Keeping It Supremely Simple, the NASA way

2 Comments

Any regular reader (hello to both of you) will know that I also follow an ex NASA engineer/manager by the name of Wayne Hale. Having been in NASA for much of his adult life and being involved across the board he brings a fascinating view of the complexities of space travel, and just as interestingly, to risk.

His recent post is about damage to the Space Shuttle’s foam insulation on the external fuel tank (the big orange thing),and the steps NASA went through to return the shuttle to active service after it was found that loose foam was what had damaged the heat shield of Columbia resulting in its destruction. His insight into the machinations of NASA, the undue influence of Politics as well as politics, and that ultimately everything comes down to a risk based approach make his writing compelling and above all educational. This is writ large in the hugely complex world fo space travel, something I would hazard a guess virtually all of us are not involved in!

It was when I read the following paragraph that my jaw dropped a little as I realised  that even in NASA many decisions are based on a very simple presentation of risk, something I am a vehement supporter of:

NASA uses a matrix to plot the risks involved in any activity.  Five squares by five squares; rating risk probability from low to high and consequence from negligible to catastrophic.  The risk of foam coming off part of the External Tank and causing another catastrophe was in the top right-hand box:  5×5:  Probable and Catastrophic.  That square is colored red for a reason.

What? The hugely complex world of NASA is governed by a five by five matrix like this?

Isn’t this a hugely simplistic approach that just sweeps over the complexities and nuances of an immensely complex environment where lives are at stake and careers and reputations constantly on the line? Then the following sentence made absolute sense, and underscored the reason why risk is so often poorly understood and managed:

But the analysts did more than just present the results; they discussed the methodology used in the analysis.

It seems simple and obvious, but the infused industry very regularly talks about how simple models like a traffic light approach to risk just don’t reflect the environment we operate in, and we have to look at things in a far more complex way to ensure the nuance and complexity of our world is better understood. “Look at the actuarial sciences” they will say. I can say now i don’t subscribe to this.

The key difference with NASA though is that the decision makers understand how the scores are derived, and then discuss that methodology, then the interpretation of that traffic light colour is more greatly understood. In his blog Wayne talks of how the risk was actually talked down based upon the shared knowledge of the room and a careful consideration of the environment the risks were presented. In fact the risk as it was initially presented was actually de-escalated and a decision to go ahead was made.

Imagine if that process hadn’t happened; decisions may have been made based on poor assumptions and poor understanding of the facts, the outcome of which had the potential to be catastrophic.

The key point I am making is that a simple approach to complex problems can be taken, and that ironically it can be harder to make it happen. Everyone around the table will need to understand how the measures are derived, educated on the implications, and in a position to discuss the results in a collaborative way. Presenting an over complex, hard to read but “accurate” picture of risks will waste everyone’s time.

And if they don’t have time now, how will they be able to read Wayne’s blog?

 

 

The Art of the Presentation (Part 3 of 3)

4 Comments

It has been a while since part 2, we have had BSides and InfoSec Europe, and it has been a busy time in the day job. Nonetheless, here is the last part of three of “Art of the Presentation” (abridged version) for your edification and delight.

Part 3 is about the actual delivery of your presentation. This is where your deck and your practising come together in perfect harmony to deliver something that is memorable, engaging and above all educational. I believe there are seven key areas that need to be taken into account and addressed, either on the day or mentally before you deliver your presentation.

Presentation Aids

The simplest presentation aid you need is a is a ‘clicker’ remote. You can spend anything from £10 to over £100 on one of these. For your time, I would suggest something in between that, by Logitech or Targus who produce good solid devices. Cheaper devices are not always reliable and will often chew through batteries, the last thing you want live on stage. Personally, I use the Logi Spotlight presentation remote, which has a few bells and whistles such as a built in timer. Moving backwards and forwards from your presentation laptop looks amateurish and breaks the flow of your performance.

You may think you need notes or crib cards as well, my one word of advice is “Don’t”. As I have mentioned before they are a crutch that you will rely on far too much and they remove the natural flow of your presentation. If your nerves (see below) are getting the better of you  and you absolutely must have something just in case, have your notes typed up in a large font and very clear markings as to what slide relates to what notes fold them up and keep then on the lectern out of reach (again see below). Once more, avoid this if you can.

Technical Setup

Things to ascertain up front are if you are using your own laptop or the organisers. Using their laptop and sending your Powerpoint or Keynote in advance doesn’t guarantee that your deck will display correctly. Missing fonts, different versions of the software etc.. Making sure you check that your beautifully crafted deck still looks beautiful when up on the screen on stage means you won’t be surprised when you get on stage. Any decent organisers will work with you to find time to not only check if your deck looks good, but also to test your own laptop if need be. If using theirs, they should also provide presentation remotes for their own laptops as well.

If you are using your own laptop, make sure to bring every type of a/v adapter you need, but it boils down to three types:

  • VGA
  • DVI
  • HDMI

These are in increasing order of preference; VGA is an old standard now, but most commonly used. HDMI is the easiest to use and requires the least amount of setup as it operates around a strict standard. More often than I care to recall has the use of VGA and a misconfigured projector or LCD screen resulted in my slides looking stretched and distorted: Heartbroken!

Staging

This may not seem very obvious, but you also try and stand on the stage for a few minutes and walk around it while testing your slides. Set up your laptop if possible so you can see the screen for the next slide etc. and then walk the stage so you know where you can see your screen and where you can’t. The larger conferences will often have a comfort screen at the front that shows your on screen slide, and on rare occasions (when using their own equipment) even have it as a secondary screen.

Walking the stage also ensures your presentation remote will still work at the furthest distance from your laptop; the last thing you want is to lose connection while you are in the middle of your flow. Finally you can also ensure you are at least aware of any trip hazards on there such as loose carpeting or cable runs.

Nerves

man-looking-distressed-without-a-shirt

There is no getting away from it, but except in very rare cases you will be varying levels of nervous prior to your moment in the spotlight. Nerves are good as they will sharpen your performance, but too much and your performance will rapidly tail off. I recall early in my speaking career physically shaking and attempting to come up with an excuse to not present; it took all the energy I could muster to go on and deliver that day!

One exercise I do can be done very easily, either standing or sitting. Start by slowly clenching your fists until you are squeezing them as hard as you can. Hold this for as long as possible or up to 30 seconds, then very slowly start unclenching your hands. As your figures open, feel the tension release in your forearms and slowly breathe out. Do this 2 or three times and you should find the tension in your body ease a little, as well as feeling somewhat calmer. It isn’t a panacea, and you may well have your own trick for this, but I find it can help you prepare your body for the upcoming performance.

Movement and Oral Delivery

Depending on who you talk to, there is conflicting advice on how you should present from the stage. I was involved in some formal public speaking training a few years back, and their guidance was to stand still, and avoid any kind of arm movement. Not my style at all!

With that said, an movement around the stage should be paced and deliberate, as if you are consciously trying to address a different corner of the audience. Pacing backwards and forwards makes you look nervous, as does rocking on your heels, stepping backwards and forwards as if rocking, etc.. Identify a spot on the stage that is your “base” and plant your feet squarely in it. When you walk around, do so, especially when emphasising certain point, and especially when involving the audience. The return to your spot. The trick of course is to try and make sure you don’t look like a wind up toy, but rather a natural sequence of movements.

Using your hands is perfectly acceptable, as you can use them to emphasis you points, and even put across your emotions and feelings about certain areas. Be aware however, that sometimes you will need to use a handheld microphone, and if you haven’t practised not moving your arms it can very easily distract you, especially as your other hand will have a presentation remote in it.

Q&A

There are three things to remember here; firstly don’t expect to know the answer to every question, and say so when you get a question you can’t answer. Promise to follow up with the individual, and if you have social media accounts or other means of sharing further information with your audience then use it to publicly do so.

Secondly, always repeat the question. Not everyone will have heard it and your repeating of it through the microphone will help. This also has the added bonus of giving you more time to consider your answer.

Finally, always do your best to call out “more of a comment than a question” type of questions. depending on your style either call it out as not a question, or say it is too complex to answer easily now so you will catch up with them afterwards. These types of questions will almost always derail any Q&A session.

When it all Goes Wrong

What if you freeze, or your slides stop working, or you get lost in the presentation, or your trousers fall down or something awful happens?, well, always make sure you have a plan. It may be as simple as always going back to the previous slide to pick up where you last knew what you were talking about, or even having your slides on an iPad (with he correct A/V adapters if possible, or having a routine to check your clothing before you walk on stage.

Remember, there will be very few people in the audience willing you to fail. Virtually everyone is on your side, and hoping you will educate and entertain them. They will be very accommodating and accepting of mistakes. This accommodation does not last forever however. If you constantly fail to deliver in subsequent talks because you haven’t learnt anything g or failed to seek help, your reputation will precede you.

Take every mistake as  a learning experience, and over time, you will find yourself learning less and even teaching more.

The Golden Rule

This is part eight of my seven part list. Bear with me.

Never, ever, run over time. Anything more than 30 seconds is going to affect the timings of the rest of the day. Unless an organiser explicitly asks you to continue past your time you need to get off stage so the next speaker can get on.

You can however finish early; a good conference will find ways of filling the gap, either stepping up to ask questions when no one else will, or even filling the space themselves.

So there it is, three parts to help you in your public speaking career. I hope some of you found it useful, and as always you can reach out to argue with me or come up with other tips. Thanks for listening!

The Art of the Presentation (Part 2 of 3)

3 Comments

You’ve created your presentation, now you need to practise. Or as the great Yogi Berra put it:

In theory there is no difference between theory and practise. In practise, there is.

Almost certainly in the early days of your presenting you will need to practise a considerable amount. There are two main reasons for this; firstly you will be presenting your own unique content for the first time in an open forum like a conference, which means you will need to be absolutely sure of what it is you are going to say to ensure you don’t come across as someone who is less knowledgeable than you are. Secondly, you will almost always be nervous. How quickly you overcome your nerves will vary greatly from person to person and a variety of other factors. For me it took just over two years before my nerves stopped kicking in to the point where they were visible.

The key to coming across confidently is to know what you are going to say right from your first sentence, all the way through to your last sentence. You also need to ensure that you don’t learn every single word of the talk parrot fashion. Unless you have a gift for remembering dialogue (in which case you will sound like you are simply reading your verbiage), you will have to employ a few tricks to get around this…

The Opening

Firstly, practise your very first sentence, and make it snappy and to the point, and impactful at the same time if you can. Don’t drone on about how happy you are to be here, what your name is,  thank you all for coming, I hope you like my talk, how you can’t believe you are stood in front of such a talented crowd at this amazing conference etc.. I recall practising in front of a good friend, and before I had got halfway through my introductory sentence he bellowed:

BORRRRRIIIIING! YAWN 

 

His point was that people weren’t there to hear your platitudes, they are here to get their money’s worth and listen to what you have got to say, so just get on with it. Additionally, if people want to know more about you personally they will either read your bio in the conference agenda, or look you up after the talk. Do not spend five minutes establishing your credentials as not only can it come across as egotistical (except in very rare circumstances) but erodes your impact as a confident and knowledgeable speaker.

Slide on the slides

The second trick is to use your slides as a prompt for a train of thought rather than using them as an aid to specific sentences you want to remember. In the first blog on this topic I mentioned using imagery as much as possible; avoiding the use of bullet points or long sentences as much as possible means you won’t be tempted to rely on the text for what you are going to say. Try to sound conversational, and while practising do consider filming yourself or at the very least an audio recording. Running through it a few times will help embed a few key phrases in your head you can move between, and also give your imagination a chance expand further on your thoughts. Having a few Tweetable length phrases ready to roll off your tongue is a useful way of making an impact with few words, as well as encouraging people to potentially tweet your quotes during the talk (an increase your audience). Don’t forget your “story” or the beginning, middle, end structure either.

Variety

This point is also an opportunity to practise varying the tone and pitch of your voice, the use of your hands and even how you want to move around. Practise slowing down your talking , and possible even lowering your volume (more easily achieved if you are going to be using a microphone), when you want to emphasis something of critical importance. You can also speed up and become more animated on sections that you find exciting, fun or revealing. A little bit of humour thrown in as well helps, but be careful here, especially with an international audience. Test it on colleagues and peers first.

The Close

So you have made it through the deck and you are on your last slide; before you know it you have finished your presentation. how do you finish? “And, um, that’s it really…” is not the way to go. See the first point and memorise a closing statement, something straightforward, and again, snappy. “With that, I will close and thank you all for your time and attention. I will now take questions” is a good place to start. Don’t be afraid to make changes to the deck and the story as you go through either; they will evolve as you become more proficient, and the deck should not limit your message; the message dictates the deck.

How often should you run through your deck? In my early days I would practise at least five times, recording it a few times, and often in front of a critical friend or two. This is a very real time commitment, so be aware and plan it into the creation of your presentation to meet your deadline. As you get more comfortable, you will be rehearsing the presentation as you create the deck, and after a few reviews will know what you are going to say (roughly) with each slide and each transition.

Patience

Above all, be patient with the process; like anything it takes thousands of hours to be proficient at something depending upon your natural ability, the circumstances and the topic in hand. If you are not having fun, ascertain what part of the process are you not enjoying? Very often, I talk to people who hate the entire process, including the presenting, until immediately after when they get such a rush they want to do it again. if that is the case, the painful parts do get easier. Also, make sure you find someone who will honestly critique your presentation either in person or after watching a recording. Take their viewpoint very seriously, and if they are a serious speaker then all the better.

So, if you are wondering how you can get to Carnegie Hall, as the violinist turned comedian Jack Benny once answered:

Practise Practise Practise!

Next time, The Art of the Presentation (part 3 of 3) – The Delivery.

 

Note: Look out for a new YouTube series from me coming soon, The Lost CISO!

The Power of Silence

Leave a comment

Not so many years ago in the dim and distant past, the very first full length public talk I did was called “An Anatomy of a Risk Assessment”; it was a successful talk and one I was asked to present several times again in the following years. Below is a film of the second time I presented it, this time at BSides London:

My presentation style left a lot to be desired, and I seemed unable to stop using note cards until almost eighteen months later despite me not using them for other talks I gave! (Top speaking tip folks, never use printed notes when speaking, it conditions your mind to think it can only deliver when using them.) But that is not the focus of this message.

One of the pieces of “anatomy” that I spoke about in terms of risk assessments was the ears. The principle being that since you have two ears and one mouth, when auditing or assessing you should be listen twice as much as be speaking. This is important for two reasons, the second of which may not be as obvious as the first:

  1. If you are assessing someone or something, you should be drawing information from them. When you are speaking you are not gaining any information from them which is a wasted opportunity. As a consequence of this therefore,
  2. There will be periods of silence which you must not feel tempted to break. Just as nature fills a vacuum so a human wants to fill a silence. Silence therefore will encourage the target of the assessment to open up even more, just so as not to feel awkward!

Interestingly, after my very first presentation of this talk, a member of the audience asked me if i had ever been in the Police Force. “I haven’t” I replied.

Well, some of the techniques you just described are exactly like police interrogation techniques, especially the silence. I should know, I used them every day!

Flattered though I was, I did become a little concerned! Was i taking this risk assessment malarkey a little too seriously? Was i subjecting people to what amounted to an interrogation?

Obviously this was not the case, but it occurred to me that in the many books i have read on risk assessment and audit, never is the softer side of the process covered. We tend to focus on the technology, or the boxes that need to be ticked, when actually we can simply sit back and let others do the talking. I also employ humour very often to help people relax, and even do it when i am on the other side of the table too. It can make a gruelling and mindless activity far more engaging and allow you to connect with the person on the other side of the table more effectively.

It engenders trust.

You can apply many of the techniques described in the presentation in your daily work lives, especially when on a discovery programme or wanting to get to the bottom of an incident. In fact, I can’t think of anything easier than having a (one-sided) chat with someone and getting the assessment completed.

Or as Will Rogers, actor and vaudeville performer in the early 1900’s put it:

Never miss a good chance to shut up

On another note, look out for a new series of YouTube films coming from me in the next few weeks.

I give you, The Lost CISO

Everything that is happening now has happened before

2 Comments

While looking through old notebooks, I found this piece that I wrote in 2014 for a book that never got published. Reading it through it surprised me how much we are still facing the same challenges today as we did four years ago. Security awareness and security training are no different…

So, you have just been given responsibility for your company’s information security awareness programme and you have rolled out an off the shelf training product to the company. Job done? Probably not unfortunately, because like so many things in security, there is far more to an education and awareness programme than meets the eye. The following nine areas presented here are intended to give you guidance when establishing or improving your programme. Some may not be relevant to your organisation, some will be very relevant, but all of them are intended to provide ideas and insight into what is often a very emotive and personal subject.

 

Start at the Top

No business programme, least of all a security awareness one, is going to have any ongoing impact in an organisation if it doesn’t have the full support the senior leadership. Depending upon the type and size of organisation this could be the Board, the senior management team or even the C level executives.

Be wary of them just paying lip service as well, as they are crucial for the ongoing engagement of the company and your programme’s success. If they are the ones that haven’t taken their training then they are not committed to your programme. Senior leadership should be helping to not only communicate the training, but also reinforcing key messages and certainly leading by example.

Finally, make sure you can report back the senior leadership on the value of the training on a regular basis, be it every three, six or twelve months. However you choose to do this, bear in mind that the key purpose is to ensure your awareness programme is aligned with the business goals, and that is seen as a part of your organisations continued success.

Don’t Rely on Compliance

Using compliance as a key driver for acquiring investment for an education programme does work, but it is a short sighted approach that will limit what you can do in the future. This is because compliance is a very specific business problem that awareness addresses, and when the compliance requirement has been met there is no reason for the business to invest more money, investigate alternative approaches or expand the programme. That tick in the box limits the future of your programme.

Instead, use compliance as just one of the many drivers to build your programme, along with profit retention, reputational damage control and a protection against lost billable time for instance. These drivers will help your programme, again, align better with the company’s goals.

Teach Them to Fish

Now onto the content! No training is going to be able to put across the correct response to every single threat, every single implication of regulations and laws, and every single type of social engineering approach. The goal of the training is to arm people with a mindset, not all the answers.

Educating people on the implications of their actions, and not their actions alone is key here. By understanding that clicking on a link could result in something bad happening is more effective than just telling them not to click on links. Helping them appreciate that social engineers use an array of techniques to build a picture of the environment is more important than telling them to mistrust every interaction with every person they interact with.

In your position as an InfoSec professional, how do you know when a link or a question is dangerous? Try to put that across, and you should end up with an awareness programme that educates people not programs them.

Make it Relevant

Off the shelf awareness programmes are often seen as a quick, cost effective and easy approach to educating people. Many of the courses are very good too. However, you should be aware of your own organisational culture. Large, regulated organisations probably couldn’t effectively train through regular lunchtime briefings, and smaller organisations probably wouldn’t receive too well being in a room for three hours and having a PowerPoint shouted at them.

Additionally, there are going to be activities, lexicon and even teams and roles that are unique to your organisation. Try and avoid people having to “translate” the training they are taking to be relevant to their daily lives as much of the impact of the training will be lost.

Make it Useful

Not only should the training be useful in someone’s working lives, but also in their personal lives. In a world of Bring Your Own Device (BYOD) the lines between the workplace and home are increasingly blurred, and home networks, tablets and computers are increasingly being used to deliver into the workplace.

Educating people on how to secure their home network and WiFi, how to use a VPN in a cafe with their personal laptop, and even how to manage their own online lives not only helps secure the workplace, but also gives them a sense of being valued for the contributions they are making to the organisation.

Don’t be Too Serious

Humour is always an awkward subject when it comes to education and awareness, as it is rarely a universally agreed topic. However it is worth bearing in mind that given the often large amounts of “compliance” training often required these days (ethics, anti bribery, harassment etc training) making your course stand out is important.

Wherever possible draw upon the culture of the organisation, use in-house references (so everyone understand them) and try and avoid obscure internet humour as many people in the workplace may not understand it. Never, ever use offensive humour, or even anything that comes close to it. If your grandparents are unlikely to laugh then don’t use it!

Go MultiChannel

Taking a leaf out of the book of the marketeers and advertisers, your awareness program should be multichannel and use a number of different approaches to ensure the message gets across. Consider using videos wherever possible, leaflets, internal blogs, “sponsoring” internal events, using town halls and company meetings to present on specific security awareness projects. Poster campaigns are also a useful method of putting core concepts and points across, although a key part to their success is that they get changed on a regular basis to avoid becoming blind to them over time.

Also consider branding items like stickers, pens and pencils with a tagline or advice that ties in with your overall campaign in order to keep your security message in regularly being reviewed. Again this depends very much on the culture of your organisation as to what may seem like a cheap gimmick versus a good idea.

The core concept with this is to constantly engage with people through different means to maintain their attention and recollection of your security training.

Confirm Their Understanding

Making sure people actually understand the fruits of your hard labour goes beyond asking ten banal and blindingly obvious questions at the end of the training. These questions are table stakes when it comes to meeting compliance requirements but do nothing for actually confirming understanding. Conducting social engineering tests, sending false phishing emails (a whole topic in of itself) and even leaving trackable USB sticks lying around are valid ways to test peoples knowledge. The results of these tests can be written up providing even further educational opportunities in articles for the intranet and email updates.

Get Feedback & Start Again

The only way your awareness programme is going to improve over time is to ensure you gather open and honest feedback from all of those that you engage with throughout every phase of your involvement in your security awareness programme. Feedback from all of the recipients of the training, after every talk or awareness session and certainly feedback from the overall programme on an annual basis is an important way of ensuring good elements are enhanced and bad elements are removed.

Gathering feedback however is only half of the story; providing feedback on the effectiveness of the security awareness programme to senior leadership is also important. Consider metrics and the correlation of elements of the training as they roll out over the year to reported security incidents. Wherever possible do you best to monetise the incidents in terms of cost to the business so that over time, as security incidents decline (which they should do!) you can demonstrate the value of the programme and its contribution to the business.

Not all of these may be applicable to you and your organisation, but they should provide some guidance and ideas for you and your security awareness programme.