Advisory Report
When advising on security matters, it is crucial to substantiate recommendations with facts, data, or insights from previous phases. You must support your choices with, for example, risk assessment results, vulnerability scan data, security testing outcomes, industry best practices, or relevant security frameworks.
In addition to what you advise, how you present it on paper is also important. You must be able to write a clearly structured security advisory report in which the threats, vulnerabilities, analysis data, options, and final security recommendations are presented clearly. This writing skill means that you build your advice logically (introduction with context, risk assessment results, comparison of security controls, recommendation, and implementation plan) and explain technical security jargon when necessary.
In the context of security, this could be a document for executive leadership or a client, in which you recommend particular security controls or technologies with all underlying arguments. The security advisory report must also be to the point and understandable for the target audience (e.g., board members versus IT staff).
Starting Points
Key Points
- Use a logical structure: start with context and problem statement, then present analysis/alternatives, and end with a clear recommendation.
- Base your advice on concrete findings (figures, research, examples) and explicitly refer to them in your justification.
- Substantiate the alternatives and make the pros and cons of each alternative clear.
- Write clearly and concisely; avoid unnecessary jargon and long, woolly texts.
- Check if the document is tailored to the reader.
- Ensure your advice document is visually clear (use headings, lists, possibly diagrams) so the reader can quickly grasp the core message.