Recently, I had the opportunity to do something I don’t do often: present to an audience that isn’t directly involved in security.
It was an enlightening experience as I noted which ideas were met with nods of agreement and which concepts were met with blank stares. The event was a cloud summit in Prague, so part of the communication issues may have been related to language, but I suspect as much of the problem had to do with the unique language used by those of us in the information security industry.
There are a number of aspects of a presentation to a non-security audience that I place foremost in my mind when creating my presentations. How much technical understanding do we have in common? What background do they have in the topics I’ll be covering? How can I phrase the messages I have to be as simple and clear as possible without taking away from the depth of the conversation? Everyone who is dealing with technology has to deal with the implications of security, even if they don’t know it.
Common Language, Common Concepts
I think one of the hardest issues is to build in the groundwork for the conversation from the very start of the presentation. When I think about the topic of “security,” there are a whole host of concepts that I automatically include in that one word. But when a person without my background thinks of the same word, it’s likely that the first thing he or she thinks of is having a long, complex password that has to be changed every 90 days. So, I like to start each conversation by defining what I mean when I say “security.” It’s a combination of availability, privacy, integrity, confidentiality and many other things, but mostly, it’s about keeping data safe and in the hands of people who should have control of it.
The second tip is making sure to take out as many of the three-letter acronyms as possible from any talking points. In information security, as in any technical space, there are a whole host of acronyms that can be overloaded or confusing. When I say “PCI,” am I talking about the payment card industry and credit card numbers, or am I talking about a bus slot on a motherboard? Is the audience going to understand what Border Gateway Protocol is and what it means if I say “BGP”? Rather than rely on the audience to understand what these terms mean, I try to either avoid them altogether or define them the first time I use them, explaining what the acronym means and what the technology does.
I know I make the same mistakes in presentations as I do when talking to someone further up in the organization. I make jokes equating 127.0.0.1 to home and then have to explain why I’m laughing, which totally ruins any comedic value. More importantly, if I’m not careful, I don’t set up the foundational concepts to support the arguments or stories I’m trying to tell and have to circle around to explain why my conclusions make sense. If I can prepare and deliver a presentation where I’ve assembled this logic in an entertaining way to get my message across to an audience of strangers, I know I can use those same skills to communicate to management.
Embrace the Difference
I like presenting to different audiences because the feedback is always distinct from what I’d get at a security conference. I know I’ve done well when someone walks up to me and says, “I’ve never thought of it that way.” I enjoy it when the audience wants to talk more about some aspect of what we do and walks away with a bit more understanding than they’d had before.
There are exceptions, but I believe most people in this field want to present at security conferences and to their peers. And why not? We need to disseminate the information among ourselves. But I also believe that there’s a lot to be gained by talking to a different audience, to people who don’t share the same interests and the same language that we do in our profession. We complain that “they” don’t understand security, but how many of us are actually trying to reach out and educate them in their language? Not as many as there probably should be.