While passing through a particular city recently, I stopped in to a security conference that happened to be going on that same day. I enjoyed the opportunity to catch up with old colleagues and network with new ones. But as I listened to some of the presentations, I was reminded of how underwhelming and disappointing many can be. Speaking as both a sometime presenter and sometime attendee, here are 20 questions speakers should ask themselves before giving a security conference talk:
- Is the material fresh? No one is particularly interested in sitting through a talk rehashing ideas from 5, 10, or even 20 years ago.
- Is the topic relevant? That's despite the fact that I've seen some pretty interesting talks that have little to no relevance or practical application.
- Is the material clear and easy to understand? It's always a bit uncomfortable when you find yourself in the middle of a talk where you literally have no idea what is being discussed.
- Is the talk focused? If you are planning on laying out a potpourri of different topics with no unifying theme connecting them, don't be surprised that listeners tune out.
- Does the talk converge? I want you to lead me through a logical progression toward a conclusion.
- Are the slides concise? There is nothing I hate more than to see slides overloaded with a cacophony of words. It's even worse if you read me the slides. If you want me to read, then hand me a white paper. It saves us both a lot of time.
- Will attendees need to check their eyeglass prescription before they come to your talk? As much as I love diagrams, if your diagrams require a telescope to see, you're doing it wrong.
- So what? Have you answered the most fundamental of all questions? If you're going to talk for 30 to 60 minutes, make sure there is a point to it.
- Who cares? Perhaps this question sounds a bit harsh, but if no one identifies with or finds relevance in your talk, it missed the mark.
- Do you do more than rehash old points? Yes, I know that lots of organizations still don't use multifactor authentication for whatever reason. Unless that data point (and others like it) is critical to the logical argument you're building or you have a solution to the problem, I don't need to hear about it yet again.
- Do you do more than simply ask questions? Asking the right questions is important, but it can't be all you do during the course of your talk. (And yes, perhaps it is a bit ironic that this is one of the 20 questions I am asking.)
- Do you merely highlight problems? All of us are capable of sitting around and generating a long list of everything that is wrong in security. There is really nothing novel or illuminating in that.
- Do you offer solutions? If you ask people what they are really interested in hearing about, they will likely tell you that they want to learn about how they can solve problems. Talks that highlight problems without offering solutions don't really answer the call.
- Do you provoke thought? Pushing people outside of the box and outside of their comfort zone is a good thing, as long as it is done constructively and respectfully. Problems don't get solved by doing nothing, or repeatedly trying the same failed techniques. Dialogue around non-traditional approaches can be a great way to jumpstart these types of efforts.
- Do you provide fresh content? I'm talking about new ideas, lessons learned from experience, and interesting data or results. These are quite meaningful as far as content goes. Showing a bunch of stuff anyone could have found with Google and Wikipedia, less so.
- Will anyone remember your talk? Have you succeeded in leaving audience members with a meaningful takeaway that they can bring home with them and reflect upon for a year, a month, or even a week?
- Have you stayed away from the shiny object of the day? Everyone might be talking about the latest breach, that critical new vulnerability, or that hot new security buzzword. But if all you're doing is regurgitating the same talking points that everyone else is, the presentation will surely be forgettable.
- Do you produce buzzword bingo champions? Buzzword bingo is an old sport at security conferences that has long outlived its purpose (if there ever was one)!
- Are you an alarmist? I can guarantee you that this approach will not be effective with anyone who is a serious security professional. It may land you a quote or two in the press, but that's about all.
- Are you condescending? You may have knowledge or experience that is rare, sought-after, and valuable, but if you want others to appreciate, respect, and learn from that knowledge or experience, don't talk to them like there is no way they could possibly grasp it.
- 20 Questions to Help Achieve Security Program Goals
- 20 Tactical Questions SMB Security Teams Should Ask Themselves
- 20 Questions for Improving SMB Security
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.