Monday, July 19, 2010

The Biggest Problem

By far, the biggest problem I have run into during my time as an information security person is not misconfigured firewalls, unencrypted USB drives or a poor risk management program. The biggest problem is communications.

I don’t know that I have the answer, but I will tell you that I get a lot of emails that I don’t care about and others that I probably do need to care about but aren’t written in a manner that is useful. I imagine that this guy has some interesting idea regarding email management. But that isn’t all.

It is all about knowing your audience. It sounds basic, I know, but don’t confuse basic with simple. Many people don’t totally understand things like FISMA, FIPS and the 800-series documents. Even those that do may interpret different ideas and concepts in a conflicting manner.

We deal in a complicated and ever-changing space, so do us all a favor and maintain a project glossary and acronym list. Use your snazzy Document/Content management systems or MediaWiki.

I also like to provide standard process documents that back up a project plan. A project plan is telling for some, but here again is an opportunity for failure. One-line entries in a spreadsheet or MS-Project are prone to misinterpretation given their short nature. My process documents are not tasks, but an explanation of activities. They are in plain speak, usually one to two paragraphs that talk about what is going to happen during a phase of the project (not necessarily tied to 800-37 or SDLC frameworks). Especially when it comes to short engagements, it is difficult to spin up a lot of collateral or spend time with education.

Learn how to write. I know I’m not the best writer, but damn. Spell check is not a fix for the “they’re/their/there” issue. Some of this can be solved by taking an extra two minutes to read your writing again.

Lastly (and something that I intend to try out soon), is to spend the time to copy and paste. I am one of those people who think I impress someone with my ability to reference an appendix or section of a document. No more. I estimate that 90% of the time, the recipient(s) of my reference didn’t bother to go look at it. Therefore, they still don’t know what you’re talking about, but worse, you think that they do. It also gives you an opportunity to explain the relevance or your interpretation of the selection.

These are only some small hints, but sometimes the smallest gains in productivity are the best (because they are the most annoying).
