Most of the people whom you envision as the audience for your security assessment report won't read the whole document. But many will read the first page: the executive summary. So put your key takeaways there and remember the following:
- The summary has to make sense to the non-technical audience. Remember that it's meant to be read by executive managers. Resist the urge to describe the details of exploits and avoid security jargon. At the same time, make sure that the accuracy of your statements can hold water with the technical audience who will also read the report.
- The summary should have relevance to the company's business. Outline the significance of your findings in the context that resonates with an executive manager. That means referring to items such as risks, compliance requirements, metrics, contractual obligations, and business processes. Otherwise, the reader might consider the assessment findings irrelevant.
- The summary must be brief, ideally fitting on a single page. It's much harder to write a short text than a long one, but they call it a "summary" for a reason. Write it in a way that allows the summary to stand on its own, as it might be distributed separately from the rest of the report. Use bullet points.
- The summary should be specific. People put more trust into text that uses concrete statements. Avoid passive voice. Be succinct. Provide numbers instead of using abstract words like "some" or "many." Be clear about your findings and your recommendations for addressing the issues.
The summary will be the part of your report that has the largest reach. Craft its contents to connect with executives who care about business, have little time, and think in terms of actions. The effort you invest in your executive summary will pay off in the end.
For more on the topic of delivering better security reports, see my cheat sheet on creating a strong cybersecurity assessment report.
Updated January 23, 2019