Yeah, we have the same coworker. He diminishes other people's results and makes it impossible to scale the team by taking over work that others could do and learn from. When he's expressing his opinion that nobody seems to be able to do the work, it's pretty much that he's not willing to train the other engineers to do the work. What does the company do? They either listen to him, fire people, and waste indefinite time trying to hire someone who can match the 10x engineer's skills, or they try to remove the 10x engineer as the bottleneck that prevents the team from growing (also, if they don't act fast enough, everybody has left except the 10x engineer).
I’m a security engineer and nobody knows what’s best practice. Everyone is making it up at this point, and security is still a nascent field. Most companies don’t even have a security team.
I think it’s still not clear how you should build a security org, and if you should at all (should security be part of normal workstreams of your devs?)
There is a best practice... but the issue is that the "best practice" is something that gets abused for cargo culting and stopping at the discovery of the best practice.
Some time back, I got a copy of "A Practical Guide for Policy Analysis: The Eightfold Path to More Effective Problem Solving" so that I could properly quote back the use of best practices.
Most of the time when people are looking at best practices, they skip to the decide step without defining the problem - that's even been done here. Is there a best practice for non-cybersecurity at a private business? Well, yes - but first, what is the problem that is trying to be solved? There's no "get this book of everything to do and you're good". On the other hand, "we have customer data that includes PII data, we need to secure the data and prevent casual examination of it in house" is a problem that can be looked at, and a best practice can be found.
The best practices involve surveying other organizations and seeing what they have done - what worked and what didn't.
> Part IV "Smart (Best) Practices" Research - Understanding and Making Use of What Look Like Good Ideas from Somewhere Else
> It is only sensible to see what kinds of solutions have been tried in other jurisdictions, agencies, or locales. You want to look for those that appear to have worked pretty well, try to understand exactly how and why they may have worked, and evaluate their applicability to your own situation. In many circles, this is known as "best practices" research. Simple and commonsensical as this process sounds, it represents many methodological and practical pitfalls. The most important of these is relying on anecdotes and on very limited empirical observations for your ideas. To some extent, these are - one hopes - supplemented by smart theorizing. This method is never perfectly satisfactory, but in the real world the alternative is not usually more empiricism but, rather, no thoughtless theorizing.
> Develop Realistic Expectations
> Semantic Tip: First, don't be misled by the word best in so-called best practice research. Rarely will you have any confidence that some helpful-looking practice is actually the best among all those that address the same problem or opportunity. The extensive and careful research needed to document a claim of best will almost never have been done. Usually, you will be looking for what, more modestly, might be called "good practices."
---
A "here is a list of all the best practices, follow these" is the wrong way to try to use best practices; it is rather relabeled cargo cult security.
Building a successful security organization is very easy, it just starts higher up the food chain than whatever experts you hire to do it. Security is a cultural practice, it's not a feature, it's not a bolt-on. To the extent that your security organization influences and receives buy-in from your corporate culture, becoming a part of your organization's identity, it will be successful.
I think this is key. If you don't have a good security culture, where people understand and have ingrained proper security practices, you're toast, no matter who else you hire.
Google has good security practices; you can implement those in any big corp as they are very straightforward. Mudge previously worked at Google, so I'd assume he was hired to help Twitter security get better by implementing some practices from Google. But maybe he was just hired to make it look like Twitter cared, and they didn't really want to change anything.
Google also has a very good ingrained security culture. They understand that they hold on to people's most private and critical data, and rock-solid security has to be a cornerstone of their business.
If it's interesting to someone, I have a similar pipeline I used to write and deploy my book, The Security Engineer Handbook [1].
I basically wrote everything using markdown files, and a pdf/epub/mobi is automatically generated from the folder using a GitHub Action. The action will also modify the date of the last update on the webpage, which gets deployed via Cloudflare Pages (although GitHub Pages could have been used). On the other side, Stripe handles the payments (no server-side code for me) and Zapier detects new customers and sends the artifacts by email.
It's magical :) The next time I want to write a book I'll focus purely on the content and everything else will be taken care of automagically.
I sold around 300 in my first year (which ended recently), which is much less than the other book I wrote via my publisher. Yet, even though it is sold at a lesser price, my self-published book made almost more money. This is essentially because the percentage I make on every sale with my publisher is really low (10%). So for my next book, I'll self-publish as well.
Awesome, a really pithy and down-to-earth workaday style that complements the exhaustive tomes like Ross Anderson's.
What I've found so important is knowing your keywords and making sure your work is associated with the right BIC/BIS Subject Category Codes [1].
"Security Engineering" (a much better term imho) has a lesser impact in academic sales than "Ethical Hacking" and "Cybersecurity" because of how courses are named, and therefore how graduates and recruiters think of the skill namespace. Make sure you get coverage on all the terms adjacent to yours.
[1] I hear they are being replaced by a new international standard in 2023, so it's a dynamic area for authors to be aware of - kinda SEO for writers.
The main tradeoff for me is that--rightly or not--going through a major publisher confers some prestige and Good Housekeeping seal of approval in the minds of a lot of people. So, if you're doing a book for reputational purposes rather than cash, that can be a consideration.
I've done it both ways. But if I do more, at this point in my career, they'll probably just be relatively short ebooks.
I like the landing page for the book (is that the right name for it?) except for one detail, and I wonder if it was done so purposely - I don't see any info about the book (file) format. I assume it is only available as an e-book.
Pragmatic may be worth exploring. The 50% cut is really high compared to the rest of the publishers, and I believe that 80% of my sales came from their reputation and marketing.
Indeed. Royalties are the issue. I just published a book with a well-known editor and I’m making 10% per copy (ebook or print). The book is priced at more than 50$ and yet I’ll only make this amount by selling 10 copies (of course this is before tax).
Interestingly, if your editor has an affiliate program you can make as much money by advertising some link that leads to purchases. So as a writer, if you do both you end up getting 20% on these. It’s still not that much.
Recently, I wrote a small handbook about security and the mindset you need to care about security in your company (https://www.securityhandbook.io), and I self-published it for 20$ using Stripe Checkout. Every purchase yields me a bit more than 19$, which feels amazing every time as I directly get the money. I actually made more money selling this self-published book than with my big editing company.
I have had a 300 page, trade sized (6x9) soft cover book in publication since late 2012. Lightning Source/Ingram Spark handles the printing and distribution. It is a very niche title that has sold about 1500 copies with the only advertising a max $1 daily limit Google ad that runs only a few days/hours of the week.
Ingram allows publishers (I wear both hats) to set the wholesale cut and whether or not to take returns. Bricks and mortar book stores require you to take returns and give them at least a 50% cut. I never wanted to go there, so I do not take returns and give a 26% cut, 1% over the Amazon minimum.
My print cost is roughly $5.25 and I clear a little over $6 a copy. I also have a Kindle e-book edition available directly through Amazon at a list of $9.99 that nets me $6.70 a copy. I sell print copies about 3:1 over the e-book.
Unless the title is a tome, it can be printed as b&w with a print cost in the $4-8 range. Everything after that depends on your competition (for retail price) and your wholesale discount.
At the end of the day I don't see anyone getting rich on any book sales, print or electronic, that are not best sellers from known authors/celebrities. However, as supplemental income you can definitely make some coin with little post-authorship effort, whether print or e-book.
Ok cool, congratulations on the security handbook! I have checked prices for printing books, because I am in the process of writing a regional mountain bike guide book. However, I only find deals for 3-5$ per book... 1$ seems quite cheap to me.
It's hard to tell based on the material available on the website, but it looks like their book isn't physical. If you go through the checkout process, it doesn't gather shipping information. I assume the <$1 figure was just the Stripe transaction costs.
Can I ask how you went about self-publishing and selling via a website? I'm considering this with a couple of short guidebooks I've written for learning a specific language, among other things, and am very curious how you got started and set it up with Stripe checkout and manage delivery, etc.
- Create a landing page via GitHub and use GitHub Pages or Cloudflare Pages to automatically update your domain when you push to your repo
- Set up Stripe Checkout on the client side only (so you don't have to deal with server logic)
- Simply send the book by email when you get a customer
This was my MVP as I didn’t get the time to automate things on the server side. As it’ll get more tedious I’ll find the time to implement that, but so far it’s worked well!