Skip to content

Fixing the Culture of InfoSec Presentations

magic-show-2

@thegrugq wrote a brilliant piece a while back on the state of infosec conference talks.

He wrote:

Source: Episode 17 – Hacker OPSEC

Spot on.

And it reminds me of some struggles I’ve been having regarding presentation formats. Here are some of those ideas:

  • I agree with @thegrucq that there’s too much of an entertainment aspect to most security talks today. We seem to be copying a copy of a copy, having forgotten what the original looks like.
  • I have been experimenting with more essay-like talks, going so far as to think of presentation as performed, visual essays.
  • Dan Geer delivers essays for his talks (or at least the ones I’ve seen), and I much prefer it. I think he just outright reads essays that he’s written, which is considered heresy in the mainstream infosec world, but I think it’s far superior.
  • I’ve been employing short, well-written statements in my slide notes, and reading them like an essay performance. Not really sure how we’ll they’ve gone, but I feel far better about my talks when I do this. It’s more like I had an idea and I presented it, rather than crafting a series of memes with an infosec theme.
  • I’m starting to believe that most talks (of most any kind really) should be about 20 minutes. This isn’t just where attention begins to flag, but perhaps it’s where the content stops and the fluff begins? Or maybe that’s just an out-of-control obsession with brevity.
  • My favorite talk type is one that challenges assumptions and results in a shift in understanding. Notice that these aren’t usually technical, which I’m becoming more comfortable with.
  • I’m increasingly feeling like (for me at least) technical talks should be cool filler talks for the real ones, which are based on new ideas. So ideally I’d have like one or two big idea talks every couple of years (which may have a tool associated or not), and then 2-4 short technical talks in-between.

Stepping back

So, here’s a question:

What are we actually trying to do with an InfoSec presentation?

I explored this a bit a while back with my hierarchy essay. Without rehashing that one, let me make a fresh attempt:

  1. You’re introducing a new way to attack
  2. You’re introducing a new way to defend
  3. You created a tool that does one of those two
  4. You describe a technique that works for you, new or otherwise
  5. You have an interesting perspective or story that you want to share that you think will improve the practice of InfoSec

Do these really need to be 40-50 minutes like they are at most cons now?

How often do you feel, or have you felt, that you aren't elite enough to be in the information security field?

I think we should use @thegrugq’s points to promote a new conference paradigm:

  • Twice as many speakers per conference
  • Reduce the pressure to entertain. Maybe that’s why there’s so much imposter syndrome?
  • Standardize on 20 minute talks. Longer slots available where appropriate, of course, but let’s lock in on 20 minutes
  • Make it clear that you can have talks that: tell a story, give a perspective, present a new attack/defense idea, OR describe/release a new/existing tool or technique. Make these categories clear, so people realize that they too can get up there and present
  • Let people read if they want to. Ideally there would be some visuals to accompany them, but if you present ideas best by reading crafted language, then let’s open ourselves to that

More presenters. A lower psychological bar for entry. Less pressure to be an outgoing comedian, rather than just presenting something interesting.

We have a force field up that only allows like .1% of our community to get on the stage, and that’s hurting all of us. It’s hurting the people who are too afraid to present. It’s hurting the conference attendees. And it’s hurting the conferences themselves because they’re only seeing a fraction of the great content that’s out there.

Think about how many great ideas, concepts, perspectives, and techniques that people in the audience have that we’ve never heard because they are too frightened to get on the stage.

I’m no good at cat memes. All I know how to do is parse Nmap results in this really interesting way.

Well, I’d love to hear a 20 minute talk about that! Don’t stress the memes, and don’t worry about creating 40 minutes of content. Man that’s a lot. Just tell us your idea and I’ll be happy!

Anyway, really love @thegrucq’s post, and I hope we can make something happen here. Our community needs this type of shift towards more presenters doing more than just one type of talk.

Notes

  1. Before you ask, we’re lowering the bar on requiring charismatic, energetic, funny, presenters and their comedy gold slide decks–NOT on the quality of the content. These two things are not the same.