Today's article is an announcement with additional commentary about Strategy of Security. I haven't spent much time talking about Strategy of Security itself or the work I've been doing for the past nine months. It's time for a brief look behind the scenes.
I'm going to take some time today to explain the nuances and provide some commentary on this project in general. There is no company or industry analysis today aside from the publication and related projects.
This article is for me as much as anyone else. I've mostly been heads down since I started this project in August 2021. A lot of people have been curious about my work and where I'm headed with it, so I decided to share a few thoughts openly instead of keeping the analysis to myself.
First, the announcement: I'm going to experiment with publishing a new article every two weeks.
This is a decrease in frequency from the weekly pace I've kept since starting Strategy of Security. However, I'm optimistic about this direction and the net impact it should have on the overall body of work I produce here.
A few additional topics I wanted to go deeper on today are:
Approach: Why I'm prioritizing quality over frequency.
Audience: Where I went wrong with my initial assumptions about the audience for Strategy of Security.
Business: The overall set of projects I've been working on.
Future: Where Strategy of Security is headed.
If a deeper discussion about these topics is interesting to you, read on. If not, no worries — I'll be back with regular articles on the new schedule during the week of May 30th.
Approach: Quality takes priority over frequency
First, I want to explain the updated publishing schedule. In my very first article to introduce Strategy of Security, I talked about remaining fluid with the publishing schedule and prioritizing quality over frequency:
I will...update the publishing schedule over time. This process is under no set schedule. Quality takes priority over frequency.
Publishing weekly is a blistering pace — especially with the breadth and depth of topics covered so far. I've enjoyed doing it, so the weekly pace has felt both challenging and rewarding. However, I feel like publishing every other week can make a meaningful difference in the quality of articles.
Nearly every article has (what I would consider) some degree of success. Some have been a lot more successful than others. The clear outliers have been:
Even for articles I consider to be successful, I feel like I am leaving something on the table almost every week in terms of quality, content, data, or visuals. This might be unrecognizable to you as a reader, but it's something I've distinctly noticed as I rush to finalize and hit publish.
When outlining my content approach in the launch article, I talked about my plan to use mixed media:
My work happens through writing, visuals, and data. I believe in the power of mixed media. Using the right form of communication is the most effective way to share ideas.
I definitely have utilized mixed media, but not as consistently as I would like. Writing has definitely taken priority over visuals and data. I'd like to re-balance that, and here are a few thoughts about how I plan to do it.
My use of writing as a form of media is obvious — actually the opposite problem from other forms. I'm probably writing too much. Articles could be more concise with extra time for edits. Depth is important, but I always discover better ways to say something when I'm extra disciplined about editing.
The writing and editing process for a piece like 1Password's Blue Ocean Strategy was extensive. The article itself was nearly 7,000 words long. It took 50+ hours and two weeks to write. I burned the one-week cushion I had in my content backlog to spend extra time on edits, visuals, and data. It showed — this is the one article where I feel like I did everything I could to make it the best piece of content it could be.
I learned something important from that article: you like in-depth content. This is abundantly clear to me now in a way I couldn't have possibly guessed or understood when I started this project. In-depth doesn't necessarily mean ~7,000 words. It means depth and clarity of thought.
I'd like to put this level of effort into every article I write. Publishing every other week should give me the time to do it. I know this won't always translate to results (the 1Password article was a special piece on multiple levels — it wasn't just the editing that made it good). However, I would rather publish a smaller number of extremely high-quality pieces than more frequent but slightly lower-quality pieces.
I expect the difference will be noticeable in terms of readability, clarity of thought, and word density. Like all experiments, we'll see what the results have to say.
Visuals are one part of the mixed media equation where I find myself falling short consistently. Some articles do include visuals, but many don't. It takes more time to produce a great visual than I expected. When I'm trying to finish an article, it's easy to say "this could have been a great visual, but words are good enough" and move on.
You probably wouldn't notice the omission of a visual as a reader. I'd bet you would notice if a great visual was where it should be in an article. It's hard to articulate specifically, but great visuals add a little extra something to an article in a way that more text doesn't.
1Password's Blue Ocean Strategy and The Rise of Security Augmentation are both examples of the effect good visuals can have on a piece. I created all of the graphics in the 1Password article myself and ended up getting requests to use them in all kinds of different ways. I worked with a professional designer and the Human Layer Security content team on the graphics for The Rise of Security Augmentation, and you can clearly feel the polish in the print version of the article.
Going forward, I want to make the time to create visuals where I know they should be included in an article. Doing this should add extra clarity and polish to every piece of content I create.
Data is another side of the mixed media equation that could be improved. Accessing, compiling and maintaining data (especially even moderately large datasets) is tedious in a way I didn't expect.
The Cybersecurity Ecosystem Mapping is where I have poured most of my data curation efforts to date. This project took a lot of time — hundreds of hours over several weeks. The effort has paid off. The mapping data is so popular that it actually gets more direct impressions than the Strategy of Security homepage itself.
I suspect this data is valuable because it's more than just data. Defining a full taxonomy of the cybersecurity ecosystem requires a lot of judgment and experience. By comparison, other types of industry data sets are more straightforward — they're a factor of how available the data is, plus time and effort invested in creating and maintaining the data.
I could re-balance my prioritization of writing versus data and spend more time curating datasets. That's not the business I want to be in, though. As a solo creator, I believe my limited amount of time is better spent on analyzing data, not producing and maintaining it. (As an aside, I now understand why data services like PitchBook, Crunchbase, Seeking Alpha, and others are so valuable.)
Going forward, my objective is to (primarily) be a user of data, not a producer of data. Although there is a relationship between data and analysis, I feel more clear about the distinction now. The right balance for me is using data to make analysis better. Much like a great visual can explain a concept better than words alone, the right data in the right place can have the same effect.
I now have access to better data than I have had for any article prior to this one. It will take a bit of time and practice for me to explore the data and learn the best way to use and present it. You probably won't notice a difference right away. However, I'm excited about the longer term improvements to quality and insights that better data can make.
I have been inconsistent at sharing thoughts on social media. That's the final content-related area I would like to improve upon.
In the launch article, I planned for daily short-form commentary on social media:
To start, I'm writing free long-form articles weekly with daily short-form commentary on social media.
I've done this, but not at the level of consistency or quality I would like to have. When I'm spending all of my effort finishing an article each week, there isn't much time left for social media commentary. It's another dimension of writing time that I didn't properly account for. Naively on my part, social media seems easy until you try to do a good job at it consistently.
Sharing more short-form commentary on social media has a lot of potential that I'm leaving on the table right now. Every article has salient points that can be summarized and shared on social media. That's beneficial for people who aren't able to make time to read 3,000+ word articles every week.
There are also more topics to discuss than I have time to write about. Not everything can or should be an article. I need to use social media for sharing brief thoughts, data, and visuals instead of taking a black-and-white "article or nothing" approach. That's my plan going forward.
Audience: Who this is for
I don't collect reader demographics to protect your privacy. Anecdotally, I have discovered that people who want to read content like this extend well beyond the traditional InfoSec profession. This has been a pleasant surprise and something I've thought about a lot.
In the launch article, I wrote this in the "Who is this for?" section:
I have a long-held belief that cybersecurity will become an increasingly cross-functional discipline. The ecosystem will grow to include new people: those with a balance of business acumen, technical acumen, and global acumen.
Defining the modern cybersecurity professional is about acknowledging emerging and non-traditional roles in the ecosystem. There is an important place for individuals who understand cybersecurity in context of business, strategy, and the world at large.
These words were written based on a hunch. The publication had exactly zero subscribers when the words were first published. Looking back several months later, I was directionally correct, but not completely accurate.
I still believe cybersecurity is becoming a cross-functional discipline. However, I focused too much on the qualities of a person and not enough on the characteristics of the cybersecurity ecosystem itself.
I tried to neatly summarize my belief about cybersecurity professionals becoming cross-functional using the term "modern cybersecurity professional." That's deceptively narrow and somewhat unfair to the variety of equally great people within the cybersecurity ecosystem. At the time, I did acknowledge the term was an ideal, but my thinking has evolved even further.
Some of us are technical. Some are not. Some prefer hacking, and others like compliance. InfoSec teams protecting their organizations and companies building cybersecurity products are both important roles. Investors and investment bankers finance companies and make deals. Analysts and journalists cover industry news and trends. The list goes on. A lot of different people contribute to the cybersecurity ecosystem, and that's fantastic.
The part I had wrong was the idea that we should become multi-dimensional professionals. Some of us will, and that's fine. The inverse of this idea is more important: the cybersecurity ecosystem is so broad that everyone can make a difference using their own unique set of skills and interests.
This publication isn't actually for the modern cybersecurity professional. It's about understanding and shaping the modern cybersecurity ecosystem. Whether you work in a traditional InfoSec role, at a product company, as an investor, or anywhere else in the ecosystem, my hope is that you can rely on Strategy of Security to understand what's happening and why.
Going forward, my focus is going to be about the value you can expect to get out of being a reader, not trying to appeal to a specific type of person. I'm thrilled to be sharing my thoughts with such a wide variety of people. I want to encourage even more diversity of backgrounds and thinking in the future.
Business: Multiple SKUs
My plan from the beginning has been to work on a handful of small and intentional projects:
I intend to continue consulting and advising in addition to writing. In the words of Hunter Walk, Strategy of Security is one of multiple SKUs I'm working on. I believe in the mutual reinforcement of practice, experience, and study. I started this project because it's a useful (and perhaps unique) combination of the skills and experience I've been so fortunate to gain in my career.
Writing is one part of the equation — one SKU, to continue the metaphor. It's also the most visible. Anyone can read and discover Strategy of Security articles. Subscribers have steadily grown week-over-week since the beginning.
Consulting and advising is a less obvious part of the equation. I'm not able to share much about the projects because they're under NDA, but I can say this: I have had phenomenal consulting clients since the very beginning.
I hoped consulting projects could eventually reach this point. I never expected it would happen this quickly. I have barely mentioned doing consulting work, and I'm not trying to build a consulting company. It's an important part of what I do, though.
Partnering on a focused set of projects has taught me a lot. It gives me a chance to apply some of the analysis I've done here in real-world situations — to have skin in the game, as Nassim Taleb says.
In addition to writing, I expect to continue doing a handful of consulting projects. Privately, I have told people I will likely never become a full-time analyst because it's so valuable to be in the game, too.
It's too early to tell about other types of projects. I have ideas, but I've also had to learn how limited my time is. A curse of being ambitious is continuously wanting to do more than time permits. I've learned to cope with that. However, I plan to be opportunistic and evolve the overall set of SKUs as I continue the work I'm doing here.
Future: Where is this project going?
Finally, I wanted to briefly discuss where Strategy of Security is going. I don't have a specific direction to share, but I do have a few things to say.
Halfway through 2021, I decided to play The Great Online Game and see where things went from there. Everything that's happened since has far, far exceeded my expectations. The personal growth, relationships, opportunities, and enjoyment I have experienced because of this project feel incredible to me.
I'm old enough to have gone through a couple economic downturns, so I'm reluctant to claim victory. However, I am reasonably comfortable saying that Strategy of Security is becoming a sustainable business I can continue building for the long run.
Tactically, a lot of what I want to continue building in the near-term has been discussed already: more visuals and data, better research, broader topics, and more. I also have better opportunities for collaborations. Expect to see more of those in the future.
I have longer term ideas (and great suggestions from readers) for content and beyond. For now, I'm focused on making the specific adjustments I outlined earlier and seeing what the impact is. If I can do this part of the job well, other opportunities will be much more viable later on.
From the beginning, I set this business up to be something I could do for the rest of my career — as long as my work is well received and I enjoy doing it. Sustainability, consistency, and durability were intentional parts of the strategy. I knew there would be adjustments to make and new opportunities to unlock along the way. I didn't know things would work out this well or this quickly, although there's still a long way to go.
I'm both fortunate and grateful that I get to do this. I'm excited to keep going, to keep building, and to continue making Strategy of Security a valuable part of your professional life. Thank you for reading.