Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

The importance of langwidge.

Language is vital to me in my role as a security manager. 

I rely heavily on it when I’m interviewing a job candidate.  I can tell pretty quickly what someone’s IT background has been and whether he knows what he’s talking about by the words he uses. 

Can he explain something in little teeny words?  Then he really does understand it.  Does he insist on using the textbook terms, and sound like he’s quoting rather than owning the words?  Danger sign.

“batch job” == mainframe background
“cron job” == Unix background

“information assurance” == DoD background
“IT security” == corporate background

“cyber”-anything == law enforcement or federal gummint background

using “risk assessment,” “vulnerability assessment,” and “penetration testing” interchangeably == clueless

And I hate it when people are sloppy in their writing, especially when they’re vendors.  If I see too much evidence of rote copying and pasting in a proposal, I suspect the vendor is just phoning it in and doesn’t really want the contract.  If I see less-than-literate language, it depends on its character:  I can tell when something is simply written by a non-native English speaker and I cut him some slack.  (Sometimes I can even tell the writer’s native language based on the English mistakes he makes.)  If they’re the kind of mistakes made by someone who grew up in this country and should know better, my opinion of his services plummets dramatically. 

In security, details count.  I can tell whether a brochure was written by a marketroid or by someone who really understands and cares about the product.  If I’m going to hire services, the most important thing I want to do is have a conversation with the staff who will actually be performing them.  I can tell by talking to them whether they’re going to be competent, diligent and trustworthy. 

I’ve had wonderful employees who were smart as the day is long, but I had to translate their emails whenever I forwarded them outside of the group.  For those who were non-native English speakers, it was even worse:  you tend to use smaller words when you’re not using your native language, and that often makes you sound blunt.  (For Germans who ARE blunt, it’s even worse. ;) )  I’ve had to resolve many a misunderstanding between colleagues that came from an unluckily phrased email message, especially when they’d never met in person.

Language counts when I’m trying to write policies, troubleshoot problems, define risk, sell ideas, and educate users.  It’s amazing how much of my time is spent arguing semantics in functional specifications. 

By the way, did I mention that I’m an INTP? :D

Posted by shrdlu on Friday, May 18, 2007

Comments

Netherlands on 05/19  at  09:17 AM:

I am a non-native English speaker, who has worked a lot in international projects. Stories like this always remind me of this high-up project manager for a “global financial organization”, who kept on referring to his “family jewels” in a project review session with an EU commissioner.

Of course, he actually meant to refer to his crown jewels. And in this case: he should have known better :)

BTW: I read this post three times before I noticed the little twist in the title! Keep up the great posts!

LonerVamp United States on 05/19  at  11:58 PM:

I can definitely be a grammar snob; while I don’t correct most people, I try to maintain my own correctness while not quite compromising any style I may have (I have a small background in creative/personal writing). But in this new world we live in where I can speak as easily with someone in India as in the States on mailing lists, forums, and emails, I have definitely made my own disdain of language mangling much smaller. Every day I see posts or news or emails that have broken and/or poor English, but that’s the nature of our realms these days. My own biggest problem is keeping things short and concise now that I’ve been initiated into the corporate world after leaving college.

Oh, and I’m an INFP. :)

Riskable United States on 05/21  at  04:11 PM:

Crap, does this mean that I shouldn’t change the words I use depending on who I’m speaking to?  hehe

Example IT manager question: “So, how did the security, er, test go?”
Me, trying to dumb it down for him: “The… TEST resulted in many findings which will have an impact on…  Your IT Security.”

The conversation might not be very fruitful but at least he’ll get a decent report…  With the results of auditing *and* penetration testing *along with* recommendations for remediation.  Assuming they paid for all that, of course.  Sometimes no matter what you say they only want to pay for “A security consultant to come in and look at things.”

Then there’s the folks who just want a report to file away so they can fill in some checkbox.  It is often very difficult to explain to these people that if they *are* audited regarding that checkbox they’re going to be asked why they didn’t “fix” the issues outlined in the report.  Sigh.

I should also mention that I use an entirely different “language” when communicating with the technical people stuck managing these systems depending on their reaction…

Angry: “Yes, that is a real vulnerability.  Yes, these vulnerabilities were always there.  No, if you turn to page 5 you’ll see that you have *not* ‘just been lucky’ this whole time.”

Sad/Pathetic:  “Oh don’t feel bad.  I’ve seen MUCH worse than this.” (which is always true since it is the angry folks who have the worst reports)

Indifferent: “Well, even if you don’t plan to do anything about ‘admin/password’ on twelve critical systems I highly recommend you get rid of the trojan/FTP server installed on host X and that you at least turn off those 10 Windows 95 machines you’re not even using (which are infected by so much stuff the machine report runs for pages).”

Excited: “Yes! IT Security! Is! Possible!”

Nervous/Concerned: “You have the right attitude.  Now let’s prioritize fixing these problems before they come back to bite you.”

-Riskable
http://riskable.com
“A closed mind cannot open another.”
