Aidan Mitchell

Reporting for Security – Executive Summary

The executive summary for any report acts as a concise overview of the engagement process, the reported findings, and recommendations. The audience for the summary tends to be decision-makers and influential stakeholders, and the summary serves as a tool for them in prioritising risk mitigation efforts, meeting requirements for audit and compliance obligations, and identifying actionable remediation. Getting this section of the report right is crucial for communicating the risks affecting your client and for guiding them towards the solution.

The first question to ask about each section is “who am I writing this for?”.

Target audience

The target audience for the executive summary typically includes senior leadership, project management, board members, and often an assortment of other non-technical stakeholders in the client organisation.

The audience may also include other interested third parties such as regulatory and compliance organisations, customers, and vendors or suppliers who are integrated with your client’s IT estate.

Writing the summary

Firstly, when writing an executive summary, remember that the deliverable component of the vast majority of engagements is the report, and the executive summary will usually be the most read and the most shared section of that report. That means it’s important to get it right. It also means that you might consider the executive summary to be the most significant part of what you’re selling to the client. Therefore, the golden rule is communication. Speak to the client, build a rapport and shared vocabulary, and be as clear as you can about what they need from your deliverable. If you make the mistake of assuming you know what the client wants, you’re making things harder for yourself. Save yourself time and effort by just asking.

Conciseness and risk-impact-remediation linking

Keep in mind throughout your executive summary that it is a summary. You don’t need to explore all the specifics of findings. You don’t need to detail the XSS vulnerability you found in the comment submission form, but you do need to highlight the absence of sanitisation of user input. Link the risks to impact by explaining how the business and its customers would be affected if the risk were to be exploited. Explaining that you can use the XSS to facilitate session hijacking should be reserved for the technical findings section. Instead, you should explain how that can impact users of the application, e.g. takeover of user accounts leading to theft of PII, issuance of fraudulent transactions, etc. This sets the stage for linking both the risk and the impact to process in your remediation guidance. A lack of user input sanitisation can be addressed through code audit, security best practice guidelines for developers, and deployment guardrails. These controls lay the groundwork for reducing (or, ideally, eliminating altogether) the opportunity for the risk to make it to production environments. Additionally, the controls can then be subjected to scrutiny, which forms the basis for a risk monitoring and reduction process.

In any situation where you have to weigh conciseness against verbosity, I recommend favouring the former. Revise your summary until you’ve said everything you need to say in as few words as possible. Remember that you have a technical summary and findings section in which to expand and elucidate. In this same vein, try to zoom out on your findings and see whether you can find common threads which might simplify the summary. By focusing on risks instead of specific findings, you will often find this becomes much easier. For example, one finding about weak passwords, another about keys stored on a publicly readable share, and another about easily guessable API tokens can be compressed into a single higher-level risk regarding secrets management and password policies.

Language and tone

The audience for an executive summary will more often than not consist of non-technical stakeholders. You should strive to avoid alienating them through over-reliance on technical language. You should aim to inform the audience about the risks you have identified, identify where those risks are located, describe the impact of those risks to the business, and outline the path to remediating the risk.

Furthermore, the goal should not be to “scare”, regardless of the severity of findings in the report. If your client’s board has a heart attack every time you turn in a report, there will usually be a transitive effect on other stakeholders, process owners, and other staff. This could have a negative effect on your commercial relationship when the person responsible for procurement is the same person who gets roasted by the board. We all know that a blameless culture is the ideal and that processes, not people, are the cornerstone of good security, but that is not the mindset for all clients.

Crafting your summary upon these principles of risk, impact, and remediation gives the audience a firm understanding of what’s wrong, why that matters, and how they can action a solution. Giving the audience the tools to immediately discuss resolution helps leapfrog the blame discussion and get straight into the roadmap for remediation. This works particularly well when the audience also includes regulatory and compliance stakeholders – whether internal or external – because it draws a bright line towards correcting any non-compliance.

Formatting suggestions

The style of your executive summary will be a matter of taste, tempered by any client expectations. If you’re not self-employed, you will likely also be expected to adhere to style guidelines. When there are hard and fast rules about the style you must deliver, make sure to align to them. However, if you have clear ideas about improvements that can be made to a style guide, make sure you share them with the relevant people in your organisation. The vast majority of pentest reports have an insufferably similar style and most firms have been using the same templates for years on end without revision, save for a new logo and some fresh colours. I have had multiple opportunities to influence reporting styles in my career and have never had my suggestions rejected outright. There is always room for growth.

As I said, the style is a matter of taste, so I will speak from experience here. I have found that coherent, narrative-led summaries lead to the best reception. This empowers the audience to use the summary verbatim in discussions with other stakeholders. Lead in with a concise explanation of what the report is, why the assessment was commissioned, and any pertinent details like the dates when it took place. Follow this up with a short paragraph which lays out the primary risks identified by the report in the simplest of terms. Then proceed with the summary of findings.

Some folks like to break up an executive summary with subheadings. I strongly dislike this, but remember it’s a matter of taste. You are best placed to engage with your client and establish expectations. You have the information to determine whether the summary can be broken up into sections, or whether the client would be best served with something more cohesive.

In terms of pure style recommendations, favour short sentences and liberal use of paragraphs. This makes it easier to mentally and verbally chunk the pertinent parts of the summary.

Reports as semi-living documents

Reports can often be treated like stone tablets, unalterable after delivery, but this is rarely the case. Engage with your client, before and after delivery, to find out if what they’ve received is what they expected. Ask whether there are adjustments you could make that would improve its readability or relevance for stakeholders, or that could more accurately colour the remediation guidance. Perhaps you can align it better with existing or upcoming development plans.

This is particularly important regarding the executive summary, as it can regularly be the section of the report shared with the widest audience. Revising and redrafting this section in cooperation with your client is an invaluable exercise which usually helps build a better commercial relationship by guaranteeing that the deliverable matches their needs and expectations.

Quick Rules

  1. Keep it concise.
  2. Summarise and link risks, impacts, and remediation.
  3. Avoid overly technical language.
  4. Inform truthfully, but don’t aim to scare.
  5. Ignore any of these rules if the context demands it.