Security Assessment Report as a Critique, Not Criticism

The key to a successful cybersecurity assessment report is to write it as a critique, not criticism. This isn’t easy, because assessment reports discuss gaps, weaknesses, risks, and other negative findings. Even when the report offers insightful advice, the recipients often react defensively, feeling like they are under a personal attack.

No Judgement

In an essay What is Critique, Judith Butler pointed out philosopher Raymond Williams’ concern that the practice of criticism has been unduly restricted to “fault-finding,” which lead him to propose that we find a vocabulary that does not “assume the habit (or right or duty) of judgment.” The notion of critique involves providing a well-rounded assessment of the subject’s structure, rather than personalizing the identified issues.

The Situation, Not the Person

A security assessment report that offers critique, comments on the factual findings, on the processes that contribute to the security issues, and on the structure of the organization that may need to be adjusted to improve security. This means staying away from chastising individuals, unless you are prepared to deal with their anger and defensive counter-accusations. An angry reader will ignore the report’s key messages, so focus on the situation, not the person.

Acknowledge the Positive

Another element of a critique-focused report involves the discussion of positive findings of the assessment. As the saying goes, a spoonful of sugar makes the medicine go down. Seeing what aspects of security you liked, will help the organization learn from what is working, so it better understands how to address the processes that aren’t. Positive reinforcement is often even more effective than negative reinforcement in changing behavior.

For more on the topic of delivering better security assessment reports, see my cheat sheet on creating a strong cybersecurity assessment report.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more