Why Your Security Assessment Recommendations Get Ignored

Security assessment recommendations get ignored for several reasons: reports go unread due to poor writing or checkbox compliance, readers disbelieve findings that contradict their views, IT staff are overwhelmed with operational fires, or advice isn't politically or tactically practical. Strong reports and balanced recommendations help.

If you’ve ever performed a security assessment, you probably know the frustration of seeing your earnest recommendations get ignored. You may wonder whether the recipient even read your report. If they did, surely they would share your concerns regarding the risks you discovered.

You might be able to do something about this situation if you understand why security assessment findings are often dismissed:

Maybe your report was never read. There could be many reasons for this, including the reader commissioning the assessment to merely mark-off a checkbox to say it was done. Another reason might be that the report was too long, seemed too technical or too high-level, or was otherwise poorly written.

The reader may not have believed you. Perhaps you didn’t provide enough evidence to support your conclusions. Even if you were thorough, people often ignore the arguments that go against their point of view. As the result, your readers might have interpreted your findings in a way favorable to themselves, or disagreed with the recommendations that went against their point of view.

Possibly, the organization hasn’t gotten around to acting upon your recommendations. IT personnel tends to get caught up fighting fires: responding to emergency issues, fixing problems and otherwise doing unplanned work. This might not leave time for remediating security issues right away. Sadly, sometimes remediation doesn’t happen until a security incident.

Perhaps the advice in your report wasn’t practical. You meant well when you advised removing administrative rights from all user accounts, but the security leader might not have had the political power to pull that off. Or maybe you emphasized only the important strategic issues that were too hard to handle without starting with easier, more tactical wins.

As you can see, some of the factors that affect whether the organization will follow your recommendations aren’t under your control. Yet, you can increase the likelihood that your findings will be acted upon if you write a strong report, offer practical advice, substantiate your findings, and balance tactical and strategic recommendations.

For more on the topic of delivering better security assessments, see my cheat sheet with Tips for Creating a Strong Cybersecurity Assessment Report.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →