Just going back to the C-Level comments.
What we like to do in our reports is aim the Exec Sum squarely at those C-Level types. This is the place for all those fluffy words that they like to hear. It is very important that they understand the importance and impact of what we are telling them in the report. We have found the best way to do this is by speaking in their terms. Let them know of the potential monetary or reputational risk, etc. It needs to be all about "Business Impact" for these guys. Find what will motivate the execs and then apply leverage.
Basically the Exec Sum is for the Execs and the rest of the report is for the techies (note: not all techies are created equal. Try to gauge your audience prior to writing the report so you can shape it appropriately).
It's also very important to provide leverage for our techie counterparts. We have found that in most orgs, the security guys just don't have the weight needed to get a lot of security projects off the ground. The number of times I have heard something like, "I have been telling them about this problem for years and never gotten funding to fix it... your report did it in 5 mins!!" is amazing... (for some reason Execs hire staff so they can ignore their advice...). If you get the chance (depending on the engagement), talk to the techies about what they think are the general problems related to the site. Ask them what they feel should be addressed as a matter of priority. If these findings fit with your findings then emphasize them to the execs. You will make the techie feel good, possibly get them the funding they are after... and more often than not, you will receive repeat business, as it will be the techie driving the next audit so he can use your report as leverage again.


