A small subset of the audience for which a security assessment report is intended will actually read the whole document. The majority will only have the patience for the first page. That’s why it’s important that the report start with a strong executive summary. Here are 4 tips for writing an executive summary that gets read, understood and (hopefully) acted upon:
- The summary has to make sense to a non-technical audience. Remember that it’s meant to be read by “executive” managers. Resist the urge to describe the details of exploits and avoid security jargon. At the same time, make sure that the accuracy of the statements you make there can hold water with the technical audience who will also read the report.
- The summary should have relevance to the company’s business. Outline the significance of your findings in a context that matters to an executive manager. That means referring to items such as risks, compliance requirements, metrics, contractual obligations and business processes. Otherwise, the reader might label the assessment’s findings irrelevant.
- The summary must be brief, in most cases fitting into a single page. It’s much harder to write a short text than a long one, but they call it a “summary” for a reason. Write it in a way that allows the summary to stand on its own, as it might be distributed separately from the rest of the report. Use bullet points.
- The summary needs to be specific. People put more trust into text that uses concrete statements. Avoid the passive voice. Provide numbers rather than using abstract words like “some” or “many.” Put effort into sounding confident, so that the reader accepts your findings. Be clear about your findings and your recommendations for addressing the issues.
The executive summary will be the part of the security assessment report that is read most often. Take time to craft it so that it is readable by executives who care about business, have little time, and think in terms of actions. The effort invested into creating a strong executive summary will pay off in the end.
This note is part of a 4-post series on creating security assessment reports. For more, see:
- 6 Qualities of a Good Information Security Assessment Report
- Security Assessment Report as Critique, Not Criticism
- 4 Reasons Why Security Assessment Recommendations Get Ignored
For more on the topic of delivering better security assessments, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.