There’s a dirty little secret in the security consulting industry that no one really talks about. Most security professionals know it at some level, some admit it aloud, but few do anything about it. The secret? Most security consultants ignore the best practices of risk assessment reporting.
The problem is a two-sided coin: first, it’s not really clear what reporting best practices are to begin with. Second, even if it were clear, most consultants couldn’t meet them even if they wanted to.
The first problem is a matter of standardization. Without objective industry standards for risk assessments, we won’t see standard best practices for reporting. The second problem is a matter of technology. As long as security consultants cling to paper-based reporting methods, they won’t be able to provide the reporting standards clients are looking for.
We’ve tackled the issue of technology before, so I won’t rehash it now. Instead, I’d like to propose seven basic best practices that every security professional should meet with every risk assessment report they provide.
1) Customer-Centered Reporting
The most basic and most important best practice for risk assessment reporting is to be customer-centered. Your clients are paying you good money to give them the information they need to prevent loss and mitigate risk. Often, they’re relying on you to help them stay compliant and avoid heavy fines. Other clients are relying on you to keep their people safe from attack. That’s a big deal.
Either way, always remember that your clients are relying on you to provide real value that they can use to improve their businesses. Tailor your reports to meet your clients’ greatest security needs.
2) Detailed Reporting
No one will hire you to tell them what they already know. But time and time again, consultants churn out reports that are little more than high-level overviews stuffed with basic information the customer already knows: Acme Corp. is a 60,000 sq ft single-building campus composed of three floors and a 4000 sq ft parking lot on 2.5 acres. Acme has six double-door entrances, 24 security cameras, 18 exterior lights, and three fire escapes….
A report like that doesn’t tell your client anything, and it won’t help them protect their assets. Instead, every risk assessment report needs to list every issue that’s out of compliance or increases their risk:
- What’s the issue?
- Where is it located?
- How do they fix it?
- What’s the priority level?
Without that kind of detail, your reports won’t help your clients reduce their risk.
3) Visual Information
One of the problems with paper-based reporting is that it can take a lot of words to describe a problem, or even the location of a problem. That drops the usefulness of the report, because it takes too much work to get just a little information out of the report. Multiply that by every issue you document, and it’s no wonder most reports just get tossed into a file folder.
But when you have a highly visual report, you can communicate a wealth of information with just a single image. Every report should be loaded with visual information—including embedded photo documentation of each issue, and floor plan-based geolocation if possible.
Not only do images make it easier to communicate efficiently, they also add emotional context. When executive leadership sees dozens of red dots on their floor plan, it drives home the urgent need to make corrective actions immediately.
4) Actionable Items
The value of your risk assessment reports comes in the corrective actions you provide. Even if you list every issue in your report, it won’t do your customer any good if they don’t know how to take action.
Too many security consultants deliver reports without detailed corrective actions, thinking they did a great job. But diagnosis without treatment doesn’t make a patient any less sick. You haven’t helped your customers unless you’ve given them detailed corrective actions that enable them to fix what’s wrong.
5) Project Management
Make it easy for your clients to track their progress as they resolve open issues. Provide reports with project management details like these:
- Priority of issue
- Status of issue
- Person responsible
- Due date to resolve
- Implementation cost of resolution and annual maintenance cost
Built-in project management tools make it easy for your customers to get the most out of your reports, and to track their own progress as they resolve each issue.
Your customers should be able to track their progress over time. If they have multiple facilities, they should be able to compare buildings and spot trends. Reports that provide filtering and searching capabilities can equip your clients to analyze their facilities over time. This isn’t possible with paper-based reports or PDFs. But digital technology can provide rich analytical tools to help your clients succeed.
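As an added illustration (not part of this post or of Circadian Risk's software), here is a small Python model of an issue record carrying the fields listed above, plus the kind of filtering, overdue tracking and cross-facility trend queries that become possible once a report is structured data rather than a PDF. The facility names, people and figures are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from collections import Counter

@dataclass
class Issue:
    facility: str
    location: str          # where on the floor plan the issue was found
    description: str       # what the issue is
    corrective_action: str # how the client fixes it
    priority: str          # "high", "medium" or "low"
    status: str            # "open", "in progress" or "resolved"
    responsible: str       # person responsible
    due: date              # due date to resolve
    implementation_cost: float
    annual_maintenance: float
    assessed: date         # date of the assessment that recorded the issue

# Constructed sample records for two hypothetical facilities (not real data).
ISSUES = [
    Issue("Plant A", "Floor 2, east stairwell", "Fire door propped open",
          "Install door closer and alarm contact", "high", "open", "J. Doe",
          date(2018, 3, 1), 450.0, 0.0, date(2018, 1, 15)),
    Issue("Plant A", "Loading dock", "Camera 7 not recording",
          "Replace camera and verify recorder", "medium", "resolved", "J. Doe",
          date(2018, 2, 1), 800.0, 120.0, date(2018, 1, 15)),
    Issue("Plant B", "Main lobby", "Visitor log not enforced",
          "Train reception staff", "low", "in progress", "A. Lee",
          date(2018, 4, 1), 0.0, 0.0, date(2018, 1, 20)),
    # Same Plant A finding recorded again at the follow-up assessment: still open.
    Issue("Plant A", "Floor 2, east stairwell", "Fire door propped open",
          "Install door closer and alarm contact", "high", "open", "J. Doe",
          date(2018, 3, 1), 450.0, 0.0, date(2018, 4, 15)),
]

def open_issues(issues, facility=None):
    """Unresolved issues, optionally limited to one facility."""
    return [i for i in issues
            if i.status != "resolved" and (facility is None or i.facility == facility)]

def overdue(issues, today_iso):
    """Open issues whose due date has passed as of an ISO date string."""
    today = date.fromisoformat(today_iso)
    return [i for i in open_issues(issues) if i.due < today]

def open_by_facility_and_priority(issues):
    """Compare buildings: open-issue counts keyed by (facility, priority)."""
    return Counter((i.facility, i.priority) for i in open_issues(issues))

def trend(issues, facility):
    """Open-issue count per assessment date for one facility, oldest first."""
    return sorted(Counter(i.assessed.isoformat()
                          for i in open_issues(issues, facility)).items())

def remaining_cost(issues):
    """Implementation cost plus first-year maintenance for everything still open."""
    return sum(i.implementation_cost + i.annual_maintenance for i in open_issues(issues))
```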
7) Secure Data
It amazes me that this is still an issue in 2018. Security consultants are constantly sharing insecure data over insecure networks. Email is not secure. PDFs are not secure. Your laptop is not secure. Even paper notes aren’t secure. If you’ve ever used public Wi-Fi, you were on an insecure network.
Every time you use one of those technologies, you’re exposing your client’s sensitive data to risk.
Instead, rely on secure cloud hosting to protect your customers’ information. Store their reports on a secure server that’s maintained by a secure data center, which they can access with a protected password. When you’re dealing with threats and vulnerabilities, anything less
What Will YOU Do?
There aren’t any defined best practices for risk assessment reporting. Yet. It’s time that we change that and establish an industry standard. Our customers deserve it, and the stakes involved demand it.
If you’re ready to start a conversation about reporting best practices, let’s talk! Want to learn more about how digital technology can make these best practices easy to do? See it in action—reserve a personalized demo of Circadian Risk’s software.