Effectively Measuring and Communicating PenTest Results: A CISO Perspective (W33) - Pentestmag

Access to this course is restricted to Pentest Premium or IT Pack Premium subscribers.

During this course you will learn the aspects of the penetration testing process that provide the most value to a security technician’s organization in improving its overall security posture. Much goes on behind the scenes after the pentest report is delivered to the various elements of the information security team, including the CISO. It is important that the pentest is conducted, and its results formatted, in a manner that lets senior leadership make business decisions based on the findings.

This course is self-paced and pre-recorded.

You will learn:

  • Steps, tips and different ways to describe your work efficiently,
  • How to create a good presentation: what it should contain and what to avoid,
  • How the PenTest results will be used to reduce risk to the organization,
  • How to convert Technical Speak into Business Talk.

After completing this course you will be able to:

  • Understand how to set expectations for the CISO before conducting a PenTest.
  • Understand how to communicate PenTest results to the CISO and senior leadership.
  • Understand how to present recommended remediation actions to the CISO and senior leadership.
  • Understand how the PenTest results will be used to reduce risk to the organization.

You will need:

  • Anyone who wants to gain a better understanding from a CISO perspective can join this course.
  • There are no technical requirements for this course.
  • Any operating system that can run Microsoft Windows and PowerPoint will suffice.

Before you join you should know:

  • The student should have an in-depth knowledge of pentest fundamentals.
  • This course is designed for security technicians who either conduct pentests or coordinate pentests on behalf of their organization.
  • It is assumed the student has extensive knowledge and experience in conducting pentests and developing pentest reports.

Course Syllabus:

Module 1: Expectations

Module 1 Description: Setting expectations for the CISO before conducting a PenTest

Module 1 Covered Topics:

  • PenTest Value to the Organization
    • Business Objectives
    • Business Challenges
    • Expectations
  • Understanding the Scope of the PenTest
    • Legal Restrictions
    • Ethics
  • Defining the Goals and Success of a PenTest
    • Threats
    • Attack Targets
    • Characteristics of a PenTest that Constitute Success

Module 2: Recommendations

Module 2 Description: Presenting recommended remediation actions to the CISO and senior leadership

Module 2 Covered Topics:

  • Converting PenTest Report Vulnerability recommendations into Risk Mitigation recommendations

Module 3: Reducing Risk

Module 3 Description: Understanding how the PenTest results will be used to reduce risk to the organization

Module 3 Covered Topics:

  • Implementing mitigating security controls
  • Measuring effectiveness of security controls
  • Defining metrics
  • Preparing to do it all over again

Module 4: Communicating

Module 4 Description: Communicating PenTest results to the CISO and senior leadership

Module 4 Covered Topics:

  • Typical PenTest Report
    • Formats
    • Contents
  • Converting Vulnerabilities to Risk
    • Who Conducts the Risk Analysis
    • Security Risk Models
  • Associating Risk to Business Objectives
    • Prioritizing Risks
    • Converting Technical Speak into Business Talk

Your Instructor: Tony Buenger (CISSP, CISM, CGEIT, C|CISO)

Over the past 25+ years, Tony Buenger has had the opportunity to work at progressively complex organizational levels, with increasing responsibilities spanning information technology (IT), enterprise architecture, and cyber security. He has fulfilled the roles of information security architect, information security engineer, information security risk analyst, information security auditor, information security consultant, and Chief Information Security Officer (CISO).

Tony is currently a CISO for a major hospital system in the United States. He previously worked as a senior information security analyst and certifying authority for U.S. Air Force information technology systems.

More information can be found at www.vigilantraven.com and www.linkedin.com/in/tonybuenger.

Questions? Reach out to us at [email protected]


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023