As an analyst, it is important to identify root cause and link it back to security governance strategies. This is dealt with through root cause statements typically. What exactly should you be doing for a root cause statement? How important is it? If you produce a findings report you can count on the root cause statement being read. Other parts of the document may be skimmed through, or even ignored, but the root cause statement is going to draw the attention of a variety of different audiences. Therefore this is something you want to get right. In this episode I’m going to deliver a simple approach you can use.