A while back I wrote about Guerilla GRC. Then I spoke about it at a cybersecurity conference. The idea has continued to stick with me — the concepts seem like they could be useful to a lot of people.

So I thought I would write a book. But the more I got into it the more I realized … a typical non-fiction, cybersecurity book isn’t going to work. I read them constantly and they’re pretty dry even for me, and my target market was people getting into the cyber field. How could I create something that got across the point, but kept them entertained?

Obviously, I’d make a movie!

And then I remembered that I’m just one person and I don’t have the funds to make a movie and who knows if anyone would watch it anyway. So I went with the second best plan.

Obviously, I’d write a business novel!

A business novel is just a narrative story that tries to impart some kind of knowledge. Kind of like Orwell’s Animal Farm, but instead of Stalinism we’re talking about like … budgeting.

The idea is to take knowledge or a principle that is kind of complex, and watch as someone goes through the process of learning it in front of you. I think we could take the ideas of Guerilla GRC and put them in a narrative and create something that, frankly, is more likely to actually get read.

As I create the novel I’ll post my thoughts here — this isn’t something I normally would do for a narrative work I’m creating (I especially like to surprise my wife with plot twists as I write), but this is a little different. I’m trying to make something I would consider a good story, but make it appealing and instructive. It’s a tall order.

Before we get into my book, let’s talk about some business novels and what the typical patterns are there. We can then talk about what we can do or not do in our own novel.

A Brief History of the (modern) Business Novel

There have been tons of novels about business in general. Something like the 1885 classic “The Rise of Silas Lapham” could be considered a “business novel” in that it is about business. Likewise something like Ayn Rand’s “Atlas Shrugged” or “The Fountainhead” could be considered “instructional” in that it is trying to convince the user of a specific point of view using ham-handed metaphor (cough). Neither of these books are trying to teach a skill or specific management technique, though.

When we look at books that teach management techniques using a narrative structure — what we’ll call “instructional business novels” — the grandaddy of the modern trend has to be Eliyahu Goldratt’s “The Goal.”

Ironically, The Goal was originally written to help sell some software for a company that Goldratt worked for. In so doing it introduced the concept of the Theory of Constraints (TOC), and people who read the book wound up appreciating the insight about TOC, and skipping the software altogether (which led to Goldratt’s eventual firing).

Goldratt would go on to write a few other instructional business novels (Critical Chain is also worth reading), but a few others picked up the torch and carried it forward.

There’s one author and one book that really became synonymous with this structure. First is Patrick Lencioni, who wrote books like “The Five Dysfunctions of a Team” as “business fables” — the main difference being that, at the end of the book, he writes a little non fiction section to make sure you understood everything.

The most direct descendent is “The Phoenix Project,” a book that introduces “DevOps” as a concept for IT work. The authors (especially Gene Kim) indicated that they had the idea for their book after reading “The Goal,” and that they viewed it as such an important work they did everything to mimic it’s structure — down to having the same number of pages (170) before the beginnings of a solution are found.

There have been a number of business novels, some pretty good (Giving Wings to Her Team) and some pretty … not good (Project Zero Trust). Let’s take a page out of Gene Kim’s book, though, and figure out what the common denominators are — why some books nail it and some are just going through the motions.

What do all these books have in common?

As I’ve been making this list in my mind I’ve realized I’m planning on deviating from most of these, which should be … interesting. So stick around to the end when you find out why I think doing my own thing here is important!

1. Stakes!
   • Like any good book, there is something propelling the action. Usually it is some kind of project that is behind schedule that will cause the business to go under if it fails.
2. A main character who is a leader
   • This is generally because they want someone who is capable of making changes — all these books are, in some way or another, about implementing something new, so having a front-line person as your protagonist and having him get shot down repeatedly by his bosses would make for a boring book. Better to just have the main character be a boss, though ideally not THE boss, like the CEO. They need someone to fire them in case things go wrong, and to tell them they’re on thin ice continually.
3. A B-Plot
   • A sitcom will typically have an “A plot” (say, some drama at school) as well as a “B Plot” (say, a child is hiding a dog in the garage). At the end of the episode, these two plots will resolve, either on their own or together (say, the dog was a teacher’s who was taking their frustrations that their dog was missing out on their students).
   • Many business novels will also have a b-plot (marriage troubles for The Goal, famously), though shorter ones sometimes skip it. Sometimes the b-plot exists to teach a secondary, moral lesson that someone wishes more people knew, sometimes it is a way for the main character to find their solution in a context outside of work (in Critical Chain the main character has their breakthrough while taking his kid to a scout camp).
4. A (mysterious) Mentor
   • In almost every book our protagonist knows or comes across someone who knows more than them — someone they can ask for help or support. This mentor follows a few archetypes:
     • The zen master — this mentor asks a simple, seemingly unrelated question that unlocks the solution whenever the protagonist is stuck.
     • The expert — this person is capable of doing the protagonist’s job, but knows the hero won’t learn anything that way. They’re more pointed and specific than the zen master, but they still typically don’t serve up the solutions on a silver platter. They’ll ask a directed question to get the protagonist on the right path.
     • The professor — this person just explains exactly what the protagonist needs to know as if they were lecturing a class called “What you need to do to save your company, Jeff. 101.” When this type of mentor shows up, we ask ourselves “Why didn’t this person just write the non fiction book they so clearly wanted to? Why bother with a narrative story if you’re just going to excerpt a textbook for five pages every other chapter?”
5. Iterative learning
   • They think they’ve got it figured out. Oh no! They’ve discovered a new problem! Oh good, they figured that one out. Oh no, another problem!
   • I know it sounds like I’m making fun of it, but in my mind that is a really good way to teach. Most people would just follow their first instinct unless you show them “Hey, there’s problems with doing the first thing that comes to mind, you know?”
6. Fixing Relationships
   • I don’t think this is super important to the business novel itself, I think every writer just assumes that someone reading their book could probably work on their communication skills a bit. And they’re not wrong! I mean, Leadership and Self Deception is an instructional business novel just about that!
7. It works! And it has a name
   • They solve the problem with what they’ve learned along the way. They also frequently name whatever they’ve created at this point.
8. You’ve only just begun …
   • These books almost always end up with the character next in line for a big promotion, or getting an opportunity to do a special project, or getting called on to help rescue another doomed project — whatever the case may be, the message is the same. You’ve mastered this skill, and now you will get a raise/promotion/recognition!

Why is Guerilla GRC going to be different?

Let me summarize the idea behind Guerilla GRC as quickly as I can.

1. Small businesses are targets of malicious actors who have vastly more resources than them.
2. Targeted businesses are often destroyed
3. There aren’t many good security solutions marketed at small businesses, plus they lack the expertise to know how to use them
4. It is really hard to get an entry level position in cyber without experience
5. You need an entry level position to generate experience thus
6. It’s very difficult to get into cyber
   BUT
7. People getting into cyber could use their knowledge to help people who own small businesses around them pro bono
   • They get experience
   • The small business isn’t destroyed
   • everyone wins!
8. That experience could then go on a resume, hopefully helping someone land a job in cybersecurity (and at the very least helping some small businesses survive)

That very structure means we’ll have to deviate from the standard in a few key ways. For example, we can’t have a manager as a protagonist — the protagonist isn’t even going to be working in cyber yet.

So let’s look at some key decisions in constructing this story and the rationale behind them. And if you think any of these are terrible ideas, let me know! It’s better to know before I really get down to writing than later.

1. Stakes!
   • Okay, this stays the same. We will have stakes, although it won’t be a project that’s behind schedule. Instead our protagonist(s) will be working at a small business (since high school) that was a victim of a ransomware attack and is now teetering on bankruptcy, while our protagonist(s) is also trying to get a job in cyber so they can move out of their parents house.
2. A main character who is a leader
   • As mentioned above, we can’t really do this. After a lot of the thought I think our main character(s) will be a pair of fraternal twins. That way they can both work at the same high school job, and one or both of them can be trying to get into cyber. This gives us a way to have two people talking through problems with our reader, instead of that mentor/mentee relationship that is so common in other works (more on that later). Plus if we have one in cyber and one in psychology or communication or something we can have an outside perspective on why cyber security is frequently a people problem.
3. A B-Plot
   • The book centers on the lives of our protagonists, who are going to school (or otherwise studying) and trying to get a job to get out of their parents house, which will all serve as the majority of our b-plot. I had thought of including some other topical stuff in there (what if they were struggling with a tik-tok addiction?) but I want to see if it kind of flows organically from the characters. But yes, there will be a B plot, and maybe a C plot.
4. A mysterious mentor
   • I have bounced back and forward on this one. Generally the mentor is the author stand-in, so that would be me, a cyber security executive — someone our protagonist could reach out to and discuss their problems with. Obviously, I would be happy to do that in real life, but …..
     A while back on LinkedIn I read a post from another cyber leader who indicated that they only really talked with younger people they felt were “worthy” of their time. People who really showed potential (as they judged it). This rubbed me the wrong way — who is this guy to decide who can or cannot have a career in cyber? If someone reaches out to me, I do my best to help them out, regardless of who they are.
     But I got thinking … who is more common? Am I the weirdo, or was this other person? My experiences with the cyber community have been pretty positive, but maybe my experiences aren’t typical.
     In the end, I don’t think there should be a “mentor” per se. I do think they’ll occasionally have a job interview, or something, and someone with more experience might provide some insight, but for the most part our protagonists will be on their own. It feels harsh, but it feels like a more accurate reflection of the world at the moment. Tell me if you think I’m wrong. I would be happy to be wrong.
5. Iterative Learning
   • Yup! This is a tried and true way of walking people through your reasoning and getting to the thesis and I’m not messing with it.
6. Fixing relationships
   • Also yes! Communication will be a big part of this book because it’s a big part of cyber security. I’m not sure if fixing relationships will be a whole b plot yet (like they have a bad relationship with their parents or something), but it has to be in there.
7. It works! And it has a name
   • Honestly, I think I will skip part of this. I mean, it will work, but I’m going to take a page out of Lencioni’s book and have a non-fiction epilogue that outlines the basic ideas. That way they don’t have to go “Ah, now I shall discuss why this is called Guerilla GRC!”
8. You’ve only just begun …
   • Probably not! One of the main points of the book is going to be that you can help someone save their business with minimal cybersecurity knowledge. That doesn’t mean they get the job at the end. In fact, they may decide not to pursue cyber at all (I’m undecided) but I want the point of the book to be that the act of helping something with your knowledge is rewarding in-and-of itself.

So, which of those choices are terrible ideas??? I’ll get more into the actual plot and characters in the next post.