How do you plan for a 15 minute discussion about social media security?

The process and notes I used to contribute to a 15-minute panel conversation on social media security at DellWorld in December

“We have a 30 minute panel discussion on securing social media. Are you interested?”

The gears in my brain started turning as I asked about the audience.

“Mixed audience. Oh, and it’ll be broadcast live to people watching around the world.”

I accepted the opportunity, and the challenge.

That meant I needed to plan a panel discussion -- with a co-presenter I’d never met -- to help a mixed (read: not necessarily technical or versed in security), global audience consider social media security.

How would you handle a request to talk about social media security - perhaps in your company - if you had about a month to prepare and 15 minutes to speak as part of a panel?

I invested roughly 8 hours into preparation and delivery for my contribution to the panel. What follows is an overview of my process, my preparation notes and a link to the result. It includes the two last-minute adjustments we made 30 minutes before the discussion.

In another post, I’ll reflect on what I learned as a result of delivering the work live, and an updated framework (or the start of one) to not only discuss the security of social media, but to advance it in any organization.

Step 1: Ask the most important question

Initially, I thought we had up to 30 minutes. Turns out we had a 15-minute broadcast slot.

With an understanding of the time constraint, audience, and topic, the first -- and most important -- question to ask (outlined here): what happens as a result?

We pondered that question during our initial planning session. We agreed that with a mixed audience and limited time, we wanted to be entertaining, but actionable. 15 minutes is not enough time to focus on any specific action. 

Besides, few people actually look forward to discussions about security. Instead, we decided to focus on process and considerations for better, more informed discussions about how to engage in social media.

We kicked around a few ideas and agreed to trade email concepts before the next prep call. After the call, with ideas flooding my mind, I wrote down some ideas and worked through key points, stories, and considerations for how to design the approach of a two-person panel.

We also discussed the potential to craft a small handout or other resource to make available. In the end, we opted against it. Looking back, if we had time to rehearse and really distill our discussion, a handout is a big benefit. For the way we put it together, it worked out not having one.

Step 2: Sampling the security community

A lot of people in our community have experience - and opinions - on social media security. I decided it was fitting to take to social media (Facebook, Twitter, Google+, and LinkedIn) to get insights from others on security concerns. In addition to getting some ideas, it provides an opportunity to showcase others through attribution.

The responses led to some brief discussions, mostly centered on the need for education. The other notable theme was the desire to inflict (my words) controls on people to make sure they can’t do anything.

While the effort didn’t yield any golden nuggets of truth, or anything directly suitable for the panel discussion, it was interesting to learn that we, collectively, don’t seem to have a good handle on engaging in these discussions.

Step 3: Draft notes (attached), check flow, consider outcome

A week before the panel, Ramses (my co-panelist) and I got together with our coordinator to work through the details and plan our talk. It was an opportunity to clarify our approach, key points, and how we’d work together.

Most important was the affirmation to focus on the positive aspects of social media and share strategies that would enable and allow use instead of listing dangers and coming across as negative.

After that call, I sat and drafted out one page of notes to guide the elements I wanted to contribute. A scanned copy is attached [here].

Here’s what I wrote down:

1. Be clear

  • with terms
  • with acceptable behavior -- specifically use stories that model good behaviors instead of focusing on what people cannot do
  • focus on the outcomes - why do people use social media, what are the benefits, and how do we protect those uses and benefits?

2. Protect the accounts

  • passwords (and the need to build, manage, and use better passwords)
  • consider using two-factor authentication if/when available
  • the need for regular audit and review

3. Bave a plan for incident response

Some additional notes:

Social media is a way to overshare

  • stop telling people what they cannot do and start showing them what they can do
  • connect actions to impact; then explain why it matters
  • clarify the purpose (the opportunity) of social media -- and define the bounds

With preparation calls, notes, discussions, and conversations, I felt comfortable that Ramses and I would provide value to anyone who sat in our audience or listened.

Step 4 (optional): Consider the surroundings to make a stronger connection

The morning of our panel, I attended the keynote with Michael Dell. He shared the construct of: transform, connect, inform, and protect. When presented visually, protect was the foundation and touched each of the others.

In the middle of the keynote, it clicked. If we use social media properly, it allows us to transform, connect, and inform -- but it needs to be protected. I saw an opportunity.

We met about 45 minutes before the panel. In addition to having our picture taken at a social media booth, we walked through our outline and discussed wrapping around comments around the framework shared by Michael Dell.

Using the four-part framework from Dell  made sense for two reasons:

  1. We were at Dell World (and Ramses works for Dell); this connects our message to the prevailing theme
  2. Broader than Dell World, Dell spent time and effort to develop a framework to resonate with people; we’d be foolish not to leverage that for our advantage. Same holds for your efforts - it’s a powerful construct of three main drivers of business, all protected.

We were ready. And that’s when the “pink wig challenge” was offered. I’ll explain that story in the follow-up post.

Step 5: Stand and deliver

Literally, for us. Ramses and I decided that if we stood, we’d think and interact better. The camera crew agreed it would work… if we agreed to stand still. I managed to do it without someone nailing my feet to the floor.

It was a true honor to present along Ramses. I look forward to the opportunity to work and learn from him again.

Here’s how it went (embedded below, but here's the link:



Learning from the experience, next steps

We took advantage of the panel (versus keynote) format to play off the energy of the crowd, our costumes, and just engage in a focused and thought-out discussion. That lead to some new insights we hadn’t previously outlined.

As a result, I have some new ideas about how to better structure this approach -- and the importance of these conversations -- in our businesses.

Based on this, how would you handle the opportunity to give a talk within your organization about social media and security?

Let me know how these notes and experience help plan for your discussion. And let me know if you think we could add more, or pick a different focus.

This is our opportunity to engage in the conversations that count with the people who matter. When we get it right, we get more than secure use of social media.

New! Download the State of Cybercrime 2017 report