The Art of the Presentation (Part 2 of 3)

You’ve created your presentation, now you need to practise. Or as the great Yogi Berra put it:

In theory there is no difference between theory and practise. In practise, there is.

Almost certainly in the early days of your presenting you will need to practise a considerable amount. There are two main reasons for this; firstly you will be presenting your own unique content for the first time in an open forum like a conference, which means you will need to be absolutely sure of what it is you are going to say to ensure you don’t come across as someone who is less knowledgeable than you are. Secondly, you will almost always be nervous. How quickly you overcome your nerves will vary greatly from person to person and a variety of other factors. For me it took just over two years before my nerves stopped kicking in to the point where they were visible.

The key to coming across confidently is to know what you are going to say right from your first sentence, all the way through to your last sentence. You also need to ensure that you don’t learn every single word of the talk parrot fashion. Unless you have a gift for remembering dialogue (in which case you will sound like you are simply reading your verbiage), you will have to employ a few tricks to get around this…

The Opening

Firstly, practise your very first sentence, and make it snappy and to the point, and impactful at the same time if you can. Don’t drone on about how happy you are to be here, what your name is,  thank you all for coming, I hope you like my talk, how you can’t believe you are stood in front of such a talented crowd at this amazing conference etc.. I recall practising in front of a good friend, and before I had got halfway through my introductory sentence he bellowed:



His point was that people weren’t there to hear your platitudes, they are here to get their money’s worth and listen to what you have got to say, so just get on with it. Additionally, if people want to know more about you personally they will either read your bio in the conference agenda, or look you up after the talk. Do not spend five minutes establishing your credentials as not only can it come across as egotistical (except in very rare circumstances) but erodes your impact as a confident and knowledgeable speaker.

Slide on the slides

The second trick is to use your slides as a prompt for a train of thought rather than using them as an aid to specific sentences you want to remember. In the first blog on this topic I mentioned using imagery as much as possible; avoiding the use of bullet points or long sentences as much as possible means you won’t be tempted to rely on the text for what you are going to say. Try to sound conversational, and while practising do consider filming yourself or at the very least an audio recording. Running through it a few times will help embed a few key phrases in your head you can move between, and also give your imagination a chance expand further on your thoughts. Having a few Tweetable length phrases ready to roll off your tongue is a useful way of making an impact with few words, as well as encouraging people to potentially tweet your quotes during the talk (an increase your audience). Don’t forget your “story” or the beginning, middle, end structure either.


This point is also an opportunity to practise varying the tone and pitch of your voice, the use of your hands and even how you want to move around. Practise slowing down your talking , and possible even lowering your volume (more easily achieved if you are going to be using a microphone), when you want to emphasis something of critical importance. You can also speed up and become more animated on sections that you find exciting, fun or revealing. A little bit of humour thrown in as well helps, but be careful here, especially with an international audience. Test it on colleagues and peers first.

The Close

So you have made it through the deck and you are on your last slide; before you know it you have finished your presentation. how do you finish? “And, um, that’s it really…” is not the way to go. See the first point and memorise a closing statement, something straightforward, and again, snappy. “With that, I will close and thank you all for your time and attention. I will now take questions” is a good place to start. Don’t be afraid to make changes to the deck and the story as you go through either; they will evolve as you become more proficient, and the deck should not limit your message; the message dictates the deck.

How often should you run through your deck? In my early days I would practise at least five times, recording it a few times, and often in front of a critical friend or two. This is a very real time commitment, so be aware and plan it into the creation of your presentation to meet your deadline. As you get more comfortable, you will be rehearsing the presentation as you create the deck, and after a few reviews will know what you are going to say (roughly) with each slide and each transition.


Above all, be patient with the process; like anything it takes thousands of hours to be proficient at something depending upon your natural ability, the circumstances and the topic in hand. If you are not having fun, ascertain what part of the process are you not enjoying? Very often, I talk to people who hate the entire process, including the presenting, until immediately after when they get such a rush they want to do it again. if that is the case, the painful parts do get easier. Also, make sure you find someone who will honestly critique your presentation either in person or after watching a recording. Take their viewpoint very seriously, and if they are a serious speaker then all the better.

So, if you are wondering how you can get to Carnegie Hall, as the violinist turned comedian Jack Benny once answered:

Practise Practise Practise!

Next time, The Art of the Presentation (part 3 of 3) – The Delivery.


Note: Look out for a new YouTube series from me coming soon, The Lost CISO!

The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with it’s simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out, not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end help draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.


John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this, but can also vary it in length, sometimes upon to 100%. The other rule of thumb is to dive the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less that 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.

Direct Hit, Near Miss or Remote Miss? Why you are more confident than you should be.

_39166788_blitz416_gettyIn the years running up to the beginning of the second world war the British government was extremely concerned that in the event of hostilities breaking out, the german Luftwaffe would launch significant attacks against Britain and especially London. With an estimated 250,000 casualties in the first week alone, the consensus was that millions of Londoners would flee, leaving the industrial war engine to grind to a halt. Several psychiatric hospitals were even set up on the outskirts of London to handle the huge numbers of casualties psychologically affected by the bombing.

History tells us this was not the case, despite horrific numbers of casualties and extensive damage to homes, property and businesses throughout London.

A Canadian psychiatrist, J. T. MacCurdy, in his book The Structure of Morale postulated this was because the effect of a bomb falling on a population splits them into three groups:

1. The people killed by the bomb. As MacCurdy puts it

the morale of the community depends on the reaction of the survivors, so from that point of view, the killed do not matter. Put this way the fact is obvious, corpses do not run about spreading panic.

Harsh, but true in this model.

2. The Near Misses, the ones that

feel the blast, … see the destruction… but they survive, deeply impressed. It may result in ‘shock’…and a preoccupation with he horrors that have been witnessed.

3. The Remote Misses. These are the people who hear the sirens, the bombs explode, watch the aircraft overhead, but the bombs explode down the street. For them the experience of the bombing is that they survived easily, unlike the Near Miss group. The emotion as a result of the attack…

is a feeling of excitement with a flavor of invulnerability.

Near miss = trauma, remote miss = invulnerability.

Diaries and recollections of the period certainly support these theories. For instance, when a laborer was asked if he wanted to be evacuated to the countryside (after being bombed out of his house twice) he replied;

What, and miss all this? Not for all the tea in China!

The reason for this attitude, the sense of invulnerability, is that they have been through the very worst of time… and survived. They had faced their fears, and realized they were not as bad as they thought they were going to be, and in fact the result of surviving had given them a sense of elation that made them feel even more alive than before.

This is a very long way of saying that we may very easily view security incidents and breaches like this. Sony (perhaps) are the ones right at the centre of the blast. they are affected directly, and don’t even run around spreading panic because they are too busy dealing with the incident itself.

The near misses, Sony’s vendors, suppliers and partners are probably reeling from the near miss and are probably doing all they can to ensure it doesn’t happen to them. in short why are traumatized.

Finally, there is the rest of us. Yeah baby! Another breach, and it wasn’t us! We are invincible! We don’t need to do anything different at all, because we are survivors!

I think I see an issue here. Every time we are not breached, we become more confidant that we will not be breached, and become over confident and convinced we are having the time of our lives doing great stuff in the infosec world and not being breached. let’s hope that bomb doesn’t drop too close to home to burst that bubble, otherwise Careers is So over ceases to be a funny industry joke and very much a reality. Take the precautions now, take the threat seriously, and do what you can now, before it is too late.

I would strongly recommend reading the Book David & Goliath by Malcolm Gladwell if you would like to read more about this concept as well as others along the same lines.

A personal note…

PubGr_logoI am now under new employment as a result of an acquisition of my previous employer, and I have been fortunate enough to be elevated to Group CISO of the acquiring company. Unsurprisingly this has resulted in a massive new workload, travel schedule and responsibilities, and hence my distinct lack of posts this last few months. Despite this I have still been nominated for European Personal Security Blog 2015 in this years Blogger Awards; thank you!

Additionally, I am so proud to say that not only is my new employer keen to promote this blog internally in the new company, but also thrilled to say we have become the newest sponsor of the European Security Blogger Network.

Finally, I have been on the road a huge amount the last few weeks, including at RSA USA where I was very happy with my presentation at the RSA Studio; I spoke about how we have changed our approach to security awareness, and the use of the Restricted Intelligence product to catalyse it.

There were also talks at Munich Identity Management Conference, although the talks are not public yet.

Next week, Bsides London, InfoSec Europe, European Blogger Awards and RSA Unplugged. I am mentoring a rookie at Bsides, Speaking at infoSec, as well as at the Tripwire booth, sponsoring (and nominated!) at the Blogger Awards, and just watching at RSA Unplugged.

It’s has been a busy few months!

Getting Ahead in Information Security

getting ahead

(Originally Posted on the VIA Resources Blog here.)

Advancing your career in information security, let alone getting a job in it in the first place is challenging and sometimes overwhelming at best. It can often feel like an exclusive club that is hard to break into, and the “elder statesmen” of the community distant and aloof. With these kind of barriers where do you even start to try and network and make contact with people who could not only progress your career but also start it?
The real answer at first appears flippant; if you want to be a part of a community you need to engage with it and join in. Obviously, that is harder than it seems, so here are three ways you can help yourself to getting ahead in Information Security:

1. Start attending the many free events that are held every week.
There are plenty of these around, you just have to look for them, such as (ISC)2 and ISACA events, plenty of sponsor driven events and community driven events. Europe’s largest information security event, Infosecurity Europe is a free three day event which not only gives you access to all of the vendors out there, but also an excellent education programme. Traditionally on the same week there is also BSides London, a free one days event, although this one is ticketed. Not in London? Then consider BSides ManchesterSteelCon and SecuriTay. Seek them out and you will find them. Not in the UK, then Google is your friend.

2. Attend some of the bigger, paid for conferences.
Obviously this is not always easy, especially given the price of the tickets and the whole reason you are reading this is that you need a job! All of these conferences require a huge amount of effort and willpower to get them to run smoothly on the day, and many of them require… volunteers. 44CON has one of the best volunteer crew programmes I have come across, with plenty of perks available. By volunteering for these events you are not only showing yourself to be a stand-up member of the community, willing to help out and contribute, but you will also get unprecedented access to the attendees, speakers and organisers. They are yours for the networking!

3. Contribute to the community.
This could be anything from volunteering (above), blogging, tweeting, offering to speak, writing articles for the various community news outlets, in fact anything that gets your name out there. Submit in the variety of Call for Papers (CfP) and you normally get a free ticket, and sometimes travel expenses paid too. Depending upon your grammatical and public speaking skills, this could be very tough but who said progressing your career was easy? Being able to articulate your personal opinions on the often very contentious issues in the industry is an excellent way of improving your ability to assimilate, process and form your own opinions and views for the benefit of the community. What better way of getting known in the industry?

All of the above require time dedication and effort, but since this is your career we are talking about, are these too much to ask?

Flushing Risk at 44CON

logo-1I have just returned from two long days and two long nights of 44CON, the premier conference in London for technical InfoSec professionals (and even a few of us management types). It saw the debut of by “Flushing Away Preconceptions of Risk” presentation, an expansion of the my recent post for the Analogies Project.

The core messages of the presentation are not necessarily pleasant ones; the correct use of risk in any organisation is one of the most powerful tools in an information security programme, and yet it seems to me that very few of us understand it fully. Many of us struggle with not only identifying what the real risks are in the first place, but also how to measure them and even how to properly treat them.

Doing my bit to advertise 44CON

Doing my bit to advertise 44CON

Identifying risks at first seems like an easy think – identify assets, and then identify what could go wrong. I won’t elaborate the analogy much here (read it at the Analogies Project), but given how we regularly fail to identify risky behaviours correctly in our daily lives it should be no surprise we fail to do so professionally. The same bias applies to when we subsequently try and measure the risks; every mechanism we use introduces potential errors and even vagueness. I was quite proud to introduce the Langford/Malik Risk Model (ver 1.0), an approach that I evolved from one that Javvad Malik introduced in his book. Again, it uses an analogy although this time of a pub fight to not only describe levels of risk but also risk appetite. I do hope that not too many of you will find it useful next Friday and Saturday night.


The Langford/Malik Risk Model ver 1.0

Finally the effective treatment of risk was covered, and how we so often simply do what has been done before, not what is going to be effective now. Just because a risk hasn’t been realised doesn’t mean you have treated it effectively, it just means that an incident hasn’t happened (that you know of).

The slides are below, but since my presentation style has evolved more into storytelling rather than bullet point reading, by themselves they may say little to you, but the session was recorded and when it is released I will make it available here. Like any presentation it barely touches the surface of risk management and its issues, but it was intended to be thought provoking and prompt people to not assume that just because they have always done things in a certain way that it is the best or even correct way.

This slideshow requires JavaScript.

As for 44CON itself, well, any conference that has a “gin o’clock” on each day has to be pretty good in my books! It was a very well organised conference, with an excellent and highly motivated Crew to help support it. SpeakerOps were particularly good providing a personal touch I have not seen at any other conference. The quality of the talks and the speakers was also excellent, but as I alluded to in my introduction, many of them were technically beyond me!

The highlight for me however was a workshop I attended demonstrating the beta version of the Cyber CPR product. This is a virtual machine (that can also be deployed on ultra portable hardware if need be) that builds and entire incident management environment allowing for the discovery, gathering and analysis of evidence during an incident. It build a virtual “war room” environment, where multiple incidents can be tracked at once, in a secure and separate environment from the one that has actually just been breached. With tools built into the backend and access via a browser it even does away to have many of the tools on your own environment, making it great for remote and ad hoc use alike.

The product is in Beta at the moment, and does lack a few features, (they described it as not ready for active duty), but what i saw  was very polished and useful even in it’s beta configuration. Commercially it will be available for free with up to three users, and only $5k GBP for up to twenty (please don’t quote me on these figures though). I would strongly recommend you take a look at this excellent environment that for very little outlay will significantly improve many current incident response teams, and their over use of Excel. The team expects it to be commercially ready by Spring next year.


Obligatory selfie with Jonathon Schiefer

The final highlight was to be able to meet Jonathon Schiefer  the director of the film Algorithm  which had its European debut at 44CON on Wednesday night. It was fascinating to hear about the backstory of the film, his challenges and even how he made the film financially and technically. He was an absolute pleasure to chat with, and I thoroughly regretted my decision to have a curry instead of watching the film. At a stretch you could say we are kindred spirits when it comes to our film making, but he is without a doubt in an entirely different league to me!

44CON will be back next year, but we were also enticed with the news of another 44CON spring conference being planned as well. I would strongly recommend anyone who can get to London to attend both of these conferences. Congratulations to Adrian and Steve and the many people in the crew for putting on a fabulous conference.