Written by Dave Stelzl CISSP

Ditch The Big Report – Security Assessments Done Right

Businessman sinking in heap of documentsHere’s What Business Leaders Are Saying They Want in An Assessment Report (in Two Words).

“Security Intelligence”…

Will the CISO actually read your security assessment report? What about the small business owner? Law firm partner? Doctor running a clinic (where HIPAA is required)?

The likelihood of anyone reading your report is nearly ZERO!, unless you do this one thing first…

Separate the Technical from the Business Risk,…

That’s right, you need two reports. One written in the language of leaders, the other technical. But don’t just create a new report just yet…here’s a simple process that creates ONE REPORT, with two parts, giving your report better flow, while at the same time appealing to both audiences.

(Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Executive Reports Should Not Have Stop Lights In Them

Let’s start with the executive summary. First, drop the word summary…and delete that one page summary page in your report. Call it the Executive RISK ANALYSIS…with an appropriate subtitle.

I’m 99% confident your current one-page summary will not speak to executives…and if it has the RED STOP LIGHT on it…well, check out what one CISO said in a recent interview…

Tom Watson, CISO for Sealed Air Corp, told me just a couple of weeks ago, “The stop light approach is meaningless”.

Having a red light on the summary page does not lead to immediate action or follow-on business for the consultant. There is no business justification in a red light. PERIOD.

The CISO’s job, according to Watson is, “To bridge the gap between technical and the board.” “My seat at the table,” says Watson, “Is where risk gets delivered in business terms to board members and my C-Level Peers.”  In other words, the stoplight diagram does not quantify risk…the board won’t be moved by blinking lights.

Red Lights On Risk Reports = Idiot Lights On Your Dash

If you have an older car, the red light comes on when something is wrong… that could mean your gas cap is off, your catalytic converter malfunctioning (and you might not pass your next emissions test), or your entire transmission system is about to fall off while driving down I-95 and 70 mph.

In other words, anything from a simple 2-second turn of the gas cap, to the $3500 transmission replacement project will satisfy the red light. But which is it? No one seems to know. So the new cars tell you what’s wrong (in one of N languages).

Your executive risk report is the same. The light justifies nothing…instead, you need an explanation…(in one of two languages).

So what will you explanation look like?  A quantification of risk…a measure of Impact vs. Likelihood…Language ONE is BUSINESS…Consider the following…

  1. What assets were identified as having an associated risk? And what are the relevant threats, posing risk, which must be addressed?  Are you aware many companies don’t even know where their data is? And so figuring out where the assets are, what threats exist, and how big those threats are can bring tremendous value to your C-Level contact before meeting the board.
  2. What are the odds data will be affected? Going back to the three pillars of security: Confidentiality, Integrity, Availability…it makes sense to find out which of the three matter for any given digital asset, and to quantify the risk (as a percent likelihood) in a graph.
  3. Finally, what is the trend? Is business risk increasing? Or is the firm’s security posture improving over time? As the company adopts next-gen technologies, leadership need someone watching risk levels. As IoT projects, mobility, collaboration, etc. evolve, are business threats growing, remaining constant, or shrinking?

The report should be short, graphical, and written in business-eze. I highly recommend having someone with business-savvy right this report. But don’t stop there… have a copywriter review and edit it.

Copywriters will take a boring report and turn it into engaging content. They’ll trim it down, bring out the headlines, and bring it to life, keeping your overworked reader engaged.

With one solid report in hand, it won’t be difficult to duplicate. If you look at the popular business books on the NY Best Seller List, you’ll see they have a readable style unlike any college text book or legal document. It’s that level of readability you are looking for in your report.

NOTE: This means, when you use vendor-reports coming from SIEM, firewalls, etc. The reports they give you (while colorful and complete) will not land new business…Keep reading to see where your colorful-vendor report goes…

The Technical Stuff (Including the Vendor-Report) Belongs in Appendix A

While you might be tempted to combine your executive report with the details, handing in the 100 page (War and Peace) report is not going to bode well for you. No one in the C-Suite has time to read 100 pages!

Business owners are even less likely to read a report that looks like a 5 hour project.

At least a CIO or CISO is responsible for risk as a primary job function. The small business owner, while responsible for computer security, is more likely to be focused on today’s invoices, a major customer-sat issue, or this month’s cash flow crisis.  The 100 page report is likely going on a shelf…or in the round file.

If you create two reports, another problem emerges…the executive has one report, technical has another…are they different? Do they conflict?

The Solution is Easy…Appendix A!

Most of us skip the appendix when reading a book.  But knowing the data is there gives us assurance that there’s research behind the author’s claims. The technical team will have access to the main report, but will likely find the details in you appendix more interesting.

Here’s What You Should Include (Notice there’s no stop light here either):

  • Network diagrams
  • Applications / Digital Assets (Prioritized)
  • MTD/RPO requirements (Data they don’t have up to this point)
  • Any important business level requirements
  • Technical details on malware, configuration problems, etc.
  • Gap analysis against whatever standards you measure against – XTZ compliance, NIST, etc. (I highly recommend you base your assessment on something such as NIST to give your findings more credibility)
  • Major issues to address (project recommendations – keep this list short)
  • The punch list of everything else that should be addressed.  Prioritize this list, and segment by functional area.

Between these two reports, you have what you need – however, the move to remediation has more to do with your presentation than it does in these two documents.  Look for a future article on,…

“How to Master The Board Room Presentation, When Presenting Risk Findings…”

© 2017, David Stelzl

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s