A decade ago, I wrote a White Paper that 10x’d my credibility in an open source community that I was otherwise unknown in.

Crazy part? I wasn’t an expert on the subject (but I became one in the process).

Here’s the backstory of the Drupal PCI Compliance White Paper /1
This is not a humblebrag. It's a pattern that basically anyone can follow to achieve a similar result.

Tech changes fast, and this creates knowledge gaps. Find a particularly hard and expensive gap, and you can become a valuable resource in a community. /2
Step 1. Identifying a Hard, Expensive Problem

Or in my case, a hard problem found me.

After an uptick of sales, a client received a phone call from their credit card processor that our PCI compliance was being audited. My first question “So what is PCI compliance?” /3
We were screwed. They threatened to refund 100% of our customers if we didn’t comply in 60 days. This could have killed the business.

So an expensive problem was identified… and I was stressed AF as I barely solved it in the allotted time. /4
Step 2. Verify Others Have This Problem

There were ~50,000 Drupal eCommerce sites at the time. Yet no Google results gave clear guidance on how to achieve compliance.

This was a costly legal requirement that most people were ignoring, so I knew there should be demand. /5
Step 3. Float a Minimal Viable Post

With no expertise on the subject, I put together a proposal that someone (i.e. me) fix the situation. However, knowing that I was ill-equipped, I needed help to justify the 100+ hours to research and put together. soundpostmedia.com/article/lets-t… /6
The post clearly struck a chord. Dozens of well-known people in the community commented. Some offered financial and/or technical support. So I knew I hit resonance AND could see this through to completion. /7
Step 4. Enlist Experts

In addition to just the time commitment, I needed to make sure this was accurate and credible. I had no security experience, so I needed help. I also knew they’d be busy, so I had to offer to do all the heavy lifting. I just needed them to check my work /8
This was huge. Their names (while they did maybe 5% of the work reviewing) would give the paper the necessary legitimacy to get accepted and distributed. It worked. Greg and Ned accepted and became coauthors. /9
BTW. Just because their net contribution time was low, the value of having them review it was massive. Without it, I would have never felt comfortable shipping it and advocating for others to use it. /10
Step 5. Publish and Promote

Once it was done, we didn't just hit publish and call it a day. I worked hard to track down all the key people in the Drupal eCommerce space and ask them to review and link to it. The goal was to reach all 50,000 websites. /11
While I initially hit resistance, eventually it worked. The paper was linked to from the various project pages and the Drupal security team. It became the de facto resource to send people to. /12
My goal was not to win business, but I started to get a significant amount of inbound inquiries from customers as well as event organizers to present on the topic. /13
And while I never actually became a PCI compliance Qualified Security Assessor (QSA), I had a depth of knowledge that could get many people 80-90% of the way on picking a solution that reduced their needs by 90-99%. /14
Step 6. Unexpected Benefits

Long after the paper was published, I ended up being invited on the Drupal Security team. My company also won a significant amount of eCommerce business simply because they knew there was an internal subject matter expert. /15
I'll wrap this up to say... what seemed like an incredibly daunting problem ended up opening an opportunity to solve a community wide problem. And while I wasn't qualified, I galvanized support and made it happen. The result was helpful to the community and myself. /16
Given how fast and complicated the tech space can be, there are tons of opportunities (big and small) to tackle a gnarly problem, share the result, and benefit from being the leader to make it happen /fin
