226 A Practical Guide to Security Assessments
report can be very long, it is not worth spending the time to go over the actual
document. It is best to pick out the key points from the report and discuss them with
the group. The key points that should be covered include:
• Scope
• Methodology
• Findings, risks, and recommendations
The bulk of the time should be spent discussing the findings, risks, and recommendations; this is really what the client is interested in. The reason for going over the scope and methodology is to make sure that everyone is on the same page regarding what was covered in the assessment and how the results were obtained. Because there is a time lapse between the kickoff meeting and the final presentation, it is worth clarifying the scope and methodology for the group.
If you focus on discussion of the findings, risks, and recommendations, client management will have a good sense for the “security roadmap” and the opportunity to ask any questions regarding it. It is important for client management to understand the nature of the findings, the risks facing the organization, and the remedies proposed to address the risks because client management will ultimately make the decisions about what initiatives to pursue.
When developing the presentation for client management, specifically the findings, risks, and recommendations, focus on how they impact the business. Remember that the audience might not fully understand the technical nuances of security and they probably do not care to. They are interested in what risks the company faces from a business perspective.
In delivering the presentation, you should be prepared to answer detailed questions about the findings and risks and specifically on the cost-benefit analysis related to the recommendations. You should be prepared to answer the question “So what?” when discussing a finding. The final presentation is absolutely critical in the security assessment process. As stated several times in this book, when clients purchase security assessment services, they are purchasing expertise. The final report document and the presentation to the client are your main opportunities to show your value.
POTENTIAL CONCERNS DURING THIS PHASE
As with the last two phases of the security assessment, there are some potential concerns during this phase that you should look out for, including the following:
• Links between findings, risks, and recommendations are not clear. This is something that might happen when you lose focus and the discussions related to findings, risks, and recommendations go off on tangents. The way to ensure that there is a clear link between findings and risks and recommendations is to take a step back and put yourself in the client’s shoes and see if it makes sense. You can also have someone else not connected with the security assessment review the report as if he or she