So you want to write a Cybersecurity book?
A discussion on publishing a book in the domain of Cybersecurity
Let me start by saying I’m far from being an expert in writing, publishing, or being an author.
I’m just an experienced Cybersecurity professional who writes a lot, including blogs, articles, and posts, alongside public speaking. A couple of years ago, I found myself having the itch to be an Author and contribute back to the Cyber community that has given me so much.
I’ve recently been approached by several of my security peers, whom I highly respect. They have expertise in various aspects of cybersecurity and are now looking to publish books of their own. Rather than sending them individual messages, I figured I would put my thoughts together in an article to benefit not just them but others in the community who have aspirations to become Authors themselves as well.
For me, the process started in 2021 in the hype of major events such as SolarWinds and the Cybersecurity Executive Order (EO) 14028, shortly followed by others such as Log4j.
At the time, software supply chain security (SSCS) wasn’t a widely discussed topic, but it quickly became one, even establishing itself as a standalone category in security with a slew of investments, startups, innovations, and more. I quickly began to dig into the topic, building on ~20 years of existing security experience, and was surprised to find there were no significant books on the topic yet.
I found myself reading countless articles, papers, publications, blogs, and more, digging incredibly deep into the topic. I wanted to consolidate my insights into something tangible, so I decided to approach a publisher, having never published a book of any sort before.
The first publisher I approached said no, stating they already had someone working on a similar book, which didn’t surprise me, given how hot the topic of SSCS was. The quick lesson here was that failure and disappointment are part of the process, so just keep going.
I quickly approached another major publisher with the pitch, and they said yes. Ironically, my co-author and I ended up publishing our book nearly a year ahead of the other book, the one that had led the first publisher to initially tell me no. Safe to say, we worked hard, wrote a ton, and moved quickly.
My first book was “Software Transparency: Supply Chain Security in an Era of a Software-Driven Society,” published June 2023.
While it may have been the “first” book solely focused on the topic, it isn’t, and won’t be the last, as SSCS has now become a critical topic impacting cybersecurity in areas from software vendors, open source, IoT, critical infrastructure, national security, regulation and more.
A couple of other awesome books that have been published on the topic and which I’ve read and keep on my bookshelf are:
Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware by Cassie Crossley
Securing the Software Supply Chain by Michael Lieberman and Brandon Lum
After I published Software Transparency, two things happened. First, I realized I was hooked on deeply researching, studying, and writing about security. Second, in addition to real-world experience, I realized just how fundamentally broken the way we do Vulnerability Management is.
I wrote and published “Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem” 9 months after Software Transparency.
I wouldn’t necessarily recommend publishing two books so close unless you are obsessive about the topics and comfortable reading, thinking, and articulating those thoughts on paper constantly. Nonetheless, I’m proud of the journey and all I learned.
Now, let’s discuss some key points below for those considering publishing a Cybersecurity book.
Why?
One of the first questions any potential author should be asking themselves is why? Why do you want to write a book, why you, why now, why this topic, and what do you hope to accomplish by doing it?
If you’re looking to publish a book to make a lot of money, don’t. At least not from my personal perspective. Perhaps that dynamic changes depending on the scale of sales, dynamics with the publisher, and whether you self-publish.
Maybe you want to write a book because you are an expert in a specific topic or domain, find a gap in the industry, further establish your credibility as a leader/expert, or more, all of which are valid reasons.
Publishing a book can open many opportunities beyond just initial compensation, such as advisory roles, public speaking, personal branding, industry credibility, and similar opportunities. I have experienced several of these myself. I continue to write and speak frequently on topics around SSCS, VulnMgt, AppSec, and more via my outlet, Resilient Cyber, which you’re reading now, along with other media outlets and avenues.
You also have to be willing to realistically ask yourself if you’re truly committed to the hard work and process it will require, in terms of hundreds of hours of reading/writing, thinking about a particular subject, questioning your own perspective, validating it against existing literature and thought leadership and more.
Writing and publishing is a lot of work, and in the words of Ronnie Coleman, “Everybody wants to be a bodybuilder, but nobody wants to lift no heavy-ass weights.”
Similarly, everyone wants to be an author, but no one wants to sacrifice countless hours of reading, thinking, and writing to bring a book to fruition.
While I’m not one to call myself an “expert” in anything due to how complicated our career field is and how fast it moves, there’s no denying that you build deep expertise in whatever you end up writing about, even if you already had deep knowledge and experience going into it.
As they say, the best way to understand a subject is to teach it, and writing and publishing are, in my opinion, a form of teaching the community, at least those who are willing to pick up the book and read it.
When it comes to Why, there may also be deeply personal reasons. For me, of course, I wanted to advance my career, open new opportunities, learn, grow, and more, but I also had personal reasons.
Neither of my parents graduated high school, let alone went to college, and growing up I rarely saw adults picking up and reading books. That said, I realized at a young age that the primary way to change my personal and economic situation was through knowledge and education, including informally.
I try to read very often, let my kids see me with a book in my hand and I wanted to show them my own book(s) in my hand, to show them what is possible when you commit yourself to your craft, put your head down and work your ass off.
When?
Timing isn’t everything, but it sure as hell counts.
That was the case with my books, as Software Supply Chain Security was a particularly hot topic in 2021-2022 (and still is now), along with a renewed focus on Vulnerability Management in the last several years, as the industry drowns in massive vulnerability backlogs, wrestles with challenges around security tool sprawl, runaway attack surface via “productivity” boosts from AI copilots, and more.
This made the books timely from an industry trend perspective and made them appealing to readers and potential publishers you will need to pitch your book to (more on that in the How section below).
You should look around and see what topics are currently trending in the industry and what will resonate with publishers and readers.
Personal considerations also come into play, such as your current role and career, time commitments with your family, etc. The flexibility of someone younger without kids or older with grown kids will look different, as it will for individuals who are at different points of their careers with varying levels of responsibilities and demands.
All of this comes into play when determining the right time to write for you.
That said, as someone who finds writing—which is basically thinking—therapeutic, I find it hard to think of a time when writing hasn’t helped me organize my thoughts, commit to my craft, learn, grow, and continue to challenge myself personally and professionally.
How?
Shifting to a more tactical topic, how do you go about publishing a book?
There are basically a couple of paths. You can work with an existing publisher, such as:
Wiley (who I worked with for both of my books)
O’Reilly
Packt
Others
The list above is far from exhaustive; these are just some of the publishers that come to mind right away.
You can also choose to self-publish, as some have done successfully, such as my friend Ross Haleliuk of Venture in Security, with his book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup”.
If you do intend to approach a publisher, it will help to have established expertise in the career field, a strong personal brand, examples of your writing, such as articles, blogs, etc., and demonstrable experience in public speaking on relevant topics to help give yourself credibility in the eyes of the publisher.
You also want to think through how you want to approach the book. While my books took more of the traditional approach of being technically dense, diving into a topic, discussing all of the broader implications, and addressing relevant risks or challenges tied to the topic, this isn’t the only way.
One unique approach that I really have loved seeing is by George Finney (who has also published with Wiley) in his books such as “Project Zero Trust.” In these, he takes the approach of writing more of a novel format, with hypothetical characters and organizations, while still educating the reader on the topic, such as Zero Trust, or, as his next book will, AI and Agentic AI and its intersection with Zero Trust.
Another key topic is writing alone, or with a co-author. In my case, I chose to have a co-author in both cases, both to avoid entirely shouldering the writing burden all alone, and also bring in additional expertise, experience and perspectives I wouldn’t have otherwise. That said, I do foresee myself going at it alone in a future writing endeavor as well.
Additionally, you want to choose a relevant industry leader for things such as your Foreword. In my case, Dr. Allan Friedman of CISA wrote the foreword for Software Transparency, given all of the incredible work he has done around SBOM and SSCS. For the second book, Ron Gula, the industry legend, founder, advisor, and investor, wrote the foreword to Effective Vulnerability Management, given his background with Tenable, a well-known leader in vulnerability management.
So you need to decide where and how you want to publish, who you need to engage to help you achieve your publishing goals, and be prepared to demonstrate why you, why the topic, and why now, as we discussed above.
You may be convincing a publisher, potential co-authors, those you want to write a foreword, and hell, you may be convincing yourself - but either way, you need to think through these questions.
Then What?
Now that you’ve published the book, you may be asking yourself, then what?
Well, it depends on your goals. After the first book, Software Transparency, I felt the urge to keep going, and I subsequently published Effective Vulnerability Management.
After the second book, I pivoted and found myself really enjoying working on other writing outlets, such as growing my Resilient Cyber Substack and Newsletter, tackling various relevant industry topics from Cyber Leadership, Market Dynamics, AI, & AppSec.
Throughout this process, the creative juices continue to flow; I continue to think deeply about our industry, trends, systemic challenges, emerging technologies, and more. All of this will, of course, contribute to future creative endeavors related to writing and speaking.
I’ve also enjoyed activities such as advising, working with startups, speaking at industry events, networking, and having thoughtful discussions with fellow cyber and tech practitioners who challenge my assumptions and understanding of our fields and broader society.
If you think writing isn’t for you, you’re wrong.
Writing is a way of thinking. You analyze topics, behaviors, interactions, and more, and putting those thoughts to paper is one of the best ways to hone your critical thinking skills.
One of my favorite quotes is below when it comes to writing:
“I write because I don’t know what I think until I read what I say” - Flannery O’Connor