Careers & People

10/16/2017
12:00 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Questions to Ask Yourself before Giving a Security Conference Talk

As cybersecurity continues to become more of a mainstream concern, those of us who speak at industry events must learn how to truly connect with our audience.

While passing through a particular city recently, I stopped in to a security conference that happened to be going on that same day. I enjoyed the opportunity to catch up with old colleagues and network with new ones. But as I listened to some of the presentations, I was reminded of how underwhelming and disappointing many can be. Speaking as both a sometime presenter and sometime attendee, here are 20 questions speakers should ask themselves before giving a security conference talk:

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.
Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

  1. Is the material fresh? No one is particularly interested in sitting through a talk rehashing ideas from 5, 10, or even 20 years ago.
  2. Is the topic relevant? That's despite the fact that I've seen some pretty interesting talks that have little to no relevance or practical application.
  3. Is the material clear and easy to understand? It's always a bit uncomfortable when you find yourself in the middle of a talk where you literally have no idea what is being discussed.
  4. Is the talk focused? If you are planning on laying out a potpourri of different topics with no unifying theme connecting them, don't be surprised that listeners tune out.
  5. Does the talk converge? I want you to lead me through a logical progression toward a conclusion.
  6. Are the slides concise? There is nothing I hate more than to see slides overloaded with a cacophony of words. It's even worse if you read me the slides. If you want me to read, then hand me a white paper. It saves us both a lot of time.
  7. Will attendees need to check their eyeglass prescription before they come to your talk? As much as I love diagrams, if your diagrams require a telescope to see, you're doing it wrong.
  8. So what? Have you answered the most fundamental of all questions? If you're going to talk for 30 to 60 minutes, make sure there is a point to it.
  9. Who cares? Perhaps this question sounds a bit harsh, but if no one identifies with or finds relevance in your talk, it missed the mark.
  10. Do you do more than rehash old points? Yes, I know that lots of organizations still don't use multifactor authentication for whatever reason. Unless that data point (and others like it) is critical to the logical argument you're building or you have a solution to the problem, I don't need to hear about it yet again.
  11. Do you do more than simply ask questions? Asking the right questions is important, but it can't be all you do during the course of your talk. (And yes, perhaps it is a bit ironic that this is one of the 20 questions I am asking.) 
  12. Do you merely highlight problems? All of us are capable of sitting around and generating a long list of everything that is wrong in security. There is really nothing novel or illuminating in that.
  13. Do you offer solutions? If you ask people what they are really interested in hearing about, they will likely tell you that they want to learn about how they can solve problems. Talks that highlight problems without offering solutions don't really answer the call.
  14. Do you provoke thought? Pushing people outside of the box and outside of their comfort zone is a good thing, as long as it is done constructively and respectfully. Problems don't get solved by doing nothing, or repeatedly trying the same failed techniques. Dialogue around non-traditional approaches can be a great way to jumpstart these types of efforts.
  15. Do you provide fresh content? I'm talking about new ideas, lessons learned from experience, and interesting data or results. These are quite meaningful as far as content goes. Showing a bunch of stuff anyone could have found with Google and Wikipedia, less so.
  16. Will anyone remember your talk? Have you succeeded in leaving audience members with a meaningful takeaway that they can bring home with them and reflect upon for a year, a month, or even a week?
  17. Have you stayed away from the shiny object of the day? Everyone might be talking about the latest breach, that critical new vulnerability, or that hot new security buzzword. But if all you're doing is regurgitating the same talking points that everyone else is, the presentation will surely be forgettable.   
  18. Do you produce buzzword bingo champions? Buzzword bingo is an old sport at security conferences that has long outlived its purpose (if there ever was one)!
  19. Are you an alarmist? I can guarantee you that this approach will not be effective with anyone who is a serious security professional. It may land you a quote or two in the press, but that's about all.
  20. Are you condescending? You may have knowledge or experience that is rare, sought-after, and valuable, but if you want others to appreciate, respect, and learn from that knowledge or experience, don't talk to them like there is no way they could possibly grasp it.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cybersavior
50%
50%
cybersavior,
User Rank: Strategist
10/23/2017 | 12:27:05 PM
You're the presenter for a reason.
You're in the limelight because you have something truly enlightening to enrich the audience with and an innovative or organized way to do it. 

If you don't have that, sit your self-important, grandstanding self down in the audience an learn from those presenters that do. 
geraldamcdade
50%
50%
geraldamcdade,
User Rank: Apprentice
10/20/2017 | 5:42:05 AM
Write My Dissertation for Me
Thanks for sharing
Mark.Majestic
100%
0%
Mark.Majestic,
User Rank: Apprentice
10/17/2017 | 10:03:19 AM
Boasting about your company's security posture can make you a target.
I like the advice.  Applies to any presentation.

However, be careful when presenting on your security posture/project/prowess.  Unfortunately, It could make you a target from people who want to make a point.
Mr Phen375
100%
0%
Mr Phen375,
User Rank: Apprentice
10/17/2017 | 3:46:39 AM
20 Questions to Ask Yourself before Giving Any Conference Talk
I think these questions are relevant and must be asked before giving any type of conference talk.
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
3 Tips to Keep Cybersecurity Front & Center
Greg Kushto, Vice President of Sales Engineering at Force 3,  2/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.