Nobody reading your information security policies? Perhaps they are unreadable.
There is a hard truth many information security professionals must to face: just because you have the title of Information Security Officer (or similar) does not mean people will read or respect your security policies. If you want respect, you must lead. And leadership is persuasion.
However, you can take a hundred professional development courses, attend dozens of SANS courses, and become certified on every NGFW in the world and never hear the most important lesson about leadership communication:
The responsibility of communication is on you, the writer, not the reader.
It is not the readers’ responsibility to untangle your convoluted writing. If a document is inaccessible to a reader they simply will not read it. And if they do not read it, they also do not respect whatever rules are contained within.
Exacerbating this challenge is the changing workplace demographics. As Millennials take over the workforce, they are demanding a more authentic, and open communication style. While stiff, formal, detailed policy documents might assuage nitpicking auditors, the Millennial employees (who are supposed to be following those policies) ignore them.
If you want people to respect your policies, you must write them in a persuasive manner. The content and tone must encourage people to internalize and accept the rules. Even the most accomplished writers struggle with this challenge.
However, there are some simple techniques you can use immediately improve the readability and acceptability of your security policies. Below are ten rules you can use right now for better security policy writing:
| 1. The time is now | Write everything as if it is happening at this exact moment. Furthermore, use action words such as “implement, install, deploy, test, or distribute” to give your words urgency. Avoid past tense whenever possible. |
| 2. Go all in | Never express doubt or uncertainty. It makes you sound clueless. Avoid weak, non-committal words like “could, should, might, try, or hope.” Use strong words such as “do, plan, will, and must.” |
| 3. Just say it | Get to the point, quickly. The more “official” you try to sound, the less authority you actually communicate. If people cannot download apps, just say that: “you cannot download apps on your computer. It is dangerous.” A 5000 word essay on the nature of malware is unnecessary. |
| 4. It’s all about YOU | Write directly to the reader. “You must protect ePHI” rather than “Employees must protect ePHI.” “You” is a more powerful, personal, and direct pronoun. |
| 5. Less is more | Boil everything down to the simplest possible words. Do not use policies to show off your expertise on risk management or compliance. The reader does not care. |
| 6. Lead the reader | Dribble out information slowly. One idea per sentence. Go slow and put things in logical order. |
| 7. Come out swinging | You have two or three sentences to hook the reader. Focus writing strong, concise, and decisive introductory sentences and sections. |
| 8. Table it | Tables organize complex, relational information in a pleasing manner. |
| 9. Living subjects | Whenever possible, make the subject of a sentence a person, group, or company. Avoid making computers or esoteric concepts (like ePHI) the subject. “You must protect ePHI” rather than “ePHI must be protected.” This makes your writing more people-centric. |
| 10. Never by | Never use the word “by.” It usually indicates passive voice, which is difficult to read. |
Will this make you a master cybersecurity writer? It will help. Give it a try.
Of course, the most common reaction to these ideas is: “our auditor will not accept this kind of document.” Perhaps you need a new auditor, not more poorly written policies. A competent auditor, who does not merely check boxes, will understand the intent. You can meet the intent of compliance regulations without resorting to stiff, unreadable content.
