Whether anyone acts on your security findings is only partly in your control. You can improve the part that is by writing more clearly, providing stronger evidence, and rating severity by the real risk to the organization.

Why Your Assessment Recommendations Get Ignored

If you’ve ever performed a security assessment, you probably know the frustration of seeing your recommendations get ignored. You may wonder whether the recipient even read your report. If they did, surely they would share your concerns regarding the risks you discovered.

You might be able to do something about this situation if you understand why security assessment findings are often dismissed:

  • Maybe your report was never read. There could be many reasons for this. Perhaps the person who commissioned the assessment only needed to mark off a checkbox saying it was done. Perhaps the report was too long, seemed too technical or too high-level, or was otherwise poorly written. A report that mostly reproduces raw scanner or AI-generated output has the same problem, because it lacks the analysis the reader needs to judge which findings matter most.

  • The reader may not have believed you. Perhaps you didn’t provide enough evidence to support your conclusions. Or you rated findings by a tool’s worst-case score rather than the risk they posed to the reader’s organization, so the severities looked inflated. Even if you were thorough, people often ignore the arguments that go against their point of view. As a result, your readers might have interpreted your findings in a way favorable to themselves, or disagreed with the recommendations that went against their point of view.

  • Possibly, the organization hasn’t gotten around to acting upon your recommendations. IT, DevOps, and engineering teams tend to get caught up fighting fires: responding to emergency issues, fixing problems and otherwise doing unplanned work. This might not leave time for remediating security issues right away. Sadly, sometimes remediation doesn’t happen until a security incident.

  • Perhaps the advice in your report wasn’t practical. You meant well when you advised removing administrative rights from all user accounts, but the security leader might not have had the political power to pull that off. Or maybe you emphasized only the important strategic issues, which were too hard to handle without first building momentum through easier, more tactical wins. When the people weighing your advice are executives juggling competing priorities, winning their support takes more than a well-written report, as I discuss in my post on what to do when executives say no.

As you can see, some of the factors that affect whether the organization will follow your recommendations aren’t under your control. Yet, you can increase the likelihood that your findings will be acted upon if you write a strong report, offer practical advice, substantiate your findings, and balance tactical and strategic recommendations.

For more on delivering better security assessments, see my report template and what makes a good assessment report. To rate each finding by its risk to the organization rather than a tool’s worst-case score, read about risk-based prioritization.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.