Advice for Cyber Authors

I wrote this recently: “To be very honest, the primary technical and architectural means by which world-class commercial identity and access management (IAM) solutions for enterprise groups will migrate to public, virtual cloud services remains largely unknown today by most members of the global cyber security community.” Apart from going on and on . . . and on, this 44-word opus is unreadable.

Here’s what I rewrote: “No one knows how IAM will migrate to cloud.” Now, I hope you will agree that this sentence is more manageable. At nine words, it is succinct, clear, and allows the reader’s brain to process the statement’s meaning, rather than having to sift through all those annoying words and adjectives. Oh, and I got rid of the very. (No one should ever use that very, very unnecessary word.)

Good writing was on my mind this week as I chatted with my New Jersey neighbor, Ben Rothke, a consultant with Nettitude. For the past seventeen years, Ben has spent his free time reviewing InfoSec books, including for the RSA Conference Blog. I joked with Ben that such longevity might make him the most prolific reviewer in our industry. I asked him to share some thoughts on writing and publishing in cyber security:

“Writers don’t have to be Hemingways,” he explained, “but they should try to pick a topic they are interested in, and stay focused. And above all else, they should make sure to avoid including filler. Too many people think that an 800-page book is better than a 300 or 180-page book. But that is usually not true, especially if the larger book includes long reprints of freely available material.”

I asked Ben about his review methodology, and he offered a refreshingly casual response: “I try not to use a formal approach,” he said. “There are a lot of good books and I just try to review ones that cover interesting topics in cyber security.” During our conversation, we took a moment to calculate the number of books he has reviewed, and we came up with roughly 500. That’s a lot of material to digest and review.

Ben shared a tip for new authors that I found particularly useful (including for my own writing): “I can usually tell whether a book is going to be good,” he explained, “within the first fifteen pages or so.” We both agreed that this is something new authors should recognize – namely, that if the first chapter is disorganized (or just plain boring), then readers are likely to set the book aside quickly.

Ben was willing to share that there have been a couple of recent popular books that are not exactly on his Top Ten list – and the problems usually stemmed from the authors not having strong backgrounds in the material they were trying to cover. He also pointed to the more recent challenge of dealing with so many self-published works from authors who might not be well-trained in the art of technical writing.

But Ben was upbeat about an industry he continues to love, and expressed his enthusiasm that the industry remains vibrant. “Publishers such as O’Reilly,” he explained, “continue to produce a steady stream of great books. I think that any reports on the death of print media are largely exaggerated.” And I couldn’t agree more: New cyber security books from excellent authors pop up every day – and it gives me hope.

If you’d like to follow Ben’s reviews, he posts them on Amazon and also tweets when he posts a review. If you follow Ben’s advice on selecting books, my guess is that you’ll improve your understanding of our complex discipline in no time – along with maybe avoiding 44-word nightmares in favor of their simpler nine-word equivalents. So, here’s my kudos to Ben, along with my best wishes for another productive 17 years of reviews.

(Disclaimer: Ben reviewed my most recent book From CIA to APT: An Introduction to Cyber Security and gave it a largely positive review. If he had panned the thing, I probably would have agreed very, very much with his assessment, and would have gone ahead and interviewed him anyway.)