The Art of the Presentation (Part 3 of 3)

It has been a while since part 2, we have had BSides and InfoSec Europe, and it has been a busy time in the day job. Nonetheless, here is the last part of three of “Art of the Presentation” (abridged version) for your edification and delight.

Part 3 is about the actual delivery of your presentation. This is where your deck and your practising come together in perfect harmony to deliver something that is memorable, engaging and above all educational. I believe there are seven key areas that need to be taken into account and addressed, either on the day or mentally before you deliver your presentation.

Presentation Aids

The simplest presentation aid you need is a is a ‘clicker’ remote. You can spend anything from £10 to over £100 on one of these. For your time, I would suggest something in between that, by Logitech or Targus who produce good solid devices. Cheaper devices are not always reliable and will often chew through batteries, the last thing you want live on stage. Personally, I use the Logi Spotlight presentation remote, which has a few bells and whistles such as a built in timer. Moving backwards and forwards from your presentation laptop looks amateurish and breaks the flow of your performance.

You may think you need notes or crib cards as well, my one word of advice is “Don’t”. As I have mentioned before they are a crutch that you will rely on far too much and they remove the natural flow of your presentation. If your nerves (see below) are getting the better of you  and you absolutely must have something just in case, have your notes typed up in a large font and very clear markings as to what slide relates to what notes fold them up and keep then on the lectern out of reach (again see below). Once more, avoid this if you can.

Technical Setup

Things to ascertain up front are if you are using your own laptop or the organisers. Using their laptop and sending your Powerpoint or Keynote in advance doesn’t guarantee that your deck will display correctly. Missing fonts, different versions of the software etc.. Making sure you check that your beautifully crafted deck still looks beautiful when up on the screen on stage means you won’t be surprised when you get on stage. Any decent organisers will work with you to find time to not only check if your deck looks good, but also to test your own laptop if need be. If using theirs, they should also provide presentation remotes for their own laptops as well.

If you are using your own laptop, make sure to bring every type of a/v adapter you need, but it boils down to three types:

  • VGA
  • DVI
  • HDMI

These are in increasing order of preference; VGA is an old standard now, but most commonly used. HDMI is the easiest to use and requires the least amount of setup as it operates around a strict standard. More often than I care to recall has the use of VGA and a misconfigured projector or LCD screen resulted in my slides looking stretched and distorted: Heartbroken!

Staging

This may not seem very obvious, but you also try and stand on the stage for a few minutes and walk around it while testing your slides. Set up your laptop if possible so you can see the screen for the next slide etc. and then walk the stage so you know where you can see your screen and where you can’t. The larger conferences will often have a comfort screen at the front that shows your on screen slide, and on rare occasions (when using their own equipment) even have it as a secondary screen.

Walking the stage also ensures your presentation remote will still work at the furthest distance from your laptop; the last thing you want is to lose connection while you are in the middle of your flow. Finally you can also ensure you are at least aware of any trip hazards on there such as loose carpeting or cable runs.

Nerves

man-looking-distressed-without-a-shirt

There is no getting away from it, but except in very rare cases you will be varying levels of nervous prior to your moment in the spotlight. Nerves are good as they will sharpen your performance, but too much and your performance will rapidly tail off. I recall early in my speaking career physically shaking and attempting to come up with an excuse to not present; it took all the energy I could muster to go on and deliver that day!

One exercise I do can be done very easily, either standing or sitting. Start by slowly clenching your fists until you are squeezing them as hard as you can. Hold this for as long as possible or up to 30 seconds, then very slowly start unclenching your hands. As your figures open, feel the tension release in your forearms and slowly breathe out. Do this 2 or three times and you should find the tension in your body ease a little, as well as feeling somewhat calmer. It isn’t a panacea, and you may well have your own trick for this, but I find it can help you prepare your body for the upcoming performance.

Movement and Oral Delivery

Depending on who you talk to, there is conflicting advice on how you should present from the stage. I was involved in some formal public speaking training a few years back, and their guidance was to stand still, and avoid any kind of arm movement. Not my style at all!

With that said, an movement around the stage should be paced and deliberate, as if you are consciously trying to address a different corner of the audience. Pacing backwards and forwards makes you look nervous, as does rocking on your heels, stepping backwards and forwards as if rocking, etc.. Identify a spot on the stage that is your “base” and plant your feet squarely in it. When you walk around, do so, especially when emphasising certain point, and especially when involving the audience. The return to your spot. The trick of course is to try and make sure you don’t look like a wind up toy, but rather a natural sequence of movements.

Using your hands is perfectly acceptable, as you can use them to emphasis you points, and even put across your emotions and feelings about certain areas. Be aware however, that sometimes you will need to use a handheld microphone, and if you haven’t practised not moving your arms it can very easily distract you, especially as your other hand will have a presentation remote in it.

Q&A

There are three things to remember here; firstly don’t expect to know the answer to every question, and say so when you get a question you can’t answer. Promise to follow up with the individual, and if you have social media accounts or other means of sharing further information with your audience then use it to publicly do so.

Secondly, always repeat the question. Not everyone will have heard it and your repeating of it through the microphone will help. This also has the added bonus of giving you more time to consider your answer.

Finally, always do your best to call out “more of a comment than a question” type of questions. depending on your style either call it out as not a question, or say it is too complex to answer easily now so you will catch up with them afterwards. These types of questions will almost always derail any Q&A session.

When it all Goes Wrong

What if you freeze, or your slides stop working, or you get lost in the presentation, or your trousers fall down or something awful happens?, well, always make sure you have a plan. It may be as simple as always going back to the previous slide to pick up where you last knew what you were talking about, or even having your slides on an iPad (with he correct A/V adapters if possible, or having a routine to check your clothing before you walk on stage.

Remember, there will be very few people in the audience willing you to fail. Virtually everyone is on your side, and hoping you will educate and entertain them. They will be very accommodating and accepting of mistakes. This accommodation does not last forever however. If you constantly fail to deliver in subsequent talks because you haven’t learnt anything g or failed to seek help, your reputation will precede you.

Take every mistake as  a learning experience, and over time, you will find yourself learning less and even teaching more.

The Golden Rule

This is part eight of my seven part list. Bear with me.

Never, ever, run over time. Anything more than 30 seconds is going to affect the timings of the rest of the day. Unless an organiser explicitly asks you to continue past your time you need to get off stage so the next speaker can get on.

You can however finish early; a good conference will find ways of filling the gap, either stepping up to ask questions when no one else will, or even filling the space themselves.

So there it is, three parts to help you in your public speaking career. I hope some of you found it useful, and as always you can reach out to argue with me or come up with other tips. Thanks for listening!


The Art of the Presentation (Part 2 of 3)

You’ve created your presentation, now you need to practise. Or as the great Yogi Berra put it:

In theory there is no difference between theory and practise. In practise, there is.

Almost certainly in the early days of your presenting you will need to practise a considerable amount. There are two main reasons for this; firstly you will be presenting your own unique content for the first time in an open forum like a conference, which means you will need to be absolutely sure of what it is you are going to say to ensure you don’t come across as someone who is less knowledgeable than you are. Secondly, you will almost always be nervous. How quickly you overcome your nerves will vary greatly from person to person and a variety of other factors. For me it took just over two years before my nerves stopped kicking in to the point where they were visible.

The key to coming across confidently is to know what you are going to say right from your first sentence, all the way through to your last sentence. You also need to ensure that you don’t learn every single word of the talk parrot fashion. Unless you have a gift for remembering dialogue (in which case you will sound like you are simply reading your verbiage), you will have to employ a few tricks to get around this…

The Opening

Firstly, practise your very first sentence, and make it snappy and to the point, and impactful at the same time if you can. Don’t drone on about how happy you are to be here, what your name is,  thank you all for coming, I hope you like my talk, how you can’t believe you are stood in front of such a talented crowd at this amazing conference etc.. I recall practising in front of a good friend, and before I had got halfway through my introductory sentence he bellowed:

BORRRRRIIIIING! YAWN 

 

His point was that people weren’t there to hear your platitudes, they are here to get their money’s worth and listen to what you have got to say, so just get on with it. Additionally, if people want to know more about you personally they will either read your bio in the conference agenda, or look you up after the talk. Do not spend five minutes establishing your credentials as not only can it come across as egotistical (except in very rare circumstances) but erodes your impact as a confident and knowledgeable speaker.

Slide on the slides

The second trick is to use your slides as a prompt for a train of thought rather than using them as an aid to specific sentences you want to remember. In the first blog on this topic I mentioned using imagery as much as possible; avoiding the use of bullet points or long sentences as much as possible means you won’t be tempted to rely on the text for what you are going to say. Try to sound conversational, and while practising do consider filming yourself or at the very least an audio recording. Running through it a few times will help embed a few key phrases in your head you can move between, and also give your imagination a chance expand further on your thoughts. Having a few Tweetable length phrases ready to roll off your tongue is a useful way of making an impact with few words, as well as encouraging people to potentially tweet your quotes during the talk (an increase your audience). Don’t forget your “story” or the beginning, middle, end structure either.

Variety

This point is also an opportunity to practise varying the tone and pitch of your voice, the use of your hands and even how you want to move around. Practise slowing down your talking , and possible even lowering your volume (more easily achieved if you are going to be using a microphone), when you want to emphasis something of critical importance. You can also speed up and become more animated on sections that you find exciting, fun or revealing. A little bit of humour thrown in as well helps, but be careful here, especially with an international audience. Test it on colleagues and peers first.

The Close

So you have made it through the deck and you are on your last slide; before you know it you have finished your presentation. how do you finish? “And, um, that’s it really…” is not the way to go. See the first point and memorise a closing statement, something straightforward, and again, snappy. “With that, I will close and thank you all for your time and attention. I will now take questions” is a good place to start. Don’t be afraid to make changes to the deck and the story as you go through either; they will evolve as you become more proficient, and the deck should not limit your message; the message dictates the deck.

How often should you run through your deck? In my early days I would practise at least five times, recording it a few times, and often in front of a critical friend or two. This is a very real time commitment, so be aware and plan it into the creation of your presentation to meet your deadline. As you get more comfortable, you will be rehearsing the presentation as you create the deck, and after a few reviews will know what you are going to say (roughly) with each slide and each transition.

Patience

Above all, be patient with the process; like anything it takes thousands of hours to be proficient at something depending upon your natural ability, the circumstances and the topic in hand. If you are not having fun, ascertain what part of the process are you not enjoying? Very often, I talk to people who hate the entire process, including the presenting, until immediately after when they get such a rush they want to do it again. if that is the case, the painful parts do get easier. Also, make sure you find someone who will honestly critique your presentation either in person or after watching a recording. Take their viewpoint very seriously, and if they are a serious speaker then all the better.

So, if you are wondering how you can get to Carnegie Hall, as the violinist turned comedian Jack Benny once answered:

Practise Practise Practise!

Next time, The Art of the Presentation (part 3 of 3) – The Delivery.

 

Note: Look out for a new YouTube series from me coming soon, The Lost CISO!


The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with it’s simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out, not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end help draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this, but can also vary it in length, sometimes upon to 100%. The other rule of thumb is to dive the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less that 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.


The Power of Silence

Not so many years ago in the dim and distant past, the very first full length public talk I did was called “An Anatomy of a Risk Assessment”; it was a successful talk and one I was asked to present several times again in the following years. Below is a film of the second time I presented it, this time at BSides London:

My presentation style left a lot to be desired, and I seemed unable to stop using note cards until almost eighteen months later despite me not using them for other talks I gave! (Top speaking tip folks, never use printed notes when speaking, it conditions your mind to think it can only deliver when using them.) But that is not the focus of this message.

One of the pieces of “anatomy” that I spoke about in terms of risk assessments was the ears. The principle being that since you have two ears and one mouth, when auditing or assessing you should be listen twice as much as be speaking. This is important for two reasons, the second of which may not be as obvious as the first:

  1. If you are assessing someone or something, you should be drawing information from them. When you are speaking you are not gaining any information from them which is a wasted opportunity. As a consequence of this therefore,
  2. There will be periods of silence which you must not feel tempted to break. Just as nature fills a vacuum so a human wants to fill a silence. Silence therefore will encourage the target of the assessment to open up even more, just so as not to feel awkward!

Interestingly, after my very first presentation of this talk, a member of the audience asked me if i had ever been in the Police Force. “I haven’t” I replied.

Well, some of the techniques you just described are exactly like police interrogation techniques, especially the silence. I should know, I used them every day!

Flattered though I was, I did become a little concerned! Was i taking this risk assessment malarkey a little too seriously? Was i subjecting people to what amounted to an interrogation?

Obviously this was not the case, but it occurred to me that in the many books i have read on risk assessment and audit, never is the softer side of the process covered. We tend to focus on the technology, or the boxes that need to be ticked, when actually we can simply sit back and let others do the talking. I also employ humour very often to help people relax, and even do it when i am on the other side of the table too. It can make a gruelling and mindless activity far more engaging and allow you to connect with the person on the other side of the table more effectively.

It engenders trust.

You can apply many of the techniques described in the presentation in your daily work lives, especially when on a discovery programme or wanting to get to the bottom of an incident. In fact, I can’t think of anything easier than having a (one-sided) chat with someone and getting the assessment completed.

Or as Will Rogers, actor and vaudeville performer in the early 1900’s put it:

Never miss a good chance to shut up


On another note, look out for a new series of YouTube films coming from me in the next few weeks.

I give you, The Lost CISO


What does a CISO actually do?

I read this wonderful article by Helen Patton  a CISO and contributor to Medium, and in it she describes the seven main areas she spends her time as a CISO; Technology, Data, Business, All The Other Internal Stuff, Vendors and Partners, Law Enforcement and Customers. (She also adds an eighth area, her Security Team of course!).

It is a fascinating read and one that tells a lot about the type of work a CISO will find themselves doing, and much of it resonated with me. I do believe however that the viewpoint is constrained by one aspect of her role, and one Helen states upfront:

Given that Cyber Security is about, well, cyber, and given that in my organization my administrative reporting line goes through the CIO, I spend a fair amount of time working on technology strategy.

It prompted me to write this post because I feel a CISO can do so much more once the role is removed from the auspices of IT. This has been a pet topic of mine for a number of years now, and it is a similar challenge CIO’s once faced, i.e. not reporting into the highest level of management possible. even spoke back in 2013 at RSA on just this topic.

This is a very common reporting line of course, largely because information security responsibilities often come out of IT, or the focus is purely on IT security and therefore fits into that service. It does however create potential issues:

  • The infosec message is filtered through the IT lens, and security issues become a smaller part of the overall IT programme.
  • The role is focussed significantly more on technology (the first item on Helen’s list above) and doesn’t take into account other factors, such as physical, people, or even awareness.
  • If the security function is dictating or heavily influencing technology and architecture, a conflict of intents can arise if there are security deficiencies in those aspects. There is no independent perspective on testing the environments, and a conflict of interest in highlighting deficiencies therein.

In these circumstances the role has a tighter focus, is more hands on, and may potentially not bring the benefits to an organisation that it could.

So what should CISO be doing then?

The CISO primarily needs to be a representative of the business, and not of a department. By that I mean that the CISO is not always going to be the best information Security professional in the same way that the CFO is not always the best accountant. They are however the best person to make decisions that span their area of responsibility AND the business, and actually focus on the bigger picture.

My role as a CISO therefore is not to make the company the most secure company in the world. If I did that, it would be out of business in a matter of months; loss of agility, inability to invest, reluctance to accept certain projects etc etc would make the company wholly unprofitable. My role is to help the company sell more, do more, innovate more and earn more… through the judicious application of security as a competitive advantage.

Put simply, a CISO needs to stop saying “No” to projects or requests that on the face of it are high risk, and stop expecting 100% security on rollouts prior to launch. That doesn’t mean we can’t aspire to perfection, or aim to build the very best environment we can, we just have to accept that something that is a high risk to us, may be a low risk to the business overall. Of course the business needs to understand what the security risks are and be cognisant of the risk when taking decisions, but security is not the single most important input here, it is one of many. We are advisors, not dictators.

The CISO therefore not only does many of the things Helen points out in her article, but it goes beyond that; above everything else in my opinion is being able to truly understand the business, it’s challenges, goals and vision, provide performance information, read the company reports and educate the senior leadership on what risks there are without sowing F(ear), U(ncertainty) and D(oubt). In other words then, what does a CISO do…?

Powerpoint and politics.

Everything else is just details.