A security analyst needs to communicate the business impact of a newly discovered critical vulnerability to the executive team. Which of the following is the BEST approach?
Trap 1: Send the raw vulnerability scan report.
Raw reports are too technical for executives.
Trap 2: Recommend immediate patching without further context.
Executives need justification for resource allocation.
Trap 3: Provide a detailed CVSS score and exploit code.
Executives need business impact, not technical details.
- A
Send the raw vulnerability scan report.
Why wrong: Raw reports are too technical for executives.
- B
Explain the vulnerability in layman's terms and estimate potential financial loss.
This translates technical risk to business risk.
- C
Recommend immediate patching without further context.
Why wrong: Executives need justification for resource allocation.
- D
Provide a detailed CVSS score and exploit code.
Why wrong: Executives need business impact, not technical details.