1 of 26

How to Talk Cyber Risk

With Non-technical Stakeholders

2026

2 of 26

Are We Good?

3 of 26

What Could Hurt Us?

How Badly Can this Hurt Us?

What Should we Fix First?

4 of 26


Volume over clarity

Vulnerability is not risk

Severity is not priority


5 of 26

Who Am I?

Victoria Mosby

16 years as a cybersecurity nerd having worn many hats - ranging from GRC/Audit, policy writing, government consulting, mobile security and pentesting (mostly adjacent).

I currently work as a Sr. Sales Engineer at PlexTrac.

Personal Hobbies: Storytelling and writing, TTRPGs, TCGs, crocheting and challenging the limits of my HOA’s patience.

Current Obsessions: Finding the best Lobster Roll in Cocoa Beach

I love taking complex topics and reframing them to fit my audience's needs.


6 of 26

Basic Deliverable

Results Driven

System Scoring

Technical Jargon

The translation gap is not a tooling problem. It is a methodology problem.

Reports get filed because they answer questions nobody asked, in language nobody outside security speaks, with no clear path from finding to decision.


7 of 26

Bridging the Gap

Decision Engine

(Report)

Decision Recommendations

Business Context

Audience Language

Shared vocabulary between security and the business.

Layered context, including asset criticality, business impact, risk appetite, and environmental factors.

A conclusion-titled summary, business consequences quantified in dollars and frameworks, and a recommended action with effort estimates and sequencing logic.


8 of 26

Score for the Business, Not the System

Same scoring system. Same numerical scale. Wildly different business priority.

Finding A is a remote code execution vulnerability with a CVSS of 9.8, identified on an isolated test server.

The system has no production data, sits air-gapped from the production network, and has no path to customer impact.

Finding B is a weak authentication finding on a domain controller with a CVSS of 5.3.

The domain controller has admin paths into the enterprise resource planning (ERP) system, which holds $40 million in annual revenue data and falls under Sarbanes-Oxley Act (SOX) scope.


9 of 26

Three Layers of Context

Asset Context

    • What does the system do?
    • Who uses it?
    • What data does it touch?
    • Is it internet-facing?

Business Impact

    • What is the financial exposure if this finding is exploited?
    • What compliance frameworks apply, and what do they require?
    • What is the organization's stated risk appetite, and where does this finding fall against it?
    • What operational consequences would follow?

Environmental Factors

What is in the way of exploitation? Compensating controls, real-world exploitability evidence, signs of active exploitation in the wild.


10 of 26

From the Outside Looking In

Use What You Can Observe

Ask During Scoping

Use Industry Benchmarks as Proxies


11 of 26

Layers + Layers + Layers

Layered together, they produce a business priority rating which often disagrees with CVSS-sorted ordering.

And that’s the point.
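As an added example (not the author's rubric, nor anything from PlexTrac), the following Python sketches a hypothetical three-layer rubric and shows the CVSS-sorted order of Finding A and Finding B from the earlier slide flipping once asset context, business impact and environmental factors are layered on; every weight and threshold is an assumption. The same ordering is what a finding summary table sorted by business priority, with CVSS kept as a column, would use.

```python
# Added example, not from the talk: a hypothetical three-layer rubric layering
# asset context, business impact and environmental factors on top of CVSS.
# Every weight and threshold below is an assumption, not the author's.
from dataclasses import dataclass

@dataclass
class Finding:
    title: str
    cvss: float
    asset: str
    production_data: bool           # asset context
    revenue_at_risk_usd: float = 0  # business impact
    compliance_scope: tuple = ()
    exceeds_risk_appetite: bool = False
    air_gapped: bool = False        # environmental factors
    compensating_controls: int = 0
    exploited_in_wild: bool = False

def business_priority(f: Finding) -> float:
    """Start from CVSS, then scale by the three context layers (0-10 scale)."""
    score = f.cvss
    # Asset context: no production data and no customer path means little consequence.
    if not f.production_data:
        score *= 0.2
    # Business impact: revenue exposure, compliance scope and risk appetite raise it.
    if f.revenue_at_risk_usd > 0:
        score *= 1.8 if f.revenue_at_risk_usd >= 10_000_000 else 1.3
    score *= 1.0 + 0.2 * len(f.compliance_scope)
    if f.exceeds_risk_appetite:
        score *= 1.5
    # Environmental factors: what stands between the attacker and exploitation?
    if f.air_gapped:
        score *= 0.1
    score *= max(0.3, 1.0 - 0.15 * f.compensating_controls)
    if f.exploited_in_wild:
        score *= 1.5
    return round(min(score, 10.0), 2)

def summary_table(findings):
    """Rows sorted by business priority; CVSS stays a column, not the sort key."""
    rows = [(f.title, f.asset, f.cvss, business_priority(f)) for f in findings]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed inputs mirroring Finding A and Finding B from the slides.
FINDING_A = Finding("Remote code execution", 9.8, "isolated test server",
                    production_data=False, air_gapped=True)
FINDING_B = Finding("Weak authentication", 5.3, "domain controller (admin path to ERP)",
                    production_data=True, revenue_at_risk_usd=40_000_000,
                    compliance_scope=("SOX",))
```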


12 of 26

Ask the Right Questions

What are the top three to five business-critical systems in scope?

What revenue depends on these systems?

What compliance frameworks apply, and what is your stated risk appetite?

What mitigating controls should we know about? What has changed since your last assessment?

Who receives the report, and what decisions do they need to make?

The audience question is the most often skipped and the most consequential. The audience determines the structure.


13 of 26

Speak the Audience's Language - Vocabulary Matters

If a finding cannot be acted on, it is not a finding.

It is a fact.

The difference is whether the audience has the language and the context to make an informed decision from what they read.


14 of 26

Jargon Glossary

RCE
    • Technical definition: Remote code execution. Ability to execute arbitrary code remotely.
    • Business context: Attacker runs any command they choose. Equivalent to handing over admin keys.

IDOR
    • Technical definition: Insecure direct object reference. Authorization flaw exposing other users' data.
    • Business context: One customer can read another's data. Privacy violation. Contractual breach.

Risk appetite
    • Technical definition: Stated tolerance for loss across categories.
    • Business context: How much loss the board will accept before it forces a change in posture (or management).


Place this at the front of every report, before the executive summary.


15 of 26

Risk register as a living artifact

Updated continuously, owned jointly.

Cross-functional readouts

Translation in both directions.

Purple-team feedback loops

The business tells security what they need to hear, not what security thinks they need to know.


16 of 26

Before

Title: SQL Injection in Login Parameter

Severity: Critical (CVSS 9.8)

Description: A SQL injection vulnerability was identified in the login form's username parameter. The application does not properly sanitize user input, allowing an attacker to inject malicious SQL queries.

Recommendation: Implement parameterized queries to prevent SQL injection attacks.


17 of 26

After

Title: SQL Injection Exposes Customer Database. Estimated $3M to $8M in regulatory and litigation risk.

Business Impact: Critical. Exceeds stated risk appetite. The vulnerability exposes 2.4 million customer records including PII and payment data, creating mandatory notification obligations across 14 states and EU jurisdiction.

What's at risk: Customer data confidentiality, PCI compliance status, customer trust, regulatory standing with the FTC and state attorneys general.

Recommended action: Implement parameterized queries (1 to 2 sprint development cycle, ~80 engineering hours). Deploy WAF rules as a compensating control within 48 hours (~4 hours of operations work). Schedule code review of all input handling within 30 days.


18 of 26

The Formula

Title = asset + business consequence +

Consequences = regulatory, financial, and operational impact, with dollar ranges +

Action = fix + effort estimate + sequencing logic


19 of 26

one slide

one finding

one decision


20 of 26

Executive Summary that Writes itself

Risk Exposure Summary - Aggregate dollar range across regulatory, financial, and operational categories. One paragraph.

Priority Decisions Required - Top three to five findings with business impact framing. One short paragraph each.

Remediation Roadmap - Phased and sequenced by risk reduction per unit of effort. Visual where possible.

Risk Trend - For recurring engagements only. Comparison over time of total risk exposure, mean time to remediate, and findings closure rates against prior engagements.

Finding Summary Table - Sorted by business priority, not by CVSS. CVSS appears as a column, not as the sort key.


21 of 26

Extra Mile for External Providers


Group findings by business function rather than by severity.

Estimate effort

Sequence quick wins first. Flag dependencies so blocking findings are visible.


22 of 26

Quantifiable Risk Reduction

Quantifying risk in financial terms lets risk reduction be quantified the same way.


Total risk exposure decreased 38% since previous engagement.

Mean time to remediate for business-critical findings improved from 47 to 19 days.

Done well, security pays for itself
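As an added example (not from the talk), the following Python computes the risk-trend metrics named on this slide and in the executive-summary outline (change in total exposure, mean time to remediate for business-critical findings, and closure rate) from two constructed engagement snapshots; every finding, dollar range and date is made-up sample data.

```python
# Added example, not from the talk: risk-trend metrics across two engagements.
# The findings, dollar ranges and dates are constructed sample data.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class TrackedFinding:
    title: str
    exposure_low_usd: float   # low end of the quantified dollar range
    exposure_high_usd: float  # high end
    business_critical: bool
    opened: date
    closed: Optional[date] = None  # None means still open

def total_exposure(findings):
    """Aggregate exposure: sum the range midpoints of findings still open."""
    return sum((f.exposure_low_usd + f.exposure_high_usd) / 2
               for f in findings if f.closed is None)

def exposure_change_pct(previous, current):
    """Percent change in total exposure between engagements (negative = reduction)."""
    before, after = total_exposure(previous), total_exposure(current)
    return round((after - before) / before * 100, 1)

def mean_time_to_remediate_days(findings):
    """Mean days from open to close for closed business-critical findings."""
    days = [(f.closed - f.opened).days for f in findings
            if f.business_critical and f.closed is not None]
    return round(mean(days), 1) if days else None

def closure_rate_pct(findings):
    """Share of findings closed as of this engagement."""
    return round(100 * sum(f.closed is not None for f in findings) / len(findings), 1)

# Constructed snapshots: the same findings as seen at two engagements.
OPENED = date(2025, 1, 10)
PREVIOUS = [
    TrackedFinding("SQL injection in login", 3_000_000, 8_000_000, True, OPENED),
    TrackedFinding("Weak authentication on DC", 1_000_000, 3_000_000, True, OPENED),
    TrackedFinding("Outdated TLS configuration", 100_000, 300_000, False, OPENED),
]
CURRENT = [
    TrackedFinding("SQL injection in login", 3_000_000, 8_000_000, True, OPENED, date(2025, 2, 4)),
    TrackedFinding("Weak authentication on DC", 1_000_000, 3_000_000, True, OPENED),
    TrackedFinding("Outdated TLS configuration", 100_000, 300_000, False, OPENED, date(2025, 3, 1)),
    TrackedFinding("IDOR in invoices API", 500_000, 1_500_000, True, date(2025, 7, 1)),
]
```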


23 of 26

The Shift

When risk reduction shows up in dollars, stakeholders stop seeing security as a cost center. The conversation shifts from compliance theater to strategic input.

Internal security leaders

Defending the budget stops being a hedge. "We prevented incidents" becomes "we reduced quantified exposure by $4.3M while spend grew $400K." Real argument, real CFO response.

External assessment providers

A vendor who delivers a report is replaceable. A vendor who maintains a longitudinal view of the client's risk in the language the board uses is a strategic partner.

Trust and budget follow from the shift, not the other way around.


24 of 26

Are We Good?

25 of 26

Toolkits

Pre-engagement intake questionnaire - The five-question template, with field descriptions and sample answers from three engagement types.

Business-aligned executive summary template - The five-section structure with prompts and example language for each section.

Before and after finding examples - Three findings, each rewritten from CVSS-sorted technical writeup to conclusion-titled business framing.

Contextual scoring cheat sheet - The three-layer rubric with worked examples showing how CVSS-sorted priorities flip when context is layered on.

Jargon Glossary - Ten technical terms in the two-column format, ready to drop in at the front of any report before the executive summary.


26 of 26

Socials & Goodies
