In my vlog I started talking about books that influenced the way I think about information security, like "The Black Swan", "Irrationality, the Enemy within" and "How to Measure Anything".
Note: Original author unknown; this was collected around 15 years ago.
Popular as it is, the web is not the most-used Internet application by transaction volume. Email is. It's also the most misused. Since it's such an important and often overlooked component of our online lives, I'm going to step away from preaching about the web for a moment and focus on simple steps to make your email discussions more effective.
If you grew up like I did, you were taught how to write a letter. You learned how to write business and casual headings and salutations, state your purpose, make a request, set expectations for a response, and wrap it up with a Very Truly Yours.
But an email is not a letter, and you're not typing at a Selectric II typewriter. You may look at the days of formal graces in written communication with some sadness, but rest assured that they are as dead as Dillinger. If your purpose is to solicit information or action from another person via email, you must make that clear to them at the earliest possible point in the message.
I get hundreds of emails a day, not counting spam. I know I'm not alone. Email overload is a problem, and it will probably only get worse.
It's tempting for geeks like me to propose some kind of microformat as a solution: begin subjects with these words, format the first line like that. But email is too widely distributed to corral into any kind of structure now. All we can do is focus on quick, concise, effective communication.
People differ in how they manage their inboxes, but attention to a few details can help make your messages more usable for everyone. These are the factors I've identified that will help you get a quick and valid response:
It's the soul of wit, you know.
Short emails rule. When I get an email that's several pages long, I have to make some decisions: do I have time to handle this now? Is it important enough to come back to? Can I pass it on to someone else? If I can't say yes to any of these, I will probably never get back to it.
You may have lots of information to share, but in email you are in a long list of others competing for your recipient's attention. Keeping it brief is a sign of respect, and it's less likely to cause added stress to your reader.
Supporting material or other important info can be attached, but keep it separate from who you are, what your issue is, and what you want from me.
If you're passing a thread along, trim what isn't needed. Why make the email look longer than it really is?
If I don't know you by name, tell me how you came to contact me. We talked about mixers at a podcasting meetup. You saw a panel I was on last year. You divorced me and married my best friend from high school. Something I would remember. I don't need or want a resume, but I do need to know where you're coming from.
Getting a lot of responses asking, "What do you mean?" Context is your problem. When you're asking a question, anticipate any missing details that could cause an extended back-and-forth. Each time someone sends you a reply, you've gone to the back of that person's line. Do what you can to make your emails count the first time.
And for god's sake, have a subject line. One that makes sense. Some of the most important emails I've received didn't have a subject, and they almost fell through as a result. Don't waste that space with words like "Important" or "Re: Re: Re: Re: Re:". If the topic changes, change the subject line to match it. Remember that on recipients' screens, your subject competes with a large number of others for their attention.
Something to act on
Make your requests clear.
You should set them apart from the rest of the message by paring them down to one sentence, with white space before and after. Make lists with dashes, asterisks, or bullets if you use HTML email. Closed-ended (yes or no, this or that) questions are preferred; open-ended questions can get long and involved, reducing their overall relevancy and the likelihood that you'll get the response you desire.
Don't give people an excuse to misread you. If you've written a request at the end of a long paragraph, or been passive ("it'd be nice if somebody could..."), it's likely to have been missed on the receiver's end. If you sent an email, you have a point. Get to it.
- Can I call you tomorrow morning at 10am PT?
- Here is my contact info for your address book.
- Would you send me any links you have where I can read more about x?
- Would you forward this to person y?
- I need your travel itinerary by end of day.
Given that most of us have several current projects to keep up on, it's not very likely that we'll be able to spend more than 10 minutes at a time helping someone who is emailing me out of the blue. My ability to draft my famous page-scrolling expositions of a given issue is limited. If I've already written something that covers it, I might just send you a link. Otherwise, if you can frame the question such that a lengthy answer isn't required, you're apt to get a quicker response.
There comes a time when the response you seek is no longer useful. If you know when that is, tell your recipient. This can be a good way both to prompt a speedy turnaround, and to let people off the hook in the long term. When someone sees that, for example, you need a proposal in a timeframe they can't make, they will probably bow out, rather than leaving you hanging. Everybody wins. Especially whoever it is you end up choosing in their place.
You can't win them all. If you need to send a single reminder, do so, but if that doesn't do the trick, pick up a phone. If it's not important enough to call the person directly, then let it go.
Daily reminders suggest to recipients that they're being bossed around, and that's not the best way to manage people, and certainly no way to treat casual contacts. They may be too busy, or away from the computer, or actually working on your last request. If you're forcing the issue, you don't improve your chances of success with that person in the long term.
Review of the books "Inviting Disaster" and "The Logic of Failure"
In this entry we introduce two very interesting books for information security practitioners.
Accreditation of an ISMS can give you several choices. One choice is your Risk Assessment method, another is your Scope, expressed in the Statement Of Applicability, and you can choose to leave some controls out as well, if you can explain why they don't apply to you.
Choice is, generally speaking, good. But for accreditation, this brings a reputation issue. The reputation of a certificate holder is as good as the market perception of the performance of the worst of all certificate holders. Education certifications and diplomas, for example, carry more reputation the LESS choice you have in your studies, not the more choice you have. Doctors can't choose not to take Anatomy, but Arts students can study nearly anything (depending on what country you are based in).
The existence and significance of the Statement Of Applicability is well beyond anyone who is not a specialist. This means it is possible to choose a very narrow SOA, totally unrelated to your critical systems, for the sake of getting accredited, regardless of your real information security posture. This is bad for certificate holders that choose real SOAs, as their competition can get the same reputation for a far smaller investment. Another side effect of choice (SOA et al.) is that a big financial company with several sites gets certified as easily as a small technology company with only one site. I think that is BAD, as the effort, resources and quality of implementation can be quite different. If I ran a big company I wouldn't especially like to spend a lot of time, effort and resources to get a certificate that just anyone can have, doing far less. Another side effect of wild choice is that a big financial company with several sites gets certified as easily as a small technology company with only one site. Again, I think this is BAD, as simple technology infrastructure should be simpler to secure than a complex one.