Congratulations, Sara James, on the publication of your book, Radical Reporting: Writing Better Audit, Risk, Compliance, and Information Security Reports! It was published April, 27 by Routledge. We discussed your background and some of the key insights from the book in our chat together, along with some great stories in the trenches of technical communication. (Video of that chat is below).
But let’s go through your fascinating background and insights a bit more here in a Q&A.
Q: Tell us a little about yourself
I’m a report-writing geek and owner of Getting Words to Work.
My background is, I moved from academia through publishing to industry – IT and finance, with an increasing focus on audit and risk in the latter. I’ve combined my publishing experience and academic specialisation in languages and literatures. Helping people communicate more clearly is a perfect fit, as well as a rare skill set.
I’ve been running training globally now for over 15 years, delivering tailored report-writing courses to teams in various countries and sectors. My languages background helps immensely here, even when the focus is on reporting in English.
My goal is to make everyone’s life a bit easier – to stop writers from getting in their own way, which in turn makes stuff easier to read. Because we all have better things to do in life than read lengthy reports!
Q: What drew you to the space?
I’ve always thought IS people and IT people in particular beat themselves up about not communicating well. They – and others – point to technical terms, but the problem is more widespread. It’s not the tech speak – it’s the corporatespeak.
So I insisted on including IS reports in the title of my book, and asking friends and contacts of mine in IS for their views and experience. We’ve got everyone from the CISO of Connecticut to the IT Director of the Central Bank of Armenia quoted in there!
Q: Is communication important in cybersecurity? (He asks, twirling his moustache and playing Devil’s advocate)
Of course – because it’s everyone’s responsibility. The recent EU CISO report explained – in often mangled language – how important it is for IS professionals to get everyone in an organisation involved. Komitas Stepanyan - IT Director at the Central Bank of Armenia - is excellent at explaining what happens when good IS goes bad, and emphasizes how many breaches come from within organizations. When people aren’t even receiving the message that it’s not cool to put login credentials on a Post-It at the workstation, it’s just a matter of time before…another breach!
Q: What are the typical challenges cybersecurity professionals encounter in communications?
I think the first is of expectations, on both sides. Non-techies expect techies to speak and write impenetrably. Techies often feel they have to ape corporatespeak to be credible in a business setting. Bad habits abound on all sides in organizations, and habit, stress and often tiredness make clear communication even harder. It takes empathy and discipline – both in short supply most days, especially recently!
Komitas Stepanyan points to the common tendency to include too much info and unnecessary data: “CEOs, boards, audit, and risk committees don’t like when it’s unclear what’s expected of them. Sometimes it comes from lots of technical, low-level details, an unclear picture, or not enough research and effort into the options available.”
Q: How can good communications practices overcome those challenges?
By getting people to drop their habits and assumptions about language – that long, convoluted sentences are impressive, or that acronyms will show you’re part of the team – and just talk to each other. People say they’re too busy – but the time they spend clearing up misunderstandings and worse show this is a false economy.
In any organization, tone comes from the top. And far too many boards still don’t have enough people conversant with, let alone comfortable with, technical topics. When IS experts explain things clearly and simply to colleagues at all levels – from board members to new trainees – the whole organization benefits. Emma Smith, Global Security Director at Vodafone, is a huge advocate of clear, concise communication – she says, “Explain risk in real customer and business terms. Remove jargon. Remove or explain acronyms. Put yourself in their shoes. Use story telling. Data wins arguments. Be an enabler, not a blocker.”
Q: What are some practical tips for writing and communicating effectively in the cybersecurity space?
You know, they’re really no different from writing and communicating effectively in any setting. I often encounter people who believe there’s such a thing as “business writing” or “academic writing”, but I associate these terms with the worst sort of caricatures. Business buzzwords, pretentiousness, obscuring messages – these are often what people associate with business or academic writing. And I say that as a former academic who now runs a business.
It doesn’t have to be like this. Let’s just think of “good” and “bad” writing. Bad writing confuses, tires, and irritates readers, and often leads to no action or the wrong action. Good writing explains, clarifies, informs and sometimes even entertains! That's what I try to achieve in my book and in my articles – I regularly publish both industry and scholarly pieces.
The tips are simple – but not easy. Keep words and sentences short and simple. Favor the active over the passive voice. Avoid corporatespeak – what some writers call garbagespeak. (Molly Young wrote a brilliant article that should be required reading for everyone, everywhere: https://www.vulture.com/2020/02/spread-of-corporate-speak.html)
And finally, give yourself and your readers a break. We all get confused, we all make mistakes. If we can take the time to step back, take a breath and think about exactly what we want people to do, we’re likelier to find the fewest, best words to get our point across.
And just maybe, our readers will then stop keeping their log-on credentials on Post-Its. I can dream, can’t I?
You can purchase a copy of Radical Reporting here, from Routledge.
Sara James's book summary and bio:
Most people dread writing reports; they also dread reading reports. What they don't realize is that the techniques that make writing more readable make it more powerful. This is especially relevant for professionals in areas such as audit, risk, compliance, and information security.
This small volume provides the tools and techniques needed to improve reports. It does so through addressing crucial concepts all too often overlooked in the familiar rush to perform tasks, complete projects, and meet deadlines.
These concepts - the role of culture in communication; the link between logic and language; the importance of organizing thoughts before writing; and how to achieve clarity - may seem academic or theoretical. They're not. Unless writers understand their own thoughts, actions, and objectives, they cannot hope to communicate them at all - let alone clearly.
Sara I. James, PhD, CIA, is an internationally recognized expert in audit communications, delivering report-writing and other training to audit, risk, compliance, and information security teams worldwide (www.saraijames.com). With over 30 years' academic, teaching, writing, publishing and corporate experience in the US and Europe, she brings a wealth of varied yet specialist expertise to clients and audiences.