Rhetoric, The IT Security Manager, and The Overused "!"

Stamps, Baseball Cards, Coins... Just a Few Common Hobbies.

But I’m gonna let you in on a little secret; I’ve formed a little hobby of my own: collecting egregiously bad internal/enterprise IT communications emails.

Yes, it’s a very exclusive club and yes, I’m very cool.

The tough part is, that many are from the good folk in information security.

Today, I received a (fully scraped and anonymized, of course) example of a recurring, but unfortunate email. The topic? The rollout of a new IT security awareness program. Brilliant! Christmas has come early. Let the criticism commence...

Let's Dive In, Shall We?

Now, before I whip out the red marker, I’d like to deliver a hearty kudos to the IT security team for including an awareness program, and using words like “culture” in the same sentence as “cyber security.” (Seriously, it’s crazy how rare those words are used in the IT collective). It really is noteworthy and a strong few steps forward on the journey towards a people and cultural approach to cyber security.

BUT, (and here comes my red marker) mature and advanced programs (re: SANS 2021 Awareness Benchmark Report) spend more time and have greater skills in communicating well to (and with!) those pesky humans at your organization.

So, what irked me with the forwarded communication I received?  Total supersaturation of one of the best (and arguably, an embodiment of America) types of punctuation- the illustrious exclamation point. It was liberally spread throughout the announcement, as though it was a dare to see how many they could implement.

The Great Exclamation Point

Why am I so hellbent on coming face-to-face with the line and dotted beast? Because, believe it or not, the exclamation point can be used to display a plethora of emotions, not just excitement. It’s also the easy way out for the writer to convey their emotion, which mostly, if not always, tends to make it fall flat.

Don’t believe me? Here are a few examples from the email:

• We’re rolling out a new security awareness program!!

Yes, there were two exclamation points. You immediately got that sour taste in your mouth, didn’t you?

NOTE: The only time you’re allowed to use two is if you’re telling your friend “Let’s go see Fast and the Furious!!”

• We need to have a security-aware culture and that is everyone’s responsibility!

It’s clear the writer is trying (keyword: trying) to get the audience jazzed- but if read the wrong way, could this be seen as threatening? I mean, Infosec communications never sound like that, do they? *Cough cough*

• I know everyone will join me in building a culture of security intelligence! 

Seriously, they won’t. They’re speaking to an empty room and they know it, but they’re hiding behind the exclamation point.

I get it, the Infosecurity Manager at this company was trying to convey excitement, and encourage end-users to embrace security awareness- (yay for Governance?) but the art of rhetoric is about understanding your audience in order to create a compelling argument, not putting your faith towards unstable punctuation. Placing myself in the ‘average end users’ shoes while reading the email- I was feeling about as useless as an Oxford comma.

Let's Change Up The, Dare I say, Rhetoric

Rhetoric (Noun): the art of discourse, wherein a writer or speaker strives to inform, persuade, or motivate particular audiences in specific situations. 

What makes it work? Well, pertaining to all of Infosec, I think we have enough Spock, and we need to work on our inner Kirk.

Here are 5 things to consider when drafting your next IT Security Communication Asset: 

1. Specify your audience. Will this be the whole company or just the executive team? Make them feel addressed WITHOUT actually addressing them.
2. Nail your tone. It should tie into who you are as a team, but also align with company culture and its values.
3. If possible, make it visual. In our increasingly hectic modern work lives, long-winded emails will have a very low read rate, let alone comprehension rate, let alone response rate, etc. Plus, pictures in a corporate email? Sign me up!
4. What’s the Purpose? Here’s where Kirk comes in. Exclamations do not excitement make- you have to tap into who your audience is and what they want. Connect with them: goals, plans, pain points, challenges, struggles, sense of fun or wonder… there are a million ways to find out. But, alas,  ‘proclamation’ isn’t one of them.
5. Write it once. Word vomit, then cut it down by 50%. Use only the words needed to survive. In this type of email, brevity is the soul of wit. (That’s not Aristotle, but the Bard did know a thing or two about rhetoric, but probably not emails...).

Take advantage of the word “Rhetoric.” And hey, give the period a chance, will ya?

WRAPPING iT uP wITH a pRETTY lITTLE bOW

Here at Cyber Maniacs, we know how hard it is to get people excited about Information Security, but wanna know our secret? We love the challenge. It’s kind of our thing.

We freely admit that communication is like cutting down a tree with a fish. Messaging and marketing and getting your voice heard and understood is ridiculously hard. Why do you think companies spend billions of dollars marketing to all of us as consumers? Why is there an entire industry focused on getting out attention and shoving info into our brains about their products? If it was easy getting humans to listen to you- then anyone could do it.

We believe in a guilt-free zone- it’s not IT or Information Security’s fault (to date almost no one I’ve met in these functions has ever had formal marketing training. Maybe some comms, but nothing that is really deep or cutting edge).

Remember:

Excitement for you is not necessarily excitement for them. *Ahem* Remember my exclamation point rant? *ahem*

Last, but not least (and watch me use this exclamation point properly):

I want YOU to be excited.

Good luck, live long, & prosper.