Episode 74: The Good, The Bad, and The Ugly of Being an Author
Amrit Williams, BigFix CTO, discusses the ins and outs of writing tech books with author Andrew Hay.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Andrew Hay, who describes himself as a “devastatingly handsome author, a sporadic blogger, a BBQ junkie” – that’s barbecue, for those who don’t know — “and a security strongman”.
Andrew, thanks for joining me today.
Andrew Hay: Thanks, Amrit.
Amrit Williams: And I’ve got to say, although we have not met in person, we’ve spoken on the phone often, and I can tell – I hope no one takes this wrong – but you probably are devastatingly handsome. I can appreciate that as a security professional.
Andrew Hay: Must be my sultry, sullen voice (laughing).
Amrit Williams: A little Barry White we were talking about, right (laughing)?
So, Andrew, why don’t we start with a little bit of your background. You actually have written several books, you’ve worked at several well-known security companies, and you’ve done a lot of really cool and amazing things. So why don’t we dig in a little bit, give the audience a little preview of yourself, and then we can move on to some of the other topics we talked about.
Andrew Hay: Sure. Well, I started out in the network-support/network-security space with Nokia. Actually, prior to that, I did the grunt work in the trenches of doing dialup ISP support, which if you haven’t done it, I’d suggest you do it as part of your career to gain a perspective on how horrible a job it is. I came from network-security space. I’ve worked for a major SIM vendor as a support person, trainer, product manager, engineering manager. I’ve lived in Bermuda, working as a security analyst for a bank, and now I’m working as a security analyst for a university in western Canada.
Amrit Williams: Oh, that’s very cool. So before — I do want to get into the books, as I think it’s a fascinating labor of love that folks go through with technology books, and I work with Ryan Russell and he’s written several himself and several people that I know have. I’ve pondered the idea a lot, but quite honestly I think my love would probably lie in some type of fiction novel; but it really is a lot of work, and the returns for the most part are not what people think. So you want to talk a little bit about the mechanics of authoring the technical book and some of the nonromantic aspects of it?
Andrew Hay: Sure. I actually gave a presentation of this, on that topic at San Diego a few months back, and a lot of people go in with the idea of, “Oh, I’m going to be the next Stephen King” or “I’m going to be the next … ” who is it that wrote Harry Potter? I’m drawing a blank now.
Amrit Williams: J.K.
Andrew Hay: Exactly, yeah. She’s so rich, no one has to remember her name.
So if you are going in to write a tech book thinking you’re going to retire and make millions of dollars, odds are you’re wrong. It’s really three months to four months of your life, and if you have a full-time job and if you have a family, you are going to be dedicating a couple of hours a night and at least one weekend day to writing this book. And really, the more people you have contributing to the book, the harder it is, because you have to balance tone of everyone, you have to act as a project manager for the entire book to make sure everyone is committing their deliverables properly and on time. And it’s an awful lot of work; it’s almost a full-time job for four months, in addition to any regular job and family commitments you have.
Amrit Williams: So why do it? I mean, I ask this question of everybody that authors these technical books: why do it? What’s the point?
Andrew Hay: Well, when I decided to write a book, I’d first spoken to Harlan Carvey, who’s written the Windows Forensic Analysis book, now in second edition. I talked to him about it, and he told me that “If you’re going in writing this book thinking you’re going to make a lot of money, you’re going to be really disappointed”.
So I went in eyes wide-open, knowing that I’m not doing this for money; I’m doing this for career, because it looks awesome on a resume and it’s a good sense of personal pride. You can point – someone says to you in an interview, let’s say, “Oh, well, so what have you done? You’re in security, what have you done?” You can point to a bookshelf and say, “Well, I wrote these three books.” And they’re like, “Oh, really?” Like it’s very impressive, but it’s — I did it more from a sense of pride and professional development, and it has really helped me getting known in the security space as, “Oh, he’s Andrew Hay; he wrote the OSSEC book, and he’s a blogger, and he comes to conferences and things like that”. It definitely did help with my public-facing career.
Amrit Williams: And I’m glad people write these books. I read; I’m a voracious reader, and I’m so glad that people are contributing to the community, even though it’s not making them financially wealthy or financially better off. There are definitely benefits to it that you mentioned.
(00:05:01)
But I think one of the greatest benefits is that there is information being shared in the community that becomes very accessible to people, and you can’t get information on the Internet in a lot of the forums and the methods of communication that most people use in the same verbose way that you can get it from a book. So the fact that folks are out there authoring books is really — it should be commended.
Let me ask you this: what is some advice you would have for folks that — I’m reading a lot of people are getting into writing their own books, and getting into working with Syngress specifically more than others because they work really closely with the community. What’s some advice you have for people who are thinking about writing a technical book?
Andrew Hay: I think my number one piece of advice would be to go in knowing the time commitment. Ask the publisher, “How much time can I expect to be dedicating to this?” And if you really can’t dedicate two hours a night every night minimum for three months, four months, then this probably isn’t for you, because that’s a big time commitment. And really, the return? Most of the publishers will give you an advance to kind of whet your palate, saying, “Okay, here’s some money, get started writing the book”; but you have to also keep in mind that that advance counts against any future earnings you are going to get. So you have to burn through that advance before you actually start seeing money back from the book.
And to be perfectly honest, not a lot of authors of technical books will see any sort of return above and beyond that advance. To launch every book is, you write a first edition — let’s say it’s a piece of open-source software – odds are over the course of a year or over the course of two years, that’s going to change significantly, and then your book is no longer going to be as relevant as it once was.
Amrit Williams: That’s an interesting aspect of the technical books is, they certainly have a bounded time that their value is important. I have a basement of books; we’re actually going through moving, I’m trying to get rid of them. It’s hard to give them away.
Andrew Hay: Well, sure, because they mean a lot to you. Like when I moved to Bermuda, I gave away probably about 75 technical books. And those were books that had a lot of knowledge in them and a lot of references in there that, “Okay, I need this information; I won’t search the Internet, I know it’s in this book, I’ll go to it”. And you’re paying $60, $80 for this book, so it kind of means a lot when you’re throwing away hundreds and hundreds of dollars in a move.
Amrit Williams: Oh, yeah. In some of the books I have like specifics on SMT, for example, back in the day. Those were really expensive.
Andrew Hay: Yeah.
Amrit Williams: It’s a shame that I can like barely get pennies on the dollar for these things.
You know, this leads into a great segue. I want to switch gears a little bit and talk about a submission that you have for Security B-Sides, and for those who don’t know you can find out about Security B-Sides. I believe it’s securitybsides.org?
Andrew Hay: .com, actually.
Amrit Williams: securitybsides.com, this was a concept that was a couple of folks got together and I guess some submissions that had then presented to RSA at their conferences were not accepted, and there was this general feeling that there was … it was difficult to hear fresh, new content from bright minds that for whatever reason the communities that want to authorize the talks and go through the panels weren’t allowing some of the content that a lot of people really wanted to be exposed to. And you sort of seize on that, almost I want to call it nepotism, going on in these large conferences.
So Security B-Sides was an opportunity for the industry to get exposed to some folks that may not have a chance to share their great ideas, and one of the submissions you have — I thought it was kind of funny (laughing) — it’s “My Life on the Infosec D-List” and … why don’t you explain a little bit about what that talk is going to be about and the proposal, and we can tell people how they can vote for it?
Andrew Hay: Sure. Well, so I don’t even remember how the term came up. I think it was a conversation with Anton Chuvakin. We were just talking about celebrity status in our industry and how 80% to 90% of us are all on this D-List; we’re just trying to break into security, we don’t know how to do it, we just know we want it. It’s kind of like a Google Wave invite: you don’t know why you want it, but you want it because everyone else wants it.
Amrit Williams: Great analogy, because when I got mine, I did really want it, and then I just sort of looked at it and went, “Okay, now what?” (laughing)
Andrew Hay: Well, I think Google should offer up a bounty for anyone that can figure out what to do with Wave. I think that they’d make a lot of money, or they’d be giving it a lot of money if someone could actually put some thought into it.
Amrit Williams: So anyway, I’m sorry to distract you there, I get a D for it; anyway, back to the D-List.
Andrew Hay: So, really, what I wanted to talk about in this presentation is: what are the steps that I took to get to my mediocre stardom – and it really is mediocre stardom. I’ve gone to conferences, and honestly I can’t remember the guy’s name and I wish I could; but he came up to me at RSA and he’s like, “Oh, wow, you’re Andrew Hay” and he recognized me immediately.
(00:10:06)
He shook my hand, he’s like, “Wow, I bought your OSSEC book; it was great. You know, you’re a great author. I really like the book. I’m telling all my friends about it”. And I just kind of stood there and I was shocked.
And I was there with John Strand and Rob Lee, and they both kind of looked to me, it’s like, “Oh, look, his eyes are rolling up” (laughing). “Look, shut up! No, there’s something in my eye” (laughing).
But it meant a lot to me that someone came up and said that and they immediately recognized me; and I don’t know if it’s because of my crazy Twitter picture or what, but people are recognizing me now, which is both scary and cool.
But they’re associating things that I do — my blog, the books I’ve written with my name – which I kind of consider that deal as celebrity status, because if you’re driving around LA, you’ll notice some guy who may have been an extra in a movie or something; you recognize them, “Hey, you’re that guy from that movie that I like”. And he’ll either say, “Yeah, that’s me. Yeah, my name’s actually this” or “No, I’m not that guy”.
So what I want to talk about in the conference, in the presentation is like: what steps did you take to kind of increase your exposure in our huge circle, because it is really a big circle of people. And it might be actually one of the biggest in any sort of industry. Like the security people seem to be very outgoing and very network-friendly, I’ll say.
Amrit Williams: Well, I don’t know if it’s the biggest gathering of folks within one segment or served by both the technology industry; but it certainly is one of the more vocal, and it has some of the most –
Andrew Hay: For good or bad (laughing).
Amrit Williams: Right. It’s really one of the most vocal, and it has some of the most pervasive characters. There certainly is a lot of characters in the security industry, and if you’ve been around for a long time you have these connections. It used to be quite small, and it used to be folks just moved around and they changed jerseys; but you kept a lot of those connections, and it’s expanding in a very interesting way and has probably over the last five years dramatically where you see this huge influx of people that have in two to five years of experience moving into the security realm, but weren’t there back in the day. And “back in the day” is, you know, back in the day (laughing). Back in the day is really not that long ago; but if you look back to the early ‘90s, for example, when a lot of folks that are now the thought leaders for security or running the companies themselves or driving some of the technology innovation, that’s when a lot of folks cut their teeth in what would become a fairly large and prosperous industry in security.
So I honestly think that Twitter and other social-media communication tools like Twitter are probably the biggest benefit to that communication, because think of how many people you’re connected to on Twitter and who you probably never would have spoken to if you met them at a conference, had you not already been connected to them on Twitter.
Andrew Hay: Oh, it’s fantastic. The other thing I appreciate about Twitter is that I have a large set of people that I communicate with infrequently prior to Twitter, because we just don’t live that close to each other. Folks who live in Boston and New York, for example, on the East Coast or outside of the country that I have strong relationships with, that I have a lot of respect for, would like to communicate more with, but really can’t see myself picking up the phone to have a brief conversation about what I would be having for dinner or if they saw a certain movie, the type of interactions you have on a friendly basis with those around you.
Amrit Williams: Twitter is great for keeping in touch with those folks you just can’t see on a daily basis. It’s great for sharing quick ideas, getting thoughts out there, getting feedback; it’s also probably the snarkiest social-media mechanism I’ve ever seen. They’re like a big sitcom.
(Laughter.)
Amrit Williams: The security networkers are sort of a … they’d be a great sitcom, I think.
Andrew Hay: Yeah (laughing). I was thinking about that, because I’ve got family in Hollywood. My brother is a standup comedian and my cousins, both of them, are actors – in fact, my cousin has a movie coming out. But it’s interesting, both of them sort of comment on that desire to become famous, so people recognize them. But as people start recognizing them, I know for Christmas I was out with my brother, we were at a movie theater and this guy came up and he said, “Oh, my god, I saw you on Comedy Central”. And my brother, he was very kind and humbled; but he sort of turned to me and said, “Man, that can become really annoying” (laughing).
(Laughter.)
Andrew Hay: And you have to think about that. I mean, you sort of have to have a certain mindset and a certain mentality to expose yourself publicly that way, because a lot of people by their very nature have egos; it’s natural for us to want to be seen and be known and feel like we’re succeeding. But there is also a side of us that wants to remain private and doesn’t want to share thoughts with others and wants to keep a line between what we would like to share and what we don’t in this. As you become more known, then that line becomes a lot blurrier and people start penetrating into the other side of your life that you may not want to share.
(00:15:05)
Amrit Williams: Yeah. Before we switch gears, I do want to let the audience know how they can vote for your security D-List talk at securitybsides.com: “My Life on the Infosec D-List”. How do they do that?
Andrew Hay: All right, so what you can do is you can either email to info@securitybsides.com and say that you want to hear my talk, or on Twitter you can type “I vote for ‘My Life on the Infosec D-List’ by @andrewsmhay” and then the #BSidesSF. And then what the B-Sides guys do is they tally the votes at the end of the day, and I think overall voting will pick who gets to go on (laughing).
Amrit Williams: And if folks want information about Andrew, they can get it; you have a website: andrewnhay.com, is that correct?
Andrew Hay: No, it’s andrewhay.ca.
Amrit Williams: andrewhay.ca; and that’s H-A-Y.
Andrew Hay: H-A-Y. Easy to remember.
Amrit Williams: All right. Well, Andrew, thanks for joining me today. We’ll have a little bit more with Andrew coming soon.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!
