The organization’s network is a never-ending source of vulnerability information, and new systems and applications are constantly being added, making consistent vulnerability identification and risk management difficult.
Penetration testers and other members of the risk management team find the vulnerabilities in the systems, but the problem they face is that they are not always successful in getting management to recognize the problems and provide resources for remediation.
The focus of security reports should be on current risks, compliance, incident response, attack vector experience and evolving risks that the company needs to prepare for. Security reporting should be relevant, comprehensive, flexible and easy to understand.
Vulnerability assessment programs and management must have executive management buy-in and support. Executive management must be made aware of the importance of the program to manage risk.
As a security professional responsible for establishing this program you need to provide the following information to gain approval:
- Scope (Define the scope of the testing. Will the assessment program scan all ports and services of every device connected to the network each week?)
- Workflow (You need to clearly define who will see the reports and what actions will be taken.)
- Goal (Management must be very clear on the goals of the assessment program. Some goals could include identifying vulnerabilities to ease regulatory compliance audits (such as PCI), and/or help enforce security policies and procedures.)
Know the Background of Board
No matter how critical the information you are sharing with the board, it is useless if they do not understand the exact point you are presenting. So first learn the technical background of the board; it will help you prepare your report with facts and figures they can follow. Types of possible threats and how to prevent them may be understandable to a technical audience, but for a non-technical or CEO-level audience, facts and figures together with the quantified cost impact will paint a clearer picture.
This is some of the best advice when writing reports, and something that can be challenging for technical staff who tend to focus on technical details. Try to explain the problem in short, concise sections, breaking it down into a brief description of the problem, the effect it could have on the organization, and the remediation steps. If management has questions or requests more information, then a more thorough explanation is warranted.
Use Graphical Representations
A picture speaks a thousand words; however, you must be certain to put all of those words in the right context, otherwise the picture can work against you. Graphs are extremely useful for measuring risk and communicating that risk to others in the organization, but be certain to quantify the details of the data being represented.
Whenever you use graphical representation make sure that you also describe certain details like:
- Time – What time period does this graph cover? Days? Weeks? Months? Years?
- Ratings – In every report, describe what the vulnerability ratings mean to you. How should your organization treat low-level alerts, and what do they mean with respect to your corporate policy?
- Math – It is important to describe what the numbers actually mean. Give a short, concise description for every figure you quote.
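As an added illustration (not part of the original article), the following Python turns constructed scan findings into the kind of quantified summary the three points above call for: an explicit reporting period, a stated meaning for each rating, and per-rating counts of open, new and closed findings. The CVSS thresholds, host names and dates are all assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Rating legend every report must spell out; thresholds are an assumption modelled on CVSS v3 ranges.
RATING_LEGEND = {
    "Critical": "CVSS 9.0-10.0: remediate within 7 days",
    "High": "CVSS 7.0-8.9: remediate within 30 days",
    "Medium": "CVSS 4.0-6.9: remediate within 90 days",
    "Low": "CVSS 0.1-3.9: fix in the normal patch cycle",
}

def rate(cvss):
    # Map a CVSS base score onto the legend's labels.
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return "Medium" if cvss >= 4.0 else "Low"

# Constructed sample findings: (first seen, date fixed or None, host, CVSS score).
FINDINGS = [
    (date(2024, 5, 2), None, "web-01", 9.8),
    (date(2024, 5, 3), date(2024, 5, 20), "web-01", 7.5),
    (date(2024, 5, 10), None, "db-02", 5.3),
    (date(2024, 4, 12), None, "db-02", 3.1),
    (date(2024, 5, 15), None, "app-03", 7.2),
    (date(2024, 4, 20), date(2024, 5, 5), "app-03", 9.1),
]
REPORT_START, REPORT_END = date(2024, 5, 1), date(2024, 5, 31)  # constructed period: May 2024

def summarize(findings, start, end):
    # Per rating: open at the end of the period, newly found in it, and closed in it.
    open_now, new, closed = Counter(), Counter(), Counter()
    for first_seen, fixed, _host, cvss in findings:
        label = rate(cvss)
        if first_seen <= end and (fixed is None or fixed > end):
            open_now[label] += 1
        if start <= first_seen <= end:
            new[label] += 1
        if fixed is not None and start <= fixed <= end:
            closed[label] += 1
    return {"period": f"{start} to {end}", "open": dict(open_now),
            "new": dict(new), "closed": dict(closed)}

def render(summary):
    lines = [f"Vulnerability summary, {summary['period']}"]
    for label, meaning in RATING_LEGEND.items():
        counts = " ".join(f"{k}={summary[k].get(label, 0)}" for k in ("open", "new", "closed"))
        lines.append(f"{label:8} {counts}  ({meaning})")
    return "\n".join(lines)
```

Calling `render(summarize(FINDINGS, REPORT_START, REPORT_END))` produces the caption text that should accompany the chart, so the period and the meaning of each rating travel with the numbers.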
Relate to Previous Incidents
It is important to relate your findings to what is happening in the real world and to your corporate policy. This is the type of comparison that best helps management understand the threat. It gives them a real-life scenario and outcome on which to base their decisions.
Write Everything Smartly
Presenting the report is the main part of this process. If you are unable to present your report and findings properly and professionally, your recommendations will be neglected and your report will end up in the trash. You can find many online services that will write a custom report for you.
These are the basic steps to follow in order to present your findings in a way that upper management will accept. However, the details may change depending on the organization's processes and industry.