Balancing Brevity and Verbosity in Business Communications

“The most valuable of all talents is that of never using two words when one will do,” proclaimed Thomas Jefferson a few centuries ago. Succinctness seems more valuable in the 21st century, where we’re bombarded by words in spoken and written forms. However, knowing how to be brief is no less critical as knowing when to be brief.

I generally recommend assuming that the audience lacks the time or the inclination to pay full attention to your communication. Some rules of thumb for being brief:

• Use the elevator pitch approach when presenting to executives
• Describe pros and cons of a situation using a SWOT matrix
• Strive to avoid email messages longer than a paragraph
• Finesse you brevity skills by participating in Twitter discussions
• Keep security policies short and to the point
• When in doubt, include fewer topics in a presentation

While the advice above might apply to many situations, there are certainly cases where being verbose is preferred:

• Provide details when responding to a person who explicitly asked for more information
• Include the necessary supporting figures and data in an appendix to a report
• Keep the public appraised of the situation when handling an incident, such as a data breach
• Offer detailed feedback when seeking to change the behavior of colleagues or other people around you
• Include lots of superfluous, unnecessary or otherwise redundant words when trying to reach the minimum length requirement for your article

The biggest culprit in long-winded communications are, perhaps, presentations that last an hour but feel much longer. I was interested to learn about an approach to presentations that caps the presenter’s time at just a few minutes. If you’ll be in DC this December, you can attend a 1-hour event comprised of such “lightning talks” while watching some top minds in digital forensics and incident response present for just 360 seconds. There will also be an opportunity to tune in remotely.

Hand-picked related posts:

• How to Be Heard in IT Security and Business. 10 Tips.
• 4 Tips for a Strong Executive Summary of a Security Assessment Report
• Troubleshooting Human Communications Cheat Sheet

— Lenny Zeltser

Twitter Social Networking Among Information Security People

Having used Twitter for a couple of years, I can say that its role as social networking medium for members of the information security community has been steadily growing. The value Twitter offers infosec people in three-fold: it helps keep up with interesting security-related content; it offers a forum for interacting with fellow infosec professionals; and it assists in researching current security events and trends.

Finding Relevant and Interesting Content

Twitter users often act as curators of content, helping to identify which news stories, research papers, podcasts, etc. you should be paying attention to on a given day. To benefit from this aspect of the service, it’s best to sign up for Twitter and follow people whose taste in security content matches yours.

Deciding whom to follow on Twitter without being overwhelmed by the number of updates in your stream is a personal matter. A good starting point is to find which of your friends and colleagues are already on Twitter and follow them. Another is the list of “top” security Twitter accounts maintained by the service Listorious. Yet another possibility is the listing of “most powerful voices in security” compiled by Jim Kaskade.

One of the advantages of following on Twitter the people who interest you is that you don’t need to keep up with their updates in real time to benefit from their content-curating activities. Several free services can filter, rank and aggregate the content shared by the Twitter accounts you follow. These include:

• The Tweeted Times
• Paper.li
• Summify
• News.me

You can follow the updates of Twitter users by subscribing to the RSS feed that Twitter generates for them. This works even without you needing to join Twitter; however, this method is only practical when you want to keep up with a small number of Twitter users.

Interacting With Other Information Security Professionals

Technology is making the world smaller, someone said once. Twitter certainly contributes to this dynamic: It’s incredible how many members of the information security community are just a click away on this service.

You might shy away from approaching a particular individual at a conference or worry about emailing the person you don’t know. On Twitter, such social stigmas are almost non-existent. People generally feel contacting each other—making comments, asking questions and providing answers, without much hesitation. This aspect of Twitter makes the site a fantastic source of inspiration and knowledge.

Interestingly, Twitter is even becoming the platform for discussing contents of blogs, with comments being shared as Twitter messages instead of being added to the blog post’s web page directly.

Researching Security Topics

The volume of information posted on Twitter can easily be overwhelming. This aspect of the site makes it a good source of various types of real-time and historical data related to information security.

For instance, you might use Twitter search to check what people are reporting regarding an unfolding security breach or ongoing attack; you might find information about defensive and offensive actors; you might the mention of hashes of malicious executables or suspicious IP addresses, etc. For additional thoughts along these lines, see my earlier posts How to Use Twitter for Information Mining and Monitoring Social Media for Security References to Your Organization.

For more tips on getting the most out of Twitter, see my earlier post Joining The Information Security Community on Twitter. Oh, and you should probably follow me on Twitter: @lennyzeltser.

— Lenny Zeltser

How a Data Security Breach Can Be Used for Good PR

Hershey Corporation sent an email to its customers, notifying them that Hershey’s website experienced a data security breach. This incident was picked up by many online publications after the report surfaced on the Consumerist blog. People were fascinated to learn that the attacker only modified a single baking recipe, leaving the rest of the site untouched. I am interested in this incident because it presents an opportunity to learn from Hershey’s smart PR response to the breach.

Potential Effects on Consumer Data

According to Hershey’s notice, the compromised web server stored “consumer website registration information, including email addresses, birthdates and street addresses as well as passwords used to enter some of our sites.” This is probably the reason why the company notified the public about the breach.

Hershey has “no indication that any of this consumer information was compromised.” It’s very hard for an organization to definitively say that no sensitive data was compromised, which is why this form of describing the scope of the breach is often seen in breach notification reports. The implication is that the company went through reasonable efforts to determine what data may have been affected.

Highlighting the Importance of Recipes

While acknowledging the concerns over the security of consumer information, Hershey’s notice does a great job highlighting the strange circumstances of the breach, where the intruder altered only a single recipe on the compromised website:

“As you know, Hershey’s recipes are built on our legacy of offering the highest-quality products for more than 100 years. Consumers rely on us for this information, and we take the quality of our baking and cooking recipes very seriously. We have corrected the issue and taken steps to enhance the security of this information. We have thoroughly investigated the situation and reviewed the recipes on this site to ensure their quality.”

From a marketing and PR perspective, Hershey is focusing the message on the integrity of its recipes. The implication is that if someone were to bother modifying them, then there’s something truly special about their contents—something that Hershey’s customers have been benefiting-from for more than a century.

Sample headlines related to the breach read:

• Chocolate-obsessed hacker breaks into Hershey’s website to change a recipe (Digital Trends)
• Hackers change Hershey’s chocolate recipe (The Telegraph)
• Hershey’s website hacked, recipe changed (MSNBC)

I see the contents of Hershey’s breach notification notice as an excellent example of how companies can use a potentially negative event, such as a data security breach, for strengthening its brand. The approach of focusing the messaging on the modified recipe—seems to be paying off for Hershey, as the media’s coverage of the incident seems to be emphasizing on that strange aspect of the breach.

Hand-picked related posts:

• Learn Better Security Breach PR from Harold Sun’s Halfhearted Apology
• Could a Data Breach Actually Help the Affected Brand?
• How Not to Respond to a Security Incident

— Lenny Zeltser

Cheat Sheet for Creating Security Assessment Reports

There is surprisingly little information online about creating good information security reports. You’ll easily find tips on performing web applications assessments, policy reviews and penetration tests, but it’s harder to locate advice regarding the best way to analyze the data and communicate the assessment’s findings.

To ameliorate this situation, I created a 1-page cheat sheet with tips for creating an information security assessment report. It includes some of the the assessment advice I’ve shared on this blog as well as additional tips, covering the following areas:

• General Approach to Creating the Report
• Analysis of the Security Assessment Data
• Assessment Methodology Documentation
• Scope of the Security Assessment
• Documenting Conclusions
• Qualities of a Good Assessment Report

It’s available in HTML, PDF and Word formats, so you can print or customize the cheat sheet for your own needs. Thanks to Dave Shackleford and John Strand for their feedback on the draft of this cheat sheet.

The only thing I like better than reading cheat sheets is creating them. That’s why you’ll see a bunch of them on my website. I hope you find the new addition, which focuses on security assessment reports, useful.

— Lenny Zeltser

6 Qualities of a Good Information Security Assessment Report

Not all information security assessment reports equal. Many present irrelevant details and are tedious to read. They often miss the opportunity describe the risks and remediation approaches in a way that the assessment’s beneficiary—be it an external client or an internal group—can understand and act upon.

Even if the execution of the assessment tasks was flawless, the perceived value will be based to a large extent on the quality of the report that represents the project’s deliverable. Here is my list of 6 qualities of a good information security assessment report:

• Starts with a strong executive summary that a non-technical reader can understand. Given people’s short attention span and time limitations, there’s a good chance that most readers won’t get past the executive summary. Moreover, the executive summary is often the part of the report that is distributed internally beyond the group that commissioned the security assessment.

• Provides meaningful analysis, rather than merely presenting the output of assessment tools. The value that an experience assessor brings is in making sense and deriving meaning from the collected data. As the result, the report should narrate the assessor’s observations and conclusions.

• Includes supporting figures to support the analysis. Such details should be included to substantiate the findings, so that the reader can confirm that the observations are based on factual data and, in some cases, to allow the reader to replicate the discovered vulnerabilities.

• Describes assessment methodology and scope. Don’t assume that the reader will be aware of the initial discussions regarding what should be tested and how. Moreover, the report should describe the tools, approaches and techniques that the assessor employed, so that the reader can be confident in the professional and systemic approach to the project.

• Looks professional and is without typos. Though the substance of the report isn’t directly affected by the document’s look-and-feel, it’s hard for the reader to take seriously a document that looks sloppy and unprofessional. Moreover, typos distract from absorbing the text’s meaning and can offer an excuse to cast doubt on the assessor’s capabilities.

• Is structured in logical sections to accommodate the different groups who will need to read and act upon the report. Though some readers will be motivated to pay attention to the whole document, many might only care about some aspect of the assessment (e.g., application or infrastructure security). Also, the recipient might wish distribute the report’s contents on the need-to-know basis.

Of course, there’s more to a good security assessment report than the tips I offered above. My goal was to point out the qualities that I often see lacking missing from the reports that come across my desk. Keep these points in mind when creating a document to describe your findings and recommendations and when evaluating a group you might engage to perform a security assessment.

This note is part of a 4-post series on creating security assessment reports. For more, see:

• Security Assessment Report as Critique, Not Criticism
• 4 Tips for a Strong Executive Summary of a Security Assessment Report
• 4 Reasons Why Security Assessment Recommendations Get Ignored

For more on the topic, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.

— Lenny Zeltser

Explaining Your Progress to Clients or Colleagues

Your non-security colleagues or clients probably have a hard time telling whether you are doing your job well, unless you interact with them on regular basis. After all, they probably don’t understand the intricacies of your work, which makes it hard for them to judge its quality. What can you do about it?

Out of Sight, Out of Mind

As I wrote earlier post, people who don’t understand a specialized skill set estimate the value they receive by assessing the effort (usually time) that goes into the project. Nowadays many employees and consultants work remotely; this makes it harder to know how much people have worked on a given task. This can lead colleagues or clients to assume that the person wasn’t working hard enough.

The solution to this challenge may involve meeting with the relevant people more often by phone or in person. In addition, we should put effort into providing regular status updates electronically regarding both the tasks in progress and recent milestones. (At the same time, we must be careful not to spam people or annoy them with numerous unnecessary calls.)

Posters in the Subway

Consider an example from the world outside of information security:

New Yorkers were grumpy about the apparent lack of improvements in the city’s transit infrastructure. The Metropolitan Transportation Authority (MTA) was asking for additional funding and planned to increase fares; yet, the riders and policy makers didn’t understand how the existing money was being spent.

MTA responded with a PR campaign to highlight the improvements it was making to subways, buses and bridges. The advertisement posters, extolled the hard work of MTA employees and include the tag line “Improving, non-stop.” (It’s too early to say whether the campaign had the desired effect.)

What You Can Do

Perhaps your organization, department or self should launch a PR campaign to make sure that your colleagues or clients understand the work you do and how they benefit from it. Companies use similar tactics as part of a security awareness program or overall marketing campaigns, so this shouldn’t be a completely unfamiliar effort. Who knows, perhaps some day you’ll be receiving thank-you cards from appreciative admirers of your work.

— Lenny Zeltser

6 Reasons Why Business Managers Ignore IT Security Risk Recommendations

Information security professionals get frustrated when their concerns are seemingly dismissed by business managers who accept the risk instead of approving the proposed remediation strategy. There are many reasons why infosec personnel’s IT security risk recommendations may not be accepted, including:

• Business managers may be better-suited for making risk decisions than information security professionals, and are wise to accept the risk. For more on this, see Risk Decision Making: Whose Call Is It? by Jack Jones.

• Business managers may have become immune to security concerns expressed through fear, uncertainty and doubt (FUD). For more on this, see my note When Using Fear to Sell Security Can Backfire and Mike Rothman’s Categorizing FUD article.

• Business managers may be tired of making risk decisions, and find it easier to maintain the status quo instead of acting upon the security concerns. For more on this, see my posting Choice Fatigue Might Affect Information Security Decisions.

• Business managers don’t understand the IT security risk, possibly because the infosec professional presents it in a context to which they cannot relay. For more on this, see Non-Financial “Currency” for Framing Security Discussions.

• Business managers speak a different language, which information security specialists need to adopt to improve how they communicate and discuss IT security risk topics. For some advice, see Strong Communication Skills: 10 Tips for IT Professionals and SWOT Matrix for Describing Security Posture.

• Business managers aren’t presented with practical options for handling IT security risks, and finding the recommendation too costly or otherwise difficult to act upon them. For my perspective on this, see Know the Alternatives When Negotiating IT Risk Mitigation Approaches.

As information security professionals, we can do a lot better at presenting IT security risk recommendations in a more practical, business-relevant and persuasive manner. To improve, we need to first understand why our advice appears to be ignored. The list of reasons that I presented above isn’t complete, but it might be a good starting point.

— Lenny Zeltser

Security Assessment Report as Critique, Not Criticism

The goal of most information security assessments is to identify vulnerabilities and recommend ways to address them. The resulting report tends to be filled with criticism. Even when the document is filled with insightful observations and advice, it’s often viewed defensively by the readers, who feel like they are under a personal attack.

To create an assessment report that is more likely to be accepted by the readers and that provides more constructive advice, write it as a critique rather than criticism.

In an essay What is Critique?, Judith Butler pointed out philosopher Raymond Williams’ concern that the practice of criticism has been unduly restricted to “fault-finding,” which lead him to propose that we find a vocabulary that does not “assume the habit (or right or duty) of judgment.” The notion of critique involves providing a well-rounded assessment of the subject’s structure, rather than personalizing the identified issues.

A security assessment report that offers critique, comments on the factual findings, on the processes that contribute to the security issues and on the structure of the organization that may need to be adjusted to improve security. This means staying away from chastising specific individuals, unless you are prepared to deal with their anger and defensive counter-accusations. An angry reader will ignore the report’s key messages.

Another element of a critique-focused report involves the discussion of positive findings of the assessment. As the saying goes, a spoonful of sugar makes the medicine go down. Furthermore, seeing what aspects of security you liked, will help the organization learn from what is working, so it better understands how to address the processes that aren’t. Positive reinforcement is often even more effective than negative reinforcement in changing behavior.

This note is part of a 4-post series on creating security assessment reports. For more, see:

• 6 Qualities of a Good Information Security Assessment Report
• 4 Tips for a Strong Executive Summary of a Security Assessment Report
• 4 Reasons Why Security Assessment Recommendations Get Ignored

For more on the topic, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.

— Lenny Zeltser