How can we sell security? (Part 2)

At the Security Roundtable at the UKOUG Tech 2014, an important topic was how we can convince organizations to work on improving security. I originally envisioned this as a keynote-like presentation. But seeing that UKOUG Tech 2015 was still a year away and people tend to favour technical presentations, I decided to write this as a multipart series on how to get organizations interested in doing IT security properly.


Part 2: Brush up your presentation techniques and people will listen.

Boring beginnings

About ten years ago I got interested in presentation techniques. I did a one-day course once about Method-R, the performance method Cary Millsap described in his book Optimizing Oracle Performance. It was very interesting material. Unfortunately, I wasn’t that interesting. After lunch I saw people’s eyes go shut. I also got low scores and these people were right. I was boring that day on a topic that had so much potential.

Until then, a presentation was supposed to be created in presentation software, like PowerPoint. It had to start with an agenda, followed by loads of slides with 7 to 10 bullet points, and in the end you would say something like “and in summary…”. Your slides were your reading material. You would read the lines from your laptop screen, but your audience could read those on screen as well.

Then I read an article by Garr Reynolds on his Presentation Zen blog, called Gates, Jobs and the Zen aesthetic. I saw how Steve Jobs used completely empty screens, so the attention of the audience would be drawn to him. And I saw what the overly complicated presentation of Microsoft’s Live strategy by Bill Gates did to me. It was frustratingly… complicated and distracting. Only I never realized it felt that way. Or that there were other options.


My first Zen-like presentation

The first time I tried a more Zen-like presentation was at an insurance company where I worked. The problem was that developers were in the lead in this company and DBAs could sometimes argue all they wanted, but their advice was often thrown to the wind. And then there was this project for the new Internet site that I was in. The project leader wanted the DBAs to monitor performance, which – if you read Cary Millsap – was totally not going to work. I already saw myself going through Statspack reports daily, trying to find unidentified performance issues.

So I asked if I could do a 10-minute presentation with my ideas about monitoring the performance of the website and they agreed. And so I worked on my first Zen-like presentation. Less text, more images, very few bullet points. I also worked on my narrative: that DBAs really cannot monitor the performance of a website, that you need to monitor the response time of key functionality. And that the business had to tell what the desired response time of that key functionality was supposed to be.

And it worked. I was amazed how well it worked. They listened! Developers agreed that they needed to measure the response time and that the project had to speak with the business people about desired outcomes. I was surprised. I went back to my desk with a big smile that I could not wipe from my face. No pointless daily Statspack report reading.

Well, of course I used the same techniques later in security awareness presentations. Again I sometimes got surprised by the power of presentations. In a security awareness presentation for developers I helped to give the more security-conscious developers a voice. I didn’t even know there actually were security-minded developers in that team.


Why presentations are a killer skill.

Why do presentations work so well? Well, basically they give you a stage. You’re less likely to be interrupted when doing a presentation. When you ask people if you can do a presentation of about 10 minutes about a topic, they often agree. So having a stage to tell something about security is sometimes only a question away. Think about that.

Of course you need to prepare for this occasion. I think there are three types of presentations I give:

  1. Technical presentations and course material. These are presentations about technical topics, like how the log writer works, or how to use Database Vault features. You usually don’t try to convince people in these presentations and they don’t really have to be “Zen”. Although I usually start these Zen-like, to get people into the topic or to explain complex concepts.
  2. Presentations in which you try to convince people to do something or use something. I usually make these more Zen-like.
  3. High impact presentations, in which you really need everybody’s attention. These are very important, urgent presentations. Data will be stolen, things will break, jobs will be lost, if people ignore your message. These presentations are my most planned out presentations, where I follow as much as I can of the advice in the books I read on how to do better presentations.

When I see urgent security issues and management somewhere I work doesn’t feel like spending time or resources on that, I do “category 3” presentations. It’s when I take Presentation Zen by Garr Reynolds and The Presentation Secrets of Steve Jobs by Carmine Gallo out of my bookcase.


How I prepare for a high impact presentation

There are a lot of tips and working methods in these books. I have my own way of working based on them. My way of working is usually the following:

  1. Start with a short working title.
  2. Make a mind map of ideas and words related to that title. If I can, I try to divide the topics into three acts/parts of my presentation (following advice in The Presentation Secrets of Steve Jobs). Later on in my presentation I clearly mark these three acts in PowerPoint as “this is where a new chapter starts”.
  3. Write the words and phrases of the mind map on sticky notes and try to place them in a logical order.
  4. Only now I start PowerPoint to make slides. I’ll also be browsing (free) stock photo sites and Google Images for imagery that best reflects a certain word or phrase that I wrote down on my sticky notes. Don’t forget that there is often copyright on photos, especially stock photos. These are not free to use. Sometimes I make my own photographs, if I can’t find the right image. But I don’t have my own studio, so it’s hard to make these pictures stock-photo-like.
  5. I rehearse what I’m going to say multiple times. Driving to and from work is a great time to rehearse. Make that time in traffic useful.
  6. Often, after rehearsing with slides (obviously not in traffic) I refine the presentation even further until the story is sound and seamless and I can tell it with a good amount of energy.

This is a lot of work. Think 10-20 hours per hour of presentation (all things added up, including otherwise wasted time in traffic). And because it’s hard to justify working 20 hours on a presentation (especially if you don’t even get to spend time on security), I often do this mostly outside working hours. I don’t want to be dependent on management to get enough time to do this right. That’s why I reserve this kind of treatment for only the most important presentations.


In summation…

Even if you’re not able to spend that much time on your presentation, you will still be surprised at how well presentations work and how you can bring matters to the attention of your organization and let them land there. So go and ask for 10 minutes in the next meeting.


About Marcel-Jan Krijgsman

Marcel-Jan is the PR officer of the Werkgroep Maan en Planeten. He also takes care of the news on the Facebook page and this blog.