So You Want To Write an Infosec Book?

While I don’t consider myself to be a prolific writer of the 21st century, I have had the opportunity to write five different technical books over the past 12 years. I do a little bit of speaking here and there and am always blogging as well, so I frequently meet people or receive e-mails from folks who want to write an information security book. Because of that, and in light of recently finishing my last book project, I thought that now would be the perfect time to share some of my experiences in technical book writing.

*This post was originally written in 2014 but was updated in 12/2017


Before I dive into my lessons learned, here is a brief summary of the books I’ve written to help frame the things I’m going to talk about.

  • “Saving Time and Money with Virtual Server” – Published by O’Reilly in 2005 as an e-book only. This sold very poorly and was my first foray into paid technical writing with a real publisher. Most people don’t even know that I wrote it.
  • “Practical Packet Analysis – 1st Edition” – Published by No Starch Press in 2007 in print. My first print book, released when I was 19. This sold very well but received mixed reviews early on due to some technical issues which were eventually rectified.
  • “Practical Packet Analysis – 2nd Edition” – Published by No Starch Press in 2011 in print. This has been my best selling book. It has been translated to half a dozen or so languages and is used as a textbook by many universities. It is also incredibly well reviewed, having an average rating of 4.5 stars with over 50 reviews on Amazon.
  • “Applied Network Security Monitoring” – Published by Syngress in late 2013 in print. This is my newest book. So far, it has been very well reviewed. I was the lead author of this book but also had contributions from several friends as co-authors, with Jason Smith contributing a few chapters, David Bianco writing a chapter, and Liam Randall contributing in a couple of places.
  • “Practical Packet Analysis – 3rd Edition” – Published by No Starch Press in 2017 in print. This hasn’t been out for too long but is picking up where PPA 2 left off with great sales and multiple translations. It is also incredibly well reviewed, having an average rating of 4.6 stars with over 75 reviews on Amazon. I’ve also built an online class version of it.

As you can see, I have a pretty wide array of experience with several types of books, several publishers, and several models of book writing. I’m by no means an authority on the subject of the business of writing, the grammar/structure of writing (just ask my editors), or even the “best” way to go about getting your first book deal. However, I do have experience to share that I think is useful.

Lessons Learned

Writing a Book is Hard

Writing a book is probably one of the single hardest things you will ever do. If that isn’t the case, then you are probably doing something wrong, or simply not taking enough risk. When you estimate the amount of work that you think a book might take to complete, go ahead and multiply that by five.

The first edition of Practical Packet Analysis took a year to research and write, and that was a bit rushed. Because of this, the quality suffered. The second edition of Practical Packet Analysis took about two years to research and write, keeping in mind it still used 25% of the content from the first edition. Applied NSM took FOUR YEARS to research and write, and that was with the help of co-authors and even cutting some things out of the original table of contents.

If you aren’t strong-willed, dedicated, and goal-oriented, then you aren’t going to be able to successfully write a book. It is very easy to get excited about putting words on paper at the beginning of a project. However, this excitement can begin to wane several months into the project when it seems like you are slogging through content at a snail’s pace and you can’t see the forest for the trees. This is the point in which most books flounder out and never get finished.

As I’ve moved into the content creation business where I work with individuals to develop online courses I’ve learned that some people just don’t have what it takes to dedicate themselves to large projects like this, or they simply just aren’t in a place in life where they can adequately prioritize it. There’s nothing wrong with that if you’re self-aware enough to realize you’re that person.

Don’t underestimate the difficulty of writing a book. It is a massive, consuming task that requires you to possess skills in technical writing, time management, research, and the technology you are writing about. It isn’t too hard to get a book writing contract. It is very hard to finish a book writing project, and it is incredibly hard to write a good information security book.

Assess Your Motivation

Because writing a book is so difficult, you have to possess the right motivation for it to be successful. So what does the “right” motivation look like? Well, ask yourself why you want to write the book. Some good reasons might include:

  • You are a natural teacher and like to share the knowledge you have with others.
  • You have a unique understanding of something technically complex and think others could benefit from your methods and approaches.
  • You have a plethora of experience and you think that you can use your advanced knowledge to better teach the fundamentals of a discipline.
  • You have a lot of knowledge in an area for which no formally written knowledge exists.

With that in mind, I usually hear more bad reasons for wanting to write a book than good ones. Some of these include:

  • “I want to be a big name in this industry.”
  • “I want to bring in some extra income.”
  • “I want to prove my skills so that I can get a better job.”

I could spend a lot of time ranting about each of these bad types of motivation, but I’ll keep it short and say that you should never write a book ONLY to get name recognition, to make money, or to get a better job. While it is possible that the book could result in those things, you should write a book because you care about the topic and you want to help people. It’s part of what some people call “servant leadership.” That is where you gain respect because you serve your constituency. In the case of book writing, this constituency is the information security community as a whole. If you are a good steward of that community, you will have the opportunity to prosper.

You are Responsible for Your Content

This is one of the most important lessons I can share. One of the hardest lessons I’ve learned in my career is that you, as the lead author, are ultimately responsible for the content of your book. I learned this lesson because of a mix-up that occurred when writing the first edition of Practical Packet Analysis. I was pretty young when I wrote this book (I started it when I was 18), and looking back, I probably could have used a few more years of experience before I wrote it. While writing the book, Gerald Combs (the creator of Wireshark) agreed to be the technical editor for the book. This was really helpful for me at the time because I knew that Gerald’s years of experience would certainly catch any technical errors I might make in my writing.

A couple of months after the book was released, it received a very poor review from a very big name in the industry. This would eventually lead to a few more bad reviews right around that time. The reviews were centered on the fact that the book contained quite a few technical errors. Of course, the publisher and I went back to Gerald to see why they were missed. That is when we discovered that there was some miscommunication. Gerald was under the impression that he was only supposed to perform a technical review of the content directly related to Wireshark, and not all of the protocol-specific information and other content. This wasn’t Gerald’s fault — the publisher should have ensured the responsibility was clearly stated and I should have made sure that was done. While I’ve viewed this incident differently at various points through my career, I ultimately see this as an area where the publisher made a mistake but I made a bigger one in not verifying that everyone was on the same page.

Dealing with this was pretty rough. A book isn’t like a blog post that you can go back and make edits. Once it’s out there in print, it’s there forever. We were ultimately able to fix the issues and publish fixes in later print runs of the book and in an errata. Some of them were things that were inaccurately stated, others were facts that were just presented in a way that left too much room for incorrect interpretations, and a few were just production issues that didn’t get caught. However, at this point, the damage was done. It was personally embarrassing and a dark stain on my career. I didn’t truly consider the issue rectified until I was able to complete the second edition of the book, and I’m thankful that I had the opportunity to do so.

I’m now incredibly cognizant of the technical content of my books. I research to an extreme amount and I also rely on multiple technical editors. Applied NSM was edited for technical content by David Bianco, but I also had technical edits performed by a dozen or so other people based on their expertise in certain content areas. For instance, several members of the SiLK team reviewed the sections about SiLK, and Joel Esler from Cisco/Sourcefire was kind enough to review the chapter on Snort. Not only did the multiple layers of technical editing catch things that were missed, it also helped to provide some additional unique perspectives on the concepts presented in the book.

The key point here isn’t to be scared of technical errors. Every book will have some errors, and that is what an errata page is for. The takeaway here is that every word in your book is ultimately your responsibility. You can’t fully rely on co-authors, contributing authors, technical editors, copy editors, etc. There is no passing the buck in the book writing business. You have to own every word and you have to proofread and research until your eyes bleed.

Don’t Rely Solely on Your Own Expertise

One of the big mistakes I made early on in my writing career was thinking that it was 100% on me to generate all of the knowledge that was put into my book. If you really want to know the difference between the first and second editions of Practical Packet Analysis, this is one of the big ones. In the first edition, all of the content was straight from my head, using techniques that I used in my day-to-day job. While these were useful to me, I didn’t think about studying the techniques used by other people to see how they applied the same knowledge. Quality suffered as a result.

Fast-forward several years when I began researching content for the second edition. This time, I reached out to others to see how they did packet analysis. I asked what techniques they used, what their favorite Wireshark features were, and what additional tools they found useful. Because of this, I was able to incorporate additional perspective into the book, which made it applicable to a lot more people. Not only that, but I learned a lot and strengthened my own practices.

I continued this thread with Applied NSM, even bringing in co-authors with drastically varied experience. A lot of the time there is no “right way” and the “best way” will depend on the environment the knowledge is being applied to. Bringing in the expertise of others can really help the depth and usefulness of your content. This is a statement promoting collaboration above anything else.

You Won’t Make Money Writing Technical Books

If you want to write a technical book to make money then you are going to be in for a surprise. In general, technical books don’t generate a lot of revenue. While there are some exceptions with widely sold books that appeal to a broad mass of people like “Windows 7 for Dummies”, titles like “Applied Cryptography” are going to have a limited audience. No matter how good your book is the audience for it is going to be limited by the number of active practitioners.

People like to see numbers, so let’s do some simple math. My agreement with No Starch Press was for a 12% royalty on all copies of Practical Packet Analysis that were sold (with a higher percentage for subsidiary works and foreign translations). This is standard within their royalty structure menu and something they have publicized in the past, so I have no reservations in publishing that here.

Let’s say that you write a book that costs $30. This means that you see $3.60 from every copy sold (we won’t worry about subsidiary works at the moment – we are also assuming the book sells directly from the publisher and not from a book reseller, which would result in a lesser rate based upon what the publisher sells to the book reseller for). Now, let’s say the book sells extraordinarily well and you’ve sold 10,000 copies. That is a lot of copies for a technical book. If it is an information security book specifically, it’s an even more impressive number. That means you have made $36,000.

Now, let’s consider how long it took you to write the book. The breakdown for a smaller book that might sell for $30 could look like this:

  • 6 Months – Initial Research
  • 12 Months – Writing
  • 6 Months – Editing and Marketing

These are pretty fair estimates. Now, let’s say that you are working a full-time job, so you are doing all of this during your spare time, and that averages out to about 4 hours per day. You might skip a day here or there, but you will also probably be working more on the project on the weekends. This averages out to a total of 2920 hours. This sounds like a lot of hours, but if you are going to research and write a proper book, this isn’t too crazy. See the earlier section about how writing a book is hard. If we divide that $36,000 by 2920 hours, that comes out to a bit more than $12/hour. Again, this is if your book sells VERY well. If you write an information security book and it sells a more realistic number, like 5000 copies, then you are only making about $6/hour. That is less than the federal minimum wage. Want to get even more depressed? This money hasn’t been taxed yet. Go ahead and send a third to one half of it to Uncle Sam.

I don’t really know anybody who has made a consistent living exclusively from writing information security books. The folks I do know who don’t have “day jobs” bolster this income with public speaking, training, and consulting. While writing a great book can certainly lead to these things, the royalty income from the book alone isn’t enough.

Personally, I’m a big advocate of donating author royalties to charitable organizations. 100% of the royalties from all of my books go to support a few different charitable organizations, including the Rural Technology Fund.

Have a Strong Stomach

When you write a book and put it out there to the world, you will invariably have to deal with book reviews. These reviews are very important to the success of the book, especially early on. By extension, these reviews are also important to your career, as they will be used to define the quality of your work by a lot of people. Because of that, you should take reviews very seriously. However, with that comes the issue of bad reviews and bad reviewers.

No matter how good your book is, some people won’t like it. Practical Packet Analysis 2nd Edition has an average rating of 4.5 stars on Amazon with over 50 reviews and I know it’s a great book. However, it has gotten at least a couple of bad reviews. Some of these include:

  • A 3 star review from someone who was upset the book only focused on Wireshark, even though Wireshark is in the subtitle of the book and this is made very clear from the beginning.
  • A 2 star review where the reader is upset that I talk about outdated protocols like “Palm OS Protocol.” I’m not sure what he is reading, but I don’t even talk about Palm OS Protocol in the book.
  • A 1 star review because the reader was upset that Amazon didn’t ship the book to him fast enough, which had nothing to do with my writing. Fortunately, Amazon removed this review since it was completely unrelated.

Ultimately, you are going to get a few negative reviews no matter what you do. Some people like to use book reviews as an opportunity to bash people when they think they could have done better, or simply because they think it makes them look like an expert to harshly critique someone else’s work. There are also people who don’t read the book description before they buy it and are upset that the content wasn’t exactly what they were expecting. Sometimes you also have readers who are very skilled in a particular topic and buy an entry-level book and are upset that the content is too rudimentary for them. These things can all lead to negative reviews. This was incredibly hard for me when I started writing and is still something I struggle with today. When you devote a lot of time and effort to something, you hate to see it torn down in just a few paragraphs. It’s something you just have to learn to stomach. I still get irked when someone raves about how much they love a book but then knocks it down to a 3-star rating because there were a few typos.

Write Content Before You Sign the Contract

In most cases, when you want to write a book you will write an abstract with a table of contents and then use that information to pitch the book to a publisher (along with whatever specifics they ask for). If it is accepted, the publisher and the author will agree to terms, contracts will be signed, and then the book actually gets written. While this can be effective, I think that you should start writing the book well before you even think about submitting it to a publisher. As a matter of fact, I wouldn’t sign a publishing contract now without having at least 20% of the book already written. Let me explain why…

When you sign a contract with a publisher, one thing they will want from you is a production schedule that details when you expect to complete certain portions of the book. This is important for the publisher for a variety of reasons, the most important of which is that the execution of a contract now means that they are investing money in you and your project. In addition to their paying you for your work, they will also be paying project managers, copy editors, compositors, graphic artists, and marketing staff to ensure that your book is produced effectively and able to be sold. They are also fronting the cost of the initial printing of the book. It takes a lot of work to get the book from your computer to the shelves at Barnes and Noble. Now consider that the publishers will have multiple book projects going on at once, and you can grasp how difficult their job is. They need to be able to effectively schedule the resources used to produce your book so that they are making efficient use of their time and money.

With that said, it is VERY hard to ascertain exactly how long it will take you to write a book until you are already a bit into it. This is hard to explain if you’ve never experienced it, but it holds true for a lot of authors I know for a few reasons. First of all, sometimes it can be very difficult to start a chapter. When I wrote the Snort/Suricata chapter of Applied NSM it took me nearly a week to come up with the first few pages of introductory material. After I was finally happy with that text, I was able to produce the remaining 50 or so pages in relatively short order. Framing introductions and core concepts can be very difficult and if you don’t do it correctly then the reader might get lost while trying to understand more advanced concepts.

Beyond this, I also know several authors who plan to write a book, only to get 50 pages into it to realize that the concept isn’t really going to work out. I can personally tell you that I’ve considered writing three additional books that I never finished because it took me writing quite a bit to realize that there wasn’t enough relevant content to make the book successful.

When you begin writing a book it is your project and you can call the shots. The second you sign a publishing contract it is no longer just your project. You are on the hook and your project has become an investment for other people. No publisher will ever fault you for having too much content already written before you sign the contract. As a matter of fact, it is likely that this additional content will help the publisher better understand your platform, which could lead to an increased chance of getting a writing contract. If you spend a great deal of time writing content only to realize that the book isn’t going to pan out or that publishers aren’t interested, then that isn’t a total wash. As the late Randy Pausch said, the thing you get when you don’t get what you want is experience.

Have a Backup Plan

While writing Applied NSM, I was a bit shocked when my first chapter came back from copy edit with only one error marked on the manuscript. I’ve written enough to know where my weaknesses are, and I know that there are things editors will usually change in my writing (for better or for worse). So naturally, when the only thing that was brought up was a misspelled word, I was a bit concerned. I reread the manuscript and found a couple of things I had missed in the initial draft that the copy editors hadn’t caught. I was submitting the second chapter soon, so I intentionally placed several errors in the text to see if the copyediting group caught them; and to my dismay they didn’t catch a single one.

I brought this to the attention of my project manager at Syngress, and was shocked to discover that Elsevier (the parent company of Syngress) had recently outsourced their copy editing to a division in India. They admitted that they had just made this switch and were still trying to sort out some quality issues, but that it would take quite a bit of time to do this.

At this point, I was in a bit of a bind because we were on a very tight schedule and I had promised readers a certain release date. Syngress had no ability at this point to provide an effective copy edit (although the PM offered to help where he could). Fortunately, I had a backup plan and utilized the services of my wife (who is now an MD, but originally majored in English and has quite a bit of editing experience) and a third party who will remain anonymous. Through the combined efforts of these two individuals, the book still received the copyedit it needed.

Surprise is a product of complexity. Writing a book is a very complex process, which means that surprise at any given point in the process is likely. This can take a lot of forms: copy editors could do a poor job, a co-author might not be able to complete his contribution, or the publisher might change your deadlines. Think ahead and try to have a backup plan for as many situations as you can.

Leave Wiggle Room

One of the hard things about technical writing is that there are so many “gotchas” to specific scenarios. While something might be true 99% of the time, that 1% can come back to haunt you in your book. For instance, you could write a book about the TCP protocol and definitively say that this is how all of the associated concepts work, writing directly to the RFC specification. However, if you’ve looked at multiple examples of the TCP protocol in action, you will know that not every system implements TCP per specification, meaning that your text could be wrong in some scenarios.

Because of this, it is very important to avoid writing in a “matter of fact” style. You should always leave some wiggle room for interpretation because it isn’t possible to explain every way in which something might be implemented. This means making sure your text highlights the difference between absolutes and indefinites, and you preface descriptions with assumptions you are making about operating environments. This will save your readers some potential headache when they go to try and repeat your techniques.

Don’t Sacrifice Your Tone

The thing that defines you as a writer isn’t your technical knowledge; it is your tone. No matter how much you know about a subject, you must be able to effectively relay that in the written word. Beyond that, it is how you deliver your message that will endear you to readers. I take great pride in the fact that people tell me that I write in a way that makes complex subjects very accessible, and that I can do it in a manner that sounds like me. The people who know me personally will say that when they read my books, they can almost hear me saying the things in it. That is because I have my own unique tone.

At some point in the writing process, you will have to deal with editors. I love editors, and my writing wouldn’t be what it is without them. However, a lot of editors will try to change your tone, especially younger and less experienced ones. This isn’t too different from how programmers work. If you hand a programmer someone else’s code and tell them to work with it, they will probably first try to change it around so it fits their normal coding style. This might involve replacing a few functions, changing how variables are named, or changing how tabs are used. It’s one thing to replace a function with something that is better for reasons of performance or security, but to replace it just because you normally use another one is a different story. Just like this, an editor shouldn’t replace a word because it’s one they use; they should have a reason. This might include making the sentence clearer or more grammatically correct.

I’ve had the chance to work with a lot of editors. Bill at No Starch is one of my favorites because he truly makes my writing better without changing my tone. They are still my words, but they are delivered more effectively because of his subtle changes. It may take a while, but learn what your tone is. Once you’ve got it locked down, defend it.

Don’t Self Publish the First Time

Self-publishing has never been easier, so I often get asked if you should self-publish or go with a traditional publisher. This is a trade-off. With a traditional publisher, you benefit from their experience and marketing power. With self-publishing, you get more control. If this is your first book, I recommend you go with a publisher. There are a lot of moving parts to a book and while you might be able to do all of them, you won’t be able to do all of them well. You probably also won’t be able to market your book well to audiences outside your immediate circle and many publishers are good at that. Ultimately, you need to learn the process and the industry and your publisher will be your guide.

During this time, you’ll learn that your publisher’s goals don’t always match yours. They want to make money. That doesn’t always correlate to you making money or having the impact you want to have. I’ve had publishers ask me to sign new contracts because they wanted a bigger cut, outsource copyediting to poor English speakers (discussed above), and “encourage” me to add content promoting their other books when I had different material I wanted to recommend. You will inevitably see things your publisher does that you don’t like. Even if you like your publisher now, you might not when they have a leadership change or they take a new direction. I have good and bad things to say about every publisher I’ve worked with. Once you’ve gone through the process the first time, then maybe consider self-publishing for your second book if you decide to write one. It will be a tremendous amount more work but you will have more control. That’s the trade-off.


There are a lot of blog posts and websites that will tell you how to get a writing contract or how to write good technical content. In my opinion, doing those things is the easy part. The hard part of writing a book is all about being prepared, planning ahead, and having the right frame of mind before, during, and after the process. My hope is that this article provides some useful insight into some of these things. While the tone of this article may seem grim at times, I absolutely love writing and plan to continue doing so. If I didn’t scare you too bad and you plan to pursue writing an information security book, then I wish you the best of luck! If you have insight from the book writing process that you’d like to share, then I’d love to hear it, so please feel free to e-mail me or leave a comment.

7 thoughts

  1. Very nice posting! I’m an infosec author myself (I have published a few books in German) and therefore it’s nice to see that others have the same relations. My last book had a 4 star rating on Amazon. One of my readers gave me a 3 star rating but took a lot of time to describe the discrepancies of the book. I was going to track down his mail address and wrote him an email thanking for the solid review. It was funny to see that he was surprised that a) I was able to get his mail address and b) I was not disappointed because of the mediocre rating. If you want to write a book, you’re going to expose yourself and you have to live with other people challenging you. I had to learn to handle this. But if you do so, you might get some good opportunities to connect with smart people.


  2. @Marc Ruef

    Absolutely! When people leave reviews for me I always try to thank them for reading the book (even if they are bad reviews). This will often open up some good dialogue, and I’ve learned things from the reviewers that I can incorporate to make my writing better.

  3. I’ve read Practical Packet Analysis and appreciate the difficult work that went into creating that book. I’m glad someone takes the time to write something easy to follow for super technical products like Wireshark.

  4. “Applied Network Security Monitoring” – lovely book. Half way thru it & loving it. Thank you so much for writing this book in such an absolute brilliant manner.
