Sam DeLucia, Senior Manager, Risk Advisory Services
Why Settle for an Un-actionable Cybersecurity Report?
Here’s the scenario: your organization’s leaders read or hear about a recent cybersecurity breach in the news. Sometimes the breach involves a competitor or a similar business line, and the result was a damaged brand, possible fines, or even lawsuits.
Many leaders fear that they could be the next victims of cybertheft and want to know whether their business or organization is safe. Typically, after a rigorous proposal and bid process, they’ll engage a third party to perform an independent assessment of the organization’s cybersecurity posture. The consultant conducts interviews and meetings, collects information, runs scans, and issues a report.
The Fallacies of Typical Cybersecurity Risk Assessments
A typical report includes a discussion of the background, the organization’s use of technology, and the “amazing” assessment process the consultant used to detect the organization’s vulnerabilities.
And typically, the report identifies an abundance of vulnerabilities, presented as an enormous glut of raw data organized by server or IP address. Sometimes the list is prioritized by a risk rating; other times it is simply sorted by IP address, which is no prioritization at all.
After the organization’s leaders sift through the background, the risk assessment procedures, and 50-plus pages of findings, they meet with their IT department for the “real explanation.” At this point, IT either defends why a server has so many vulnerabilities or confirms the consultant’s risk ratings.
Most importantly, the organization’s leaders ask what the data in the report really means.
Read our team’s related post: Cybersecurity Risk Assessment is More Than Just a Scan
What Results Leaders Want from a Cybersecurity Assessment
It is our belief that organizational leaders want to know five things:
- “What do we do well?”
- “What needs to be fixed?”
- “How do we measure up?”
- “What are the recommendations to fix this?”
- “How do we plan this year for fixing this?”
These answers must be conveyed to three separate audiences (executives, managers, and IT staff), each looking for insights relevant to their own responsibilities within the organization. Consequently, an Assessment Report should contain three sections:
- An Executive Summary, which is a “30 second elevator talk” explaining why the organization needs to dedicate resources to cybersecurity. The best summaries communicate this information on one “bulleted” page.
- Management Findings, which summarize the detailed findings so management can create and execute an action plan, make changes and improvements, and drive results. A significant portion of the report will be dedicated to this objective.
- Detailed Findings, containing supporting information and documentation captured during the assessment that will be used by IT team members to address specific findings.
The report should include clear, understandable descriptions of the challenges and opportunities for improvement that require attention. Each recommended improvement should be weighted and prioritized so the organization can set a path for its teams to begin work. Recommendations in the report should be right-sized for the organization and its capabilities.
A strategic roadmap should be included in the Assessment Report that helps the organization prioritize work over time.
Connect with Freed Maxick’s Cybersecurity Risk Assessment Experts
Ultimately, leaders want and deserve a clear and actionable Cybersecurity Assessment Report from the consultant they hire. The Cybersecurity Team at Freed Maxick will constructively listen to your wants, needs, and concerns. We’ll bring our years of experience to understanding your capabilities, and we’ll provide clear guidance and a strategic plan to prioritize and address areas of opportunity.
Our assessments are presented in the right language for each type of stakeholder, using graphical representation, color, and a level of detail relevant to that audience. We believe this is a best practice for preparing an actionable report and plan, especially for executives.
For more information about our cybersecurity assessments and other related programs and services, please connect with us here or call us at 716.847.2651.