Cool as McCumber: A Free Lunch

Sept. 3, 2009

I picked up the phone to talk to an old friend: “Let me buy you lunch,” he said. “I’d like to chat with you for an hour or so.”

“That sounds good to me,” I replied. “Let’s lock in the date.”

Who doesn’t like the offer of a free lunch? I hadn’t talked to my old colleague Jim in more than two years. He and I had worked together a decade earlier when we were both in uniform. The call was unexpected, but I was certainly happy to talk old times over a meal — especially one where I wasn’t going to pick up the check. We made our plans for the following week.

When Jim and I met for lunch, we spent several minutes catching up on our professional lives and made the obligatory references to mutual friends and coworkers. I knew he had something else on his mind, and simply spent the time in this desultory exchange until he got to the point of the lunch.

“I’ve got an idea for a book,” he finally blurted out. “I know you do a lot of writing, and I thought we could collaborate on a security book. It would be great. We could get our pictures on the cover. It would be a real career boost!” he exclaimed with heady enthusiasm.

I smiled inwardly as the real reason for our meeting became apparent. I had been working on my textbook for a couple months already, and as far as I knew, only my wife, my editor and my upcoming publisher knew about it. I decided I would keep it that way, and asked what he thought the subject should be.

“You know — a security and risk management type of book,” he said, as if we shared other professional interests.

As we talked over his idea, he waxed eloquent about his plans for the book — from how to get it published to how he could help market it. Jim pointed out the benefits of being published and talked about the credibility it would bring to our professional lives. He certainly made the prospect sound exciting.

The longer we talked, however, the more apparent it became that Jim had become enamored with the expectations of being published. He wasn’t interested in actually writing a book. He wanted to give me his ideas, and he was looking forward to reviewing my drafts so he could provide constructive comments.

After the table was cleared and the check paid, I explained to Jim that I thought he had a really good idea, but I had a lot of writing projects already on my plate. I explained that I was working on a national-level policy committee, teaching a graduate class and still had all the documentation requirements for my day job. I told him I would mull over his book concept, and would discuss it with him again as I completed some of my ongoing projects. We shook hands as we left for the parking lot, both promising to stay in touch.

Jim was looking more for a ghost writer than a co-author. He had apparently tried his hand at writing, and discovered the inherent difficulties of producing a marketable text. He wanted to hum me a tune, then have me write the lyrics — lots and lots of lyrics. In his world, we would be co-authors — his concept and my writing.

Writing truly takes a lot of effort. Writing can force you to synthesize your thoughts, focus your fuzzy ideas and define abstract concepts. It’s an ages-old practice that those of us raised on the half-hour television dramas and PowerPoint presentations may find archaic and unnecessarily demanding. Good writing is nothing short of work.

When I was assigned to the Joint Staff (a paperwork-heavy gig), one of my fellow staffers once told me that 90 percent of the documents we had to produce had already been written by someone else. He was a true believer in recycling the written word. He never lied about the sources for his documents, and he always gave appropriate credit, but it was always his primary mission to search high and low before ever putting pen to paper — or fingers to keyboard.

I’ve noticed the same trend recently with organizational security policies and requests for security products and services. Many government agencies and commercial enterprises are opting to simply copy language from other sources in lieu of developing their own policies. I have seen innumerable instances of incongruous citations, or even unrelated federal or state statutes, used to satisfy the requirements for a security policy. In other cases, these sources are cited as the basis for establishing requirements for products and services these organizations are looking to purchase.

When it comes down to defining your policies and spending large amounts of money for security technology and services, the cut-and-paste method of writing may not be adequate. Only your organizational decision-makers can adequately define their risk tolerance and the value they place on their data resources. If you don’t have the in-house resources or expertise for such an undertaking, it might be best to hire a professional to help you build your security policies. In any case, someone will have to do the writing, and there’s no free lunch.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].