A decade ago, I wrote a White Paper that 10x’d my credibility in an open source community that I was otherwise unknown in.
Crazy part? I wasn’t an expert on the subject (but I became one in the process).
Here’s the backstory of the Drupal PCI Compliance White Paper /1
Preface.
This is not a humblebrag. It's a pattern that basically anyone can follow to achieve a similar result.
Tech changes fast, and this creates knowledge gaps. Find a particularly hard and expensive gap, and you can become a valuable resource in a community. /2
Step 1. Identifying a Hard, Expensive Problem
Or in my case, a hard problem found me.
After an uptick of sales, a client received a phone call from their credit card processor that our PCI compliance was being audited. My first question: “So what is PCI compliance?” /3
We were screwed. They threatened to refund 100% of our customers if we didn’t comply in 60 days. This could have killed the business.
So an expensive problem was identified… and I was stressed AF as I barely solved it in the allotted time. /4
Step 2. Verify Others Have This Problem
There were ~50,000 Drupal eCommerce sites at the time. Yet no Google results gave clear guidance on how to achieve compliance.
This was a costly legal requirement that most people were ignoring, so I knew there should be demand. /5
Step 3. Float a Minimal Viable Post
With no expertise on the subject, I put together a proposal that someone (i.e. me) fix the situation. However, knowing that I was ill-equipped, I needed help to justify the 100+ hours of research and writing it would take. soundpostmedia.com/article/lets-t… /6
The post clearly struck a chord. Dozens of well-known people in the community commented. Some offered financial and/or technical support. So I knew I hit resonance AND could see this through to completion. /7
Step 4. Enlist Experts
In addition to just the time commitment, I needed to make sure this was accurate and credible. I had no security experience, so I needed help. I also knew they’d be busy, so I had to offer to do all the heavy lifting. I just needed them to check my work. /8
This was huge. Their names (while they did maybe 5% of the work reviewing) would give the paper the necessary legitimacy to get accepted and distributed. It worked. Greg and Ned accepted and became coauthors. /9
BTW. Even though their net contribution time was low, the value of having them review it was massive. Without it, I would never have felt comfortable shipping it and advocating that others use it. /10
Step 5. Publish and Promote
Once it was done, we didn't just hit publish and call it a day. I worked hard to track down all the key people in the Drupal eCommerce space and ask them to review and link to it. The goal was to reach all 50,000 websites. /11
While I initially hit resistance, eventually it worked. The paper was linked to from the various project pages and the Drupal security team. It became the de facto resource to send people to. /12
My goal was not to win business, but I started to get a significant amount of inbound inquiries from customers as well as event organizers to present on the topic. /13
And while I never actually became a PCI compliance Qualified Security Assessor (QSA), I had a depth of knowledge that could get many people 80-90% of the way on picking a solution that reduced their needs by 90-99%. /14
Step 6. Unexpected Benefits
Long after the paper was published, I ended up being invited onto the Drupal Security team. My company also won a significant amount of eCommerce business simply because they knew there was an internal subject matter expert. /15
I'll wrap this up to say... what seemed like an incredibly daunting problem ended up opening an opportunity to solve a community wide problem. And while I wasn't qualified, I galvanized support and made it happen. The result was helpful to the community and myself. /16
Given how fast and complicated the tech space can be, there are tons of opportunities (big and small) to tackle a gnarly problem, share the result, and benefit from being the leader who makes it happen. /fin
My first (big) breakthrough in the tech startup scene?
It had zero correlation with dev skills and everything to do with presenting on how to solve business problems with technology.
A short story of my "Drupal Means Business" talk. (thread)
First, none of this would have happened without the mentorship from my late friend Rick Nashleanas.
I attended his local presentation on a similar topic, and I immediately approached him asking how we amplify this message to other developers/agencies. /2
Rick's passion was contagious, and rather than try to take my ideas... he volunteered (volun-told?) me to help with the upcoming Drupal conference in Denver. And he specifically asked for me to run an all-day stage called "Drupal Means Business". /3
The recent SA-CORE-2018-004 and SA-CORE-2018-002 security advisories have sparked a lot of conversations in the Drupal community regarding all things security. IMHO, it's important to highlight several talking points to keep things in perspective.
1/Timing. In both cases, it is believed that the patches and releases occurred before any publicly known or widely used exploit. This is huge. This means the community had a marked advantage in addressing before mass exploits were attempted.
2/Responsible Disclosure. Individuals finding these vulnerabilities decided to work with the Drupal Security team rather than disclose publicly. This is huge. It allows the community the chance to address proactively versus reactively on a potential 0-day exploit.