13.11 Writing the CISO Report

2–3 hours · Module 13

The investigation is complete. Containment is verified. Now communicate what happened to an audience that is not technical.

The 5-question framework

Every CISO incident report answers these questions in order:

  1. What happened? Executive summary in 3-4 sentences. Non-technical language.
  2. What was the impact? Data accessed, systems affected, business disruption, regulatory exposure.
  3. What did we do? Containment and eradication actions with timeline.
  4. Are we safe now? Current status, residual risk, monitoring in place.
  5. What needs to change? Recommendations with priority, effort, cost, and timeline.

Example executive summary

“Between 27 February and 1 March 2026, Northgate Engineering was targeted by a coordinated credential phishing campaign using adversary-in-the-middle techniques that bypass standard multi-factor authentication. The campaign comprised five waves targeting 86 employees across all departments. One employee account in finance was briefly compromised, with the attacker accessing 34 emails focused on financial processes over a 25-minute window. No data was exfiltrated, no fraudulent transactions were initiated, and no lateral movement occurred. The attack was detected by automated alerting, contained within 25 minutes of the first compromise, and all subsequent waves were blocked by detection rules deployed during the investigation. Three critical hardening measures have been implemented. Two additional measures are recommended.”

The executive summary is the most important paragraph

Most CISOs read the executive summary and the recommendations. Everything in between is supporting evidence. If the executive summary does not clearly communicate severity, scope, and current status, the rest of the report does not matter.

Recommendations table

Priority | Recommendation                                        | Effort | Cost                          | Timeline  | Status
Critical | Require compliant device for Exchange Online          | Medium | None (config change)          | 2 weeks   | Deployed during incident
Critical | Deploy FIDO2 security keys for executives and admins  | High   | £3,200 (40 keys at £80)       | 6 weeks   | Procurement initiated
Critical | Block legacy authentication for all users             | Low    | None                          | 1 week    | Deployed during incident
High     | Enable first contact safety tips                      | Low    | None                          | Immediate | Deployed during incident
High     | Implement Continuous Access Evaluation                | Medium | None (config change)          | 4 weeks   | Planned
Medium   | Deploy token protection policies (preview)            | Medium | None                          | 8 weeks   | Under evaluation
Medium   | Targeted phishing awareness training for finance      | Low    | £800 (third-party provider)   | 4 weeks   | Planned

Recommendations need effort AND cost

A recommendation without an effort estimate is a wish list. "Deploy FIDO2 keys" without the £3,200 cost and 6-week timeline is not actionable. The CISO needs to know what to budget, what to prioritise, and what they can approve immediately versus what requires board approval.

Regulatory considerations

Depending on your jurisdiction and the data accessed, this incident may require notification:

  • UK GDPR / ICO: If personal data was accessed by an unauthorised party, notification to the ICO within 72 hours of becoming aware may be required, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The 34 financial emails likely contain personal data (names, addresses and contact details on invoices, sole-trader bank details). Assess each email for personal data content and record the outcome of that assessment: UK GDPR also requires you to document every personal data breach, including the reasoning behind a decision not to notify.
  • Contractual obligations: Check client contracts for breach notification requirements. Engineering firms often have data handling clauses with clients.
  • Cyber insurance: Notify your insurer. Even if no claim is filed, many policies require prompt notification of security incidents.
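The "assess each email for personal data content" step is usually done against an export of the accessed items, and it helps to have a first-pass triage before a human reads every message. The script below is an added example, not part of the course material: it scans a set of constructed sample emails (the 34 messages in the scenario are not on the page) for structured indicators of personal data such as UK postcodes, mobile numbers, sort codes and National Insurance numbers, and rolls the result up into the numbers the report needs. The detector patterns and sample messages are assumptions; unstructured personal data such as a person's name in a signature is not caught by regex and still needs a manual pass, which is why the output is a triage list, not a legal determination.

```python
"""Personal-data triage over accessed mailbox items (added example).

Scans each email for structured indicators of personal data so that
the incident lead can see which of the accessed messages must go into
the UK GDPR / ICO notification assessment. Patterns are heuristics
(assumption) and only catch structured identifiers; names and other
free-text personal data still need a human review.
"""
import re
from dataclasses import dataclass, field

# Indicator patterns (assumption: tuned for UK finance mailboxes).
PATTERNS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "iban_gb": re.compile(r"\bGB\d{2}[A-Z]{4}\d{14}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}


@dataclass
class Email:
    msg_id: str
    subject: str
    body: str


@dataclass
class Finding:
    msg_id: str
    subject: str
    indicators: dict = field(default_factory=dict)  # indicator name -> matched values

    @property
    def personal_data_likely(self) -> bool:
        # Any structured indicator means the item must go to the assessment.
        return bool(self.indicators)


def assess(email: Email) -> Finding:
    """Run every indicator pattern over subject + body and collect the hits."""
    text = f"{email.subject}\n{email.body}"
    hits = {}
    for name, pattern in PATTERNS.items():
        matches = sorted(set(pattern.findall(text)))
        if matches:
            hits[name] = matches
    return Finding(email.msg_id, email.subject, hits)


def assess_mailbox(emails):
    return [assess(e) for e in emails]


def notification_summary(findings):
    """Roll-up for the report: how many accessed items likely hold personal
    data, which ones, and which indicator types drove that decision."""
    flagged = [f for f in findings if f.personal_data_likely]
    counts = {}
    for f in flagged:
        for name in f.indicators:
            counts[name] = counts.get(name, 0) + 1
    return {
        "reviewed": len(findings),
        "personal_data_likely": len(flagged),
        "flagged_ids": [f.msg_id for f in flagged],
        "indicator_counts": counts,
    }


# Constructed sample messages standing in for an export of the accessed items.
SAMPLE_EMAILS = [
    Email("m001", "Invoice 4471 - Harlow Fabrications",
          "Please remit £12,400 to sort code 40-12-33, account 71234567. Regards, Dave"),
    Email("m002", "Re: Q1 payment run approval",
          "Approved. Payment run totals £210,000 across 14 suppliers."),
    Email("m003", "Contractor timesheet - J. Okafor",
          "Address: 14 Mill Lane, Northgate, NG1 4TR. Mobile 07700 900123. NI: AB123456C"),
]


if __name__ == "__main__":
    results = assess_mailbox(SAMPLE_EMAILS)
    for f in results:
        flag = "REVIEW" if f.personal_data_likely else "no structured PII"
        print(f"{f.msg_id}  {flag:<18} {f.subject}  {f.indicators}")
    print(notification_summary(results))
```

Note that m002 (vendor totals and a supplier count, no individual identifiers) comes back unflagged, which is the quiz point below: payment amounts on their own are not personal data, but the moment an invoice carries a sole trader's address, phone number or bank details it is. Treat an unflagged item as "needs human read", not "cleared".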

Try it yourself

Write your own 3-4 sentence executive summary for this incident. Include: what happened, the scope, the impact, and the current status. Keep it non-technical — imagine your audience is a board member who understands business risk but not cybersecurity technology.

An effective executive summary covers four elements:

1. What happened: Targeted phishing campaign using techniques that bypass standard MFA

2. Scale: 5 waves, 118 emails, 86 employees targeted, 1 account briefly compromised

3. Impact: 34 financial emails accessed over 25 minutes. No fraud, no data exfiltration.

4. Status: Contained, hardened, monitoring in place. All subsequent waves blocked.

If your summary hits these four points in plain language, it is effective.

Check your understanding

1. The attacker accessed 34 emails containing vendor names and payment amounts. Does this require ICO notification under UK GDPR?

No — no personal data was involved
Yes — any breach requires notification
It depends on the content — if the emails contained personal data (names, addresses, financial details of individuals), notification may be required within 72 hours. A detailed assessment of each accessed email is needed.