As the (security) conference season draws nearer, my thoughts return to the many presentations I've suffered and inflicted over the past three decades. (Don't get me wrong: there have also been many I've enjoyed.)

Fortunately for the world, my presentation on testing at Virus Bulletin in 2017 may well have been my last public appearance in the security context, as travelling isn't particularly easy at my age. Unfortunately, that means I'll miss some important presentations (especially those that are stand-alone presentations rather than being based on a paper). Rather more fortunately, that also means that I now see fewer speakers and presentations like this one: a classic parody of the triumph of style over substance.

In fact, there's quite a lot of information in that clip about how to emulate a certain style of presentation, and you may find that there are echoes of that information in this series of articles. After all, the TED talks may be irresistible parody fodder, but they're so successful because they do tend to prioritize good presentation skills, and they are intended to include good content. Which means that even a so-so presentation may generate useful thoughts on how to do better.

In security as in other fields, a potentially useful conference generally stands or falls by the quality of its papers and presentations, so of course it’s important to maintain quality, and therefore the interest of delegates. Happily, while it's not always easy for a good paper to survive a bad presentation, it happens. Conversely, a slick presentation that's weak on useful content may linger in the memory, but its attraction is ephemeral, and more a matter of entertainment than of improving our knowledge of the subject.

There is, of course, no reason why a presentation can't be entertaining as well as rich in content: from where I stand (or sit, preferably) the best presentations are indeed both. But entertainment value is not the only measure of effectiveness. In the end, it's about conveying a message.

I make no claim to be an accomplished or charismatic speaker myself. Indeed, I've tended to be happiest with the arrangement where I wrote most or all of the paper and someone else did most or all of the presenting. However, I've seen and made enough presentations to make a few suggestions as to how someone who dehydrates at the very thought of public speaking, and therefore usually manages to avoid this particular form of torture, can try to raise the bar for their first conference presentation. This is the first step towards building up your own confidence through experience.

Many conference speakers are industry professionals who are often expected to present publicly as part of their job descriptions, so they set a very high standard. Indeed, some conferences become so focused on slick, charismatic presentation that it becomes more important than good, innovative content. If you're to shine at that sort of event, you probably need to look at specialist help, such as the Toastmasters International Education Program. (To demonstrate that I'm not merely being modest about my own lack of charisma, this has been recommended to me several times by people who wanted to make a professional – or at least better – speaker out of me. However, making security presentations as one of my primary activities is not the way I ever wanted to go, and certainly is not going to happen at my age.)

It would be cynical, perhaps, to suggest that you aim to stand out from the crowd simply by learning magic tricks or the ukulele. (Actually, I can play ukulele – a side-effect of being a reasonably competent guitarist – but it's unlikely that I'll take advantage of that particular skill in the security market…) But I have seen these or similar techniques used very effectively to capture an audience's attention, not just for effect but in order to maximize the impact of an underlying message.

However, not all security conferences are simply a series of sales presentations, even if they do provide an excuse for some great off-piste entertainment and social networking. Part of the value (to me, at any rate) of a conference like Virus Bulletin that offers a significant amount of technical content is that much of the industry content comes from the “backroom boffins” who research the threats and develop the products, and their insights are enormously valuable, even though they’re not necessarily A-list presenters. Other speakers from the fringes of the industry, the independents and corporate researchers, also have insights and ideas of relevance to the industry and to customers alike that may be less technically oriented. And personally, I've generally tended towards the educational end of the spectrum rather than the ubergeek, and it seems there's room for that too. (There's certainly a need for it.)

Mind you, that doesn't mean I don't appreciate the entertainment and social networking (and the alcohol, and the additions to my collection of tee-shirts...)

You Can Talk…


How can we maintain the advantages of rich content while keeping presentation standards high? In principle, there are presentation skills that anyone can learn. There are some people (how I envy them!) who can use a paper simply as a jumping off point for an extemporized presentation – or one that is so well prepared that it sounds extemporized – but anyone can substitute good preparation for natural improvisational skills. Nearly every article I've ever read offering advice on presentation delivery underlines the need to appear spontaneous. I guess that means that if you can't extemporize, memorize; if you need more cues than the slides give you, use cue cards rather than printed notes; and so on. Appearing spontaneous yet polished is highly desirable, but if spontaneous is a step too far, you can still try for polished.

Confession time. I've learned not to trust my memory, and have chosen to prioritize accurate time-keeping (and avoiding – as much as possible – the stammer that's affected me since childhood) over spontaneity. That won't work for everyone – either in my audiences or among those making their own presentations – but it's more effective than standing there panicking. And maybe that's enough for you, especially if you have no intention of becoming a fixture on the conference circuit. Nevertheless, there are plenty of ways in which you can make that approach less stilted.

  • Don't simply read extracts from a paper: a good presentation grows out of a paper, rather than just summarizing its content or even trying to squeeze the entire 16-page paper into 30 minutes or less. (If your 'paper' is actually your presentation notes, I think it's OK not to vary significantly in the content, though some will disagree where the notes are actually published.) However, it's actually quite permissible for a presentation to be significantly different from the paper it's based on, as long as an acceptable proportion of the audience is inspired to read the paper.
  • Building on that, try to develop a good understanding of the differences between the content your audience can take away from a presentation (especially when it’s one of many delivered over several days), and a paper which the reader can probably read faster than you can deliver it orally. If you understand that, you can take steps to ensure that they have the salient points, rather than drowning them in detail.
  • The worst presentations I've ever seen – and I've sat through even more bad presentations than I've delivered – were those where a presenter simply read out the sentences on his slides. More often than not, these were also some of the worst slides: visually uninspiring, too many, too cluttered. I'll get back to presentation design later in this series.