Cyberweekly #220 - Communicating with your staff

Published on Sunday, January 29, 2023

One of the hardest challenges for new managers is learning how to communicate effectively as a manager.

One of the things that makes this difficult is that the career path to management, especially in technology and cyber, is not always straight. Previous roles can vary from technical specialist roles, like developer or devops, to project management or product management. Most roles in that career path don't require writing clearly and constantly as part of the job. Where they do, it can be to technical audiences, or within specific contexts.

Writing down your vision and communicating it requires a lot of practice. It requires you to be able to articulate your vision well, and it requires you to be able to succinctly summarise it. You'll have to communicate that in writing to people over and over again, until people accuse you of repeating yourself, and even then you'll hear people telling you that they didn't know what it was, or didn't understand it.

But furthermore, you need to be able to take a complex vision and context, and set it out in a memorable fashion, laying out not only what you want to achieve, but providing threads that let the individuals see how their work connects with it.

This isn't a set of skills that one learns overnight, and technical careers often don't prepare you for writing in this formal style. I confess to not being the best writer in the world. I tend to write very informally, with too many words, and it's generally far too discursive for this style of reading. It's a skill I've had to practice over time (and I'm sure going back through CyberWeekly back editions will give you a taste of how my writing has improved... hopefully!).

If you are new to this, look around for examples that others use in your organisation. Use the vision set out by your executives, and learn from stakeholders and partners around you. Listen to your staff, and ask them what motivates them, ask them how their work relates to the company goal, and listen for the gaps.

And then, it's just practice, practice, practice.

    The Anatomy of an Amazon 6-pager. A deep dive into writing detailed… | by Jesse Freeman | The Writing Cooperative

    The last thing you should know, which is perhaps the most critical part of the entire process, is that your 6-pager needs to stand on its own. One of the things I admired most at Amazon was their ability to transfer knowledge between different groups. Any time I interacted with a new group, I could ask to see their OP doc and get caught up on everything I needed to know. For this process to work, it means you need to write your 6-pager in a way that allows anyone, even people not familiar with the subject, to know what is going on without additional research. I’ll get into some of the ways you can do that later.


    The main goal of authoring this kind of document is to craft the entire thing as a narrative. That doesn’t mean it needs to be an entertaining story. It merely means there are no bullet-point lists, no graphics, and no fluff in the document’s core 6-pages. Since it’s difficult to sum up the contextual information like data, graphs, or examples in narrative form, you can add it to the end of the document in an appendix. This allows the reader to choose what to look up for additional information as needed. It also allows you to store bulky, complex data visualizations without breaking up the narrative’s flow.

    At this point, we are ready to break down the skeleton of the 6-pager. Again, this might change slightly based on the document’s goal, but for the most part, it works like this:

    • Introduction — This needs to set up precisely what the material is going to cover and to inherently state the general direction of where the document plans on going.
    • Goals — List right up front what the metrics for success are so we can use them as a lens to see the remaining document through.
    • Tenets — This is a very Amazon thing where every action has some clearly defined north star. There are a lot of ways to word these. Generally, they are inspirational pillars that the rest of the plan sits on top of (go with me on this one).
    • State of the business — This section is another important one. You need to inform the reader of the current state of the business. There needs to be a lot of detail here, which sets up the points to compare against in the next section.
    • Lessons learned — Amazon is big on data. This section will outline the current state of the business and its influence over creating the goals you need to achieve. It should be a detailed enough snapshot to give the reader all of the data they need to understand the positive and negative activities in the prior period.
    • Strategic priorities — This is the meat of the document and lays out the plan, how to execute it, and should match up to achieving the goals stated at the top of the document.

    Of course, each of these sections has a specific job in building the narrative of the 6-pager. To pull it all together requires a certain amount of finesse. Luckily, I’ve made it through meetings needing to make only minor changes, and I’ve been in meetings where someone’s entire document is ripped apart line by line. I don’t profess to have the experience to say mine were better than others, but I did have a few good mentors. So here is how I decided to write my sample 6-pager.

    Those of you who have worked in the UK’s Civil Service will have heard of a Sub, or a Ministerial Submission. Although there are lots of issues with a Ministerial Submission, mostly overuse, the basic tenets of writing a good Amazon 6-pager and writing a good submission are very similar.

    Executives and other people in your organisation are never going to know the details of your projects and your plans. So you need to be able to communicate, simply and effectively, what your plans are, how they meet their goals and how they can support it. Therefore, learning to write well is one of the most valuable skills you will learn as a manager.

    How to write an Amazon-style narrative memo

    Ok, so you’ve got the basics of the document structure and writing clearly. But how do you actually make your narrative effective? Here are the four ways that I often see narrative memos trip up:

    1. You don’t give enough context for the situation, so people don’t understand correctly what you’re doing, the magnitude of impact or why they should care
    2. You bury your asks in paragraphs of text so that the reader can’t distinguish what’s important from the other paragraphs
    3. You outline opportunities or asks without situating them in business value so the reader doesn’t care about them
    4. You ask for resources without evidence that you’ll be able to use the resources to meet your goals so you fail to convince the reader that it’s a worthwhile use of funds

    So let’s break these down into four ways you can strengthen your memo and make it more effective:

    Every narrative memo is supposed to have an introduction and a state of the business section. But despite this, it’s often the weakest part of the narrative.

    As we covered in how to make an SEO strategy, good strategy consists of a diagnosis, guiding policy and coherent action. This diagnosis should not be under-estimated - it’s not a simple summary, it’s not a high level snapshot of metrics, it’s not a single chart. It’s a detailed look at the current situation, paired with an expert diagnosis to inform the reader about “what is going on”.

    Because the situation tees up the whole strategy, it’s often one of the last sections that I edit - working on this section ensures that whatever strategy you’re proposing actually relates back to the situation.

    Good general writing advice here. There’s a huge amount of stuff written about the structures of Amazon-style memos, or their meetings. But the substance is what matters. A 6-page memo is about clarity, good writing, and clear take-aways.

    Triggers & Pivots - by JP Castlin - Strategy in Praxis

    So, something I've seen across many organizations is what I call the “vision chasm”. The leadership believe they need to set a vision and mission, to define what they'd like things to be in three years; usually, this is "all the complaints and restrictions that are annoying us today have magically gone away". Meanwhile, all the people who are doing the work have a clear picture of what they're doing for the next three weeks, but no idea how anything they're doing relates to the magical vision.

    And, crucially, there's rarely anything in-between. That's the vision chasm. People try to fill this chasm with planning, like road mapping. A narrative around social beliefs tends to become the currency that gets work onto said roadmap – which needs a sort of shutting out of reality in order to protect these beliefs long enough to get something done.


    I think Teresa Torres put it well: "You are not one feature away from success and you never will be." But all of this stems from believing that a product is a thing made up of features, and that building a product is about bolting the right set of features together.

    Communicating vision is so much harder than it sounds. I've met many leaders who believe that they are communicating a vision, but in fact they are pointing at features, at things they want. These things cohere in their head to make a vision, but they don't themselves make a vision.

    A vision and goal is more than just the collection of features, but communicating the vision is something that you need to do over and over and over. Repetition, clarity and simplicity are key when trying to get that across.

    How to spend your first 30 days in a new senior-level role | Lara Hogan

    First 30 days: sponge mode

    We’re calling your first 30 days “sponge mode” because your primary job during this period is to soak up information.

    This means, for your first month, you should be in listen-only mode. I’m serious! These first 30 days are the biggest opportunity you’ll ever have in this role to build trust with your teammates. Don’t squander this opportunity by coming in and enacting change right away.

    I totally understand the desire to kick off your new role with a few tiny changes to team processes, meetings, roadmaps, etc. You might be eager to do this because you want to:

    • prove you were the right choice for the role,
    • demonstrate progress or your impact as soon as possible, or
    • build trust and strengthen these new relationships by enacting the changes your teammates want to see.

    This might come as a surprise: no matter how well-intentioned you are, enacting change within your first 30 days could jeopardize your trust and standing. So if you feel any of those reasons eating at you, please pause. Spend these first 30 days sitting in on team meetings and talking to everybody on the team.

    This is good advice, and not just for a new job, but joining a new team, a new project. It’s always far too easy to look at things from the outside, and come into a new situation thinking you know exactly what to change. But chances are that your instinct is wrong, or at least that you need data to back you up.

    Spend your first 30 days meeting people, understanding what they want, and understanding what the second and third degree implications of any change will be. If you do that, you are far more likely to suggest a successful change.

    Your Best Work – Rands in Repose

    Our devices are full of needy applications and services. Our planet is full of media outlets desperate for our attention. Our politics are orchestrated as entertainment. Combine this with the fact that we’ve spent two years plus working in a distributed fashion where every needy application and delectable headline is sitting in a window directly next to your meeting.

    Just a glimpse. Don’t worry. No one will know.

    Maybe this is easy for you, but two years plus of video conferencing and my already focus-impaired brain needs a profound cleansing reminder. Focus is the entirety of my attention focused on one thing. This person, this meeting, this design.

    But what about this other semi-related thing? Let’s wander in that mental direction for a bit…

    No, all I am doing is this.

    But you’re the people person. Read the room, Rands! What is the intriguing political dynamic of this particular group of humans? I wonder…

    No, I am here to do one thing. The reason why I was invited was to participate.

    But I’ve heard his story before, and he’s going to be talk talk talking for the next five minutes, so you know what I’m going to do? Just check Mastodon real quick. No one will know.

    They won’t, but I will.

    This is a useful reminder to focus. I try my best to focus on one thing at a time, but the world is filled with distractions and deadlines all around. But actually focusing on the thing in front of you is important. It tells your staff that they matter, and it means that you must prioritise.

    Focusing means making choices, which means determining what is important enough to focus on.

    Cyber as statecraft, not war — Defense Priorities

    A continued military-centric approach to cyber issues risks underemphasizing the other core competencies of U.S. statecraft—intelligence, diplomacy, law enforcement, and other tools—necessary to address illicit cyber activity like ransomware and state-backed hacking.

    The most persistent and enduring threats from the cyber domain are best addressed through investments in law enforcement, civil infrastructure, public-private resiliency, and international coalitions—less through military superiority.


    The relatively muted success of Russian cyber operations in achieving its military and political aims in Ukraine in 2022 calls into question notions about cyber as a decisive, coercive element of modern war and suggests a more ancillary role.

    More broadly, in pursuing both battlefield and strategic political objectives, nation-states largely fail to demonstrate in practice the decisive power cyber weapons provide in theory: deterrence, compellence, escalation dominance, or signaling. Kinetic weapons offer more speed, control, and intensity during a conventional armed conflict.

    The primary threat to the U.S. from both nation-state and non-state cyber actors stems from their increasing capacity to conduct more traditional forms of interstate competition: surveillance, espionage, subversion, deception, and disruption, all of which occur below the level—and often in lieu of—conventional armed conflict.

    This is an interesting thinkpiece, which suggests that the US in particular has over-militarised “cyber”, and needs to focus instead on the other areas in which cyber plays.

    This is a fascinating idea because it really shows in stark relief just how much the cyber domain is a dual purpose domain, far more than any other military domain. Sure, the money we spend on military capabilities also provides civilian capabilities, but generally, the state's investment into military capabilities is there to affect other states' ability to conduct war, and the sub-threshold levels of competitive advantage are often not as direct (at least for the world's superpowers; that isn’t as true for the smaller state powers).

    But the ability to use cyber offensive operations for law enforcement, for espionage and for trade advantage is something unusual about cyber offensive tools. It’s also true that cyber defensive tools can be used to limit other states' abilities to support, encourage and control such behaviours themselves.

    Of course, this means that questions that derive from cyber offensive capabilities in particular, such as equity release processes, attribution, and targeting and prioritisation, must be considered through a dual lens of both military capabilities and domestic and economic capabilities.

    Why Zero Trust Works When Everything Else Doesn’t

    The overwhelming majority of security professionals believe implementing zero trust is a major priority. But actually, very few organizations have fully embraced it or even begun the transition. One survey found that three-quarters of organizations say zero trust is critically important, but only 14% have implemented a zero trust strategy.

    Why is that?

    The same survey found that a “lack of clarity” or organizational understanding is the main barrier to adopting zero trust. About 94% of organizations say that they face those challenges.

    Another major barrier is simply the time and energy it takes to make such a large transition. Achieving zero trust can take two or three years to implement and mature. The common sticking point is clarity — clarity about what zero trust is exactly and clarity about how to go about implementing it.

    Zero Trust is a huge tradeoff in security for complexity. The added complexity is going to make mistakes far more costly, and makes purchasing equipment, bringing in suppliers and building new systems far more difficult.

    It does work in theory, but one thing we should be careful about is understanding how well a half-baked implementation of zero trust might work. We’ve spent the last 40 years working with the impact of half-baked implementations of DMZs and segmented networks.

    TikTok is a National Security Risk, Not A Privacy One

    TikTok has dominated the news cycle for years over the potential that they could abuse user data, despite being able to obtain vastly superior data elsewhere. It’s become a fixation, at extreme detriment to the broader discussion. In the meantime, congress has rolled back privacy laws, done nothing to limit the sale of user data, and current cybersecurity legislation leaves a lot to be desired. Overall, I think the “privacy threat” posed by TikTok is inconsequential, especially against the backdrop of the near constant data breaches, as well as companies trafficking in personal information. But that’s not what this is actually about, not really.


    TikTok is unique in the social media space. Their algorithm is lightyears ahead when it comes to content recommendation. Many platforms are attempting to use machine learning to figure out users’ interests and recommend them content they will like, but TikTok appears to have already mastered this. Whilst platforms such as YouTube, Instagram, Facebook, and Twitter are still heavily reliant on people “following” accounts they like, TikTok’s algorithm has excelled to the point where users simply just let it pick what to show them. This is what has put TikTok on course to be the most used social media platform. Users needn’t sift through a vast ocean of garbage to find videos they enjoy, the platform will do all the heavy lifting for them.

    But of course, algorithms can be manipulated. Both from the side of the social media platform, and from its users. These algorithms run on machine learning models which use computer code to determine the topic of a video, the interests of a user, then match the two together. But what if the platform were to tweak the algorithm to prioritize certain videos? Or someone were to sign up fake accounts and feed the algorithm with biased data? In both cases, the algorithm could be manipulated to control what users see. Such exploits could be used to sway public opinion about anything from which stores to shop at, to which presidents to elect. The results could be catastrophic.

    This was very thoughtful analysis. I think the privacy concerns are brought out here as applying to a large majority of data companies. The national security concerns that TikTok exemplifies are more about the era of global competition that we've entered rather than specific concerns about the access to data. There are of course legal implications at play, and it matters that our laws work well in the global context.