If you’ve had the opportunity to perform a security assessment, you probably know the frustration of seeing your earnest recommendations being ignored. You may wonder whether the recipient even read your report. If they did, surely they would share your concerns regarding the risks you discovered. You are not alone in your grief.
You might be able to do something about this situation if you understand why security assessment findings are often dismissed:
- Maybe your report was never read. There could be many reasons for this, including the reader commissioning the assessment merely to check a box saying it was done. Another reason might be that the report was too long, seemed too technical or too high-level, or was otherwise poorly written.
- The reader may not have believed you. Perhaps you didn’t provide enough evidence to support your conclusions. Even if you were thorough, people often ignore arguments that go against their point of view. As a result, the reader might have interpreted your findings in a way favorable to themselves, or disagreed with the recommendations that went against their point of view.
- Possibly, the organization hasn’t gotten around to acting upon your recommendations. IT personnel tend to get caught up fighting fires: responding to emergency issues, fixing problems and otherwise doing unplanned work. This doesn’t leave time for remediating security issues. Sometimes remediation doesn’t happen until after a security incident.
- Perhaps the advice in your report wasn’t practical. You meant well when you advised removing administrative rights from all user accounts, but the security leader might not have had the political power to pull that off. Or maybe you emphasized only important strategic issues that were too hard to handle without starting with easier, more tactical wins.
As you can see, some of the factors that affect whether the organization will follow your recommendations aren’t under your control. Yet, you can increase the likelihood that your findings will be acted upon if you write a strong report, offer practical advice, substantiate your findings, balance tactical and strategic recommendations, and go over your conclusions and remediation approaches in person or on the phone.
This note is part of a 4-post series on creating security assessment reports. For more, see:
- 4 Tips for a Strong Executive Summary of a Security Assessment Report
- Security Assessment Report as Critique, Not Criticism
- 6 Qualities of a Good Information Security Assessment Report
For more on the topic of delivering better security assessments, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.