Assessment reports deliver bad news, and a reader who feels personally attacked stops listening. Frame your findings as a critique of the situation rather than criticism of individuals, acknowledge what's working, and pair each problem with a path forward.
The key to a successful cybersecurity assessment report is to write it as a critique, not criticism. This isn’t easy, because assessment reports discuss gaps, weaknesses, risks, and other negative findings. Even when the report offers insightful advice, the recipients often react defensively, feeling like they are under a personal attack.
No Judgement
Critique and criticism aren’t the same thing, and the difference is older than cybersecurity. In her essay “What is Critique,” Judith Butler revisits Raymond Williams’ worry that criticism too often means just “fault-finding.” Williams wanted a vocabulary that doesn’t, in his words, “assume the habit (or right or duty) of judgment.” That’s the spirit to bring to an assessment report. You assess how the organization’s security is structured rather than handing down a verdict on the people behind it.
The Situation, Not the Person
A security assessment report written as a critique comments on the factual findings, on the processes that contribute to the security issues, and on the structure of the organization that may need to be adjusted to improve security. This means staying away from chastising individuals, unless you are prepared to deal with their anger and defensive counter-accusations. An angry reader will ignore the report’s key messages, so focus on the situation, not the person.
This gets harder when an AI tool drafts the report for you. Such tools are good at listing gaps and weaknesses, but they don’t know your reader. Editing a bare list of faults into a critique of processes rather than people is work the reports’ human authors must remember to do.
Acknowledge the Positive
A critique-focused report also discusses the assessment’s positive findings. As the saying goes, a spoonful of sugar makes the medicine go down. Seeing which aspects of security you liked helps the organization learn from what is working, so it better understands how to address the processes that aren’t. Positive reinforcement is often even more effective than negative reinforcement in changing behavior.
Suggest a Path Forward
Readers act on findings they know how to fix. Pair each finding with a realistic way to address it, so the report reads as a plan rather than a list of complaints. When you frame a gap as an improvement opportunity rather than a failure, the reader finds it easier to act without feeling defensive.
For more on writing assessment reports that readers act on, see my report template, what makes a good assessment report, and why recommendations get ignored.

