A long time ago in a galaxy far, far away, every piece of documentation at 38North Security was written by a world-class security advisor. At first blush, it sounds like a great idea.
But those were actually the dark ages, friends. As it turns out, documentation is needlessly expensive when produced by an ISSO. (Also, they hated it.)
As an experiment, I was brought on as the team’s first technical writer. Fast forward to today, and we now have a strange little group of people who produce and maintain high-quality documentation, freeing up our advisors and engineers to focus on what they do best.
Here’s what we’ve learned from that experiment: the value cybersecurity tech writers bring, the tasks in which they shine, and how to identify the good ones.
Beyond Documentation–Why You Should Use Tech Writers
Writers write. They put fingers to keyboards and somehow come up with a well-flowing narrative of how exactly a system complies with security requirements. That’s a given.
However, that’s not the only value a cybersecurity technical writer will bring to the table.
- Writing, editing, and formatting skills: Tech writers are, by definition, great at writing up accurate, professional, easy-to-understand security documentation. They also know their authoring tools inside and out, speeding up formatting tasks and coming to the rescue (for example, when the header text on page 73 inexplicably won’t move to the next line).
Learn more: I’m a Cybersecurity Technical Writer—Here are My Best Tips on Documentation Development
- Document management expertise: Tech writers are experts at document management: organizing documents, understanding repositories, tracking revisions and approvals, maintaining version control, and much more.
The importance of document management can hardly be overstated. Every documentation development project I’ve worked on, every single one, has run into document management issues. For example, someone may have updated or uploaded the wrong document, forgotten to use Track Changes, or created a local copy without telling anyone.
Tech writers have learned from experience to anticipate these issues, coordinate and educate their teams to avoid them, and leave breadcrumbs to follow back when a document inevitably goes astray.
- Cross-functional collaboration experience: Interviewing SMEs is an integral part of tech writing. Tech writers are accustomed to working across departments, gathering and documenting information from your technical engineers and architects as well as your HR and physical security personnel. Skilled tech writers can serve as the “glue” holding your teams together and keeping everyone on the same page.
- Relief for overburdened security teams: Burnout is a well-known problem in the cybersecurity industry, with overwhelming workloads and pressure to perform outside core skillsets cited as the leading causes. Shifting documentation responsibilities to dedicated tech writers relieves your security pros of an oft-hated task and lets them focus on other priorities. Reformatting a table, for example, is probably not the best use of your ISSO’s time.
- Cost savings: Tech writers are often cheaper than other specialized security personnel, offering a cost-effective approach to reducing the persistent cybersecurity workforce gap. In 2024, budget constraints, rather than lack of talent, became the primary cause for growing security staffing shortages.
Each organization is different, but talented tech writers are versatile with skillsets that are easily transferrable to governance, risk, compliance, and other security activities.
Where Else Do Tech Writers Shine?
Writing documentation is a large enough task that hiring a tech writer should make a huge impact to your organization. However, there are less obvious but just as valuable areas where tech writers can shine:
- Template development: Invest in reusability by having tech writers develop (and maintain) standardized documentation templates. Robust templates help ensure consistency across your document set and provide a starting point for security personnel who often don’t know where to begin when selecting information to include in a policy or procedure.
- Document management: Put your librarians in charge of the library. Keeping track of all the various policies, standards, procedures, and diagrams that need to be regularly reviewed, updated, and approved is a tremendous headache, particularly for busy security teams trying to focus on a hundred other things. Dedicated tech writers, who work with your document set day in and day out, quickly learn where everything is. They can tell you what needs to be reviewed, where the latest version is, who still need to approve, and nag them to do it right up until the audit deadline.
- Project management: Documentation isn’t just formal deliverables; as any project manager can tell you, documenting project scope, requirements, action items, timelines, and risks can be just as important and challenging. Tech writers are excellent note-takers (they have to be) and can provide invaluable project management support, improving communication, efficiency, and transparency among their teams.
- Quality assurance: Technical writing is detail-oriented work, focusing on accuracy, consistency, and usability. It’s always a good idea to run your documents by a tech writer for thorough review prior to submission.
- Support role: Tech writers are most effective in a complementary support role on technical and project teams. Just as you wouldn’t assemble a basketball team with all point guards, you shouldn’t staff your projects with only tech writers. Your writers should be supported by SMEs to ensure accuracy and relevance, while your SMEs and PMs should rely on tech writers for efficiency, quality, and usability.
Unfortunately, it’s not enough to decide to add tech writers to your security program. Not all tech writers are created equal. For every tech writer who crushes it, there are two who want to hold another 30-minute meeting to discuss whether “data” should be treated as a singular or plural noun. You need to hire the right ones.
What to Look For in a Great Tech Writer
Of course, tech writers with a solid track record of cybersecurity success are the safest bet, but those can be hard to find. Writers with general experience in IT or highly regulated industries, like healthcare, can often learn the cyber stuff on the job or through supplemental certifications. Other things to keep an eye out for include:
- Project Management Experience: Tech writing is all about collaboration and meeting deadlines. Tech writers can make great project managers, and writers with experience playing that role are much less likely to miss the forest for the trees.
- “Slash” Tech Writers: Look for hybrid roles like Tech Writer / Business Analyst, Tech Writer / Developer, or Tech Writer / QA Tester. Good tech writers are constantly learning new things, working with a wide variety of experts and business functions. Those who pick things up quickly tend to lead versatile careers, taking on new responsibilities to support their teams and developing expertise in their subject matter.
- Policy and Procedure Writing Experience: Policies and procedures are the bread and butter of cybersecurity writing. Experience writing these types of documents, even in other fields, goes a long way.
- Regulatory / Compliance Writing Experience: Whether we’re talking about ISO 9001 for a factory, HIPAA in a hospital, PCI DSS at a bank, or FedRAMP in the cloud, you’re still mapping requirements, assessing compliance, and documenting evidence. Tech writers with regulatory writing experience, regardless of the industry, can often transfer those skills to a security compliance environment.
- Work Samples: The proof is in the product. Always ask for work samples. Tech writers should be able to provide examples of their work to demonstrate proficiency and versatility.
Need Help Now?
Do you have an annual assessment coming up and need your docs updated immediately? Is your security team swamped with other priorities with no time left for documentation? Our experienced tech writing team, backed by our expert cloud security advisors, is here for you. Speak to a cybersecurity expert today to learn how 38North Security can support your documentation development.