Writing for Security: Making it Matter to You

In the last two posts in this series I talked about why writing was painful, and why most people are afraid of it. If you stopped with those you might run away screaming and never write another thing again. Fortunately, things are going to take a positive turn. In this post I’m going to talk about why writing matters. Specifically, I’m going to talk about why it should matter to you. I’m not talking about fluffy, generic reasons. I’m talking about real reasons that matter, like making more money, getting more time to do what you love, and effecting real change in an organization.

Getting a [Better] Job

Simply put, the need to communicate your knowledge effectively on paper isn’t going away. No matter how good you are at the technical aspects of your profession, the ability to relay your expertise in writing can be the difference in succeeding in your current job, getting a promotion, or landing your dream job.

I conducted a survey amongst several individuals I know responsible for hiring and promoting penetration testers and incident responders. I asked two questions:

In candidates you’ve interviewed, what is the primary reason you didn’t choose to hire them?

35% cited a lack of effective communication skills

For existing employees, what is the primary reason you didn’t choose to promote them when a career advancement opportunity was available?

41% cited a lack of communication skills

Of course, communication involves more than just writing. However, when I talked to nearly all of these managers after the survey, they all explicitly called out a lack of effective writing ability in the majority of their employees.

One manager went on to tell me, “any time I find someone who has great technical skills and can write effectively, I feel like I’ve discovered a unicorn.”

Another manager said, “I just don’t expect someone with strong technical skills to be a great writer. We just hope they’re good enough, but if someone comes in excelling at both then they’re much more valuable to the organization.”

If you have an ability to write well, it will differentiate you amongst your peers.

Getting more time to hunt, pen test, etc

If spending time writing prevents you from being able to do the fun part of your job, then investing time improving your writing skills might seem counterintuitive, but it shouldn’t. Being a better writer doesn’t simply mean that your work is more fun to read (although that’s another benefit). It also means that you’ll start building a toolbox of writing techniques based on your system.

Let’s put this into perspective. Let’s say that you’ve discovered a SQL injection vulnerability in a web server you’re testing. SQL injection isn’t always super fun to exploit (until you succeed), and writing about it can be even worse. You have to relay how you spent hours painstakingly changing field input one character at a time until you were finally able to find the right combination that allowed you to start dumping database tables. The scope of the engagement is limited so you don’t have time or authorization to show the system owner the real damage that could be done with this type of vulnerability, so you have to find a way to relay the importance of it, along with your recommendations for mitigating the risk.

Instead of writing all of that information from scratch, imagine a scenario where you’ve created two or three methods for effectively relaying the stellar work you’ve done in your report. When you get to this point, you’ve essentially developed variations on a script you can use every time you have to write about web vulnerabilities. We aren’t talking about simple find-and-replace templates here. We’re talking about a dynamic system that allows you to tell the reader a story and make it matter to them.

By assigning roles to your characters (the attacker, the system, and the vulnerability) you can create a sense of plot. While you may not naturally excel at technical writing, most people are good at telling a story. When you can build a system around your writing that simplifies it into storytelling, it makes the process that much faster. You won’t waste time anymore and you’ll get to spend more time catching bad guys or breaking things.

Provoking change

Going back to the pen testing example, a simple description of your finding and how it can be exploited might give the report recipient enough information to act on, but will they? My experience tells me that in many cases they won’t. If you don’t paint a good enough picture of what could happen if they don’t act, then your next interaction with them could be finding the same vulnerability a year later, or worse, getting a call that they’ve been breached.

All things being equal, the ability to write remarkable content is what separates action from inaction. If your report doesn’t do a good job of explaining why someone should care about a finding or occurrence, then they aren’t likely to take action to mitigate or remedy it. You have to make it real for people, or they won’t care. It’s basic human psychology. If you can appeal to someone’s primary or secondary needs, they are more likely to take action. Primary needs like food, water, sleep, and sex are a bit tricky, but secondary needs are much more approachable. This includes things like employment, resources, morality, family, self-esteem, confidence, achievement, and respect. If you want to shift your writing from informative to persuasive, you have to appeal to one or more of these areas.

Remember as well that change doesn’t only come from reports. Your blog is a powerful tool for this as well. In many cases, a highly actionable personal blog that appeals to the needs of an organization will cause more change than all the external assessment reports in the world. With proper motivation, expertise, and experience this is something that we’re all capable of.

At most, great technical writing can help you land a better or higher paying job, or provoke change in an organization that could help them defend their networks against attackers. At worst, it could help you develop systems for writing that speed up the process and allow you to spend more time doing the parts of the job you really love. I’ll continue to talk more about these systems and ways to make your writing matter more as we go along.

More on Writing

Although you might not enjoy writing, being good at it can have a profound impact on your career. When you choose to embrace this, you can start developing the systems that will allow you to differentiate yourself in positive ways. In the next few articles I’ll start introducing more of my personal strategies for better technical writing so you can get a better job or get more free time as well.

If you’re interested in learning more about my personal systems for better technical writing, I’ll be releasing more articles in that area soon, as well as a couple of videos. You can subscribe to the mailing list below to get access to that content first, along with a few exclusives that won’t be on the site.

Sign Up for the Mailing List Here
