Decision-makers decide how to act on your findings based on what they see in the executive summary. Write it deliberately, with your readers' priorities and needs in mind.
Most of the audience you envision for your security report won’t read the whole document. But many will read the first page—the executive summary. So put your key takeaways there and remember that the summary should be:
- Understandable by the non-technical audience: Resist the urge to describe the details of exploits and avoid security jargon. At the same time, ensure that your statements can withstand scrutiny from the technical audience who will also read the report.
- Relevant to the company’s business: Show why your findings matter to executive managers. Frame the findings and recommendations around risks, compliance requirements, metrics, contractual obligations, and business objectives. Otherwise, the reader might consider the findings irrelevant.
- Brief, ideally fitting on a single page: It’s much harder to write a short text than a long one, but they call it a “summary” for a reason. Write it so that the summary can stand on its own, since you may distribute it separately from the rest of the report. Use bullet points.
- Specific: People put more trust in text that uses concrete statements. Avoid passive voice. Provide numbers rather than abstract words like “some” or “many”: “three of the eleven findings are high severity” carries more weight than “several findings are serious.” Be clear about your findings and recommendations.
Your executive summary is the part of your report with the largest reach. Craft its contents to connect with executives who care about business, have little time, and think in terms of actions.

