Write a Strong Executive Summary for Your Security Assessment Report

Most of the people whom you envision as the audience for your security assessment report won’t read the whole document. But many will read the first page: the executive summary. So put your key takeaways there and remember the following:

  • The summary has to make sense to the non-technical audience. Remember that it’s meant to be read by executive managers. Resist the urge to describe the details of exploits and avoid security jargon. At the same time, make sure that the accuracy of your statements can hold water with the technical audience who will also read the report.
  • The summary should have relevance to the company’s business. Outline the significance of your findings in the context that resonates with an executive manager. That means referring to items such as risks, compliance requirements, metrics, contractual obligations, and business processes. Otherwise, the reader might consider the assessment findings irrelevant.
  • The summary must be brief, hopefully fitting into a single page. It’s much harder to write a short text than a long one, but they call it a “summary” for a reason. Write it in a way that allows the summary to stand on its own, as it might be distributed separately from the rest of the report. Use bullet points.

The summary will be the part of your report with the largest reach. Craft its contents to connect with executives who care about business, have little time, and think in terms of actions. The effort you invest in your executive summary will pay off in the end.

For more on the topic of delivering better security reports, see my cheat sheet on creating a strong cybersecurity assessment report.


About the Author

Lenny Zeltser develops teams, solutions, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
