7. Explain why the outcomes of cyber security testing must be reported (AC 1.7)
Reporting the outcomes of cyber security testing is essential for a few reasons, including ethical responsibility, regulatory compliance, and maintaining an organisation's reputation. Without proper reporting, security testing loses most of its value: a vulnerability that is found but not written up, prioritised and passed to the people who can fix it is effectively still unknown to the organisation, which may then act on incomplete or inaccurate information, and its cyber risk increases rather than decreases. A useful report states what was tested (the scope), what was found, how severe each finding is, and what should be done about it, so that the organisation can act on it.

Ethical responsibility
Ethical hackers and cyber security professionals consider it their duty to report their findings so that organisations can strengthen their security; it is a fundamental part of ethical hacking. If they find vulnerabilities and do not disclose them to the organisation, the testing has served no real purpose. Testing without authorisation, or withholding findings rather than disclosing them through the proper channels, could be considered unethical or even illegal. To encourage researchers who might be on the fence about reporting their findings, some companies run bug bounty programs that financially reward those who responsibly report bugs or vulnerabilities, for example Google's Vulnerability Reward Program and the Microsoft Bounty Program.

Regulatory compliance
Many industries are required by law to conduct cyber security testing and report the findings. GDPR requires organisations to regularly test, assess and evaluate the effectiveness of their security measures, and to notify the supervisory authority when a personal data breach occurs. Organisations might also be required to conduct testing by a regulator. A well-documented cyber security report can help reduce legal penalties and fines by showing that the organisation took proactive steps to identify and fix vulnerabilities before a breach.

Reputation and customer trust
Cyber security breaches can seriously damage an organisation's reputation. Stakeholders, clients and customers need to know and trust that their data is safe. Reporting the results of security tests, especially after a breach, can greatly reassure the public, particularly when the report shows that vulnerabilities were identified and fixed. Transparency is key: it helps to rebuild trust and demonstrates a commitment to security.