Delivering bad security news

Working in IT security means that more often than not you’ll be delivering bad news. Conduct a risk assessment and you’ll have to explain all the risks that exist. If you’re a QSA, you’ll have to break the news of how the client isn’t PCI compliant. And if you’re a penetration tester, then… well, there’s usually no easy way to put it.

So, this is a short video I made to take a humorous look at different ways bad news can be broken to clients. Complete with guest appearance by Dave Kennedy.

But this got me thinking about how we actually do communicate findings. You ask a pen tester or security professional what the most boring part of the job is, and often the response will be “documentation”. I mean, it makes sense. The real fun is putting on a hoodie, trying different combinations, cracking vaults, social engineering your way past guards, or escalating privileges.

Everyone enjoys driving a supercar yet nobody enjoys putting fuel in it.

But fuel is perhaps the most essential component. You can drive a car with a flat tyre, a missing door or smashed window. But without fuel, you’re not going to get far.

My daughter has looked over my shoulder and mentioned that you can’t drive a car without a battery or a steering wheel or the keys. But I think she just enjoys tearing apart my flimsy analogies.

Documentation is the legacy that lives on long after boxes have been popped, tests have been completed and staff have moved on. It’s the best way to market your capabilities and set a benchmark against which others will be compared.

Good documentation doesn’t need to be written in the Queens English. Nor does it need to be graphically designed to looked elegant. It needs to convey the facts in an easy and understandable way.

To illustrate with an example. Filing in justifications for expenses can be a boring and mundane activity. But one could make it infinitely more memorable by writing like Hunter S Thompson.

awesome expenses hunter s thompson fear and loathing in america