In-Reply-To: <[EMAIL PROTECTED]>
Darian,
Hopefully, I can share a few experiences on my
own in writing skills and how it involves. I try to be
as "bi-lingual" as I can, i.e. being able to speak techie
and being able to speak the analytical/decision maker
actionable items. It is a tricky and winding path, but
personally very interesting and rewarding. As such, I
have emphasized analyzing on the very technical
aspects of an issue and the "big picture" or very
consise threat/actionable item needs.
There are numerous areas within INFOSEC that
require a clear and concise explanation of threats and
the ability to communicate these effectively to a broad
audience. For example, national-level threat
documents require detailed analysis and the
audience can vary from a single individual to senior
decision makers. Each audience has their own
interests and needs, and the document must
communicate effectively to all by guiding the reader to
a clear, actionable conclusion. Usually, this has to be
all within one document!
As such, some of the areas I would recommend
that you get involved with in either creating or at least
assiting with would be:
- Analytical threat documents
- Security advisories
- Risk assessments
- Senior executive/decision maker briefings
- User advisories
- Standards and Guidelines
- "Technical/analytical observations"
The last part takes some explaining. In the great
teams I've been involved with, there's an "informal"
reporting system that we use. For example,
everyone typically forwards a news story to a
colleague, friend, etc. These simple opportunities
can be a great way to share your personal unique
knowledge on an item by offering up some advice or
observations on the impact of the change, an
evolving trend, or simply a recommendation on an
action.
I'm not sure which area your organization focuses
on, but hopefully one of these areas will be available
for you to gain experience in.
In addition, many times, a threat will require an
immediate briefing or analytical product to This not
only applies to government, but to industry,
education, any service involved in systems in
general. The pervasiveness of computers and the
speed at which systems can be affected require
clear, immediate attention to the threats. As an
engineer, you may be tasked to provide the technical
portion of the threat that may need to be distributed to
the entire organization.
Any or all of these areas would be excellent to hone
your developing writing skills. Each of these areas is
a unique challenge to communicate the problems we
all face getting our message across to decision
makers. For each of these areas, there are
numerous examples I can recommend offhand taking
a look at (some of which I've been involved with):
- NIPC Advisories:
http://www.nipc.gov/publications/highlights/highlights.h
tm
- CIAO (several threat documents):
http://www.ciao.gov/
- NIST Security Guidelines (NIST is tasked with
creating security guidelines and standards):
http://csrc.nist.gov/publications/drafts.html
- NIPC CyberNotes:
http://www.nipc.gov/cybernotes/cybernotes.htm
- CERT (the obvious advisories): http://www.cert.org/
- Any of the many security mailing lists
- This site!
Reading and studying the writing styles in each of
these publications is a great way to learn the writing
skills necessary for INFOSEC publications.
.At any rate, hope this helps somewhat in where to
find information INFOSEC examples of "strong
writing skills"! Good luck!
Regards,
Andrew Boncek
UNISYS
Senior INFOSEC Engineer
