RSA and BSidesSF 2012: A bad talk ain't the end of the world

With RSA and BSidesSF in just a few weeks, I find myself putting more thought into good talks vs. bad talks than usual. It's probably because I'm moderating a panel at RSA this year. I've heard it said that it's hard to screw up a panel, but I don't want to be the guy who pulls it off.

For those who have never done a talk or panel at RSA, I am learning that it's a far more rigorous process than other events I've presented at. They go over your PowerPoint presentation very carefully and suggest tweaks along the way (I did find the feedback helpful). They also have a lot of call-in workshops on ways to give a great presentation. I haven't called in yet, but I will.

All this thinking brings me back to a lesson I learned a couple years ago: You CAN give a lousy talk and live to fight another day.

Some background: I've been giving the occasional security presentation for about five years. I always approach them as a journalist -- framing an issue based on what has come out of my reporting. I tell the audience that I'm not presenting my opinions, but those of security practitioners who I learn from along the way.

Most of the time it goes well. I'm not the most dynamic speaker in the world and my slides aren't nearly as good as some of those I've seen others present. But I lost the fear of speaking in front of people a long time ago, and my confidence -- or appearance of confidence, at least -- pulls me through.

I used to think journalists should stay away from public speaking. People would rather hear from famous keynoters like Bill Clinton or Bill Gates, or folks who do the same job they wrestle with every day. Journalists? We're just observers. How boring is that?

My mind has changed, obviously. Now I see speaking as an extension of being a good journalist. I should be able to talk to people about what I've learned as well as write about it. So I've sought out opportunities to do so. I've given talks at MIT, the Boston NAISG chapter (I was on the board of directors for five years) and various other small events around the country.

My audiences have been good to me. I try to make each talk interactive, because a lively discussion is always better than a lecture, in my opinion.

But in 2010, I gave a talk that bombed.

I didn't stammer or shake. I didn't bring the wrong slides. But this crowd didn't want to hear from a journalist. In fact, the second I got to the slide that said who I am and what I do, people got downright hostile.

The talk was in New York in a building next to Ground Zero, and the topic was DDoS attacks. I was asked to give the talk at the last minute, and I tossed the slides together a couple days before the event.

I did what I usually do, presenting slides like stories, with quotes, a nut graph, etc. I tossed in a few images I thought were humorous.

When I got to those slides, my audience sat collectively stone faced. That's never good.

I moved to the discussion part probably too quickly, and I asked if anyone wanted to share a story about suffering a DDoS attack. Not the best ice breaker, it turns out.

That's when the hostility really boiled to the surface.

"What could we possibly gain by talking about DDoS attacks against our companies?" one fellow asked.

I stressed that nothing discussed in that room would be written about. What was said in the room would stay in the room.

"Why would we tell this stuff to a journalist?" someone else asked.

To that, another guy said, "The second you said you were a journalist I lost all interest in this presentation."

Game over, I thought.

I thanked everyone for their time and wrapped it up. The event organizer came up to me and half-apologized. Then I got in the elevator and took off.

I've given four talks since then, and they went well. The audiences seemed to appreciate it.

But once in a while, someone who was at the DDoS talk comments on one of my articles or blog posts, and it's always a game of bomb throwing.

Each time, the commenter hides behind the anonymous shield. Last time was during RSA and B-Sides San Francisco 2011. I wrote a blog post announcing that I would be on a panel later that day to talk about FUD in security. To that the anonymous reader wrote: "I've heard your talk about DDOS, Bill. You spread more FUD than any journalist I know. You should try and be more like Brian Krebs."

I didn't totally disagree. I'm a big fan of Brian Krebs and agree security journalists should follow his example.

Otherwise, I dismissed the rebuke. My name is on everything I do and say, and if the critic doesn't have the courage to show him or herself, I have trouble taking them seriously.

I responded to the comment, thanking the reader for the feedback and inviting them to e-mail me and give examples of where the DDoS talk went wrong. I value that kind of feedback because I can always do better, and the offer still stands.

My e-mail is Use it, and be as harsh as you want to be.

I never heard back from my anonymous friend. I don't regret giving the DDoS talk. I learned some valuable lessons that day. The biggest lesson was that there's no excuse for diving into a talk without doing your homework on the event and the audience first.

The responsibility is all mine.

I bring all this up because every speaker bombs at least twice. But the good ones don't cower and run from future speaking opportunities.

That's one of the many things I've learned from covering the security crowd. When you fall down -- be it a data breach or a botched presentation -- you get up, brush off your pants and move on.

If my upcoming panel goes over like a balloon with an anvil stuffed inside, life will go on. No one will think any less of me.

Of course, I don't intend to bomb this one. I think it's going to go very well. I have an excellent panel to discuss the pros and cons of "Big Data": 

-- Rich Mogull, Securosis

-- Adam J. O’Donnell, Sourcefire

-- John Adams, Twitter

-- Andrew Jaquith, Perimeter, E-Security

With a group like that, how can I fail?

Copyright © 2012 IDG Communications, Inc.
