Careers & People

10/16/2017
12:00 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Questions to Ask Yourself before Giving a Security Conference Talk

As cybersecurity continues to become more of a mainstream concern, those of us who speak at industry events must learn how to truly connect with our audience.

While passing through a particular city recently, I stopped in to a security conference that happened to be going on that same day. I enjoyed the opportunity to catch up with old colleagues and network with new ones. But as I listened to some of the presentations, I was reminded of how underwhelming and disappointing many can be. Speaking as both a sometime presenter and sometime attendee, here are 20 questions speakers should ask themselves before giving a security conference talk:

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.
Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

  1. Is the material fresh? No one is particularly interested in sitting through a talk rehashing ideas from 5, 10, or even 20 years ago.
  2. Is the topic relevant? That's despite the fact that I've seen some pretty interesting talks that have little to no relevance or practical application.
  3. Is the material clear and easy to understand? It's always a bit uncomfortable when you find yourself in the middle of a talk where you literally have no idea what is being discussed.
  4. Is the talk focused? If you are planning on laying out a potpourri of different topics with no unifying theme connecting them, don't be surprised that listeners tune out.
  5. Does the talk converge? I want you to lead me through a logical progression toward a conclusion.
  6. Are the slides concise? There is nothing I hate more than to see slides overloaded with a cacophony of words. It's even worse if you read me the slides. If you want me to read, then hand me a white paper. It saves us both a lot of time.
  7. Will attendees need to check their eyeglass prescription before they come to your talk? As much as I love diagrams, if your diagrams require a telescope to see, you're doing it wrong.
  8. So what? Have you answered the most fundamental of all questions? If you're going to talk for 30 to 60 minutes, make sure there is a point to it.
  9. Who cares? Perhaps this question sounds a bit harsh, but if no one identifies with or finds relevance in your talk, it missed the mark.
  10. Do you do more than rehash old points? Yes, I know that lots of organizations still don't use multifactor authentication for whatever reason. Unless that data point (and others like it) is critical to the logical argument you're building or you have a solution to the problem, I don't need to hear about it yet again.
  11. Do you do more than simply ask questions? Asking the right questions is important, but it can't be all you do during the course of your talk. (And yes, perhaps it is a bit ironic that this is one of the 20 questions I am asking.) 
  12. Do you merely highlight problems? All of us are capable of sitting around and generating a long list of everything that is wrong in security. There is really nothing novel or illuminating in that.
  13. Do you offer solutions? If you ask people what they are really interested in hearing about, they will likely tell you that they want to learn about how they can solve problems. Talks that highlight problems without offering solutions don't really answer the call.
  14. Do you provoke thought? Pushing people outside of the box and outside of their comfort zone is a good thing, as long as it is done constructively and respectfully. Problems don't get solved by doing nothing, or repeatedly trying the same failed techniques. Dialogue around non-traditional approaches can be a great way to jumpstart these types of efforts.
  15. Do you provide fresh content? I'm talking about new ideas, lessons learned from experience, and interesting data or results. These are quite meaningful as far as content goes. Showing a bunch of stuff anyone could have found with Google and Wikipedia, less so.
  16. Will anyone remember your talk? Have you succeeded in leaving audience members with a meaningful takeaway that they can bring home with them and reflect upon for a year, a month, or even a week?
  17. Have you stayed away from the shiny object of the day? Everyone might be talking about the latest breach, that critical new vulnerability, or that hot new security buzzword. But if all you're doing is regurgitating the same talking points that everyone else is, the presentation will surely be forgettable.   
  18. Do you produce buzzword bingo champions? Buzzword bingo is an old sport at security conferences that has long outlived its purpose (if there ever was one)!
  19. Are you an alarmist? I can guarantee you that this approach will not be effective with anyone who is a serious security professional. It may land you a quote or two in the press, but that's about all.
  20. Are you condescending? You may have knowledge or experience that is rare, sought-after, and valuable, but if you want others to appreciate, respect, and learn from that knowledge or experience, don't talk to them like there is no way they could possibly grasp it.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cybersavior
50%
50%
cybersavior,
User Rank: Strategist
10/23/2017 | 12:27:05 PM
You're the presenter for a reason.
You're in the limelight because you have something truly enlightening to enrich the audience with and an innovative or organized way to do it. 

If you don't have that, sit your self-important, grandstanding self down in the audience an learn from those presenters that do. 
geraldamcdade
50%
50%
geraldamcdade,
User Rank: Apprentice
10/20/2017 | 5:42:05 AM
Write My Dissertation for Me
Thanks for sharing
Mark.Majestic
100%
0%
Mark.Majestic,
User Rank: Apprentice
10/17/2017 | 10:03:19 AM
Boasting about your company's security posture can make you a target.
I like the advice.  Applies to any presentation.

However, be careful when presenting on your security posture/project/prowess.  Unfortunately, It could make you a target from people who want to make a point.
Mr Phen375
100%
0%
Mr Phen375,
User Rank: Apprentice
10/17/2017 | 3:46:39 AM
20 Questions to Ask Yourself before Giving Any Conference Talk
I think these questions are relevant and must be asked before giving any type of conference talk.
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Why Password Management and Security Strategies Fall Short
Steve Zurier, Freelance Writer,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16470
PUBLISHED: 2018-11-13
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
CVE-2018-16471
PUBLISHED: 2018-11-13
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to a...
CVE-2018-6980
PUBLISHED: 2018-11-13
VMware vRealize Log Insight (4.7.x before 4.7.1 and 4.6.x before 4.6.2) contains a vulnerability due to improper authorization in the user registration method. Successful exploitation of this issue may allow Admin users with view only permission to perform certain administrative functions which they...
CVE-2018-17614
PUBLISHED: 2018-11-13
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Losant Arduino MQTT Client prior to V2.7. User interaction is not required to exploit this vulnerability. The specific flaw exists within the parsing of MQTT PUBLISH packets. The issue results from th...
CVE-2018-8009
PUBLISHED: 2018-11-13
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.