Writing for Security: Why You Hate It

quillOver the next couple of weeks, I’ll be sharing a multi part series about technical writing for security professionals. If your job requires you to write reports of any kind, or you enjoy blogging, then I think you’ll enjoy it. We’re going to talk about some of the underlying reasons you probably don’t like writing as much as you could, how good writing can help you further your career, and some tactical tips for being a better writer.

I recently conducted an open-ended survey of information security practitioners to ask them what their biggest pain point was. I was fortunate to get a ton of responses and ended up with a list just short of a mile long. The list was very diverse, but there were a few themes that emerged. One that I wasn’t surprised to see was that many expressed their disinterest for the part of their job that involves writing.

Let’s dig into why so many people hate writing.

I’d rather be hunting, pen testing, etc

This was by far the most common thing I’ve heard, and I’m sure you can relate. Most of us get the thrill in our job by catching bad guys or pretending to be them. You probably got into this business because you want to help people be more secure, you love solving puzzles, or you just love breaking things. When you have to write up your findings it really just takes time away from that. This is especially painful when you can’t get ahead of your alert queue or you can’t find enough time to go hunting as it is. For consultants, you also have to contend with the limitation on hours for the gig. If you have to spend 50% of your hourly budget writing a report, that’s time that could be spent actually doing the job.

I’m not good at it

Many practitioners simply aren’t good at putting their actions and findings into words. We all know great investigators and pen testers who can do truly amazing things, but have the communication skills of a rock. To make things worse, many experience imposter syndrome where they perceive their writing is poor when it really isn’t. The only thing worse than being bad at writing is thinking you’re bad at it. After all, who wants to spend time doing something they believe they suck at?

Nobody listens to my findings and recommendations

Perhaps the most bone crushingly painful part of writing occurs when you spend a lot of time validating something and coming up with specific recommendations, only to find out they were ignored. You might have experienced this when you perform a pen test a year after performing another one, only to find the same vulnerabilities still exist. Worse yet, you might respond to a breach only to find the recommendations for preventing similar breaches weren’t followed, resulting in another one.

These are just a few of the reasons you probably hate writing. I don’t blame you. They are all legitimate pains and over time they can crush your soul. It might surprise you, but at one time in my life I hated writing, too. I avoided it like the plague and while I wasn’t horrible at it, I certainly wasn’t very good.

Moving Past the Hate

If you knew me then, you’d have a hard time believing I was capable of writing a few books and hundreds of articles, let alone a PhD dissertation. Luckily, when I was earlier on in my career I quickly figured out that writing was an important part of it. So, how did I turn something I hated and wasn’t great at into one of my biggest strengths? I did what, most hackers do, I broke it down into parts that made sense and developed a system.

I sat down and thought about things I liked to read, and how I could relate those to the things I had to write. I’m a big fan of modern authors like Tom Clancy, John Grisham, and Stephen King. I broke down what I liked about their work and started thinking about what they did successfully and how it could relate to technical writing. Eventually I was able to produce a repeatable system that I owe a lot of my career success to.

I’m not going to go in depth on my system here (I’m going to be sharing that later), but in the next post I’ll share some reasons why hackers hate writing that they may not realize.

More on Writing

The truth is that most of us don’t really enjoy the part of our job that requires writing reports. However, no matter what area of security you work in, a great deal of your success will be determined by your ability to do this thing. Fortunately, writing doesn’t have to be as painful as it is. By spending some time up front, hacking the process a bit, and setting up a repeatable system, you can speed up the writing process and gain back the time you can spend breaking things and hunting the adversary. Not only that, you can also become a much more effective agent of change, helping your network or your clients network become more secure. It can even help you become a better teacher and build your community resume by learning how to share your expertise better through a public blog.

If you’re interested in learning more about my personal systems for better technical writing, I’ll be releasing more articles in that area soon, as well as a couple of videos. You can subscribe to the mailing list below to get access to that content first, along with a few exclusives that won’t be on the site.

Sign Up for the Mailing List Here


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.