tl;dr: tl;dr sec is now accepting ads from some sponsors. Ad blurbs will be placed in a clearly marked section, and sponsors will have no other input about what content is included or excluded from tl;dr sec.
We’ve spent some time reflecting, and frankly, stressing, about whether we should accept sponsors on tl;dr sec. We’ve decided to give it a try for now. As long as it doesn’t negatively impact the quality or unbiased nature of tl;dr sec, we don’t believe it will be a problem.
To come to this decision we spent a while reflecting on tl;dr sec’s goals and values and reviewed how other security creators were monetizing their work.
We highly value transparency, so we decided to write this post to give you insight into our thought processes, where we stand now, and where we may head in the future.
tl;dr sec’s Goal and Values
When reflecting on whether to accept ads or otherwise monetize tl;dr sec, I took a step back and thought about what tl;dr sec is and what we stand for.
The goal of tl;dr sec is to be the best, most value-dense security resource that readers see all week.
We focus on ideas and tools to help security professionals do their jobs better and more effectively, so collectively we can protect people’s data and the services they rely on.
tl;dr sec generally avoids topics like the latest breaches and CVEs, infosec drama or posturing, and most things that are not practically useful security content. We do include some random links for fun though 😀
As with anything, these are a work in progress, but as of this writing, these are tl;dr sec’s core values.
Though at times we may be snarky and lightly tease, in general we try to be kind and positive. We assume people have good intentions and are just doing their best unless proven otherwise. We don’t tear other people or companies down. If we have feedback, it should be constructive.
Everyone has more in common than they are different. Having a broad range of backgrounds, experiences, and perspectives makes us better and helps us see the world more accurately, so we value diversity. We are thoughtful in what we say and how we say it, because we want everyone to feel like they are welcome and can be successful in the security industry.
Cheerleader for Others
There are so many people doing such great work that the world needs to hear about. We shine a spotlight on the people in the security industry making great contributions and shout their successes from the rooftops. Making others feel good makes us feel good.
We generally do not endorse companies or products. Our purpose is to provide readers with solid technical content and let them make their own judgments. We include newsletter content on its technical merits and usefulness to readers. When the work is good, we include content from competitors to our day jobs.
As much as possible, we try to be unbiased in the content we include. This is impossible to do completely, since what we find interesting, the people we interact with, and the news sites we follow all affect the content we see (and thus include), but we do what we can to be objective.
In many, perhaps most ways, we’re still figuring things out, in security as well as in creating a newsletter. We don’t believe in putting on a strong, overly confident facade. We try to be open about the things we don’t know, what we’re still learning, and openly admit when we later find out we were wrong about something. Where possible, we try to work in the open and share what we create publicly.
Hopefully this isn't you right now 👆
A few reasons.
1. Fixed Costs
Not including the hundreds (or more) of unpaid hours we’ve put into tl;dr sec, there are a number of costs associated with running it.
There’s the domain name, GSuite, MailChimp, some small AWS costs, and other services we use. There’s also an LLC behind tl;dr sec, which has annual registration fees, accounting fees, etc.
Even if we don’t make a lot of money doing tl;dr sec, it would be nice to not lose money 😅
2. Learning Opportunity
Our background is mostly technical, so we thought it’d be an interesting learning opportunity to have to handle marketing, sales, business relationships, navigate pricing, set up taking online payments using Stripe, and more. Basically, forcing ourselves to do all the parts of running a business, at least at a small scale.
We don’t know if we’ll like it (in fact, we might hate it), but it’ll be a useful learning experience nonetheless.
Also, this gives us a low stakes, reversible opportunity to try all these things out. If we mess up, it’s not that big a deal, unlike if we were to do this in our day jobs at a Real Company™ where the impact would be larger and it could negatively affect our colleagues.
3. Potential Career Path?
Absorbing large amounts of current security research and condensing, distilling, and then sharing it with others is one of my (Clint’s) favorite things to do.
I’m not sure exactly what it is, but there’s something intoxicating to me about learning new and clever ideas I’d never thought of before, and seeing the neat work done by talented security professionals around the world.
If it were possible to build a role for myself that was largely doing security research as well as absorbing and sharing the best security research from others, that would be pretty close to a dream role for me.
So I’m curious to experiment with testing the economic viability of building such a role, even if it’s not feasible to do full time for another 5, 10, or more years.
How do Other Creators Monetize?
So given these reasons, we asked ourselves, “How are others doing it?”
For newsletters and podcasts, at a high level, it appears there are two primary models: sponsor funded and audience funded.
Sponsor funded
Most newsletters and podcasts are free but have sponsors.
This usually involves a text blurb in the email or show notes, the podcast host(s) reading a message from a sponsor, an interview with the CEO or a product manager at the sponsoring company, a webinar in which the sponsor describes the benefits of their product and/or gives a demo, etc.
- Podcasts: Risky Biz, Darknet Diaries (also >$10K/month on Patreon), CISO / Security Vendor Relationship Series, Security Weekly (has several podcasts, also does sponsored webcasts and trainings)
- Newsletters: Graham Cluley’s GCHQ (also does paid speaking engagements and a podcast with sponsors)
Audience funded
For these, some or all of the content is not free, and instead of having sponsors place ads, the readers or listeners pay for the content.
To make this discussion a bit more general, we’re going to include industry analyst firms.
- B2B - Analyst firms writing guidance documents / “state of the industry” type reports which other businesses subscribe to. Usually thousands to tens or hundreds of thousands of dollars per year.
  - e.g. Gartner, Forrester, 451 Research
- B2C - A security professional creating great content that other individual security professionals subscribe to directly. Usually $100-$300 / year.
  - e.g. Daniel Miessler, SheHacksPurple.dev, Stratechery (more tech than security, but same model)
We’ve thought a bit about the various options above and weighed them against our values and goals.
Though the B2B industry analyst angle is quite profitable, at this time we’re not looking to build a crew of full time writers. Also, we’ve heard from numerous sources over the years that these firms can feel a bit “pay to play” at times and that incentives sometimes appear not ideally aligned.
We find the B2C model really compelling - create content people find valuable and they pay you for it; a clear exchange of value. Unfortunately, this isn’t always easy, as many security professionals can find something quite valuable but still not be willing to pay a small amount for it. We admit, we can be the same way too.
We’re inspired by the great work Daniel Miessler and Tanya Janca are doing, and hope to revisit this model at some point.
Given our current size and goals, sponsors seem to make the most sense, as long as what is sponsored and what is not is clearly demarcated, and sponsors receive no unfair control over the contents of the rest of the newsletter.
Experiment, Iterate 🧪
To be honest, for a while we were really stressing about the decision to accept sponsors or not, as if that decision was an irrevocable choice that would fundamentally alter the trajectory and/or perceived nature of tl;dr sec forever.
But then we realized - we don’t need the money, and at any time we can decide to let existing sponsors use up the issues they’ve pre-purchased and stop taking on new sponsors.
So we decided to treat this whole thing like an experiment, start small, see how it feels, and iterate. Nothing is set in stone; everything can be changed in the future.
Thanks for reading! If you have any questions or comments about this decision, or if anything was unclear, feel free to reach out, we’d be happy to chat about it: @clintgibler.