that is applicable to your fictional organization that is just big enough to have a Chief Technology Officer. Explain to your CTO what the rule/law is and what your organization needs to do to ensure compliance. Feel free to vibrantly describe what can happen if you don’t comply. It’s okay to strike fear into the CTO by referring to examples of punishment for non-compliance, even if those are merely in the court of public opinion.
You can use any type of communication that you feel is appropriate, whether that is a letter, memo, slide deck, infographic, interpretive dance, etc.
You should assume your CTO is technical and communicate accordingly. Remember that CTOs can be either women or men and have names other than “Dear CTO” 🙂 Pretend letterhead is always a worthwhile investment of time.