One of the common questions we get asked is how to effectively communicate penetration testing results to senior leaders, including C-suite executives and the board of directors. Below are some pointers on how to best navigate these often slippery slopes.
Communicating Good Results
Your penetration test came back and your firm performed exceptionally well, with just a few low-priority findings. That's great! Now for the hard part: explaining that while your firm is currently performing well, you need to maintain or even increase your team's budget to ensure that you continue to perform well. Here are some ways to handle this conversation:
- Complacency – Emphasize the ongoing importance of avoiding complacency when it comes to security. In an ever-changing industry like information security, it takes a lot to stay protected, and it only takes one successful attack to have a significant impact on a firm. According to a report by the SEC, over half of the small businesses that experience a data breach are out of business within six months.
- Moving Target – Security hardware, software, processes, and techniques are constantly improving. However, attackers' methods and tactics are also getting more advanced. Resources are continually required to ensure that as attackers improve, so does your firm's security posture. After all, an attacker only has to get lucky once, while your defenses have to be right every time.
- Preparation – Be prepared to explain how your department will maintain and enhance your security posture, growing and improving to keep pace with continually advancing industry best practices. Showing the security projects and assessments you have planned with your existing or proposed budget, and explaining which types of threats those changes will help mitigate, strengthens your case.
Communicating Bad Results
Your penetration test results came back and they were underwhelming, to say the least. You thought you had your network shored up, but you come to find out that there are still quite a few vulnerabilities that require your attention. While it is important to communicate this up the chain, you shouldn't worry that it will look like you have not been doing your job. Context is always key to communicating penetration testing results effectively.
- Practice Makes Perfect – Remember, penetration tests are valuable benchmarks that show where your security program sits on the maturity curve. This isn't meant to be a pass/fail situation, but rather an input to meaningful changes that have a positive impact on your organization's security posture.
- Have a Plan – While some people will be more taken aback by a significant number of findings than others, laying out how you plan to address each issue over the coming months can help ease minds. This shows you are taking the results seriously and have specific actions planned to mitigate the risks identified.
- Fix and Re-assess – Ensure that your penetration testing firm is available to re-test the identified vulnerabilities after you've had a chance to fix them. By doing so, you get third-party verification that shows your hard work and demonstrates the progress made towards a more secure business.
If you've got questions about how to frame findings for an executive-level audience, do not be afraid to ask your penetration testing firm for help. Oftentimes, they've got quite a bit of experience communicating information security vulnerabilities, their associated risks, and detailed remediation plans to top-level executives who may or may not have a technical background. We find that as a third party, we are able to provide objective feedback tailored to the specific audience to ensure they can understand what's being said. We are more than happy to help prepare these kinds of presentations or even be present to help give them.
While every firm, management team, and board of directors is different, we hope these tidbits will help you navigate the different conversations you may need to have following a penetration test. Regardless of the results, you are always better off knowing what risks you have than trying to prepare for the unknown. At Triaxiom, we ensure all of our engineers are capable of explaining vulnerabilities to both the most technical people in the room and non-technical senior leaders. If you have a question about how to handle your specific situation or want some additional tips on how to communicate penetration testing results to anyone in your organization, please reach out to us today!