Communicating About Cybersecurity in Plain English: Haiku!

When cybersecurity professionals communicate with regular, non-technical people about IT and security, we often use language that virtually guarantees that the message will be ignored or misunderstood. This is often a problem for security and privacy policies, which are written by subject-matter experts for people who lack the expertise. If you’re creating security documents, take care to avoid jargon, wordiness, and other issues that plague technical texts.

To strengthen your ability to communicate geeky concepts consider the following exercise:

Take a boring paragraph from a security report or policy and translate it into a sentence that’s no longer than 15 words without using industry terminology. I’m not suggesting that the resulting statement should replace the original text; instead, I this exercise might train you to write more plainly and succinctly.

For example, I extracted and slightly modified a few paragraphs from the Princeton University Information Security Policy, just so that I could experiment with some document written in legalese. I then attempted to relay the idea behind the policy’s paragraphs in the form of a 3-line haiku (5-7-5 syllables per line):

This Policy applies to all Company employees, contractors and other entities acting on behalf of Company. This policy also applies to other individuals and entities granted use of Company information, including, but not limited to, contractors, temporary employees, and volunteers.

If you can read this,
you must follow the rules that
are explained below.

When disclosing Confidential information, the proposed recipient must agree (i) to take appropriate measures to safeguard the confidentiality of the information; (ii) not to disclose the information to any other party for any purpose absent the Company’s prior written consent.

Don’t share without a
contract any information
that’s confidential.

All entities granted use of Company Information are expected to: (i) understand the information classification levels defined in the Information Security Policy; (ii) access information only as needed to meet legitimate business needs.

Know your duties for
safeguarding company info.
Use it properly.

By challenging yourself to explain a complex concept with a single sentence, you motivate yourself to determine the most important point, so you can better communicate it to others. This approach might be especially useful for fine-tuning executive summaries, which often warrant careful wordsmithing.

This is just one of the ways in which you can improve your writing skills with deliberate practice. For more learning opportunities, take a look at my writing course SEC402: The Secrets to Successful Cybersecurity Writing: Hack the Reader.

Updated

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more