Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

10/16/2017
12:00 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Questions to Ask Yourself before Giving a Security Conference Talk

As cybersecurity continues to become more of a mainstream concern, those of us who speak at industry events must learn how to truly connect with our audience.

While passing through a particular city recently, I stopped in to a security conference that happened to be going on that same day. I enjoyed the opportunity to catch up with old colleagues and network with new ones. But as I listened to some of the presentations, I was reminded of how underwhelming and disappointing many can be. Speaking as both a sometime presenter and sometime attendee, here are 20 questions speakers should ask themselves before giving a security conference talk:

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.
Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

  1. Is the material fresh? No one is particularly interested in sitting through a talk rehashing ideas from 5, 10, or even 20 years ago.
  2. Is the topic relevant? That's despite the fact that I've seen some pretty interesting talks that have little to no relevance or practical application.
  3. Is the material clear and easy to understand? It's always a bit uncomfortable when you find yourself in the middle of a talk where you literally have no idea what is being discussed.
  4. Is the talk focused? If you are planning on laying out a potpourri of different topics with no unifying theme connecting them, don't be surprised that listeners tune out.
  5. Does the talk converge? I want you to lead me through a logical progression toward a conclusion.
  6. Are the slides concise? There is nothing I hate more than to see slides overloaded with a cacophony of words. It's even worse if you read me the slides. If you want me to read, then hand me a white paper. It saves us both a lot of time.
  7. Will attendees need to check their eyeglass prescription before they come to your talk? As much as I love diagrams, if your diagrams require a telescope to see, you're doing it wrong.
  8. So what? Have you answered the most fundamental of all questions? If you're going to talk for 30 to 60 minutes, make sure there is a point to it.
  9. Who cares? Perhaps this question sounds a bit harsh, but if no one identifies with or finds relevance in your talk, it missed the mark.
  10. Do you do more than rehash old points? Yes, I know that lots of organizations still don't use multifactor authentication for whatever reason. Unless that data point (and others like it) is critical to the logical argument you're building or you have a solution to the problem, I don't need to hear about it yet again.
  11. Do you do more than simply ask questions? Asking the right questions is important, but it can't be all you do during the course of your talk. (And yes, perhaps it is a bit ironic that this is one of the 20 questions I am asking.) 
  12. Do you merely highlight problems? All of us are capable of sitting around and generating a long list of everything that is wrong in security. There is really nothing novel or illuminating in that.
  13. Do you offer solutions? If you ask people what they are really interested in hearing about, they will likely tell you that they want to learn about how they can solve problems. Talks that highlight problems without offering solutions don't really answer the call.
  14. Do you provoke thought? Pushing people outside of the box and outside of their comfort zone is a good thing, as long as it is done constructively and respectfully. Problems don't get solved by doing nothing, or repeatedly trying the same failed techniques. Dialogue around non-traditional approaches can be a great way to jumpstart these types of efforts.
  15. Do you provide fresh content? I'm talking about new ideas, lessons learned from experience, and interesting data or results. These are quite meaningful as far as content goes. Showing a bunch of stuff anyone could have found with Google and Wikipedia, less so.
  16. Will anyone remember your talk? Have you succeeded in leaving audience members with a meaningful takeaway that they can bring home with them and reflect upon for a year, a month, or even a week?
  17. Have you stayed away from the shiny object of the day? Everyone might be talking about the latest breach, that critical new vulnerability, or that hot new security buzzword. But if all you're doing is regurgitating the same talking points that everyone else is, the presentation will surely be forgettable.   
  18. Do you produce buzzword bingo champions? Buzzword bingo is an old sport at security conferences that has long outlived its purpose (if there ever was one)!
  19. Are you an alarmist? I can guarantee you that this approach will not be effective with anyone who is a serious security professional. It may land you a quote or two in the press, but that's about all.
  20. Are you condescending? You may have knowledge or experience that is rare, sought-after, and valuable, but if you want others to appreciate, respect, and learn from that knowledge or experience, don't talk to them like there is no way they could possibly grasp it.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cybersavior
50%
50%
cybersavior,
User Rank: Strategist
10/23/2017 | 12:27:05 PM
You're the presenter for a reason.
You're in the limelight because you have something truly enlightening to enrich the audience with and an innovative or organized way to do it. 

If you don't have that, sit your self-important, grandstanding self down in the audience an learn from those presenters that do. 
geraldamcdade
50%
50%
geraldamcdade,
User Rank: Apprentice
10/20/2017 | 5:42:05 AM
Write My Dissertation for Me
Thanks for sharing
Mark.Majestic
100%
0%
Mark.Majestic,
User Rank: Apprentice
10/17/2017 | 10:03:19 AM
Boasting about your company's security posture can make you a target.
I like the advice.  Applies to any presentation.

However, be careful when presenting on your security posture/project/prowess.  Unfortunately, It could make you a target from people who want to make a point.
Mr Phen375
100%
0%
Mr Phen375,
User Rank: Apprentice
10/17/2017 | 3:46:39 AM
20 Questions to Ask Yourself before Giving Any Conference Talk
I think these questions are relevant and must be asked before giving any type of conference talk.
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19033
PUBLISHED: 2019-11-21
Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password.
CVE-2019-19191
PUBLISHED: 2019-11-21
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
CVE-2019-15511
PUBLISHED: 2019-11-21
An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed....
CVE-2019-16405
PUBLISHED: 2019-11-21
Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings.
CVE-2019-16406
PUBLISHED: 2019-11-21
Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.