To those who have given security talks and bombed

Anyone who gives security presentations will relate to the time I gave a talk that went badly.

Some background: I've been giving the occasional security presentation for about five years. I always approach them as a journalist -- framing an issue based on what has come out of my reporting. I tell the audience that I'm not presenting my opinions, but those of security practitioners who I learn from along the way.

Most of the time it goes well. I'm not the most dynamic speaker in the world and my slides aren't nearly as good as some of those I've seen others present. But I lost the fear of speaking in front of people a long time ago, and my confidence -- or appearance of confidence, at least -- pulls me through.

I used to think journalists should stay away from public speaking. People would rather hear from famous keynoters like Bill Clinton or Bill Gates, or folks who do the same job they wrestle with every day. Journalists? We're just observers. How boring is that?

My mind has changed, obviously. Now I see speaking as an extension of being a good journalist. I should be able to talk to people about what I've learned as well as write about it.

So I've sought out opportunities to do so. I've given talks at MIT, the Boston NAISG chapter (of which I'm on the board of directors) and various other small events around the country.

My audiences have been good to me. I try to make each talk interactive, because a lively discussion is always better than a lecture, in my opinion.

But last year, I gave a talk that bombed.

I didn't stammer or shake. I didn't bring the wrong slides. But this crowd didn't want to hear from a journalist. In fact, the second I got to the slide that said who I am and what I do, people got downright hostile.

The talk was in New York in a building next to Ground Zero, and the topic was DDoS attacks. I was asked to give the talk at the last minute, and I tossed the slides together a couple days before the event.

I did what I usually do, presenting slides like stories, with quotes, a nut graph, etc. I tossed in a few images I thought were humorous.

When I got to those slides, my audience sat collectively stone-faced. That's never good.

I moved to the discussion part probably too quickly, and I asked if anyone wanted to share a story about suffering a DDoS attack. Not the best ice breaker, it turns out.

That's when the hostility really boiled to the surface.

"What could we possibly gain by talking about DDoS attacks against our companies?" one fellow asked.

I stressed that nothing discussed in that room would be written about. What was said in the room would stay in the room.

"Why would we tell this stuff to a journalist?" someone else asked.

To that, another guy said, "The second you said you were a journalist I lost all interest in this presentation."

Game over, I thought.

I thanked everyone for their time and wrapped it up. The event organizer came up to me and half-apologized. Then I got in the elevator and took off.

I've given two talks since then, and both went well. The audiences seemed to appreciate it.

But once in a while, someone who was at the DDoS talk comments on one of my articles or blog posts, and it's always a game of bomb throwing.

Each time, the commenter hides behind the anonymous shield. Last time was during RSA and B-Sides San Francisco. I wrote a blog post announcing that I would be on a panel later that day to talk about FUD in security. To that the anonymous reader wrote: "I've heard your talk about DDOS, Bill. You spread more FUD than any journalist I know. You should try and be more like Brian Krebs."

I didn't totally disagree. I'm a big fan of Brian Krebs and agree security journalists should follow his example.

Otherwise, I dismissed the rebuke. My name is on everything I do and say, and if the critic doesn't have the courage to show him or herself, I have trouble taking them seriously.

I responded to the comment, thanking the reader for the feedback and inviting them to e-mail me and give examples of where the DDoS talk went wrong. I value that kind of feedback because I can always do better, and the offer still stands.

My e-mail is bbrenner@cxo.com. Use it, and be as harsh as you want to be.

I never heard back from my anonymous friend.

I don't regret giving the DDoS talk. I learned some valuable lessons that day. The biggest lesson was that there's no excuse for diving into a talk without doing your homework on the event and the audience first.

The responsibility is all mine.

I bring all this up because every speaker bombs at least twice. But the good ones don't cower and run from future speaking opportunities.

That's one of the many things I've learned from covering the security crowd. When you fall down -- be it a data breach or a botched presentation -- you get up, brush off your pants and move on.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.
