The importance of writing well
I have always enjoyed reading and writing. Coupled with my personality and starting my career at EY, I quickly developed a high standard of quality for my writing. It's been noticed and I've received a lot of positive feedback about it over the course of my career. That being said, I'm no prodigy at writing and I still have a lot to learn. My goal with this post is to bring more attention to the impact your writing has on your career and provide some very tangible and helpful tips to keep in mind.
Why is this worth posting about?
High-quality writing is actually pretty rare and doesn't get talked about as a skill in cybersecurity nearly enough. I've never seen it officially mentioned on any HR leveling guide or promotion packet, and yet I've seen people get denied promotions because their documentation and writing weren't good enough. I see really basic mistakes and issues made all the time. A well-written and organized document can truly be the difference between a document that is appreciated and used daily and one that is never used at all, even with the exact same content.
It's a skill well worth investing time into developing and improving for the sake of your career.
Taking the time to up-level your writing skills in any role is important, but for GRC roles in particular, exceptional writing skills are critical, and a lack thereof will hold you back.
Why do I say this?
The work GRC teams do inherently gets a lot of attention both inside and outside the company. For example:
SOC reports are often the first thing prospective customers see that isn't from the Business Development team. A good SOC report demonstrates quality throughout the organization.
GRC teams create Risk and Compliance reports for the Board of Directors.
We develop risk write-ups and risk treatment plans for review and decision by a Director, VP, or C-suite.
The corrective action plans we write must drive buy-in and prioritization from teams across the organization.
The Internal Security Policies and Standards published and broadcast to the entire company are our responsibility. They are sometimes even shared with customers during their third-party risk management process.
Some general tips and things to look out for:
Consistent and logical formatting is a huge part of making a document easy to read and look polished:
Use the same font type and color for the entire document.
Keep font size consistent (not counting headings, titles, etc.).
Use the same heading structure consistently. E.g. All “heading 1” headings should be the same size and “heading 2” should be organized under a “heading 1” section.
Use consistent indentation for bulleted and numbered lists.
Use paragraph breaks.
Use spellcheck*.
Use appropriate grammar and punctuation:
Avoid run-on sentences.
Use the correct they're, their, there's; effect and affect; it's and its; your, you're; everyone, every one; etc.
For bulleted lists, decide whether you are using a period at the end of each sentence or not and then be consistent. Don’t do both.
Use Oxford Commas! Oxford Commas reduce ambiguity.
Spell out acronyms the first time they're used.
Avoid using the word “that” as a filler word. It gets heavily overused as a filler word and is usually unnecessary. Avoid unnecessary words.
Other tips:
When creating or using a spreadsheet, the native spellcheck does not actively mark issues. You need to manually run spellcheck.
Less is more. If you can get your point across in 1 sentence, don't use 4.
Be super careful about copy/pasting from other places. That is when I see most of the formatting issues pop up. I nearly made a formatting mistake in this post because I was copying from G Docs. I recommend using the "Paste without formatting" option and triple checking everything.
Organize the document logically. This is probably the hardest point to teach. My best advice is to read the document from the perspective of someone unfamiliar with the content and try to proactively answer questions they may have by organizing it logically.
If a document is just not coming together how you envisioned, start over completely. I often find trying to rework an existing document to flow how you envisioned takes more time and is more frustrating than just getting a blank slate to start from.
Familiarize yourself with the SBAR format for organizing and communicating information. It was first developed by the military and has since been adopted in healthcare. The format is super versatile and works really well for many use cases. With slight adjustments, the SBAR format can be used for almost any type of document you need to create.
Use writing tone intentionally. Tone can be formal, casual, funny, inquisitive, sarcastic, etc. There's a time and place for all of these and it's okay to mix different tones into a document, but make sure you're doing it intentionally. Your tone creates a subliminal effect that influences how the reader interprets and feels about the content. One simple example I frequently use is to not capitalize titles and headings, which makes the document tone more casual. I find this particularly helpful for documents like Security Policies or Corrective Action Plans that can be very formal and scary. Making them a little more casual draws the reader in and makes them more approachable. Just make sure you're consistent; if you have some headings capitalized and some not, it will just look sloppy.
Get peer review before you send it for manager or executive review.
Finally, know when to break the rules. I broke some of my own rules in this post.
These might seem obvious, but they are obvious shortcomings I see all the time. As a manager, reviewing work that needs little to no edits is very, very much appreciated. It also gives me confidence you're ready to work directly with executives and/or get promoted.
*For spellcheck, be careful with tools like Grammarly. It's a great tool and you should use it for personal documents. However, it is against policy for many companies because it is essentially a keylogger, sending every single letter you type back to Grammarly. When in doubt, the native spellcheck in G Docs, MS Office, etc., is usually sufficient.
View this post and associated discussion on LinkedIn as well.