Creating an informative and readable report is among the many challenges of responding to cybersecurity incidents. A good report not only answers its reader's questions but also instills confidence in the response and enables the organization to learn from the incident. This blog highlights my advice on writing such incident reports. It's based on the presentation I delivered at the RSA Conference, which offers more details and is available to you on YouTube.
Though you probably have your own objective for the incident report, write it with your readers in mind, addressing the questions they want the report to answer in a way that's easy to absorb. In general, people want to know the following about a cybersecurity incident:
Each of these high-level questions conceals other questions--too many to list in this blog post. For more details, see the Report Template for Incident Response, which I created with input from colleagues. This template not only helps you capture the right information in the report but also provides a convenient way for structuring it so the readers can easily find the details they need.
To demonstrate how you can use the template, I created a simplistic report based on a fictional cybersecurity incident. Download it and take a look.
Sometimes, your reports might be as brief as this example. Sometimes, depending on the expectations of your readers, they'll be longer and offer more details.
Having the right information in the report is important, but that's not the only consideration for good writing. As I discuss in the short course I teach at SANS on this topic, good writing incorporates all five of the elements below:
When you combine these elements, your writing benefits your readers and lets you shine as the author of valuable content.
Watch the video of my presentation on this topic to discover additional details, including the following key considerations for good reports:
Here are more free resources I created to help people improve their cybersecurity writing skills:
Updated June 13, 2024
I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.