Thursday, January 4, 2018

Tips for success: Writing an Executive Summary V 1.4

An executive summary should be included in most cybersecurity reports, proposals, analysis papers, and research papers. Points to consider when creating one include:

- Brevity and conciseness. It should target 200 - 300 words. That takes practice.

- Recommendations. If the paper addresses a problem, it should briefly list actionable recommendations for the immediate, medium-term and long-term time frames.

- Supportable and defensible. While the executive summary is designed for easy reading and digestion of information, supporting data should be easily available. This could be in the form of the accompanying paper, or appendices as appropriate.

- WIIFM. Whenever we communicate with someone else, we need to answer the question "What's In It For Me?" The C-suite will want to be briefed on why this information is important to the business.

- Well written. If it scores below 90 on Grammarly, you have work to do. Consider the "Napoleon's Private" test (have someone else read it and tell you what they think it means).

- On topic. State the topic, problem, recommendation as needed. Do not put extraneous information in the executive summary.

- No humor. This is not a place for jokes or humor; they can be misinterpreted.

- Avoid acronyms and "techno babble". As techies we speak a different dialect of English than management does. Avoid writing anything that is hard for them to understand.

- Designed to be scanned or read rapidly. In general, when you produce an executive summary, it is for someone above your pay grade. Don't make them work to get the message; make it plain.

- Readable fonts and font sizes. It is very likely your organization has a style guide. Use it. Executives are accustomed to various formats. Under no circumstances shrink the font to make the executive summary fit on one page; your audience very likely has older eyes than you do.

Change history:
Version 1.1 don't use acronyms
Version 1.2 why do I care :)
Version 1.3 1/4/18 alignment with GSM 200 - 300 words, recommendations
Version 1.4 stress actionable

8 comments:

  1. Avoid the use of acronyms. One CEO told me it made him feel stupid.

  2. Thanks Stephen - this is a great value.

    Frame your summary in the context of the things the executives care about. For example - execs are often concerned about organization reputation and potential fines. Make sure you tie those concerns into your content. But do it at a very high level - I agree with Jon that you can't use acronyms - learn to translate that technical jargon into business-speak. Execs don't care what port is open and leading to a vulnerability. They want to understand that we have some holes in our infrastructure, we're aware of them and have a deadline to fix it (and not allow it in the future!)

  3. Stephen,

    I'd recommend including more guidance on framing communications in terms of overall organizational risk. You touch on that in a couple of places, but don't talk about risk explicitly. Might be a good addition for the WIIFM bullet. Although things have improved at the executive and board levels, many still think of technology risk as something "different" or "other" from the types of risk they are accustomed to managing, such as financial. Bring it together, and demonstrate how a weakness, gap or vulnerability in the technology will impact the organization. When possible, communications should also be tied to something that executives may be hearing about, like risk management frameworks, or when appropriate, examples taken from public incidents at other organizations that make it more "real".

    Keep up the great work!

    -John Banghart

  4. Use data to support the paper position, but at the macro level. Verizon Data Breach report does an excellent job of this.

  5. Make sure you clearly state the risk in plain English, stated as a risk to the business, and quantified as a tangible risk (some dollar loss, some asset loss, some information compromised). The C-Suite may not understand XSS, XSRF, or SQL Injection, but they will understand, "This exploit allows a malicious user to become an administrator", or "This exploit allows a malicious user to access our customer records, which industry estimates to be $X per record" (I think Ponemon has it around $100/record). If the executive can understand a tangible risk to the business (s)he runs, then they can make an informed risk-based decision, and you have been successful.

  6. All great suggestions. I would say that the C-suite wants to understand how it would affect the bottom line, or shareholder equity, but not just numbers. It is great to discuss risk, but what is the potential risk to the shareholders, or the bottom line? That puts it in the context of the decision they will have to make. Also, don't just present one side; offer good, better, best, or best and worst case. It is generally better to let them make a decision and just present the facts and your recommendation.
