A good day down the salt mine
The remaining items for the recycled Information Security 101 module are falling rapidly into place. It will be a bumper delivery with fifty (yes, 50) files already in the bag.
One of the regular end-of-month jobs involves matching up the awareness items - the files - with the contents listing and their descriptions in the train-the-trainer guide. Years back I came up with a simple numeric naming scheme to make it easier to get the files in order and link them with the listings. Good thing too: this afternoon I came across one listed item that I've decided to drop from the module, and about three additions that need to be listed and described. There's still a little time left before delivery to change things further and renumber, again, if we need to ... which emphasises the value of these final quality checks before packaging and despatch.
Another part of the quality assurance process is to open and review the content of all the files. This is our last chance to spot speling mishtakes, errror, omissons and half-finished
I've already made a couple of passes through the materials: the first pass often reminds me of things I've brought up in one item that ought to be repeated or reflected in others, so there's a bit of back-and-forth refinement ... but the looming deadline means eventually I have call a halt to the spit-n-polish phase. It's tough for me to stop when the materials are 'good enough' rather than 'perfect' but I console (or is it delude?) myself by thinking that nobody but me will spot most of what I consider to be the remaining errors, while it's unlikely I will ever find a further tranche of errors due to my inherent blind spots.
So I keep calm and carry on.
In risk terms, I'm consciously making a trade-off. I could carry on checking and refining the content indefinitely but I'd blow the delivery deadline. Alternatively I could stop right now and deliver the module as-is, but I'd be distraught to discover significant problems later on ... which does happen sometimes when I re-read stuff I have written, checked and published some months or years earlier. Some of the problems that catch my beady now are genuine boo-boos that I should really have spotted corrected at the time. Some are things I would put differently now because I've changed and the infosec world has moved on. Few are genuine factual errors, but to be honest that's more a case of me making the same mistakes repeatedly, than the perfection of my writing. Evidently I'm only human. I bleed.
Also in risk terms, I appreciate that despite my best efforts there will almost certainly be things wrong with the finished module, but what of the impacts? I'd be distinctly embarrassed to learn of obvious issues, and I might need to correct them at some cost for rework. Some costs are born by our customers for whom the awareness materials don't quite go to plan, although part of their regular activities on receipt of each new module is to check through and customise the content to suit their organization's specific awareness and training needs, their industry/business situation, their information risks etc. I think we can all live with that. Risk accepted.