Practical Security for Busy People

The proactive guide to preparing for and preventing security disasters

Our customers work at


Prepare and Prevent Security Disasters

Most of the marketing employed by the security industry tends to rely on a bit of fear-mongering. It's an easy sell sensationalism -- to say that "everything is broken" and cause a sense of alarm and hopelessness.

The goal of this book is not to impart fear, but knowledge.

Informed individuals are less likely to panic when scary things happen.

They're more likely to understand what's going on and how to respond appropriately.

They're more likely to prepare and prevent disasters when they understand the real risks they might face.

The goal of this book is to inspire confidence in the reader and understanding that, despite the overwhelming perception that everything is broken, the future is not doomed because everything can be fixed.

What's in the book

Security from Zero is the busy person's guide to running a security program.

1What a security framework is and how to use one
2How to track vulnerabilities in your software stack
3How to run Threat Modeling sessions with your team
4How to run a bug bounty program (and why)
5How to make the case for preventative security work
6How to create a detailed plan for your security budget
7How to instill a healthy security culture - where everyone wears their "seatbelt"
8How to prioritize security work for maximum impact
9What to look for in your first security hire
10How to respond if you do get hacked

Meet Eric Higgins

Ex-Google, Optimizely

After hearing too many war stories from friends in the industry, I've realized that everyone has the same problems when it comes to cybersecurity.

I've had a successful 20+ year career as a software engineer in Silicon Valley. I worked for Google and led the security team at Optimizely.

I currently run a consulting firm to help business leaders understand how to start a security program at their company - and how to help it be successful.

When it comes to cybersecurity, everyone makes the same mistakes and everyone does too little, too late. But it doesn't have to be that way.

In this book, Security From Zero, we make these decades of practical security knowledge available to everyone.


This is a book of strategy, not a technical book.

I wrote this book for leaders who are busy and just need someone to tell them how to protect their investment.

It's not a deep-dive into the nitty-gritty details of:

  • ❌ network layering
  • ❌ system administrations
  • ❌ server hardening or
  • ❌ how to reverse engineer the latest CVE

This book will tell you:

  • ✅ how to build a proactive security culture
  • ✅ how to organize a security program
  • ✅ how to use data and metrics to set goals and measure success
  • ✅ how to incorporate secure practices into the things that you already do

This book won't help you to earn any kind of security certification or badge of honor. Those are things that matter to other people.

Instead, this book will help you do something much more useful and important: make meaningful changes that will protect your business against threats and the peace of mind that the work you're doing matters to you.

Table of Contents

  • What is Security?1
  • Information vs. Operational Security 
  • Kickstarting Your Security Program2
  • When to Start Thinking About Security 
  • Getting Buy-In and Support from Leadership 
  • Event Emitters and Streams 
  • The Importance of Security Culture3
  • Instilling Healthy Security Culture 
  • Practices of Security Culture 
  • Your First Security Hire4
  • Your Job Description is Terrible 
  • The Skillset You're Looking For 
  • Setting Them Up For Success 
  • Prioritizing the Work5
  • Fibonacci Scale & The Eisenhower Matrix 
  • Level of Effort vs. Level of Impact 
  • Turning off Easy Mode 
  • Workload Management with Issue tracking6
  • Ranking Issues 
  • Remove Obstacles 
  • A Data-Driven Security Program7
  • Making Data Presentable 
  • Terrible Data Examples (and Some Good Ones) 
  • Metrics Aren't Goals 
  • Leveraging Security Frameworks8
  • How A Security Framework Will Help 
  • Choosing a Security Framework 
  • Establishing a Baseline 
  • Regulation and Compliance9
  • Keeping Up With New Rules 
  • Business Case for Compliance 
  • Tracking Vulnerabilities10
  • CVE: Common Vulnerabilities and Exposures 
  • Vulnerabilities Workflow 
  • Planning Your Security Budget11
  • Your First Year 
  • Example Budgets 
  • Responding to Incidents12
  • Goals of Incident Response 
  • Conducting Post-Mortems 
  • Threat Modeling13
  • Methodologies and Techniques 
  • The Worst Case Scenario 
  • Effective Bug Bounty Programs14
  • What Similar Companies are Doing 
  • The Skillset You're Looking For 
  • Comparison of Bug Bounty Service Providers 
  • Security Audits & Penetration Tests15
  • When should I get a security review? 
  • Finding reputable researchers & consultants 
  • Least Privilege & Access Controls16
  • Onboarding & Offboarding 
  • Layered Security with MFA 
  • Monitoring & Alerting17
  • Smoke Alarms and Monitoring 
  • Modern Infrastructure for Monitoring 

Security from Zero vs. Being Unprepared

As you can see below, Security from Zero will help you be proactive, save money, save time, and reduce the risk of being unprepared.

Security from Zero

Winging it

Time Saving

You have a step-by-step plan on what to focus on, why it matters, and how to have an impactYou waste time, energy, and money on things that don't matter

Reduced Uncertainty

You'll understand (and measure) the real risks your company is facingYou won't know which security measures are right for you, or what else is at risk


Written guidance from industry-veteran Eric Higgins who has designed real-world security programs for both startups and large companiesYou'll try to hire a security export or consultant in a pinch (and you don't know what to look for)


$99Security consulting contractors can often cost more than $8,000 per week. Additionally, the upper-limit cost of a breach is unbounded


Doing the right work, the right way, at the right time provides real protectionDoing it wrong provides false confidence without the protection

Purchase the book today


The basic book
For busy people

  • 📕 PDF
  • EPub
  • Mobi (Kindle)
  • Incident Response Framework & Template
  • Leveraging Security Frameworks Worksheet
  • Threat Modeling Exercise Template
  • Access Control Audit Template
  • One-time price of $49


The book plus worksheets
For the busy person who will put plans into action

  • 📕 PDF
  • EPub
  • Mobi (Kindle)
  • Incident Response Framework & Template
  • Leveraging Security Frameworks Worksheet
  • Threat Modeling Exercise Template
  • Access Control Audit Template
  • One-time price of $99
Most popular!

Team license

The book and worksheets for the team
Perfect for getting everyone on board

  • 📕 PDF
  • EPub
  • Mobi (Kindle)
  • Incident Response Framework & Template
  • Leveraging Security Frameworks Worksheet
  • Threat Modeling Exercise Template
  • Access Control Audit Template
  • License for up to 10 users
  • Invoice billing available
  • One-time price of $599
Team & save $400+

I'm wondering...

What happens after I buy the book?

You'll be able to download the book and source code after checkout. You'll also receive an email from Gumroad giving you instructions on how to download it at any time.

Is the book complete?


Are there free updates?

Yes! Buying now entitles you to free updates for at least one year after purchase

How do I download the book and updates?

If you've purchased the book, you can download it from your Gumroad library.

What format is the book?

The book is in PDF, epub, and mobi format. It also comes with a large folder of example code

What if I don't like it?

If you're unhappy with the book for any reason, just reach out to us and we'll give you a full refund. There's no risk.

Take a proactive approach to security

Download the first chapter and get an introduction to professional, proactive security for your organization.
Click the button below to get started.