Julia E Hubbel


ete the work, which I multiply by an hourly rate to come up with a price for the project.</p><p id="f43f"><b>Deliverables</b></p><ul><li>The deliverable for training is a class.</li><li>The deliverable for any other project is a report.</li></ul><p id="799b"><b>Project Billing</b></p><p id="eba1">2nd Sight Lab always bills for a project the same way to keep it simple. We require 50% upfront and 50% on the delivery of a report or class. With training, we need to request the upfront payment at least 2–4 weeks prior to the class to cover the cost of work performed before scheduled class dates. The minimum project fee is 8,000 at this time but is often 15,000 and up. Private 40-hour classes with labs start at 25,000 for 10 students.</p><p id="0f1c"><b>Why No Hourly Rates</b></p><p id="cae8">We do not use an hourly-rate billing model and here’s why. First of all, if you don’t know how many hours you’re going to spend you could end up paying a lawyer 1000 to negotiate a contract and the project lasts two hours. You lost money. Secondly, I used to bill hourly through my software company. Tracking and billing time on invoices created a lot of overhead. I’d rather spend that time helping clients. Finally, it takes time to chase down payments. I had a client who consistently argued with me about every. single. bill. I finally just told her to scratch off what she had a problem with on each bill and just pay the rest. She would mark off something like 300 on a 15,000 invoice. It was very stressful and time-consuming. It’s not worth the hassle.</p><p id="369e"><b>About Cash Flow</b></p><p id="51bb">In addition to the problems I already mentioned with hourly rates, there is too much lag when trying to maintain consistent cash flow. One customer pays in advance. Another pays with a term of 60 days. Now you have a window with no cash flow. Gaps in cash flow impact small business owners more than large companies. Last year I took time off to get my house in Seattle ready to sell. 
The drop in income over that time period caused by my time off and the contractor’s failure to complete work on time affected my ability to get a loan for my new home. I ended up finding a way to pay cash, but it was not ideal. Even though with the sale of my home in Seattle, I had a higher income than ever in my life, banks will only look at business cash flow with their rigid underwriting formulas. All they see is a gap with no income. There’s your mini business lesson on cash flow for the day. It’s one of the number one reasons startups go out of business.</p><p id="7a86"><b>Focused Deliverables</b></p><p id="6d19">Another reason I focus on fixed-rate projects is that I don’t want to waste customers’ time. I did one hourly rate project, and I would spend hours on-site working for someone revising spreadsheets. I don’t think that was a good use of my time. It also tied me up for a long time doing busy work instead of actively solving security problems. That was an interesting project, and I was grateful to participate, but in the end, I felt like I could deliver what I gave to that client in six weeks instead of three months. I like to work on focused deliverables and get them done as quickly as possible. I’m not one for milking clocks.</p><p id="0d8b"><b>A company, not an employee</b></p><p id="6be1">When you hire me, you <b><i>hire my company,</i></b> not me personally. If you’re working on an hourly rate, you’re basically a short-term employee paid an hourly rate. 2nd Sight Lab offers a product — our classes. We also offer analysis services that include a deliverable — a report. Those products are delivered using the processes, tools, and documentation we have developed.</p><p id="762c"><b>Why I don’t want to be an employee</b></p><p id="b861">One of the reasons I choose not to be an employee of a large company is that it comes with too many restrictions and roadblocks to delivering effective security assistance. 
I was not allowed to say certain things for political reasons or was simply ignored. I couldn’t fix things I wanted to fix. When 2nd Sight Lab assists a company, we provide the analysis and deliver a report or training. When the company receives the deliverable, it is up to them to fix the issues. If they don’t, I won’t be caught up as an employee of the company involved in the next big breach over something out of my control to fix. By coming in as an external advisor we can speak truth to power for employees who hire us to improve security. I often work with CISOs prior to pentests and security assessments to deliver the desired message in our report and provide the data to back it up.</p><p id="b969"><b>Who does the work?</b></p><p id="c41a">I’ve never wanted a large company. I had five employees in my previous company, Radical Software, and that was OK. I managed a team of 30 as director of SAAS engineering for a company. I don’t want to do that again. I spent a lot of time dealing with “people issues” (not to mention politics) instead of getting a project delivered. At this moment, I’m doing the majority of the work. Someone I used to work with helped me create some class labs for the first class I delivered when I was in a time crunch. In the past, I hired interns to help with basic penetration testing, class material review, editing, and accounting.</p><p id="50af"><b>Who are the interns and assistants?</b></p><p id="b7bc">In the past, the people helping me most of the time were my nieces and nephews, but they went off to college to be teachers and doctors and got too busy for me. Cybersecurity was not their passion. Now I’m looking into working with local colleges. I reached out to <a href="https://www.savannahstate.edu/">Savannah State University</a> last year to hire an intern. I never heard back from the department where I sent the job description. I may pursue that again later through some different schools. 
Other than that, I’ve only received help from people I know personally. If a client doesn’t want anyone else to do the work or see their report, we can work that out.</p><p id="fc88"><b>Security for Interns and Employees</b></p><p id="545e">I am working with a human resources company that performs background and reference checks. When I have someone work on a penetration test for 2nd Sight Lab, they get a separate cloud account and must follow our security standards and instructions. After they finish, we terminate their access to any customer information on that project. Currently, I’m only using interns who are friends or friends’ kids. They are helping me test new cybersecurity training, proofreading documents, and will review books. Employees receive access through our cloud accounts, and that is one of the reasons we can only do projects from the cloud. It limits the exposure of customer data to other systems and networks.</p><p id="28e6"><b>Ownership</b></p><p id="d3be">2nd Sight Lab owns all training materials we produce or use for client training. We often will revise or rearrange our training material for a client to focus on their specific needs. That material contractually remains the property of 2nd Sight Lab and according to our agreement should remain confidential. In addition, any tools, processes, or materials we use on penetration tests or assessments remain the property of 2nd Sight Lab. However, our clients own the report we deliver. We are obligated to keep reports and any client information confidential unless explicitly allowed in our contract. For example, a customer requesting a product assessment of the efficacy of their product may want 2nd Sight Lab to publish our findings, if we find that it solves a particular problem very well.</p><p id="0ccd"><b>How to contact me about a cybersecurity project — LinkedIn</b></p><p id="c4c5">At this time, the best way to reach me for a project is through LinkedIn. I’ve explained this before but using <a href="https://linkedin.com/in/teriradichel">LinkedIn</a> I can see some information about the person with whom I am doing business. I had some very sketchy people contact me while running my past company, <a href="http://radicalsoftware.com/">Radical Software, Inc.</a> I always wondered if they were legitimate or they were having me perform work for a nefarious organization. 
That is one of the ways I attempt to verify clients, other than those I meet in person or who are referred by someone else. Unfortunately, I cannot provide training to organizations in certain countries at this time.</p><p id="a890"><b>Starting a cybersecurity project</b></p><p id="2089">Once you contact me on LinkedIn, I’ll send you information to set up a call to discuss your project. I only do phone calls, not Zoom or video calls, until after I have a signed contract. Even then, I require a week’s advance notice for video calls as my network is not set up to handle those at this time. After I understand a bit about the scope, you’ll receive a proposal and a contract for review. We may work to revise it to meet your specific needs. We’ll define a schedule and deliverables and payment terms in the contract. If I need to explain how to get set up for a penetration test or class those instructions come after receipt of the upfront payment.</p><p id="a1d9"><b>Completing a cybersecurity project</b></p><p id="2f1a">Prior to signing a contract we’ll discuss arrangements for communication over the course of the project. Often that will be via email for an on-going penetration test. For a security assessment, I will typically include phone interviews to ask questions up front and further discuss findings after reviewing the assessed environment, but this can vary as needed based on customer needs. Once we’ve completed our work, you’ll receive a report. I try to wait a few days before sending the final invoice to make sure the customer received and could open the report.</p><p id="f3be"><b>Additional support after report delivery</b></p><p id="dd74">Once a class is complete 2nd Sight Lab doesn’t generally provide any additional assistance, though in some cases we had a lab fail and provided a working version after class to the client. I have taken many cybersecurity classes in my time and never had another company do that for me. 
I usually don’t charge extra for a few questions after the report gets delivered. However, extensive questions or support would require an additional fee. Often, customers will ask us to verify their fixes for findings after completion of a penetration test report. We include that on our penetration report contracts at an hourly rate and can cap the time we spend reviewing the findings as needed.</p><p id="8b7a">If you are thinking of hiring a company to perform a cybersecurity assessment, penetration test, research project, or due diligence related to a cybersecurity investment hopefully this information helps you understand how <a href="https://2ndsightlab.com/">2nd Sight Lab</a> operates. You can reach out to me on <a href="https://www.linkedin.com/in/teriradichel">LinkedIn</a> if you have any additional questions about assessments, penetration tests, or training.</p><p id="2373">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2022</i></p><div id="8b5f"><pre><span class="hljs-section">About Teri Radichel:</span>

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div></article></body>

The Best Ways to Create Followers on Medium

The gold standard for community creation, and how to do it.

Who you and I are in real life, or IRL as my younger friends would write, is how we show up online. There is no “other” mantle that we suddenly become when we sit down to read or write or highlight here on Medium. So where you and I have the propensity to support, share, be inclusive in our everyday lives, that is what shows up here.

That said, you can also build the habit. Given quarantine, not a bad idea. This is safer.

Couple questions:

  1. Is your writing all about the money? I’m not your author. What I suggest will help, but if making money is the only thing you want out of Medium, first, don’t quit your day job. Second, don’t quit your day job. I’d say it again but I think you got it. Lots of people out there happy to pilfer your wallet so that they can, as a good friend of mine put it very succinctly the other day, “shove their dick into your mouth” about how to make money on Medium. And BTW, if frankness offends you, I’m not your author either. Cause honey, if those morons were making that much money on Medium why on earth are they on Medium? Elon Musk doesn’t have a How to Get Rich as Croesus workshop plan on here.
  2. If writing is a means by which you grow yourself, and by virtue of that organically and steadily grow a business along with yourself and others, I am your author. Not an expert, but I do have a useful take once in a while.

So. If you naturally and organically like to support and include, Medium is for you. Here’s how this works, based on what I do regularly. I do NOT discuss stuff I don’t do regularly:

READ. By this I mean read other authors’ stuff. You want people to read you, READ THEM.

HIGHLIGHT. Your highlights are gifts, just as those passages I take the time to highlight for you are gifts. This is the fundamental message of community collaboration. This is how we grow together, learn together, and teach each other what’s important. Highlights on your material are the direct conversation to YOU that a reader is telling you: this is meaningful, important, I like it, you made a typo, whatever. Highlights are teachers. You do not get a better insight into what your readers find important in your work than highlights. Same goes when you do that for others. Look for highlight trends. I find lots of things in common when Medium shows me other readers who highlight what I have highlighted on certain articles. HELLO! That’s someone whose material might interest you. Check them out. Read their stuff. Highlight it.

Highlights say: I see you. I hear you. This touched me moved me pissed me off whatever. We writers die without feedback. Highlights are feedback. Before this, we writers would kill for this kind of two-way conversation all day every day with our audiences. You want to grow as a writer? Highlight and read your highlights, then attend to the messaging. You want engagement?

Give it first.

COMMENT without being a dick about it. Comment to grow, uplift, expand. Comment to add value. READ your comments and respond without being a dick about it. And to that:

If a commenter (kindly, not a troll) says something that gets your goat, sit that shit down right now. Back off. Look at what part of you just rose. Are you defensive? Angry? Offended? Why? Before you take out the acid to toss on someone, first look at whatever came up for YOU. Usually if I have this reaction, there was a modicum, maybe a lot, of truth in their words. This is when I get to ask:

  1. What on earth is THAT all about?
  2. What part of this might be true?
  3. If so, what does it say about me that I feel (angry, defensive, etc.)?
  4. What part of this comment is a gift?

Because that comment might just be forcing you to look at some shit you got in your bucket and you can’t smell it. That is a fucking GIFT.

Comments are so often more about the commenter than about you, but comments are also critical feedback. Not only do I take the time to offer private grammatical suggestions, I will often offer the author a link to a related story or piece of information that I think they might find useful. That adds value. Adding value gains respect. Respect earns you eyeballs. Eyeballs can turn into friends.

Link to other folks’ material. Make sure it’s all right if the material is sensitive. NEVER NEVER NEVER NEVER NEVER use anything anyone else wrote without attribution. That just makes you a plagiarizing asshole. Please see these by Clay Rivers:

Do not take other people’s shit, people. Not only is that illegal, it’s immoral, and folks will come after you for it. Stupid move.

However, DO link to and show off other folks’ good work like I just did for Clay. Clay’s articles stand on their own and he’s an excellent writer. I want you to get the benefit of his material, and perhaps you might choose to follow him. Everyone wins. You steal, everyone loses. It’s called copyright law.

If someone said something unbelievably good and you want to steal it, ask permission, get it, then attribute UNLESS, as happened to me, folks don’t want to be acknowledged. Point is that lots of folks are tickled pink to have their words used as headlines, or a paragraph or story used to make a bigger point, complimentary please. Talk about making friends and loyal readers.

Why? Because folks like my Medium buddy Katie Andrews love it when I retell her weight loss story, not only because it’s highly motivational, but also because I love acknowledging folks publicly. People notice when you are kind. They notice when you uplift. They notice when you take care to give attribution to the author of a great line. They learn that you are moral, safe, respectful, and you are not going to rip them off. If anything, these days I’ve got lots of folks asking me to link to and highlight their work. I don’t have enough time to do that, but that honor didn’t happen by accident. People are watching how you show up.

Have I been a public jerk at times? You betcha. I usually try to erase that shit, but over time I’ve learned to be a lot more mindful. My excuse, and you may not steal it, is that I’ve had twenty-two concussions (you can tell). I have wicked-ass bad days, and sometimes it shows. That means I have to work even harder to sit that shit down.

Wanna go even bigger? On many occasions, I’ve used success stories that I read in my comments to turn into articles about those folks. I ask permission, then someone else’s tale, which they didn’t feel comfy writing about, ends up being the core story line of a piece I do on everyday heroes, aging vibrantly, courage.

THAT is how you uplift others.

A number of my favorite Black writers have learned to trust my intentions because first, I love their work, second, I’ve been able to introduce a few to each other and third, they are well aware that I am wholly on board with what they’re trying to do. In some cases I’ve sent their work to some of my corporate contacts. That is part of what allyship looks like. Those relationships do not happen overnight, they grow quietly and over time. What you do and how you show up consistently demonstrate your character and conviction.

I got accused once by someone on Medium that I thought I could trust of using her stories and ideas to make money. Not only was that utterly untrue, it hurt deeply. However it caused me, and here’s the point, to be far more careful before I punch Publish. We make mistakes. Sometimes mistakes hurt people. And people choose to write your story without your permission. Doesn’t matter that it wasn’t what I intended. It is how it landed. Happens. Not much you can do other than learn from it.

You can see why if all you want to know is how to make money, this isn’t your article. There isn’t a single word in here about how to monetize the sacred souls who read our work. Because if we treat their eyeballs and attention as sacred, for again, they do not get that time back, then they will give us more time and attention. That is how we earn money on Medium, unpredictable staff notwithstanding.

I regularly make fun, not without some frustration, of how often I’ve had to rebuild my community because of structural changes inside Medium. Because of how those changes affected my earnings I am being forced to head elsewhere, but I am going to use precisely the same methods to grow an audience. I will keep writing here, but at some point you and I have to decide if we want to trade time for infinitesimal fractions of a cent, or if we are going to build our own thing. For me it’s the latter. At my age I am running out of runway.

But I haven’t run out of patience, or respect for Dear Reader. Writing is a sacred art. Let’s not abuse the right to reach other people by reducing them to dollar signs. These days, those of us who stand out, stand up for each other.
