Manufacturers should get a penetration test at least annually
There are 5 companies that want your pentest, and they have very different reporting needs
Have your pentester tune their reports for all of your audiences
Penetration Testing (pentesting) is considered one of the best investments in cybersecurity for your company. Hiring an expert “ethical hacker” to identify vulnerabilities and test whether they can be exploited helps you understand what needs to be fixed first. Partners, regulators, insurance companies and other stakeholders also know the benefits of regular penetration testing, which is why so many require annual penetration testing.
Penetration testing, therefore, is much more than a technical test. It is a way for your company to prioritize gap closure and cybersecurity investments, and it provides assurance to others that you have an effective security program at a fundamental level.
Get reporting wrong and you will raise concerns. Get reporting right and your audience will move on with comfort and confidence.
Think of these reports as various forms of Executive Summary or Attestation from your independent penetration tester. The detailed report (see section 5) should be kept private. But these audiences have a legitimate need to understand a level of detail that builds their confidence in your Plan and your security program.
Keep in mind that your independent pentester is not altering their findings in any of these. If you are in dismal shape, then the report will need to say that. But, with fine tuning (and remediation and retesting) you will find you can get much more leverage from your pentest.
This post highlights the 5 audiences at Pension Plans for your penetration test, and the tone and level of detail they need to see.
1. Your Customers
Focus on being compelling
Most manufacturers are being asked for a penetration test by customers and prospects. It makes sense. Critical vendors (i.e. you) that suffer a compromise can have a severe impact on them. A penetration test is considered a first step towards verifying your cybersecurity program.
Your penetration test can do more than just provide assurance. With some refined language, your penetration test can become a sales resource. We’ve even worked with marketing teams to get the messaging on point.
Work with your pentester to write a customer-facing report that is factual but compelling.
Be ready to share this report with your customers and prospects. Speed equals confidence, and sharing this report willingly and quickly frequently handles their concerns completely.
Do your competitors do this? Do they respond as quickly and openly as you? This is where your pentest can become a competitive tool. While you are giving your report to them transparently and quickly, your competitors are fumbling around.
Talk about how seriously your company takes cybersecurity. Pentesting is just one part of your overall cybersecurity program.
2. Board of Directors and Owners
Focus on Risk
Boards of Directors and owners care about risk. Cybersecurity is a big concern, but most people have very limited exposure to cybersecurity. They know a compromise will cost money and that the organization can be seriously impacted by a serious attack. You don’t need to delve into attack vectors, tools, and methods for this audience. Focus on metrics, risk mitigation, and monetary impacts.
Visual reporting elements such as graphs and charts play a pivotal role in efficiently communicating key results to owners and board members. In addition, this penetration test report should communicate alignment with the organization's overall growth plans. That reinforces the importance of your overall security program.
First, think through the growth plans for the company. Are you expanding into a new country? Are you releasing new products or opening new distribution channels? Whatever it is, you can anchor the pentest to initiatives that matter the most.
Work with your pentester to ensure they write this summary in a way that supports the Plan's current environment and doesn’t conflict in any way.
You should write a cover letter to the pentest report that aligns with the organization's goals. You may also reference industry security trends that may matter to their risk discussions.
3. Insurance Providers
Focus on Safety
Cyber insurance premiums continue to rise and the industry’s loss ratio (paid claims to premiums earned) shows no sign of slowing down. With the onslaught of ransomware, insurers offering cyber coverage were initially caught off guard, and they significantly underestimated the cyber risk landscape and expense of cyber-attacks.
Insurance for cybersecurity is not only expensive; you will also have to prove you meet certain standards. It’s almost guaranteed that they will require annual penetration testing. A clear and concise report can provide your insurer with the comfort and reassurance they’re looking for.
Make sure you understand clearly what your insurance company requires for pentesting.
The report should be short and factual. If you follow a best practice framework like NIST (and you should), mention it and comment that a pentest is also best practice.
Work with your pentester to write a report on their letterhead and have them offer to speak to the insurance company in the letter. This communicates confidence and transparency.
4. Regulators
Focus on the compliance facts
Compliance requirements for cybersecurity can impact some manufacturers. If your products impact critical infrastructure or take in protected data, you may need to prove compliance with various laws. Stick to the specifics of the rules. Ask us for help if you can't decipher them.
For example, for privacy requirements, don’t comment on other areas, even if they were tested. There is no need to raise alarms with test results that have nothing to do with the compliance requirements. Talk about the compliance requirement specifically, the test methods, and whether your company is currently in compliance. Any other details are superfluous and risky.
First, make sure your pentester understands the compliance requirements. These requirements can be esoteric and complicated.
Compliance pentest reports should stick to the requirements only. Nothing extra.
5. For Your Internal Team
Focus on detailed findings and prioritized remediation
Of course, the primary purpose of a pentest is to identify gaps and prioritize remediation. This report provides details on every vulnerability, the attack methods used to exploit it, evidence of success, and prioritized remediation recommendations. Since it serves the primary purpose of penetration testing, the more comprehensive the report can be, the better.
This is the report your IT team, whether in-house or outsourced, will work from to shore up your cybersecurity. Of course, given the details, you would never share it with anyone other than the few people on your team that understand it and will work on remediation. Keep it safe. Keep it private.
All findings should be risk-ranked
Every finding should include: the gap in plain language, where it was found, its severity ranking, whether it was exploited, evidence of exploitation, a description of the business impact, and how to remediate it.
Penetration testing will continue to prove its worth as an invaluable security tool for manufacturers as the threat landscape becomes even more sophisticated. If you get reporting right and begin every report by bearing your audience in mind, you will drive even more value from your pentest investment.