Consistency, consiztency, consistancy…

It will come as no surprise to most of you that I travel a lot to other countries, and as such I am a frequent visitor of airports and more memorably, the security procedures of those airports.

Every country has their own agency that manages this process, either outsourced or kept within government. Given the complexities of international and aviation law, I can well imagine the difficulties of staying abreast of the latest advice from a variety of different sources and applying it in a globally consistent way. But surely it can’t be that difficult, especially when it comes to the basics?

Here are just some of the more egregious examples of inconstancy that I have encountered around the world:

  • One airport that confiscated my nail scissors, despite the fact I had been carrying them (and had the case searched) through numerous security checkpoints before. The blade size was within accepted norms, except at this airport.
  • The security official that made me take my 100ml or less liquids out of the clear plastic case/bag I was using and put them into a clear plastic ziplock bag for scanning. I had been using that case for months, and continue to use it without issue to this day.
  • The security line where I din’t have to take off my shoes or belt, nor remove laptops or liquids from my bag because “we have a sniffer dog”. In fairness they did have a dog running up and down the line, but I started to doubt it’s ability to smell knives or similar in my case.
  • Having travelled through five airports in four days, the final airport insisted that I take the camera out of my bag, as it is “standard practise in our country to do this”. Not before or since has it been a practise I have experienced, let alone a standard one.
  • Finally, the multiple security personnel who tell me to leave my shoes on, only to be told as I go through the scanner to take my shoes off and put them on the belt to be x-ray’ed.

It goes without saying that I approach every security checkpoint with a mixture of hope, despair and disdain, and always leave with one of those feelings prevalent. Obviously this is an analogy to our world of infosec, perhaps even a tenuous one, but I do feel it is one worth expressing.

How we guide our organisations to interpret and carry out the policies and regulatory requirements they are beholden to is vital to the attitude and approach the employees will take. Uncertainty breeds many things, in this case doubt and anxiety about how to behave. If a policy is not implemented consistently then how can it be observed consistently? If we are constantly surprising our users then we can’t blame them for feeling jumpy, anxious or unsure, and therefore critical of the service being provided.

Cat-Cucumber-Gif-Gifs-Youtube-Video

Consistency is a very powerful tool to ensure people understand the policies, the purpose and the even the vision of an security organisation. As soon as there is doubt the very purpose of your security organisation is thrown into doubt. For example, why is BYOD allowed for senior execs and not for the rest of the organisation? Or why is a Mobile Device Management solution enforced on some parts of the business and not the other? In both these cases it only encourages the working around of the restrictions that subsequently weaken your security posture.

That is not to say exceptions cannot be made, that is why every policy etc. should have an exceptions statement. After all, expecting a policy to cover all eventualities is simply wishful thinking.

I dare say we all have inconstancies, but it is in all of our interests to drive them out of our organisation wherever possible. Otherwise, you will have people like me wondering what kind of ordeal I am going to have to endure just to get my day job done, and that doesn’t help anyone.

 


The Art of the Presentation (Part 3 of 3)

It has been a while since part 2, we have had BSides and InfoSec Europe, and it has been a busy time in the day job. Nonetheless, here is the last part of three of “Art of the Presentation” (abridged version) for your edification and delight.

Part 3 is about the actual delivery of your presentation. This is where your deck and your practising come together in perfect harmony to deliver something that is memorable, engaging and above all educational. I believe there are seven key areas that need to be taken into account and addressed, either on the day or mentally before you deliver your presentation.

Presentation Aids

The simplest presentation aid you need is a is a ‘clicker’ remote. You can spend anything from £10 to over £100 on one of these. For your time, I would suggest something in between that, by Logitech or Targus who produce good solid devices. Cheaper devices are not always reliable and will often chew through batteries, the last thing you want live on stage. Personally, I use the Logi Spotlight presentation remote, which has a few bells and whistles such as a built in timer. Moving backwards and forwards from your presentation laptop looks amateurish and breaks the flow of your performance.

You may think you need notes or crib cards as well, my one word of advice is “Don’t”. As I have mentioned before they are a crutch that you will rely on far too much and they remove the natural flow of your presentation. If your nerves (see below) are getting the better of you  and you absolutely must have something just in case, have your notes typed up in a large font and very clear markings as to what slide relates to what notes fold them up and keep then on the lectern out of reach (again see below). Once more, avoid this if you can.

Technical Setup

Things to ascertain up front are if you are using your own laptop or the organisers. Using their laptop and sending your Powerpoint or Keynote in advance doesn’t guarantee that your deck will display correctly. Missing fonts, different versions of the software etc.. Making sure you check that your beautifully crafted deck still looks beautiful when up on the screen on stage means you won’t be surprised when you get on stage. Any decent organisers will work with you to find time to not only check if your deck looks good, but also to test your own laptop if need be. If using theirs, they should also provide presentation remotes for their own laptops as well.

If you are using your own laptop, make sure to bring every type of a/v adapter you need, but it boils down to three types:

  • VGA
  • DVI
  • HDMI

These are in increasing order of preference; VGA is an old standard now, but most commonly used. HDMI is the easiest to use and requires the least amount of setup as it operates around a strict standard. More often than I care to recall has the use of VGA and a misconfigured projector or LCD screen resulted in my slides looking stretched and distorted: Heartbroken!

Staging

This may not seem very obvious, but you also try and stand on the stage for a few minutes and walk around it while testing your slides. Set up your laptop if possible so you can see the screen for the next slide etc. and then walk the stage so you know where you can see your screen and where you can’t. The larger conferences will often have a comfort screen at the front that shows your on screen slide, and on rare occasions (when using their own equipment) even have it as a secondary screen.

Walking the stage also ensures your presentation remote will still work at the furthest distance from your laptop; the last thing you want is to lose connection while you are in the middle of your flow. Finally you can also ensure you are at least aware of any trip hazards on there such as loose carpeting or cable runs.

Nerves

man-looking-distressed-without-a-shirt

There is no getting away from it, but except in very rare cases you will be varying levels of nervous prior to your moment in the spotlight. Nerves are good as they will sharpen your performance, but too much and your performance will rapidly tail off. I recall early in my speaking career physically shaking and attempting to come up with an excuse to not present; it took all the energy I could muster to go on and deliver that day!

One exercise I do can be done very easily, either standing or sitting. Start by slowly clenching your fists until you are squeezing them as hard as you can. Hold this for as long as possible or up to 30 seconds, then very slowly start unclenching your hands. As your figures open, feel the tension release in your forearms and slowly breathe out. Do this 2 or three times and you should find the tension in your body ease a little, as well as feeling somewhat calmer. It isn’t a panacea, and you may well have your own trick for this, but I find it can help you prepare your body for the upcoming performance.

Movement and Oral Delivery

Depending on who you talk to, there is conflicting advice on how you should present from the stage. I was involved in some formal public speaking training a few years back, and their guidance was to stand still, and avoid any kind of arm movement. Not my style at all!

With that said, an movement around the stage should be paced and deliberate, as if you are consciously trying to address a different corner of the audience. Pacing backwards and forwards makes you look nervous, as does rocking on your heels, stepping backwards and forwards as if rocking, etc.. Identify a spot on the stage that is your “base” and plant your feet squarely in it. When you walk around, do so, especially when emphasising certain point, and especially when involving the audience. The return to your spot. The trick of course is to try and make sure you don’t look like a wind up toy, but rather a natural sequence of movements.

Using your hands is perfectly acceptable, as you can use them to emphasis you points, and even put across your emotions and feelings about certain areas. Be aware however, that sometimes you will need to use a handheld microphone, and if you haven’t practised not moving your arms it can very easily distract you, especially as your other hand will have a presentation remote in it.

Q&A

There are three things to remember here; firstly don’t expect to know the answer to every question, and say so when you get a question you can’t answer. Promise to follow up with the individual, and if you have social media accounts or other means of sharing further information with your audience then use it to publicly do so.

Secondly, always repeat the question. Not everyone will have heard it and your repeating of it through the microphone will help. This also has the added bonus of giving you more time to consider your answer.

Finally, always do your best to call out “more of a comment than a question” type of questions. depending on your style either call it out as not a question, or say it is too complex to answer easily now so you will catch up with them afterwards. These types of questions will almost always derail any Q&A session.

When it all Goes Wrong

What if you freeze, or your slides stop working, or you get lost in the presentation, or your trousers fall down or something awful happens?, well, always make sure you have a plan. It may be as simple as always going back to the previous slide to pick up where you last knew what you were talking about, or even having your slides on an iPad (with he correct A/V adapters if possible, or having a routine to check your clothing before you walk on stage.

Remember, there will be very few people in the audience willing you to fail. Virtually everyone is on your side, and hoping you will educate and entertain them. They will be very accommodating and accepting of mistakes. This accommodation does not last forever however. If you constantly fail to deliver in subsequent talks because you haven’t learnt anything g or failed to seek help, your reputation will precede you.

Take every mistake as  a learning experience, and over time, you will find yourself learning less and even teaching more.

The Golden Rule

This is part eight of my seven part list. Bear with me.

Never, ever, run over time. Anything more than 30 seconds is going to affect the timings of the rest of the day. Unless an organiser explicitly asks you to continue past your time you need to get off stage so the next speaker can get on.

You can however finish early; a good conference will find ways of filling the gap, either stepping up to ask questions when no one else will, or even filling the space themselves.

So there it is, three parts to help you in your public speaking career. I hope some of you found it useful, and as always you can reach out to argue with me or come up with other tips. Thanks for listening!


The Art of the Presentation (Part 2 of 3)

You’ve created your presentation, now you need to practise. Or as the great Yogi Berra put it:

In theory there is no difference between theory and practise. In practise, there is.

Almost certainly in the early days of your presenting you will need to practise a considerable amount. There are two main reasons for this; firstly you will be presenting your own unique content for the first time in an open forum like a conference, which means you will need to be absolutely sure of what it is you are going to say to ensure you don’t come across as someone who is less knowledgeable than you are. Secondly, you will almost always be nervous. How quickly you overcome your nerves will vary greatly from person to person and a variety of other factors. For me it took just over two years before my nerves stopped kicking in to the point where they were visible.

The key to coming across confidently is to know what you are going to say right from your first sentence, all the way through to your last sentence. You also need to ensure that you don’t learn every single word of the talk parrot fashion. Unless you have a gift for remembering dialogue (in which case you will sound like you are simply reading your verbiage), you will have to employ a few tricks to get around this…

The Opening

Firstly, practise your very first sentence, and make it snappy and to the point, and impactful at the same time if you can. Don’t drone on about how happy you are to be here, what your name is,  thank you all for coming, I hope you like my talk, how you can’t believe you are stood in front of such a talented crowd at this amazing conference etc.. I recall practising in front of a good friend, and before I had got halfway through my introductory sentence he bellowed:

BORRRRRIIIIING! YAWN 

 

His point was that people weren’t there to hear your platitudes, they are here to get their money’s worth and listen to what you have got to say, so just get on with it. Additionally, if people want to know more about you personally they will either read your bio in the conference agenda, or look you up after the talk. Do not spend five minutes establishing your credentials as not only can it come across as egotistical (except in very rare circumstances) but erodes your impact as a confident and knowledgeable speaker.

Slide on the slides

The second trick is to use your slides as a prompt for a train of thought rather than using them as an aid to specific sentences you want to remember. In the first blog on this topic I mentioned using imagery as much as possible; avoiding the use of bullet points or long sentences as much as possible means you won’t be tempted to rely on the text for what you are going to say. Try to sound conversational, and while practising do consider filming yourself or at the very least an audio recording. Running through it a few times will help embed a few key phrases in your head you can move between, and also give your imagination a chance expand further on your thoughts. Having a few Tweetable length phrases ready to roll off your tongue is a useful way of making an impact with few words, as well as encouraging people to potentially tweet your quotes during the talk (an increase your audience). Don’t forget your “story” or the beginning, middle, end structure either.

Variety

This point is also an opportunity to practise varying the tone and pitch of your voice, the use of your hands and even how you want to move around. Practise slowing down your talking , and possible even lowering your volume (more easily achieved if you are going to be using a microphone), when you want to emphasis something of critical importance. You can also speed up and become more animated on sections that you find exciting, fun or revealing. A little bit of humour thrown in as well helps, but be careful here, especially with an international audience. Test it on colleagues and peers first.

The Close

So you have made it through the deck and you are on your last slide; before you know it you have finished your presentation. how do you finish? “And, um, that’s it really…” is not the way to go. See the first point and memorise a closing statement, something straightforward, and again, snappy. “With that, I will close and thank you all for your time and attention. I will now take questions” is a good place to start. Don’t be afraid to make changes to the deck and the story as you go through either; they will evolve as you become more proficient, and the deck should not limit your message; the message dictates the deck.

How often should you run through your deck? In my early days I would practise at least five times, recording it a few times, and often in front of a critical friend or two. This is a very real time commitment, so be aware and plan it into the creation of your presentation to meet your deadline. As you get more comfortable, you will be rehearsing the presentation as you create the deck, and after a few reviews will know what you are going to say (roughly) with each slide and each transition.

Patience

Above all, be patient with the process; like anything it takes thousands of hours to be proficient at something depending upon your natural ability, the circumstances and the topic in hand. If you are not having fun, ascertain what part of the process are you not enjoying? Very often, I talk to people who hate the entire process, including the presenting, until immediately after when they get such a rush they want to do it again. if that is the case, the painful parts do get easier. Also, make sure you find someone who will honestly critique your presentation either in person or after watching a recording. Take their viewpoint very seriously, and if they are a serious speaker then all the better.

So, if you are wondering how you can get to Carnegie Hall, as the violinist turned comedian Jack Benny once answered:

Practise Practise Practise!

Next time, The Art of the Presentation (part 3 of 3) – The Delivery.

 

Note: Look out for a new YouTube series from me coming soon, The Lost CISO!


The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with it’s simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out, not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end help draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this, but can also vary it in length, sometimes upon to 100%. The other rule of thumb is to dive the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less that 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.


The Power of Silence

Not so many years ago in the dim and distant past, the very first full length public talk I did was called “An Anatomy of a Risk Assessment”; it was a successful talk and one I was asked to present several times again in the following years. Below is a film of the second time I presented it, this time at BSides London:

My presentation style left a lot to be desired, and I seemed unable to stop using note cards until almost eighteen months later despite me not using them for other talks I gave! (Top speaking tip folks, never use printed notes when speaking, it conditions your mind to think it can only deliver when using them.) But that is not the focus of this message.

One of the pieces of “anatomy” that I spoke about in terms of risk assessments was the ears. The principle being that since you have two ears and one mouth, when auditing or assessing you should be listen twice as much as be speaking. This is important for two reasons, the second of which may not be as obvious as the first:

  1. If you are assessing someone or something, you should be drawing information from them. When you are speaking you are not gaining any information from them which is a wasted opportunity. As a consequence of this therefore,
  2. There will be periods of silence which you must not feel tempted to break. Just as nature fills a vacuum so a human wants to fill a silence. Silence therefore will encourage the target of the assessment to open up even more, just so as not to feel awkward!

Interestingly, after my very first presentation of this talk, a member of the audience asked me if i had ever been in the Police Force. “I haven’t” I replied.

Well, some of the techniques you just described are exactly like police interrogation techniques, especially the silence. I should know, I used them every day!

Flattered though I was, I did become a little concerned! Was i taking this risk assessment malarkey a little too seriously? Was i subjecting people to what amounted to an interrogation?

Obviously this was not the case, but it occurred to me that in the many books i have read on risk assessment and audit, never is the softer side of the process covered. We tend to focus on the technology, or the boxes that need to be ticked, when actually we can simply sit back and let others do the talking. I also employ humour very often to help people relax, and even do it when i am on the other side of the table too. It can make a gruelling and mindless activity far more engaging and allow you to connect with the person on the other side of the table more effectively.

It engenders trust.

You can apply many of the techniques described in the presentation in your daily work lives, especially when on a discovery programme or wanting to get to the bottom of an incident. In fact, I can’t think of anything easier than having a (one-sided) chat with someone and getting the assessment completed.

Or as Will Rogers, actor and vaudeville performer in the early 1900’s put it:

Never miss a good chance to shut up


On another note, look out for a new series of YouTube films coming from me in the next few weeks.

I give you, The Lost CISO