There's a classic book from the 70s entitled On Writing Well. I can't say anything about writing well, but I can offer something on writing better. I'm far from the best writer, but I'm better than when I was a bad writer. As I've written more, I've realized that in order to put myself out there I had to accept, not that I was good, but that I'm "good enough."
What is the relevance to infosec of an article about writing? Information security needs people who can think and articulate efficiently and effectively. Writing helps accomplish this by directing research into thinking-into communicating-into learning-into action. Writing is an umbrella term – no one just simply writes. What is the topic? How long is it? Who's the audience? What's the goal? Improper writing leads to a host of problems when these don't align.
I've been doing part-time volunteer content editing for a cybersecurity professional development platform for almost two years now. When I edit, I don't edit with the idea of making the writing sound like mine, or to match any kind of publishing company standards. I edit with the intent of smoothing out the rough spots.
Sure, at times the grammar is very rough English, so there can be an ample amount of Suggesting that I do, but that's only to do my best at getting across the author's idea in improved English while trying to keep their tone of voice.
Several weeks ago, one of the authors asked me for general advice on how he could improve his writing. The bulk of what's below came from this conversation (edited for various reasons).
I hope that at least one of these tips, from a fellow student of the variegated art of infosec writing, encourages you to write more and, well, better.
- The main tip? Don't give up; keep writing.
- Don't lose your personal touch. Keep your personal phrases – it helps keep your writing yours. On the flip side, avoid overusing phrases. As in speaking, when we overuse a phrase it will be irritating to the listener. Having said that, we still love our friends and put up with their idiosyncrasies! But with public communication, the fewer instances of distraction, the better. Though that search for excellence is always balanced with remaining who we are. The thesaurus is your friend. When you check your writing and you notice that you've overused a word/term/phrase, just search for a synonym.
- Don't try to write like someone else – write like a better you. Along that line, since your primary language is XYZ, don't feel at all that you should correct that. Definitely don't try to be "English", even though the language here is English. Every language has its own colloquialisms, but don't shy away from your own - let English readers be aware of your language and culture. When you've finished something, re-read it out loud to yourself. It could be after every paragraph, or when it's all completed, but reading aloud (or silently, focusing on each word) helps with hearing the flow.
Consider the audience: always ask, "To whom am I speaking?" This helps with the wording and the tone of the writing. Speaking to a beginner in cybersecurity is much different than speaking to a professional. For example: a beginner, without a background in IT, will probably have a very hard time with all of the acronyms, and would like to be introduced to only a few; whereas a pro will easily understand all of the SMTP, DDoS, OWASP, SOC, TTL, and others that you throw at them. Considering your audience will help you tailor your writing. It's not about anyone being dumb or smart, but rather language appropriate.
- Another example: One of my current projects is writing to law firms regarding security, and they have different regulations and considerations than my previous piece, which was to SMB healthcare professionals - different regulations, different industries. Also, the former is to the legal team who doesn't have tech knowledge but is interested in contacting a trusted advisor for infosec advice, and the latter is to the IT and Security influencers in healthcare SMBs, who need some advice for how to proceed on a shoestring budget.
- While cultures vary in musical styles, one thing in common is variation and phrasing. Make one sentence fairly lengthy and somewhat technical if needed. Then make a short one. Mix up the length so that, when read, it has more of a lyrical or musical quality. One long sentence after another is hard to read. And a string of short sentences is unnerving (one gets the sense of almost hyperventilating having to stop so often!). Of course, if the writing is very technical and focused on a technical audience, there's not much to do with that. But for wider audience appeal, think variation.
- Find your own constants. By that, I mean: find your own patterns of things like punctuation and bullets. For bullet points, as just an example, choose to make every bullet a dark circle and end every point with a period. Or make every bullet a - and don't end any point with a period. A major part of writing is being consistent. Use single or double quotes, but use the same throughout the piece. Lists could be 1,2,3 or A,B,C, but keep them the same throughout. Come up with a system for how to make different terms and titles stand out. commands (e.g., ls -al), file types (.exe, .js), menu items (File - Edit), program languages (Python, JS), acronyms (OWASP, SaaS), and so on. Find a way so that, when the reader is looking through your articles, all of those items are easily detected. I know when I get down into an article and the author uses an acronym or term that's new to me, I like to be able to scroll up quickly to see what it means. When it looks the same as all the other words, it's hard to find.
Finally, here's this is something I told an author that's a benefit for me from editing:"I really enjoy reading your and others' articles. I've learned SO MUCH from them all - there's always a new term, technology, idea, link." I've gotten a ton of knowledge from editing, learning about technologies or knowledge that are useful for my job.