@thegrugq wrote a brilliant piece a while back on the state of infosec conference talks.
Essentially (most) security cons are comic / star trek conventions, butwith less cosplay and even fewer girls. The conference talk might bestyled (somewhat) on the academic lecture, but realistically theaudience would rather a Steve Jobs style product unveiling than a lecture. They want some background info to ground themselves and align expectations, then they want the big product reveal at about 40 minutes in; and for a real treat, a “one more thing”. (for product unveilingsee demo; and don’t forget the tool release: “available right now, you can download this today,… and hack the shit out of something”)
This is entertainment, it is not knowledge transfer.
Source: Episode 17 – Hacker OPSEC
And it reminds me of some struggles I’ve been having regarding presentation formats. Here are some of those ideas:
- I agree with @thegrucq that there’s too much of an entertainment aspect to most security talks today. We seem to be copying a copy of a copy, having forgotten what the original looks like.
- I have been experimenting with more essay-like talks, going so far as to think of presentation as performed, visual essays.
- Dan Geer delivers essays for his talks (or at least the ones I’ve seen), and I much prefer it. I think he just outright reads essays that he’s written, which is considered heresy in the mainstream infosec world, but I think it’s far superior.
- I’ve been employing short, well-written statements in my slide notes, and reading them like an essay performance. Not really sure how we’ll they’ve gone, but I feel far better about my talks when I do this. It’s more like I had an idea and I presented it, rather than crafting a series of memes with an infosec theme.
- I’m starting to believe that most talks (of most any kind really) should be about 20 minutes. This isn’t just where attention begins to flag, but perhaps it’s where the content stops and the fluff begins? Or maybe that’s just an out-of-control obsession with brevity.
- My favorite talk type is one that challenges assumptions and results in a shift in understanding. Notice that these aren’t usually technical, which I’m becoming more comfortable with.
- I’m increasingly feeling like (for me at least) technical talks should be cool filler talks for the real ones, which are based on new ideas. So ideally I’d have like one or two big idea talks every couple of years (which may have a tool associated or not), and then 2-4 short technical talks in-between.
So, here’s a question:
What are we actually trying to do with an InfoSec presentation?
I explored this a bit a while back with my hierarchy essay. Without rehashing that one, let me make a fresh attempt:
- You’re introducing a new way to attack
- You’re introducing a new way to defend
- You created a tool that does one of those two
- You describe a technique that works for you, new or otherwise
- You have an interesting perspective or story that you want to share that you think will improve the practice of InfoSec
Do these really need to be 40-50 minutes like they are at most cons now?
How often do you feel, or have you felt, that you aren't elite enough to be in the information security field?— # Daniel Miessler (@DanielMiessler) May 9, 2016
I think we should use @thegrugq’s points to promote a new conference paradigm:
- Twice as many speakers per conference
- Reduce the pressure to entertain. Maybe that’s why there’s so much imposter syndrome?
- Standardize on 20 minute talks. Longer slots available where appropriate, of course, but let’s lock in on 20 minutes
- Make it clear that you can have talks that: tell a story, give a perspective, present a new attack/defense idea, OR describe/release a new/existing tool or technique. Make these categories clear, so people realize that they too can get up there and present
- Let people read if they want to. Ideally there would be some visuals to accompany them, but if you present ideas best by reading crafted language, then let’s open ourselves to that
More presenters. A lower psychological bar for entry. Less pressure to be an outgoing comedian, rather than just presenting something interesting.
We have a force field up that only allows like .1% of our community to get on the stage, and that’s hurting all of us. It’s hurting the people who are too afraid to present. It’s hurting the conference attendees. And it’s hurting the conferences themselves because they’re only seeing a fraction of the great content that’s out there.
Think about how many great ideas, concepts, perspectives, and techniques that people in the audience have that we’ve never heard because they are too frightened to get on the stage.
I’m no good at cat memes. All I know how to do is parse Nmap results in this really interesting way.
Well, I’d love to hear a 20 minute talk about that! Don’t stress the memes, and don’t worry about creating 40 minutes of content. Man that’s a lot. Just tell us your idea and I’ll be happy!
Anyway, really love @thegrucq’s post, and I hope we can make something happen here. Our community needs this type of shift towards more presenters doing more than just one type of talk.
- Before you ask, we’re lowering the bar on requiring charismatic, energetic, funny, presenters and their comedy gold slide decks–NOT on the quality of the content. These two things are not the same.