I hope this post's title does not make you feel clickbaited, but I promise I will try to live up to it. I must admit that I am not fluent in the works of Edgar Allan Poe, but I read his essay “The Philosophy of Composition,” and I was amazed by the lessons it can provide to security professionals. In this essay, he details his thought process for coming up with the poem “The Raven.”
Since this is an amazing piece of writing, I want to showcase some of his thoughts on this topic and how they can be applied to the writing of security professionals. Keep in mind that Poe is talking about poetry, and cybersecurity writing is not poetry, and it shouldn’t be. Therefore, not all of this essay can be applied to cybersecurity, and sometimes, it is the case that you should do the exact opposite.
What do I mean when I talk about “Cybersecurity Writing”? Almost every job in the field of cybersecurity will demand writing a report about something.
Examples are:
Pentest and Red Team reports
Cyber Threat Intelligence reports
reporting on an OSINT investigation
audit reports
reporting on a security incident that has occurred
All of these reports usually serve the purpose of summarizing an extensive and highly technical job you and your peers have done and presenting the outcomes to stakeholders ranging from management to IT admins.
I will structure this post around some quotes from Poe’s essay and will talk about how I think they apply to cybersecurity writing. I still urge you to read the essay in full, and if you haven’t done so yet, you should read the poem “The Raven.” You can find the essay here:
https://www.poetryfoundation.org/articles/69390/the-philosophy-of-composition
Nothing is more clear than that every plot, worth the name, must be elaborated to its denouement before anything be attempted with the pen. It is only with the denouement constantly in view that we can give a plot its indispensable air of consequence, or causation, by making the incidents, and especially the tone at all points, tend to the development of the intention.
This illustrates that before you start to put anything in writing, you should think about your message and the point(s) you want to make. These key takeaways should always be in the back of your head, and all writing you do should aim to serve them. If your goal is to increase the budget for awareness training, the shortcomings and vulnerabilities you talk about should imply that an increased user awareness would reduce the risk of them becoming dangerous to your organization.
Or, as Poe said:
I prefer commencing with the consideration of an effect.
It is my design to render it manifest that no one point in its composition is referable either to accident or intuition—that the work proceeded step by step, to its completion, with the precision and rigid consequence of a mathematical problem.
This is one of the most remarkable quotes in this entire essay. Poe admits that poetry and good writing are essentially mathematical problems, rather than something that comes from intuition and accident. While this may take the romance out of some poetry, it is great news for all cybersecurity professionals: it means that you can learn good writing. The best part is that this calls for the use of templates. If there are clear constraints that define good writing, you can put them into a template and reuse them. Doing this will make writing easier and faster and reduce overhead.
If any literary work is too long to be read at one sitting, we must be content to dispense with the immensely important effect derivable from unity of impression.
This explains why all your work should have a “Management Summary.” Someday, somebody will want a five-minute summary of your work, and this person is probably the one calling the shots. If your writing is not able to convey its message in a very short time, all the work that went into your report might be pointless.
What we term a long poem is, in fact, merely a succession of brief ones—that is to say, of brief poetical effects.
Sadly, a report that can be read in five minutes is not always sufficient. If your client has paid thousands of dollars for the work you did and the only tangible result he gets is a PDF, you had better make sure he feels that it is worth his money. Sometimes, this can be achieved by writing a big, extensive report. If that is the case, it is a good idea to provide a variety of arguments that support the “story arc” leading to your overall conclusion.
I kept steadily in view the design of rendering the work universally appreciable.
This perfectly highlights what should be done in terms of “stakeholder communications.” Usually, there will be multiple recipients of your writing with varying degrees of understanding of the topic you are talking about. Make sure that all of them get what they need from your writing. That does not mean that you have to explain recent threat actor activity or cross-site scripting like you are talking to a five-year-old. You can include different chapters in your report aimed at different audiences, but make sure to explain which chapter is intended for which audience.
Always keep your audience in mind and make sure all stakeholders can appreciate your work.
Truth, in fact, demands a precision, and Passion, a homeliness (the truly passionate will comprehend me), which are absolutely antagonistic to that Beauty which, I maintain, is the excitement or pleasurable elevation of the soul.
This separates the writing cybersecurity folks do from the stuff poets produce. Creating beautiful reports is nice to have, but the truth (philosophical question: “Can we get there?”) is what you should aim for. So don’t shy away from telling things like they are.
The sound of the refrain being thus determined, it became necessary to select a word embodying this sound, and at the same time in the fullest possible keeping with that melancholy which I had pre-determined as the tone of the poem. In such a search it would have been absolutely impossible to overlook the word “Nevermore.”
The repetition of the word “Nevermore” is probably the thing that is still in your head, together with a memory of the dark and mystic vibe of the poem. It will be the same with the reports you are writing. So aim for an overarching tone and repeat your refrain. It probably is not “Nevermore,” but something like “increase the budget,” “defense in depth,” or “there is a high risk because of this event.”
Here, then, immediately arose the idea of a non-reasoning creature capable of speech, and very naturally, a parrot, in the first instance, suggested itself, but was superseded forthwith by a Raven as equally capable of speech, and infinitely more in keeping with the intended tone.
This is a fun insight into Poe’s process of thinking, but also a key message about tone and choice of words. Consider your audience, the vibe, and the message your writing targets. Throwing around terms like MQTT, AES, IoC, and APT is probably a bad idea for a management summary, and so is using terms like “hacker tools” and “sneaky software” in chapters written for your security teams. The same applies to general tone. For example, “Our systems are currently under siege by a sophisticated APT, demonstrating indicators of highly skilled adversaries with substantial resources.” tells you, “Shit’s on fire, yo.” On the other hand, “We have identified the potential presence of an APT in our network. This could possibly lead to issues in the system integrity and data security if not looked into.” sounds way less scary.
Writing is a crucial skill for any security professional, and I believe we all should spend some time learning and improving that skill systematically. Communicating your messages and intentions in a clear and audience-appropriate way can save time, advance your career, and improve the perception of your work.
If you have enjoyed this blog, share it with a friend, follow me on Twitter @secbyaccident, and give it a like.