This is the kind of requirement Johnston thinks a team should push back on, because it only sets the organization up for more vulnerability, rather than less.
"As a security professional you have two jobs: compliance and security," said Johnston. "Sometimes they overlap. You have to do what you can to make the overlap. A compliance auditor might be suspicious. If they are, push back. On the other hand, some parts of compliance are worthwhile. Take what you can from the good parts of compliance and run with it. Go above and beyond in the parts you agree with."
Walters said after many assessments, he's had outside consultancies simply "drop off a three-ring binder full of problems and leave."
This is a perfect example of bad, ineffective reporting.
"We want people to shake the trees," said Walters. "But if the reporting just focuses on the problems, they are not providing answers."
Johnston thinks mistakes in reporting come when teams are too critical of mistakes they find in assessments.
"You likely may find a lot of mistakes being made. That's OK. Security is hard. But you don't have to fire anyone. Instead of finding people to blame, focus on fixing the mistakes. Also, keep in mind that all risk management is ultimately subjective -- even when you're using numbers. I'm not opposed to assigning numbers, but don't go overboard with assigning them."
Failing to bring what you've learned into the corporate culture
You know what vulnerabilities the assessment uncovered, but do the employees in your organization?
Of course, there may be many things you can't disclose to them. But what can you share that brings the issue of security to the forefront for everyone? How can you invest them in being part of the solution to the problems?
"Most regular employees see security as a compliance thing," said Johnston. "They don't see it as something relevant to them. We need to motivate regular employees and answer the question of 'What's in it for me?'"
Johnston suggests a conversation that includes not only lessons learned from the vulnerability assessments, but that also includes examples of headline-making security incidents in other organizations.
"You're trying to build a culture, not a department," he said. "Security is everybody's job. It sounds cliché, but I don't think that resonates in many organizations."