The Art of the Presentation (Part 2 of 3)

3 Comments

You’ve created your presentation, now you need to practise. Or as the great Yogi Berra put it:

In theory there is no difference between theory and practise. In practise, there is.

Almost certainly in the early days of your presenting you will need to practise a considerable amount. There are two main reasons for this; firstly you will be presenting your own unique content for the first time in an open forum like a conference, which means you will need to be absolutely sure of what it is you are going to say to ensure you don’t come across as someone who is less knowledgeable than you are. Secondly, you will almost always be nervous. How quickly you overcome your nerves will vary greatly from person to person and a variety of other factors. For me it took just over two years before my nerves stopped kicking in to the point where they were visible.

The key to coming across confidently is to know what you are going to say right from your first sentence, all the way through to your last sentence. You also need to ensure that you don’t learn every single word of the talk parrot fashion. Unless you have a gift for remembering dialogue (in which case you will sound like you are simply reading your verbiage), you will have to employ a few tricks to get around this…

The Opening

Firstly, practise your very first sentence, and make it snappy and to the point, and impactful at the same time if you can. Don’t drone on about how happy you are to be here, what your name is,  thank you all for coming, I hope you like my talk, how you can’t believe you are stood in front of such a talented crowd at this amazing conference etc.. I recall practising in front of a good friend, and before I had got halfway through my introductory sentence he bellowed:

BORRRRRIIIIING! YAWN 

 

His point was that people weren’t there to hear your platitudes, they are here to get their money’s worth and listen to what you have got to say, so just get on with it. Additionally, if people want to know more about you personally they will either read your bio in the conference agenda, or look you up after the talk. Do not spend five minutes establishing your credentials as not only can it come across as egotistical (except in very rare circumstances) but erodes your impact as a confident and knowledgeable speaker.

Slide on the slides

The second trick is to use your slides as a prompt for a train of thought rather than using them as an aid to specific sentences you want to remember. In the first blog on this topic I mentioned using imagery as much as possible; avoiding the use of bullet points or long sentences as much as possible means you won’t be tempted to rely on the text for what you are going to say. Try to sound conversational, and while practising do consider filming yourself or at the very least an audio recording. Running through it a few times will help embed a few key phrases in your head you can move between, and also give your imagination a chance expand further on your thoughts. Having a few Tweetable length phrases ready to roll off your tongue is a useful way of making an impact with few words, as well as encouraging people to potentially tweet your quotes during the talk (an increase your audience). Don’t forget your “story” or the beginning, middle, end structure either.

Variety

This point is also an opportunity to practise varying the tone and pitch of your voice, the use of your hands and even how you want to move around. Practise slowing down your talking , and possible even lowering your volume (more easily achieved if you are going to be using a microphone), when you want to emphasis something of critical importance. You can also speed up and become more animated on sections that you find exciting, fun or revealing. A little bit of humour thrown in as well helps, but be careful here, especially with an international audience. Test it on colleagues and peers first.

The Close

So you have made it through the deck and you are on your last slide; before you know it you have finished your presentation. how do you finish? “And, um, that’s it really…” is not the way to go. See the first point and memorise a closing statement, something straightforward, and again, snappy. “With that, I will close and thank you all for your time and attention. I will now take questions” is a good place to start. Don’t be afraid to make changes to the deck and the story as you go through either; they will evolve as you become more proficient, and the deck should not limit your message; the message dictates the deck.

How often should you run through your deck? In my early days I would practise at least five times, recording it a few times, and often in front of a critical friend or two. This is a very real time commitment, so be aware and plan it into the creation of your presentation to meet your deadline. As you get more comfortable, you will be rehearsing the presentation as you create the deck, and after a few reviews will know what you are going to say (roughly) with each slide and each transition.

Patience

Above all, be patient with the process; like anything it takes thousands of hours to be proficient at something depending upon your natural ability, the circumstances and the topic in hand. If you are not having fun, ascertain what part of the process are you not enjoying? Very often, I talk to people who hate the entire process, including the presenting, until immediately after when they get such a rush they want to do it again. if that is the case, the painful parts do get easier. Also, make sure you find someone who will honestly critique your presentation either in person or after watching a recording. Take their viewpoint very seriously, and if they are a serious speaker then all the better.

So, if you are wondering how you can get to Carnegie Hall, as the violinist turned comedian Jack Benny once answered:

Practise Practise Practise!

Next time, The Art of the Presentation (part 3 of 3) – The Delivery.

 

Note: Look out for a new YouTube series from me coming soon, The Lost CISO!

The Power of Silence

Leave a comment

Not so many years ago in the dim and distant past, the very first full length public talk I did was called “An Anatomy of a Risk Assessment”; it was a successful talk and one I was asked to present several times again in the following years. Below is a film of the second time I presented it, this time at BSides London:

My presentation style left a lot to be desired, and I seemed unable to stop using note cards until almost eighteen months later despite me not using them for other talks I gave! (Top speaking tip folks, never use printed notes when speaking, it conditions your mind to think it can only deliver when using them.) But that is not the focus of this message.

One of the pieces of “anatomy” that I spoke about in terms of risk assessments was the ears. The principle being that since you have two ears and one mouth, when auditing or assessing you should be listen twice as much as be speaking. This is important for two reasons, the second of which may not be as obvious as the first:

  1. If you are assessing someone or something, you should be drawing information from them. When you are speaking you are not gaining any information from them which is a wasted opportunity. As a consequence of this therefore,
  2. There will be periods of silence which you must not feel tempted to break. Just as nature fills a vacuum so a human wants to fill a silence. Silence therefore will encourage the target of the assessment to open up even more, just so as not to feel awkward!

Interestingly, after my very first presentation of this talk, a member of the audience asked me if i had ever been in the Police Force. “I haven’t” I replied.

Well, some of the techniques you just described are exactly like police interrogation techniques, especially the silence. I should know, I used them every day!

Flattered though I was, I did become a little concerned! Was i taking this risk assessment malarkey a little too seriously? Was i subjecting people to what amounted to an interrogation?

Obviously this was not the case, but it occurred to me that in the many books i have read on risk assessment and audit, never is the softer side of the process covered. We tend to focus on the technology, or the boxes that need to be ticked, when actually we can simply sit back and let others do the talking. I also employ humour very often to help people relax, and even do it when i am on the other side of the table too. It can make a gruelling and mindless activity far more engaging and allow you to connect with the person on the other side of the table more effectively.

It engenders trust.

You can apply many of the techniques described in the presentation in your daily work lives, especially when on a discovery programme or wanting to get to the bottom of an incident. In fact, I can’t think of anything easier than having a (one-sided) chat with someone and getting the assessment completed.

Or as Will Rogers, actor and vaudeville performer in the early 1900’s put it:

Never miss a good chance to shut up

On another note, look out for a new series of YouTube films coming from me in the next few weeks.

I give you, The Lost CISO

Everything that is happening now has happened before

2 Comments

While looking through old notebooks, I found this piece that I wrote in 2014 for a book that never got published. Reading it through it surprised me how much we are still facing the same challenges today as we did four years ago. Security awareness and security training are no different…

So, you have just been given responsibility for your company’s information security awareness programme and you have rolled out an off the shelf training product to the company. Job done? Probably not unfortunately, because like so many things in security, there is far more to an education and awareness programme than meets the eye. The following nine areas presented here are intended to give you guidance when establishing or improving your programme. Some may not be relevant to your organisation, some will be very relevant, but all of them are intended to provide ideas and insight into what is often a very emotive and personal subject.

 

Start at the Top

No business programme, least of all a security awareness one, is going to have any ongoing impact in an organisation if it doesn’t have the full support the senior leadership. Depending upon the type and size of organisation this could be the Board, the senior management team or even the C level executives.

Be wary of them just paying lip service as well, as they are crucial for the ongoing engagement of the company and your programme’s success. If they are the ones that haven’t taken their training then they are not committed to your programme. Senior leadership should be helping to not only communicate the training, but also reinforcing key messages and certainly leading by example.

Finally, make sure you can report back the senior leadership on the value of the training on a regular basis, be it every three, six or twelve months. However you choose to do this, bear in mind that the key purpose is to ensure your awareness programme is aligned with the business goals, and that is seen as a part of your organisations continued success.

Don’t Rely on Compliance

Using compliance as a key driver for acquiring investment for an education programme does work, but it is a short sighted approach that will limit what you can do in the future. This is because compliance is a very specific business problem that awareness addresses, and when the compliance requirement has been met there is no reason for the business to invest more money, investigate alternative approaches or expand the programme. That tick in the box limits the future of your programme.

Instead, use compliance as just one of the many drivers to build your programme, along with profit retention, reputational damage control and a protection against lost billable time for instance. These drivers will help your programme, again, align better with the company’s goals.

Teach Them to Fish

Now onto the content! No training is going to be able to put across the correct response to every single threat, every single implication of regulations and laws, and every single type of social engineering approach. The goal of the training is to arm people with a mindset, not all the answers.

Educating people on the implications of their actions, and not their actions alone is key here. By understanding that clicking on a link could result in something bad happening is more effective than just telling them not to click on links. Helping them appreciate that social engineers use an array of techniques to build a picture of the environment is more important than telling them to mistrust every interaction with every person they interact with.

In your position as an InfoSec professional, how do you know when a link or a question is dangerous? Try to put that across, and you should end up with an awareness programme that educates people not programs them.

Make it Relevant

Off the shelf awareness programmes are often seen as a quick, cost effective and easy approach to educating people. Many of the courses are very good too. However, you should be aware of your own organisational culture. Large, regulated organisations probably couldn’t effectively train through regular lunchtime briefings, and smaller organisations probably wouldn’t receive too well being in a room for three hours and having a PowerPoint shouted at them.

Additionally, there are going to be activities, lexicon and even teams and roles that are unique to your organisation. Try and avoid people having to “translate” the training they are taking to be relevant to their daily lives as much of the impact of the training will be lost.

Make it Useful

Not only should the training be useful in someone’s working lives, but also in their personal lives. In a world of Bring Your Own Device (BYOD) the lines between the workplace and home are increasingly blurred, and home networks, tablets and computers are increasingly being used to deliver into the workplace.

Educating people on how to secure their home network and WiFi, how to use a VPN in a cafe with their personal laptop, and even how to manage their own online lives not only helps secure the workplace, but also gives them a sense of being valued for the contributions they are making to the organisation.

Don’t be Too Serious

Humour is always an awkward subject when it comes to education and awareness, as it is rarely a universally agreed topic. However it is worth bearing in mind that given the often large amounts of “compliance” training often required these days (ethics, anti bribery, harassment etc training) making your course stand out is important.

Wherever possible draw upon the culture of the organisation, use in-house references (so everyone understand them) and try and avoid obscure internet humour as many people in the workplace may not understand it. Never, ever use offensive humour, or even anything that comes close to it. If your grandparents are unlikely to laugh then don’t use it!

Go MultiChannel

Taking a leaf out of the book of the marketeers and advertisers, your awareness program should be multichannel and use a number of different approaches to ensure the message gets across. Consider using videos wherever possible, leaflets, internal blogs, “sponsoring” internal events, using town halls and company meetings to present on specific security awareness projects. Poster campaigns are also a useful method of putting core concepts and points across, although a key part to their success is that they get changed on a regular basis to avoid becoming blind to them over time.

Also consider branding items like stickers, pens and pencils with a tagline or advice that ties in with your overall campaign in order to keep your security message in regularly being reviewed. Again this depends very much on the culture of your organisation as to what may seem like a cheap gimmick versus a good idea.

The core concept with this is to constantly engage with people through different means to maintain their attention and recollection of your security training.

Confirm Their Understanding

Making sure people actually understand the fruits of your hard labour goes beyond asking ten banal and blindingly obvious questions at the end of the training. These questions are table stakes when it comes to meeting compliance requirements but do nothing for actually confirming understanding. Conducting social engineering tests, sending false phishing emails (a whole topic in of itself) and even leaving trackable USB sticks lying around are valid ways to test peoples knowledge. The results of these tests can be written up providing even further educational opportunities in articles for the intranet and email updates.

Get Feedback & Start Again

The only way your awareness programme is going to improve over time is to ensure you gather open and honest feedback from all of those that you engage with throughout every phase of your involvement in your security awareness programme. Feedback from all of the recipients of the training, after every talk or awareness session and certainly feedback from the overall programme on an annual basis is an important way of ensuring good elements are enhanced and bad elements are removed.

Gathering feedback however is only half of the story; providing feedback on the effectiveness of the security awareness programme to senior leadership is also important. Consider metrics and the correlation of elements of the training as they roll out over the year to reported security incidents. Wherever possible do you best to monetise the incidents in terms of cost to the business so that over time, as security incidents decline (which they should do!) you can demonstrate the value of the programme and its contribution to the business.

Not all of these may be applicable to you and your organisation, but they should provide some guidance and ideas for you and your security awareness programme.

Ground Control to Major Thom

Leave a comment

I recently finished a book called “Into the Black” by Roland White, charting the birth of the space shuttle from the beginnings of the space race through to it’s untimely retirement. It is a fascinating account of why “space is hard” and exemplifies the need for compromise and balance of risks in even the harshest of environments.

Having seen two shuttles first hand in the last nine months (the Enterprise on USS Intrepid in New York and the Atlanta at Kennedy Space Centre), it boggles my mind that something so big could get into space and back again, to be reused. Facts like the exhaust from each of the three main engines on the shuttle burn hotter than the melting temperature of the metal the engine ‘bells’ are made of (they ingeniously pipe supercooled fuel down the outside of the bells to not only act as an afterburner of sorts but also cool the bells themselves) go to show the kind of engineering challenges that needed to be overcome.

There was one incident however that really struck me regarding the relationship between the crew onboard and the crew on the ground. On the Shuttle’s maiden flight into space, STS-1 also known as Columbia carried out 37 orbits of the earth with two crew on board, mission commander John W. Young and pilot Robert L. Crippen. Once orbit was achieved an inspection of the critical heat tiles on the underside of the shuttle showed some potential damage. If the damage was too extensive the return to earth would (as later events in the Shuttle’s history proved) be fatal.

The crew however were tasked with a variety of other activities, including fixing problems onboard they could address. They left the task of assessing and calculating the damage to those on the ground who were better equipped and experienced to deal with the situation. This they duly did and as we know Columbia landed safely just over two days later.

It struck me that this reflects well the way information Security professionals should treat the individuals we are tasked with supporting. There is much that individuals can do to help of course, and that is why training and awareness efforts are so important, but too often it is the case that “we would be secure if it wasn’t for the dumb users”. The sole purpose of the Columbia ground crew was to support and ensure the safe return of those on board STS-1 so that they could get on with their jobs in space. Ours is the same.

Just because te crew had extensive training to deal with issues as they arose, the best use of their time was to focus on the job in hand and let ground crew worry about other problems. The people we support should also be trained to deal with security issues, but sometimes they really need to just get on with the deliverables at hand and let us deal with the security issue. They might be trained and capable, but we need to identify when the best course of action is to deal with their security issues for them, freeing them to do their work.

Never forget that we support our organisations/businesses to do their jobs. We provide tools to allow them to be more effective in their end goals but it is still our responsibility to do the heavy lifting when the time comes. Except in very rare cases we are there because of them, not in spite of them.

(Photo courtesy of William Lau @lausecurity)

“And the winner is… Compliance!”

1 Comment

real-men-real-men-demotivational-poster-1221782347Disclaimer: My comments below are based upon quotes from both Twitter and The Times of London on the UK’s TalkTalk breach; as a result the subsequent investigation and analysis may find that some of the assertions are in fact incorrect. I will post clarifying statements should this happen to be the case.

I am not normally one to pick over the bones of company A or company B’s breach as there are many people more morbid and qualified than me to do so, and I also hate the feeling of tempting fate. All over the world i would guarantee there are CISOs breathing a sigh of relief and muttering to themselves/psychoanalyst/spouses “thank god it wasn’t us”. Bad things happen to good people, and an industry like ours that tends to measure success on the absence of bad things happening is not a great place to be when those bad things appear to happen far more frequently than ever before.

So it took me a while to decide if I should write up my feelings on TalkTalk’s breach, although I had Tweeted a few comments which were followed up on.

Quentyn W Twitter 1

(that original quote I Tweeted from the Times)

that original quote I Tweeted from the Times dated 25th October 2015

Initially I was shocked that people are still using the same password across so many crucial accounts. After a ten minute rant in the car about it with my wife, she calmly (one of the many reasons I married her) explained that not everyone thinks like me as a security professional, and that I should remember my own quote of “convenience eats security for breakfast”. Having calmed down a little, I was then shocked by something else.  That something else was when the TalkTalk CEO, Dido Harding was on national television looking clearly exhausted (I can only imagine how much sleep she had been getting the last few days) giving out unequivocally bad advice such as “check the from address on your emails, if it has our address it is from us”. Graham Cluley’s short analysis was spot on here:

As if TalkTalk’s customers hadn’t gone through enough, they are then being given shoddy advice from someone in a supposed position of trust that is going to put them at even more risk. The scammers and phishers must have been rubbing their hands with invisible soap and glee as they prepared their emails and phone calls.

Now, the attack it seems did not disclose as much information as was first though, which is good news. So credit card numbers were tokenised and therefore unusable, so no direct fraud could be carried out there (again dependent upon the form of that tokenisation which I am sure there will be more details on in the coming months). Bank details were however disclosed, but again, there is a limited amount of damage that can be done there (there is some I acknowledge, but it takes time and is more noticeable… another time for that discussion). Here is the Problem Number One though; with Harding’s poor advice, many people subsequently (and allegedly) fell for phishing attacks through either phone calls or emails, and lost hundreds of thousands of pounds. TalkTalk’s response? Credit monitoring.

And then we move to Problem Number Two; Why weren’t the bank details stored safely? Why were they not encrypted? Armed with the knowledge of customers bank account details scammers can make a much more convincing case that they are actually from TalkTalk, especially if other account information was also lost (time will tell). TalkTalk’s response?

TimesTalkTalk

Dido Harding talking to The Times, 24th October 2015

So TalkTalk was technically compliant? Shouldn’t this kind of thinking be consigned to the same mouldering scrapheap where “we’ve always done it this way” and “we’re here to secure the business, not help it” lay? I sincerely hope that this episode will at the very least highlight that “compliance” and “security” are two very different things and that the former most certainly doesn’t automatically result in the latter. What has transpired is the perfect storm of a breach, unforgivably poor advice, and complacency based upon compliance and resulted in the pain of a lot of people involving large amounts of money.

If an example like this does not spur you into doing more as regards your own security awareness activities, then please go back to the beginning and start again. Why? I have been accused of “victim blaming” somewhat (see the above Tweets), but if individuals had an ounce of sense or training they wouldn’t have fallen for the subsequent scams and been more careful when responding to email supposedly from TalkTalk. I will leave the last word to Quentin Taylor, and as you carry on with your internet residencies, don’t forget you need to wear protective clothing at all times.

Quentyn W 2