How Important is the Review of a Penetration Test Report by Senior Executives?

Aug 20, 2020

HTCT Senior Executive Cybersecurity Leadership Perspective Series #3

Review of an Organization’s Penetration Testing Report

As a corporate director or senior executive, have you previously received a penetration testing report from your organization’s executive management team (i.e., the Chief Information Officer (CIO) and/or Chief Information Security Officer (CISO)) and fully understood what was in the report? Before answering this question, let’s provide some background on what a penetration test is.

Penetration Testing

A penetration test is a cybersecurity service offered by a cybersecurity vendor whereby an organization’s executive management authorizes certified ethical hackers (known as penetration testers) to test the organization’s technology, operations, and personnel. The penetration tester’s objective is to find and exploit vulnerabilities in a controlled environment before any cyber threat actor finds and exploits those same vulnerabilities to gain unauthorized access to the organization’s enterprise.

The objective of this penetration testing is to identify the business risk to the organization, at a single point in time, by using the tactics, techniques, and procedures (TTPs) of today’s most sophisticated cyber threat actors.

As a result of this penetration testing, a report is provided by the cybersecurity vendor to executive management and the board of directors, which usually includes the following:

  1. An executive summary section which provides executive management with the most significant findings of the project.
  2. An introduction section which provides an overview of the penetration test such as the scope, timing, and personnel involved.
  3. A section on the methodology and the scope of activities conducted by the penetration testers.
  4. A findings section that provides a list of the actual findings identified by the penetration testers in the organization’s environment with an associated risk rating (Critical, High, Medium, and Low) and a detailed technical description for each finding.
  5. A conclusion section which provides recommended actions for executive management to consider as a result of the penetration test.

How Important is the Penetration Testing Report?

The importance of a penetration testing report is that it provides executive management and the board of directors with a snapshot in time of the critical, high, medium, and low cybersecurity vulnerabilities that have been found currently impacting the organization’s operations, personnel, and technology. These identified vulnerabilities mean your organization currently has multiple vulnerabilities that can be exploited today by a cyber threat actor to gain unauthorized access. If any of these identified vulnerabilities carries a “critical” or “high” risk rating, this means a cyber threat actor can exploit that “critical” or “high” risk vulnerability and gain access with no user interaction required.

So take a moment to self-reflect on how important this report is in providing corporate directors and senior executives with a roadmap of the vulnerabilities that can compromise your organization. What actions must be taken to mitigate these vulnerabilities? Which corrective actions need to be monitored to ensure that all known cybersecurity vulnerabilities in the organization are mitigated?

These are great questions to start a discussion with, but how does a corporate director or senior executive build the base of cybersecurity knowledge needed to have a robust discussion on this topic with executive management or the CIO/CISO and ensure the best cybersecurity posture for the organization?

Penetration Testing Reports for Corporate Directors and Senior Executives

As a corporate director or senior executive, you may have received, as part of your governance responsibilities, the report from a penetration test conducted against your organization (as authorized by your organization’s executive management). Did you find this report quite challenging to understand and comprehend?

Over the last ten years, I have served as an FBI cybersecurity executive, an FBI cybersecurity leadership instructor, and a Big 4 accounting firm cybersecurity consultant for boards of directors and senior executives. On many occasions, I have posed the following two questions to corporate directors and senior executives who were provided a penetration testing report as part of their governance or executive management responsibilities:

  1. Did you read the penetration testing report?
  2. Did you understand what you read?

As to the first question, the corporate directors and senior executives all responded yes, they had read the penetration testing report.

After the first response was given and the second question was posed, there was usually a pause before responding. The majority of the responses to the second question were that, although the corporate director or senior executive had read the report, they did not understand what they had read.

Some of my readers may be surprised by this second response. So let me offer some perspective on a possible explanation for the answers to the second question.

A quality penetration testing course for cybersecurity professionals offered by one of today’s most reputable cybersecurity training vendors (e.g., the SANS Institute) can run five to six full days in class, cost approximately $7,000, and incur additional expenses for the certification exam, travel, hotel, and per diem. Such a course covers in great detail the methodologies a penetration tester needs to prepare, scope, engage, conduct, and report on penetration test activities for a client.

Now consider that there are separate penetration testing courses for each of the following cybersecurity focus areas:

  1. Network penetration testing;
  2. Web application and web infrastructure penetration testing;
  3. Wireless penetration testing;
  4. Mobile application and mobile device penetration testing; and
  5. Cloud penetration testing.

As one can see, each class runs five to six full days to cover the detail associated with its own focus area. So a penetration tester who is qualified and certified in multiple focus areas has invested heavily in time, money, and learning in just this one discipline of cybersecurity.

What’s Your Training to Understand a Penetration Testing Report?

Now let’s consider cybersecurity education or training for corporate directors and senior executives. There are a few senior executives who have taken a cybersecurity graduate program, a cybersecurity oversight certificate, or a cybersecurity leadership course in which this specific topic was covered in detail. But in my ten years of providing cybersecurity leadership training to senior executives and corporate directors, this is more the exception than the rule.

It is probable that penetration testing was not a topic covered in the undergraduate or graduate studies of today’s corporate directors or senior executives. The organization’s CIO, CISO, the cybersecurity expert on the board, or a cybersecurity consultant may have provided a brief explanation of what a penetration test and its accompanying report are during a quarterly, semiannual, or annual cybersecurity presentation.

So how does a corporate director or senior executive come to understand the full implications of the findings in a penetration testing report? Some possible solutions include: 1) enrolling in an undergraduate or graduate cybersecurity program; 2) enrolling in a cybersecurity vendor’s five- or six-day course that covers penetration testing; 3) taking a short cybersecurity leadership course for executives; or 4) hiring an independent cybersecurity advisor for executives.

If today’s corporate director or senior executive does not have the time to take an undergraduate or graduate cybersecurity program, or a five- or six-day class on one focus area of cybersecurity, to understand this topic better, consider the next two possible solutions. The third potential solution is to take a short cybersecurity leadership course for executives, which can readily help today’s corporate director or senior executive better understand the different facets and disciplines of cybersecurity, including penetration testing.

Now, if a corporate director or senior executive is still too busy for any of the above three possible solutions, another solution for consideration is to hire an independent cybersecurity advisor for executives. An independent cybersecurity advisor can help a corporate director or senior executive better understand the various areas of cybersecurity, which in turn supports the performance of their cybersecurity responsibilities. In addition, an independent cybersecurity advisor can serve as a trusted cybersecurity executive coach, advising on tactical, operational, and strategic cybersecurity issues as they relate to a corporate director’s or senior executive’s cybersecurity responsibilities.

So the next time you are presented with the latest penetration testing report for your organization, will you be better prepared to review it, understand it, and have a robust discussion with executive management and/or the CIO or CISO? Will you have thoughtful questions to consider and pose during this discussion to ensure the best cybersecurity posture for your organization? If you answered no to either of these two questions, consider engaging an independent cybersecurity advisor for executives to prepare you for your next penetration testing report or any other cybersecurity discussion.