Sketchnoting – getting out of the comfort zone

In the beginning of this week I had the opportunity to attend and speak at Testing Cup in Poland! For the third time I did my talk about the GDPR and the 100 year old boat accident that almost killed my great grandfather, and it’s really interesting how I get all these different kinds of questions with different audiences. Doing the same talk this Saturday I realized that according to Swedish transparency law, some types of automatic processing of personal data is actually illegal, only because it’s automated. The questions I got at Testing Cup made me (re-)realize how much I love the problem set of the Internet of Things, especially medical IoT.

An hour later, I was really happy to find this sketchnote made my a Belgian tester named Zeger van Hese (@testsidestory on Twitter). Wow! Now I never have to do the talk again, just show this picture to anyone who wonders 🙂

I had contemplated attending his workshop on visual notetaking, but decided against it because I can’t draw. The lottery of life decided that I’m an excellent musician and a decent writer, but I believe myself to have no creativity when it comes to drawing. Not trying is of course the best way to ensure that it stays true… so I spent last night and this evening watching Verbal to Visual on Youtube. Then I started creating a visual vocabulary on security related words:

As you see, it’s not super easy. Some words, like authorization and trust, don’t have an icon yet. Confidentiality looks like someone picking their nose, not someone hushing… I am very happy with Availability simply being symbolized by a happy face – after all the whole point of the Internet is to ease our lives. An asset is a diamond, and security is someone blissfully sleeping – peace of mind.

So, on to the real excercise. This is some kind of wordcloud describing my view of my speciality, my work, my hobby: security testing.

There are more words than icons in this picture, but it’s still a lot more visual than I usually do.

The Hacker Mindset is in the centre, closely linked with Exploratory testing. Curiosity and investigation are key words. Then there are two domain knowledge bubbles: security in itself, and knowledge about specific platforms and languages. Communication skills is a big part – and here is where we usually fail the most. Security business has a huge issue explaining why we’re needed. Partly because we are only “needed” if something goes wrong, but also because we tend to be obnoxious douche bags. A bit of extra empathy goes a long way!

Finally at the bottom, we have the tooling. Test tools are great and important, but only when we’ve scoped the problem. A spade is a nice tool for digging… but only if we actually know where the pirates hid the treasure!

Many think that security testing IS Kali Linux or penetration testing, but that’s not true. Those are an important toolset and an important methodology, but it’s not where 85% of the work is done. Do you think I succeeded in conveying that with this sketchnote?