Security Book Publishing Woes

Practical UNIX and Internet Security, 2nd Ed (pub Apr 96) by Simson Garfinkel and Gene Spafford was the first computer security book I ever read. I bought it in late 1997 after hearing about it in a "UNIX and Solaris Fundamentals" class I took while on temporary assignment to JAC Molesworth. Although I never formally listed it in my Amazon.com reviews, I did list it first in my Favorite 10 Books of the Last 10 years in 2007.

Since reading that book, I've read and reviewed over 270 technical books, mostly security but some networking and programming titles. In 2008 I've only read 15 so far, but I'm getting serious again with plans to read 16 more by the end of the year. (We'll see how well I do. I only read 25 last year, but my yearly low was 17 in 2000. My yearly high was 52 in 2006, when I flew all over the world for TaoSecurity LLC and read on each flight.)

Security books are on my mind because I had a conversation with a book publisher this week. She told me the industry has been in serious decline for a while, meaning people aren't buying books. Apparently this decrease in sales is industry-wide, punishing both good books (those recognized as being noteworthy) and bad (which you would expect to sell poorly anyway).

Some people blame the book Hacking Exposed (6th edition due in Feb 09) for creating unrealistic expectations in the minds of book publishers. McGraw-Hill claims HE is the best-selling security book of all time. I've heard numbers between 500,000 and 1,000,000 copies across the editions (not counting the other titles in the HE line.) That blows away any other security book.

I've got about 50 titles on my reading list for the remainder of 2008 and the first half of 2009. About 1/3 are programming books, 1/4 are related to vulnerability discovery, 1/5 could be called "hacking" books, and the remainder deal with general security topics. I only plan to read what I would call "good books," so from my perspective there's plenty of good new-ish books around. However, thus far this year I've only read two five-star books, Applied Security Visualization and Virtual Honeypots.

What do you think of the security book publishing space? Are there too many books? Are there too few good books? Are books too expensive? What books would you like to see published?