August 29, 2011

So you want to write a security book?

Now that I am done with my side project, I wanted to post a note about something that my colleagues frequently ask about: the reality of publishing a security-themed book.

The most important advice I can give is to start with a reality check: writing for technical audiences will probably not make you rich. You will invest somewhere between 200 and 1,000 hours of work over the course of several months. In the next two years, you will likely sell from 1,000 to 50,000 copies (10,000 is pretty good already). Your cut is between $2 and $5 per copy (that's 10-20% of the actual sale price, which in turn is usually around 50% of the cover price); proportionally less if there are multiple authors involved.

The bottom line is that your motivation needs to be something other than money. If there are no quality, up-to-date reference materials in your field of expertise, or if you just have something interesting to share, go for it. If you just want to earn some cash, random consulting gigs would net you more.

If you are still serious about the plan, the next step is choosing between a traditional publisher and doing all the work yourself. I recommend the former. There are some reputable self-published security books (say, Fyodor's), and if you pursue this route, you will be able to get a slightly larger slice of the revenue pie. That said, you lose some important benefits:

  • You will not get professional editorial feedback. Having an independent sanity check from a person who publishes books for a living helps you set the style and flow of the chapters, and arrange them reasonably. This is harder than it seems. Even the best ideas look bad when presented poorly.

  • You will have to take care of technical illustrations, page layout, indexes, and so on - requiring some talent, and easily adding 50-100 hours of work into the mix.

  • You will have to pay for technical editing and proofreading - or ship the book with typos and grammar errors, which never helps.

  • You will have to invest some effort into marketing, accounting, etc.

If you have a decent proposal, you can approach publishers out of the blue and pick the one you want to work with; for the time being, the demand for infosec authors seems to be higher than the supply. All the publishers will offer you roughly the same financial terms, but there are some interesting differences in what you will get in return. I know quite a few authors who signed up with one of the major publishing houses and are very unhappy about not receiving any editorial attention past the first chapter or two, or about not being able to get an illustrator assigned to the project and having to do the work themselves. In these cases, one has to wonder what the publisher is doing to earn its fees.

So, ask around. For example, in comparison to said publisher, my experiences with No Starch Press have been very good.


  1. Too true, as I've experienced over the past decade. Technical manuals, certification guides, enterprise and security architecture books, even articles and such: I have found that you do them more for fun than for the $$$. Corporate contracts can pay more, but they just get consumed in other projects and you don't get to show those off, while law-enforcement-only cyberterrorism and cyber crime stuff you pray never comes up in the wild, and it never gets read outside of very closed circles. I do like writing college courses, though, as you can try to make an otherwise-boring class more interesting for the students.

  2. For what it's worth, my notes on the same subject: