The Art of the Presentation (Part 3 of 3)

It has been a while since part 2; we have had BSides and InfoSec Europe, and it has been a busy time in the day job. Nonetheless, here is the last part of three of “Art of the Presentation” (abridged version) for your edification and delight.

Part 3 is about the actual delivery of your presentation. This is where your deck and your practising come together in perfect harmony to deliver something that is memorable, engaging and above all educational. I believe there are seven key areas that need to be taken into account and addressed, either on the day or mentally before you deliver your presentation.

Presentation Aids

The simplest presentation aid you need is a ‘clicker’ remote. You can spend anything from £10 to over £100 on one of these. For your time, I would suggest something in between that, by Logitech or Targus, who produce good solid devices. Cheaper devices are not always reliable and will often chew through batteries, the last thing you want live on stage. Personally, I use the Logi Spotlight presentation remote, which has a few bells and whistles such as a built-in timer. Moving backwards and forwards from your presentation laptop looks amateurish and breaks the flow of your performance.

You may think you need notes or crib cards as well; my one word of advice is “Don’t”. As I have mentioned before, they are a crutch that you will rely on far too much and they remove the natural flow of your presentation. If your nerves (see below) are getting the better of you and you absolutely must have something just in case, have your notes typed up in a large font with very clear markings as to which slide relates to which notes, fold them up and keep them on the lectern out of reach (again, see below). Once more, avoid this if you can.

Technical Setup

Things to ascertain up front are if you are using your own laptop or the organisers’. Using their laptop and sending your PowerPoint or Keynote in advance doesn’t guarantee that your deck will display correctly: missing fonts, different versions of the software, etc. can all get in the way. Making sure you check that your beautifully crafted deck still looks beautiful when up on the screen on stage means you won’t be surprised when you get on stage. Any decent organisers will work with you to find time to not only check if your deck looks good, but also to test your own laptop if need be. If using theirs, they should also provide presentation remotes for their own laptops as well.

If you are using your own laptop, make sure to bring every type of a/v adapter you need, but it boils down to three types:

  • VGA
  • DVI
  • HDMI

These are in increasing order of preference; VGA is an old standard now, but most commonly used. HDMI is the easiest to use and requires the least amount of setup as it operates around a strict standard. More often than I care to recall has the use of VGA and a misconfigured projector or LCD screen resulted in my slides looking stretched and distorted: Heartbroken!

Staging

This may not seem very obvious, but you should also try to stand on the stage for a few minutes and walk around it while testing your slides. Set up your laptop if possible so you can see the screen for the next slide etc. and then walk the stage so you know where you can see your screen and where you can’t. The larger conferences will often have a comfort screen at the front that shows your on-screen slide, and on rare occasions (when using their own equipment) even have it as a secondary screen.

Walking the stage also ensures your presentation remote will still work at the furthest distance from your laptop; the last thing you want is to lose connection while you are in the middle of your flow. Finally you can also ensure you are at least aware of any trip hazards on there such as loose carpeting or cable runs.

Nerves

There is no getting away from it, but except in very rare cases you will be varying levels of nervous prior to your moment in the spotlight. Nerves are good as they will sharpen your performance, but too much and your performance will rapidly tail off. I recall early in my speaking career physically shaking and attempting to come up with an excuse to not present; it took all the energy I could muster to go on and deliver that day!

One exercise I do can be done very easily, either standing or sitting. Start by slowly clenching your fists until you are squeezing them as hard as you can. Hold this for as long as possible or up to 30 seconds, then very slowly start unclenching your hands. As your fingers open, feel the tension release in your forearms and slowly breathe out. Do this two or three times and you should find the tension in your body ease a little, as well as feeling somewhat calmer. It isn’t a panacea, and you may well have your own trick for this, but I find it can help you prepare your body for the upcoming performance.

Movement and Oral Delivery

Depending on who you talk to, there is conflicting advice on how you should present from the stage. I was involved in some formal public speaking training a few years back, and their guidance was to stand still, and avoid any kind of arm movement. Not my style at all!

With that said, any movement around the stage should be paced and deliberate, as if you are consciously trying to address a different corner of the audience. Pacing backwards and forwards makes you look nervous, as does rocking on your heels, stepping backwards and forwards as if rocking, etc. Identify a spot on the stage that is your “base” and plant your feet squarely in it. When you walk around, do so deliberately, especially when emphasising certain points, and especially when involving the audience. Then return to your spot. The trick of course is to try and make sure you don’t look like a wind-up toy, but rather a natural sequence of movements.

Using your hands is perfectly acceptable, as you can use them to emphasise your points, and even put across your emotions and feelings about certain areas. Be aware, however, that sometimes you will need to use a handheld microphone, and if you haven’t practised not moving your arms it can very easily distract you, especially as your other hand will have a presentation remote in it.

Q&A

There are three things to remember here; firstly don’t expect to know the answer to every question, and say so when you get a question you can’t answer. Promise to follow up with the individual, and if you have social media accounts or other means of sharing further information with your audience then use it to publicly do so.

Secondly, always repeat the question. Not everyone will have heard it and your repeating of it through the microphone will help. This also has the added bonus of giving you more time to consider your answer.

Finally, always do your best to call out “more of a comment than a question” type of questions. Depending on your style, either call it out as not a question, or say it is too complex to answer easily now so you will catch up with them afterwards. These types of questions will almost always derail any Q&A session.

When it all Goes Wrong

What if you freeze, or your slides stop working, or you get lost in the presentation, or your trousers fall down or something awful happens? Well, always make sure you have a plan. It may be as simple as always going back to the previous slide to pick up where you last knew what you were talking about, or even having your slides on an iPad (with the correct A/V adapters if possible), or having a routine to check your clothing before you walk on stage.

Remember, there will be very few people in the audience willing you to fail. Virtually everyone is on your side, and hoping you will educate and entertain them. They will be very accommodating and accepting of mistakes. This accommodation does not last forever, however. If you constantly fail to deliver in subsequent talks because you haven’t learnt anything or failed to seek help, your reputation will precede you.

Take every mistake as a learning experience, and over time, you will find yourself learning less and even teaching more.

The Golden Rule

This is part eight of my seven part list. Bear with me.

Never, ever, run over time. Anything more than 30 seconds is going to affect the timings of the rest of the day. Unless an organiser explicitly asks you to continue past your time you need to get off stage so the next speaker can get on.

You can however finish early; a good conference will find ways of filling the gap, either stepping up to ask questions when no one else will, or even filling the space themselves.

So there it is, three parts to help you in your public speaking career. I hope some of you found it useful, and as always you can reach out to argue with me or come up with other tips. Thanks for listening!


Everything that is happening now has happened before

While looking through old notebooks, I found this piece that I wrote in 2014 for a book that never got published. Reading it through it surprised me how much we are still facing the same challenges today as we did four years ago. Security awareness and security training are no different…

So, you have just been given responsibility for your company’s information security awareness programme and you have rolled out an off the shelf training product to the company. Job done? Probably not unfortunately, because like so many things in security, there is far more to an education and awareness programme than meets the eye. The following nine areas presented here are intended to give you guidance when establishing or improving your programme. Some may not be relevant to your organisation, some will be very relevant, but all of them are intended to provide ideas and insight into what is often a very emotive and personal subject.

 

Start at the Top

No business programme, least of all a security awareness one, is going to have any ongoing impact in an organisation if it doesn’t have the full support of the senior leadership. Depending upon the type and size of organisation this could be the Board, the senior management team or even the C level executives.

Be wary of them just paying lip service as well, as they are crucial for the ongoing engagement of the company and your programme’s success. If they are the ones that haven’t taken their training then they are not committed to your programme. Senior leadership should be helping to not only communicate the training, but also reinforcing key messages and certainly leading by example.

Finally, make sure you can report back to the senior leadership on the value of the training on a regular basis, be it every three, six or twelve months. However you choose to do this, bear in mind that the key purpose is to ensure your awareness programme is aligned with the business goals, and that it is seen as a part of your organisation’s continued success.

Don’t Rely on Compliance

Using compliance as a key driver for acquiring investment for an education programme does work, but it is a short sighted approach that will limit what you can do in the future. This is because compliance is a very specific business problem that awareness addresses, and when the compliance requirement has been met there is no reason for the business to invest more money, investigate alternative approaches or expand the programme. That tick in the box limits the future of your programme.

Instead, use compliance as just one of the many drivers to build your programme, along with profit retention, reputational damage control and a protection against lost billable time for instance. These drivers will help your programme, again, align better with the company’s goals.

Teach Them to Fish

Now onto the content! No training is going to be able to put across the correct response to every single threat, every single implication of regulations and laws, and every single type of social engineering approach. The goal of the training is to arm people with a mindset, not all the answers.

Educating people on the implications of their actions, and not their actions alone, is key here. Helping them understand that clicking on a link could result in something bad happening is more effective than just telling them not to click on links. Helping them appreciate that social engineers use an array of techniques to build a picture of the environment is more important than telling them to mistrust every interaction with every person they interact with.

In your position as an InfoSec professional, how do you know when a link or a question is dangerous? Try to put that across, and you should end up with an awareness programme that educates people, not programs them.

Make it Relevant

Off the shelf awareness programmes are often seen as a quick, cost effective and easy approach to educating people. Many of the courses are very good too. However, you should be aware of your own organisational culture. Large, regulated organisations probably couldn’t effectively train through regular lunchtime briefings, and smaller organisations probably wouldn’t receive too well being in a room for three hours and having a PowerPoint shouted at them.

Additionally, there are going to be activities, lexicon and even teams and roles that are unique to your organisation. Try and avoid people having to “translate” the training they are taking to be relevant to their daily lives as much of the impact of the training will be lost.

Make it Useful

Not only should the training be useful in someone’s working lives, but also in their personal lives. In a world of Bring Your Own Device (BYOD) the lines between the workplace and home are increasingly blurred, and home networks, tablets and computers are increasingly being used to deliver into the workplace.

Educating people on how to secure their home network and WiFi, how to use a VPN in a cafe with their personal laptop, and even how to manage their own online lives not only helps secure the workplace, but also gives them a sense of being valued for the contributions they are making to the organisation.

Don’t be Too Serious

Humour is always an awkward subject when it comes to education and awareness, as it is rarely a universally agreed topic. However, it is worth bearing in mind that, given the large amounts of “compliance” training often required these days (ethics, anti-bribery, harassment training, etc.), making your course stand out is important.

Wherever possible draw upon the culture of the organisation, use in-house references (so everyone understands them) and try and avoid obscure internet humour as many people in the workplace may not understand it. Never, ever use offensive humour, or even anything that comes close to it. If your grandparents are unlikely to laugh then don’t use it!

Go MultiChannel

Taking a leaf out of the book of the marketeers and advertisers, your awareness programme should be multichannel and use a number of different approaches to ensure the message gets across. Consider using videos wherever possible, leaflets, internal blogs, “sponsoring” internal events, and using town halls and company meetings to present on specific security awareness projects. Poster campaigns are also a useful method of putting core concepts and points across, although a key part of their success is that they get changed on a regular basis to avoid people becoming blind to them over time.

Also consider branding items like stickers, pens and pencils with a tagline or advice that ties in with your overall campaign in order to keep your security message being regularly reviewed. Again, this depends very much on the culture of your organisation as to what may seem like a cheap gimmick versus a good idea.

The core concept with this is to constantly engage with people through different means to maintain their attention and recollection of your security training.

Confirm Their Understanding

Making sure people actually understand the fruits of your hard labour goes beyond asking ten banal and blindingly obvious questions at the end of the training. These questions are table stakes when it comes to meeting compliance requirements but do nothing for actually confirming understanding. Conducting social engineering tests, sending false phishing emails (a whole topic in and of itself) and even leaving trackable USB sticks lying around are valid ways to test people’s knowledge. The results of these tests can be written up, providing even further educational opportunities in articles for the intranet and email updates.

Get Feedback & Start Again

The only way your awareness programme is going to improve over time is to ensure you gather open and honest feedback from all of those that you engage with throughout every phase of your involvement in your security awareness programme. Feedback from all of the recipients of the training, after every talk or awareness session and certainly feedback from the overall programme on an annual basis is an important way of ensuring good elements are enhanced and bad elements are removed.

Gathering feedback, however, is only half of the story; providing feedback on the effectiveness of the security awareness programme to senior leadership is also important. Consider metrics and the correlation of elements of the training as they roll out over the year to reported security incidents. Wherever possible do your best to monetise the incidents in terms of cost to the business so that over time, as security incidents decline (which they should do!) you can demonstrate the value of the programme and its contribution to the business.

Not all of these may be applicable to you and your organisation, but they should provide some guidance and ideas for you and your security awareness programme.