Nobody wants to read your s%!t

Nobody wants to read your s%!t

Robert Wood

I'm hijacking the title of a fun little book I read recently by the same title.

The point of this post (and the book) is that people have a lot going on. They probably don't want to seek out your writing or your work and read it. Therefore, if you want your work to get consumed, adopted, and ultimately add value, you need to make it better and get proactive about engaging with others.

While this little book is about writing with more impact, the principle resonates so strongly with our work in cybersecurity. So this week, we're going to look in the mirror and explore why it's so hard sometimes to get others to listen to us, but more importantly, how to get better at that.


Whenever you're communicating in writing, get to the point.

Is there a new zero-day out? Why should the IT team care to prioritize this over their other work?

Did your pentest find a critical SSRF bug? Why should the developers be putting new feature work on pause for this?

Did you refresh your team's strategic plan? Why should your senior leadership care?

It sounds harsh to think other people don't care about security. The bigger truth is that they've got a million other things to do, and you have to assume it's not top of mind.


Try not to write everything in jargon-heavy boring prose. You are a real person, and you're communicating with other real people.

Tone your message to the right level and make it interesting and relevant for them.

Keep it in the back of your head as your "what's in it for them?" versus "what do I get out of this when they listen?" will take you far.


Recognize that when you're communicating something to other people, they choose whether to donate their time to read it or engage with it. This isn't a given; you shouldn't frustrate yourself thinking it is.

Everyone's role in an organization is important, so it's all about priorities.

Even in incredibly urgent times, like communication around a security incident, articulating business impact (e.g., loss of customer trust, sales, media exposure, etc.) can grab people's attention.


Your communication should have a point. Step back and think about what that is before you send anything or say anything.

Can you explain what that point is in 1 sentence? Try it, and if you can't, maybe you've fallen victim to the all too comfortable place of rambling in your communication.

Concluding thoughts

Communication is one of the most important things we do as cybersecurity professionals. Getting better at it, especially in written form, is a skill that will serve you well throughout your career. As you practice, recognize and accept that nobody has to listen to you. They're choosing to.

So make your writing worth choosing.