avatarEd Newman

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

6371

Abstract

ete the work, which I multiply by an hourly rate to come up with a price for the project.</p><p id="f43f"><b>Deliverables</b></p><ul><li>The deliverable for training is a class.</li><li>The deliverable for any other project is a report.</li></ul><p id="799b"><b>Project Billing</b></p><p id="eba1">2nd Sight Lab always bills for a project the same way to keep it simple. We require 50% upfront and 50% on the delivery of a report or class. With training, we need to request the upfront payment at least 2–4 weeks prior to the class to cover the cost of work performed before scheduled class dates. The minimum project fee is 8,000 at this time but is often 15,000 and up. Private 40-hour classes with labs start at 25,000 for 10 students.</p><p id="0f1c"><b>Why No Hourly Rates</b></p><p id="cae8">We do not use an hourly-rate billing model and here’s why. First of all, if you don’t know how many hours you’re going to spend you could end up paying a lawyer 1000 to negotiate a contract and the project lasts two hours. You lost money. Secondly, I used to bill hourly through my software company. Tracking and billing time on invoices created a lot of overhead. I’d rather spend that time helping clients. Finally, it takes time to chase down payments. I had a client who consistently argued with me about every. single. bill. I finally just told her to scratch off what she had a problem with on each bill and just pay the rest. She would mark off something like 300 on a 15,000 invoice. It was very stressful and time-consuming. It’s not worth the hassle.</p><p id="369e"><b>About Cash Flow</b></p><p id="51bb">In addition to the problems I already mentioned with hourly rates, there is too much lag when trying to maintain consistent cash flow. One customer pays in advance. Another pays with a term of 60 days. Now you have a window with no cash flow. Gaps in cash flow impact small business owners more than large companies. Last year I took time off to get my house in Seattle ready to sell. The drop in income over that time period caused by my time off and the contractor’s failure to complete work on time affected my ability to get a loan for my new home. I ended up finding a way to pay cash, but it was not ideal. Even though with the sale of my home in Seattle, I had a higher income than ever in my life, banks will only look at business cash flow with their rigid underwriting formulas. All they see is a gap with no income. There’s your mini business lesson on cash flow for the day. It’s one of the number one reasons startups go out of business.</p><p id="7a86"><b>Focused Deliverables</b></p><p id="6d19">Another reason I focus on fixed-rate projects is that I don’t want to waste customers’ time. I did one hourly rate project, and I would spend hours on-site working for someone revising spreadsheets. I don’t think that was a good use of my time. It also tied me up for a long time doing busy work instead of actively solving security problems. That was an interesting project, and I was grateful to participate, but in the end, I felt like I could deliver what I gave to that client in six weeks instead of three months. I like to work on focused deliverables and get them done as quickly as possible. I’m not one for milking clocks.</p><p id="0d8b"><b>A company, not an employee</b></p><p id="6be1">When you hire me, you <b><i>hire my company,</i></b> not me personally. If you’re working on an hourly rate, you’re basically a short-term employee paid an hourly rate. 2nd Sight Lab offers a product — our classes. We also offer analysis services that include a deliverable — a report. Those products are delivered using the processes, tools, and documentation we have developed.</p><p id="762c"><b>Why I don’t want to be an employee</b></p><p id="b861">One of the reasons I choose not to be an employee of a large company is that it comes with too many restrictions and roadblocks to delivering effective security assistance. I was not allowed to say certain things for political reasons or simply ignored. I couldn’t fix things I wanted to fix. When 2nd Sight Lab assists a company, we provide the analysis and deliver a report or training. When the company receives the deliverable, it is up to them to fix the issues. If they don’t, I won’t be caught up as an employee of the company involved in the next big breach over something out of my control to fix. By coming in as an external advisor we can speak truth to power for employees who hire us to improve security. I often work with CISOs prior to pentests and security assessments to deliver the desired message in our report and provide the data to back it up.</p><p id="b969"><b>Who does the work?</b></p><p id="c41a">I’ve never wanted a large company. I had five employees in my previous company, Radical Software, and that was OK. I managed a team of 30 as director of SAAS engineering for a company. I don’t want to do that again. I spent a lot of time dealing with “people issues” (not to mention politics) instead of getting a project delivered. At this moment, I’m doing the majority of the work. Someone I used to work with helped me create some class labs for the first class I delivered when I was in a time crunch. In the past, I hired interns to help with basic penetration testing, class material review, editing, and accounting.</p><p id="50af"><b>Who are the interns and assistants?</b></p><p id="b7bc">In the past, the people helping me most of the time were my nieces and nephews, but they went off to college to be teachers and doctors and got too busy for me. Cybersecurity was not their passion. Now I’m looking into working with local colleges. I reached out to <a href="https://www.savannahstate.edu/">Savannah State University</a> last year to hire an intern. I never heard back from the department where I sent the job description. I may pursue that again later through some different schools. Other than that, I’ve only received help from people I know personally. If a client doesn’t want anyone else to do the work or see their report, we can work that out.</p><p id="fc88"><b>Security for Interns and Employees</b></p><p id="545e">I am working with a human resources company that performs background and reference checks. When I have someone work on a penetration test for 2nd Sight Lab, they get a separate cloud account and must follow our security sta

Options

ndards and instructions. After they finish, we terminate their access to any customer information on that project. Currently, I’m only using interns who are friends or friends’ kids. They are helping me test new cybersecurity training, proofreading documents, and will review books. Employees receive access through our cloud accounts, and that is one of the reasons we can only do projects from the cloud. It limits the exposure of customer data to other systems and networks.</p><p id="28e6"><b>Ownership</b></p><p id="d3be">2nd Sight Lab owns all training materials we produce or use for client training. We often will revise or rearrange our training material for a client to focus on their specific needs. That material contractually remains the property of 2nd Sight Lab and according to our agreement should remain confidential. In addition, any tools, processes, or materials we use on penetration tests or assessments remain the property of 2nd Sight Lab. However, our clients own the report we deliver. We are obligated to keep reports and any client information confidential unless explicitly allowed in our contract. For example, a customer requesting a product assessment of the efficacy of their product may want 2nd Sight Lab to publish our findings, if we find that it solves a particular problem very well.</p><p id="0ccd"><b>How to contact me about a cybersecurity project — LinkedIn</b></p><p id="c4c5">At this time, the best way to reach me for a project is through LinkedIn. I’ve explained this before but using <a href="https://linkedin.com/in/teriradichel">LinkedIn</a> I can see some information about the person with whom I am doing business. I had some very sketchy people contact me while running my past company, <a href="http://radicalsoftware.com/">Radical Software, Inc.</a> I always wondered if they were legitimate or they were having me perform work for a nefarious organization. That is one of the ways I attempt to verify clients, other than those I meet in person or who are referred by someone else. Unfortunately, I cannot provide training to organizations in certain countries at this time.</p><p id="a890"><b>Starting a cybersecurity project</b></p><p id="2089">Once you contact me on LinkedIn, I’ll send you information to set up a call to discuss your project. I only do phone calls, not Zoom or video calls, until after I have a signed contract. Even then, I require a week’s advance notice for video calls as my network is not set up to handled those at this time. After I understand a bit about the scope, you’ll receive a proposal and a contract for review. We may work to revise it to meet your specific needs. We’ll define a schedule and deliverables and payment terms in the contract. If I need to explain how to get set up for a penetration test or class those instructions come after receipt of the upfront payment.</p><p id="a1d9"><b>Completing a cybersecurity project</b></p><p id="2f1a">Prior to signing a contract we’ll discuss arrangements for communication over the course of the project. Often that will be via email for an on-going penetration test. For a security assessment, I will typically include phone interviews to ask questions up front and further discuss findings after reviewing the assessed environment, but this can vary as needed based on customer needs. Once we’ve completed our work, you’ll receive a report. I try to wait a few days before sending the final invoice to make sure the customer received and could open the report.</p><p id="f3be"><b>Additional support after report delivery</b></p><p id="dd74">Once a class is complete 2nd Sight Lab doesn’t generally provide any additional assistance, though in some cases we had a lab fail and provided a working version after class to the client. I have taken many cybersecurity classes in my time and never had another company do that for me. I usually don’t charge extra for a few questions after the report gets delivered. However, extensive questions or support would require an additional fee. Often, customers will ask us to verify their fixes for findings after completion of a penetration test report. We include that on our penetration report contracts at an hourly rate and can cap the time we spend reviewing the findings as needed.</p><p id="8b7a">If you are thinking of hiring a company to perform a cybersecurity assessment, penetration test, research project, or due diligence related to a cybersecurity investment hopefully this information helps you understand how <a href="https://2ndsightlab.com/">2nd Sight Lab</a> operates. You can reach out to me on <a href="https://www.linkedin.com/in/teriradichel">LinkedIn</a> if you have any additional questions about assessments, penetration test, or training.</p><p id="2373">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2022</i></p><div id="8b5f"><pre><span class="hljs-section">About Teri Radichel:

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div><div id="caae"><pre><span class="hljs-section">Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span>
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation</pre></div><div id="5a42"><pre>Follow <span class="hljs-keyword">for</span> more stories like <span class="hljs-keyword">this</span>:

❤️ Sign Up my Medium Email List ❤️ Twitter: <span class="hljs-meta">@teriradichel</span> ❤️ LinkedIn: https:<span class="hljs-comment">//www.linkedin.com/in/teriradichel</span> ❤️ Mastodon: <span class="hljs-meta">@teriradichel</span><span class="hljs-meta">@infosec</span>.exchange ❤️ Facebook: 2nd Sight Lab ❤️ YouTube: @2ndsightlab</pre></div><figure id="faf5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*H9Ew1KCl-29nZiPR.jpeg"><figcaption></figcaption></figure></article></body>

Blogging and Journal Writing, What’s the Difference?

“The writer of any first person work must decide two obvious questions: what to put in and what to leave out.” — Annie Dillard

Annie Dillard doodle contributed for Dandy Yankee Doodle Project. Photo by the author.

I believe the Annie Dillard quote above comes from her book Pilgrim at Tinker Creek. She was referring to her own memoir writing if I remember correctly, and to all memoir writing in general. This was before the era of blogs and blogging.

Blogging has become an interesting phenomenon, a natural outgrowth of the world wide web. It’s popular because it is easy. And with all the various platforms today, it’s accessible to nearly anyone.

I remember when people were criticizing email because it was “destroying language” and wrecking good grammar, good English etc. Then texting came along and academics began to gasp.

Has texting destroyed the language? Everything has a pro and con, including email, texting and blogging. I think it’s great that people are communicating. How many letters would people send in a day if they had to type, print, fold, and insert into an envelope that they must still address and stamp? What a hassle. By email, I can maintain contacts with fifty or more people a day. At the office it used to be a hundred or more.

Email is easy, and nearly anyone can do it.

Blogging, likewise, is a heckuva lot easier than building a website. There are hordes of blog platforms that will host your creative output. Some have gotten a lot of bad press, but maybe it’s because the Press is jealous. I wouldn’t doubt that more people read blogs than read newspapers.

In the mid-nineties I built a website, in part for the experience and in part for the forum where I could display some of my work. I used a software program that was limited in capabilities but easy to use. Ease of use was key.

But even so, most people did not have sufficient motivation to get past the web-weaving learning curve. And although businesses everywhere were soon building websites — almost as necessary as business cards and storefront signage — individuals with a website were probably fewer in number.

Blogs changed all that. Blogs opened new possibilities for self-expression that seemed infinite in scope. Ev Williams, who co-founded Blogger and later Twitter (from which he just now stepped down to give yet more attention to his new child, Medium) has been truly on the forefront in this arena. Kudos to Ev Williams

What I wanted to address here is not the feared destruction of our language. I’m more concerned about the line between appropriate self-revelation and TMI. (Too Much Information.) I don’t want to be guilty of making too many rules, but I do see this as a problem area. Just as the issue of boundaries has increasingly become a problem in recent years, how much disclosure is prudent?

For example, when an employee has a problem with the boss, what is gained by posting a 500-word rant? I once heard about such an account. What the employee gained was a two week suspension without pay. That, I thought, was pretty generous.

Many people have no sense of boundaries with other facets of their lives. I remember being in a chat room in which a woman was upstairs complaining (online, publicly, with strangers) about her husband downstairs in front of the television.

I do not believe blogs are intended to be a replacement for journals. In your journal you can do self-analysis and personal psychological assessments. But do you really need to announce to the world your every neurotic tendency, self-destructive fantasies, anguished self-accusations, prideful declarations or hypersensitive assessments of others? Guess what? There are some things we do not need to know. Work it out in private.

Personally, I would even be careful in a journal with some information. I myself have needed to vent on issues once in a while, but would later tear out the page and destroy it because it could hurt someone I cared about. We definitely need a space for total self-honesty, but that should be a private space, too, shouldn’t it?

I really liked what Mark Twain did when he wrote his autobiography. He wanted to produce something in which he could be totally honest, but he also wanted to not hurt people who were in still in his life. He chose Full Disclosure, but would not permit the book to be published for 100 years. All the main people in the book would be long dead.

When I first began blogging, a lot of what I wrote began with excerpts from my private journals. I remained selective, using ideas and thoughts as a springboard to additional conversation with my readers.

In short, your journal is for you, your blog is for your readers. Or at least that’s how I see it. Feel free to make your own rules, but that’s how I see it.

In the meantime, blog on.

NOTE: The doodle from Annie Dillard at the top of this page was sent to me as part of my Dandy Yankee Doodles Project. More about that during another space in time.

Get to know more about Annie Dillard at www.anniedillard.com You can find a collection of quotes for writers at my own website: ennyman.com/writing

Originally published at pioneerproductions.blogspot.com

Medium
Blogging
Journal Writing
Writing
Psychology
Recommended from ReadMedium