Rafal has a good post on the challenges security and SDL folks run into when presenting their findings to business folks.
"The presentation the next day kicked off as expected… we presented
our executive summary, the methodology of our product validation and
moved on to the specific findings. In this case, since there was so much wrong
I stripped out only the Critical and Highly Important issues and
bundled the rest into a "non-mission-critical" bucket for the sake of
brevity. My goal was to move through that into our recommendations
section where we would propose what the customer should do next,
including building a security validation program and starting to
integrate into the SDL; let's just say I never got that far…
As soon as I hit the Criticals section I noticed something wrong.
Immediately the faces of the folks in the room started to look…
befuddled I think is the correct word. Some got that glazed-over look
I get when my wife tries to explain the complex relationships of her
friends and such… they were overwhelmed, lost, and confused. I
stopped and asked if there were questions… no one raised their hand
or spoke up so I continued. I got about 1/2 way through the critical
issues section when the CISO, hand half-raised, looked at me and said
"This is way too much … I just don't think we can handle it".
Naturally I thought he was talking about the depth of the
presentation… or the mountain of information I was giving them…
nope – he was referring to the number of things that we had found that
were wrong with the site."
This is probably far more common than you think.