
Bohemian Rhapsody and the Art of Delivering a Good Security Talk

TV and movie awards season has recently come to a close as information security conference season has just begun. Like many people, I keep an ear out for which TV shows and movies are deemed “the best” by critics so I can plan for rainy days. For the latest batch of critically-acclaimed movies, I had only seen one of the favorites but had several others on “the list.” When the opportunity presented itself, I rented Bohemian Rhapsody. I was excited!

For one thing, I love Rami Malek, as do many infosec pros for his performance in Mr. Robot. For another, as a former professional musician I’ve always been fascinated by Freddie Mercury as a songwriter and performer. He was one of the best. I remember watching Live Aid and thinking, “No other set compares to this. Not even close.” And by all accounts, the best of the best performed at that concert: Elton John, U2, David Bowie, Tom Petty, Neil Young, Eric Clapton, Santana… I’m not alone in my opinion.

All of this is to say I had high hopes for the movie. I’d read reviews and knew of others’ skepticism, but I was still looking forward to it. And it certainly delivered in terms of entertainment value and grandiosity. But when all was said and done, though I was left singing Queen’s greatest hits all over my house for a few hours, it felt a little empty.

A bit like sitting through many security conference talks.

Choosing speakers for conferences

Before my gig at Edgewise, I programmed a well-known security conference, working with some of security’s “rock stars.” I was lucky; as the person ultimately responsible for the event, I was able to hand pick some of my favorite speakers, whom I knew would score high on both talk content and delivery. But I also had to balance the well-knowns with new speakers and presenters. So though I had the Freddie Mercurys and David Bowies lined up every year, there were also plenty of “emerging artists” on each program. And like Freddie stepping into the spotlight after a hiatus, some of the new-to-me speakers killed it on stage!

Then there were other speakers who were just OK. No conference can have all “10-out-of-10” speakers, so this was fine, but there were commonalities among these middle-of-the-road speakers. The main thing that makes an OK conference talk merely OK is a lack of focused content. As a longtime Director of Content, you’d expect me to think that, right? But I have years of conference scores to back this up, so stay with me.


All flash, no substance

The movie Bohemian Rhapsody had plenty of flash and was based on interesting subject matter. Its downfall was that it tried to condense 20 years of a person’s life plus 20 years of a band’s history into roughly 2 hours. Because so much rich content was jammed into limited time, important and interesting details were left out, critical pieces of history had to be altered to make sense in the bigger picture, and the entire thing felt a bit superficial. For me, I tried to use my imagination to fill in the details. A close friend said she liked it but that it felt shallow.

Rather than try to cover every aspect of Mercury’s life and the band’s history, the writers of the movie would have been better off focusing on a few key facets of either the man or the band. It’s a common misconception that to impart valuable information about a subject, the entire story must be told all at once. A large chunk of conference talks take this approach. It’s lovingly called “boiling the ocean.” The urge to impart all of one’s knowledge is understandable; as a speaker, you’re given 20, 30, maybe even 50 minutes to talk about a topic that could easily be a book: Effective Practices for Migrating to the Cloud. Navigating the Cybersecurity Talent Shortage. Implementing Zero Trust in Your Container Environment. These are huge topics, all of them. And it isn’t speakers’ fault that they feel they have to boil the ocean. Very few conferences would accept a talk on “How to Open Your Browser Securely.” A too-narrow focus doesn’t have enough marketing appeal for conference organizers, but there is a happy medium between a grain of sand and the entire ocean.

Home in on what’s important

All conventional wisdom about how to give a good security talk says to provide 3-5 bulleted learnings for each session. Where lots of people go wrong is thinking that only the conclusion of the talk needs to highlight those 3-5 “key points.” They’ll spend 20/30/50 minutes talking about a super-broad subject, then try to wrap up with a few discrete takeaways that were watered down in the body of the talk. The speaker shares too much information in too few minutes. There is plenty of research showing that people can only recall a finite amount of information from any one learning session. Now multiply one conference talk by 2-4 full days! But there is so much information about firewalls/encryption/data governance/being a good CISO!!! It’s true. But maybe save that for a long-form article.

Shoving everything you know about [insert topic] into one talk won’t result in people realizing how smart you are. Instead, your audience will leave feeling like they heard a lot of information, too many words, but they won’t necessarily be able to recall the most important aspects of what was presented. They can’t take any one thing back to their office, implement it, and effect a better security program. You’ll have the Bohemian Rhapsody effect: lots of flash and intrigue but no, “I really understand X. I learned something valuable.”

Bohemian Rhapsody was a fun movie, to be sure, but there was more fluff than substance. Personally, I didn’t learn anything about the band or Freddie Mercury that I hadn’t read or couldn’t read. If someone is going to choose your conference talk over another, don’t you owe it to them to deliver impactful content? Next time you’re writing the content for an upcoming presentation, lean into a finite number of takeaways and write the entire talk around them.

For example, one hugely successful talk at my past company’s conference was “Darwinism vs. Forensics.” The idea of the talk was that attackers always leave digital “breadcrumbs,” and those breadcrumbs are generally easy to find with the right tools and techniques. The speaker quickly presented 5-6 cases in which the adversary thought they were being clever and covering their tracks. He then spent the rest of the talk detailing 3 different tool/technique combinations he had used in each case to uncover court-admissible forensic evidence. With 20+ years of experience and myriad tricks up his sleeve, the speaker could have offered a lot more; solving these cases definitely required more skill and knowledge than fit in the session. Yet he chose to focus on 3 tangible actions the audience could follow, and the feedback was unanimous: “The most valuable talk at the event,” “I am going to try this at my company,” “really useful information.” Several people requested an updated version of the talk for the following year.

The takeaway is this: dive deep into a topic and don’t attempt to cover everything in one session. Doing so rarely works anyway. And remember: one presentation isn’t your only chance to impart knowledge. Reel ‘em in with focused details on a subject and they’ll leave wanting more, and feeling satisfied that the time spent at your talk was well spent.

Katherine Teitler, Director of Content


Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.