You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. The security assessment team has completed penetration testing as part of the risk assessment which identified some significant vulnerabilities. You are reviewing the assessment report. Which of the following will you expect the most in the report?
A. Prioritized vulnerabilities based on CVSS
B. Business impact analysis in terms of monetary value
C. Business case
D. Threat scenario analysis
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Business case.
Think like a Manager/CISO
Executive management typically won't dive into the technical details or focus on the problem itself. They focus on value, outcomes, objectives, and solutions. Prioritized vulnerabilities, threat scenario analysis, and business impact analysis all belong to the problem domain, while the business case belongs to the solution domain: it proposes a risk treatment that mitigates the identified risks and leaves a residual risk. As a CISO, you typically have the authority to decide whether to accept that risk or residual risk in terms of information security, and to sponsor the project that the business case proposes.
Recommendations in Pen Testing Report
Pen testing is part of the risk identification process. The identified vulnerabilities are further analyzed, exploited, and prioritized. The pen testing project may be contracted to external partners or conducted by the internal team. Either way, the pen testing team will produce a pen testing report, and the recommendations are its most crucial part.
Recommendations can be general, or as specific as a business case. A business case proposes alternatives or solution options with a cost/benefit analysis in order to initiate an improvement action, task, or project. External pen testers typically won't include a business case in the pen testing report (a list of findings prioritized by CVSS is the norm), but they will definitely give recommendations. It's a good practice for the security assessment team to prepare a business case based on the pen testing recommendations before the report reaches the CISO.
A business case captures the reasoning for initiating a project or task. It is often presented as a well-structured written document, but may also take the form of a short verbal agreement or a presentation. The logic of the business case is that whenever resources such as money or effort are consumed, they should support a specific business need. For example, a software upgrade might improve system performance, but the "business case" is that better performance would improve customer satisfaction, reduce task processing time, or lower system maintenance costs. A compelling business case adequately captures both the quantifiable and the non-quantifiable characteristics of a proposed project.
Business cases can range from comprehensive and highly structured, as required by formal project management methodologies, to informal and brief.