What is a password for, anyway?

Which of my children should I use as my password?

This may look like it’s going to be one of those really short articles, because we all know what a password is for, right?  Well, I’m not sure we do.  Or, more accurately, I’m not sure that the answer is always the same, or has always been the same, so I think it’s worth spending some time looking at what passwords are used for, particularly as I’ve just seen (another) set of articles espousing the view that either a) passwords are dead; or b) multi-factor authentication is dead, and passwords are here to stay.

History

Passwords (or, as Wikipedia points out, “watchwords”) have been used in military contexts for centuries.  If you wish to pass the guard, you need to give them a word or phrase that matches what they’re expecting (“Who goes there?” “Friend” doesn’t really cut it).  Sometimes there’s a challenge and response, which allows both parties to have some level of assurance that they’re on the same side.  Whether one party is involved, or two, this is an authentication process – one side is verifying the identity of another.

Actually, it’s not quite that simple.  One side is verifying that the other party is a member of a group of people who have a particular set of knowledge (the password) in order to authorise them access to a particular area (that is being guarded).  Anyone without the password is assumed not to be in that group, and will be denied access (and may also be subject to other measures).

Let’s step forward to the first computer recorded as having had a password.  This was the Compatible Time-Sharing System (CTSS) at MIT around 1961, and its name gives you a clue as to the reason it needed a password: different people could use the computer at the same time, so it was necessary to provide a way to identify them and the jobs they were running.

Here, the reason for having a password seems a little different to our first use case.  Authentication is there not to deny or allow access to a physical area – or even a virtual area – but to allow one party to discriminate[1] between different parties.

Getting more modern

I have no knowledge of how military uses of passwords developed, other than to note that by 1983, use of passwords on military systems was well-known enough to make it into the film[2] Wargames.  Here, the use of a password is much closer to our earlier example: though the area is virtual, the idea is to restrict access to it based on a verification of the party logging on.  There are two differences, however:

  1. it is not so much access to the area that is important, and more access to the processes available within the area;
  2. each user has a different password, it seems: the ability to guess the correct password gives instant access to a particular account.

Now, it’s not clear whether the particular account is hardwired to the telephone number that’s called in the film, but there are clearly different accounts for different users.  This is what you’d expect for a system where you have different users with different types of access.

It’s worth noting that there’s no sign that the school computer accessed in Wargames has multiple users: it seems that logging in at all gives you access to a single account – which is why auditing the system to spot unauthorised usage is, well, problematic.  The school system is also more about access to data and the ability to change it, rather than specific processes[3 – SPOILER ALERT].

Things start getting interesting

In the first few decades of computing, most systems were arguably mainly occupied with creating or manipulating data associated with the organisations that owned it[4].  That could be sales data, stock data, logistics data, design data, or personnel data, for instance.  It then also started to be intellectual property data such as legal documents, patent applications and the texts of books.  Passwords allowed the owners of the systems to decide who should have access to that data, and the processes to make changes.  And then something new happened.

People started getting their own computers.  You could do your own accounts on them, write your own books.  As long at they weren’t connected to any sort of network, the only passwords you really needed were to stop your family from accessing and changing data that wasn’t theirs.  What got really interesting, though, was when those computers started getting connected to networks, which meant that they could talk to other computers, and other computers could talk to them.  People started getting involved in chatrooms and shared spaces, and putting their views and opinions on them.

It turns out (and this should be of little surprise to regular readers of this blog) that not all people are good people.  Some of them are bad.  Some of them, given the chance, would pretend to be other people, and misrepresent their views.  Passwords were needed to allow you to protect your identity in a particular area, as well as to decide who was allowed into that area in the first place.  This is new: this is about protection of the party associated with the password, rather than the party whose resources are being used.

Our data now

What does the phrase above, “protect your identity” really mean, though?  What is your identity?  It’s data that you’ve created, and, increasingly, data that’s been created about you, and is associated with that data.  That may be tax accounts data that you’ve generated for your own use, but it may equally well be your bank balance – and the ability to pay and receive money from and to an account.  It may be your exercise data, your general health data, your fertility cycle, the assignments you’ve written for your university course, your novel or pictures of your family.  Whereas passwords used to be to protect data associated with an organisation, they’re now increasingly to protect data associated with us, and that’s  a big change.  We don’t always have control over that data – GDPR and similar legal instruments are attempts to help with that problem – but each password that is leaked gives away a bit of our identity.  Sometimes being able to change that data is what is valuable – think of a bank account – sometimes just having access to it – think of your criminal record[5] – is enough, but control over that access is important to us, and not just the organisations that control us with which we interact.

This is part of the reason that ideas such as self-sovereign identity (where you get to decide who sees what of the data associated with you) are of interest to many people, of course, but they are likely to use passwords, too (at least as one method of authentication).  Neither am I arguing that passwords are a bad thing – they’re easy to understand, and people know how to use them – but I think it’s important for us to realise that they’re not performing the task they were originally intended to fulfil – or even the task they were first used for in a computing context.  There’s a responsibility on the security community to educate people about why they need to be in control of their passwords (or other authentication mechanisms), rather than relying on those who provide services to us to care about them.  In the end, it’s our data, and we’re the ones who need to care.

Now, which of my children should I use as my password: Joshua or Rache…?[6]


1 – that is “tell the difference”, rather than make prejudice-based choices.

2 – “movie”.

3 – such as, say, the ability to start a global thermonuclear war.

4 – or “them”, if you prefer your data plural.

5 – sorry – obviously nobody who reads this blog has ever run a red light.

6 – spot the popular culture references!

Of headphones, caffeine and self-care

Being honest about being down.

I travel quite a lot with my job.  This is fine, and what I signed up for, and mitigated significantly by the fact that I work from home the rest of the time, which means that (video-calls permitting) I can pop down to see the kids when they get back from school, or share a dog walk with my wife if she’s at home as well.  The travel isn’t as easy as it was a couple of decades ago: I’d like to believe that this is because my trips are more frequent, and often longer, but suspect that it’s more to do with the passage of time on my body.  There’s more than just the wear and tear, however, and I think it’s worth talking about it, but I’m sure it’s not just me.

I sometimes get down.

I sometimes get sad.

I sometimes get peeved, and cross, and angry for little or no reason.

I’ve never been diagnosed with any mental illness, and I don’t feel the need to medicalise what I’m describing, but I do need to own it: it’s not me at my best, I’m not going to be able to perform my job to the best of my ability, and it’s not healthy.  I know that it’s worse when I’m travelling, because I’m away from my family, the dog and the cats, divorced from routine and, given that I tend to travel to North America quite frequently, somewhat jet-lagged.  None of these things are specific triggers, and it’s not even that they are necessarily part of the cause, but they can all make it more difficult to achieve and even keel again.

I wanted to write about this subject because I had a day when I had what I think of as “a bit of a wobble”[1] a couple of weeks ago while travelling.  On this particular occasion, I managed to step back a bit, and even did some reading around the web for suggestions about what to do.  There were a few good blog articles, but I thought it would be honest to my – and others’ – lived experience to talk about it here, and talk about what works and what doesn’t.

Before we go any further, however, I’d like to make a few things clear.

First: if you are having suicidal thoughts, seek help.  Now.  You are valued, you do have worth, but I am not an expert, and you need to seek the help of an expert.  Please do.

Second: I am not an expert in mental health, depression or other such issues.  These are some thoughts about what helps me.  If you have feelings and thoughts that disturb you or are having a negative impact on you or those around you, seek help.  There should be no stigma either to mental illness or to seeking help to battle it.

Third: if you know someone who is suffering from mental illness of any kind, try to be supportive, try to be kind, try to be understanding.  It is hard.  I know people – and love people – with mental health issues.  Help to support them in getting help for themselves, if that’s what they need you to do, and consider getting help for yourself, too.

 

Things that do and don’t work (for me)

Alcohol (and over-eating) – NO

One article I read pointed out that having a few drinks or eating a tub of ice cream when you’re travelling and feeling down “because you deserve it” isn’t self-care: it’s self-medication.  I like this dictum.  Alcohol, though a dis-inhibitor, is also a depressant, and even if it makes you feel better for a while, you’re not going to be thanking last-night-you for the hangover you have in the morning.  Particularly if you’ve got a meeting or presentation in the morning.

Exercise – YES

I never used to bother much with exercise, particularly when I was travelling.  But the years have taken their toll, and now I try to hit the gym when I’m staying in a hotel, maybe every other day.  However, I also find that there are often opportunities to walk to meetings instead of taking a taxi, or maybe making my own way to a restaurant in the evening, even if I catch a cab back.  I track the steps I do, and aim for 10,000 a day.  This can be difficult when you’re in a meeting all day, but little things like taking the stairs, not the lift (elevator) can get you closer to your goal.

If you have a free day in a city, particularly at the weekend, do a search for “walking tours”.  I’ve done a few of these, particularly food-based ones, where you get to stretch your legs whilst being given a tour of the sites and trying some local cuisine.  You also get to meet some people, which can be good.

People – YES and NO

Sometimes what I need to pull myself out of a gloomy mood is to spend some time with people.  Even if it’s just on the edges of a conversation, not engaging too much, being around people I know and value can be a positive thing.

On other occasions, it’s exactly the opposite of what I need, and I crave solitude.  On occasion, I won’t know until I turn up for dinner, say, that I’m really not in the right head-space for company.  I’ve found that if you plead jet-lag, colleagues are generally very understanding, and if there’s a loud-mouthed colleague who is very insistent that you stay and join in, find a quieter colleague and explain that you need to get back to the hotel early.

Reading – YES

Books are great to escape to.  Whether you carry a paperback in your laptop bag, have a Kindle (or other e-reader) or just read something that you’ve downloaded onto your phone, you can go “somewhere else” for a bit.  I find that having a physical book is helpful, or at least using an e-reader, as then you’re slightly protected from the temptation to check that email that’s just come in.

Headphones – YES

What did we do before headphones?  I try keep a set in my pocket wherever I’m going and connect my phone when I get a chance.  I may wander the floor of an Expo with music on, sit down with some music for a cup of tea (of which more below) in a five minute break during a meeting, or wait for a session to start with something soothing in my ears.  In fact, it doesn’t need to be soothing: I can be in the mood for classical, upbeat, loud, quiet, downbeat, indie, New Orleans jazz, bluegrass[2] or folk[3]. That’s one of the joys of having music available at pretty much all times now.  Insulating myself from the world and allowing myself to take a metaphorical breath before rejoining it, can make a big difference.

Caffeine – YES (with care)

I don’t drink coffee (I just don’t like the taste), but I do drink tea.  It can be difficult to find a good cup of tea in North America[4], but I’ve discovered that when I can source one, the very act of sitting down and drinking it grounds me.  Smell and taste are such important senses for us, and I associate the smell and taste of tea so strongly with home and safety that a good cup of tea can do wonders for me.  That said, if I drink too much tea, I can get cranky (not to mention the fact that it’s a diuretic), and then I miss it if I can’t get it, so there’s a balance there.

Breathing – YES

Breathing is helpful, obviously.  If you don’t breathe, you’re going to die[5], but there’s a real power to stopping what you’re doing, and taking a few deep, purposeful breaths.  I’m sure there’s lots of science (and probably pseudo-science) around this, but try it: it can be really fantastic.

Conclusion

I know that I’m not alone in finding life difficult sometimes when I travel.  Please look after yourself and find whatever actions which help you.  My intention with this article isn’t to provide fixes for other people, but more to share a few things that help me, and most important, to acknowledge the problem.  If we do this, we can recognise the need for action in ourselves, but also for support in our family, friends and colleagues, too.

Last: if you become ill – physically, emotionally or mentally – you are not going to be functioning as well as you might when well.  It is in your and you organisation’s best interests for you to be well and healthy.  Many companies, organisations and unions provide (often free) help for those who are struggling.  If you keep experiencing feelings such as those described in this article, or you are in acute need, please seek professional help.


1 – because I’m British, and that’s the sort of language I use.

2 – one of my little guilty pleasures.

3 – another.

4 – you need decent tea to start with, and boiling or just off-boiling water: that’s close to 100C, or 212F.

5 – I’m not a medical expert, but I know that.

Don’t talk security: talk risk

We rush to implement the latest, greatest AI-enhanced, post-quantum container-based blockchain security solution.

We don’t do security because it’s fun. No: let me qualify that. Most of us don’t do security because it’s fun, but none of us get paid to do security because it’s fun[1]. Security isn’t a thing in itself, it’s a means to an end, and that end is to reduce risk.  This was a notable change in theme in and around the RSA Conference last week.  I’d love to say that it was reflected in the Expo, but although it got some lip service, selling point solutions still seemed to be the approach for most vendors.  We’re way overdue some industry consolidation, given the number of vendors advertising solutions which, to me, seemed almost indistinguishable.

In some of the sessions, however, and certainly in many of the conversations that I had in the “hallway track” or the more focused birds-of-a-feather type after show meetings, risk is beginning to feature large.  I ended up spending quite a lot of time with CISO folks and similar – CSO (Chief Security Officer) and CPSO (Chief Product Security Officer) were two other of the favoured titles – and risk is top of mind as we see the security landscape develop.  The reason this has happened, of course, is that we didn’t win.

What didn’t we win?  Well, any of it, really.  It’s become clear that the “it’s not if, it’s when” approach to security breaches is correct.  Given some of the huge, and long-term, breaches across some huge organisations from British Airways to the Marriott group to Citrix, and the continued experience of the industry after Sony and Equifax, nobody is confident that they can plug all of the breaches, and everybody is aware that it just takes one breach, in a part of the attack surface that you weren’t even thinking about, for you to be exposed, and to be exposed big time.

There are a variety of ways to try to manage this problem, all of which I heard expressed at the conference.  They include:

  • cultural approaches (making security everybody’s responsibility/problem, training more staff in different ways, more or less often);
  • process approaches (“shifting left” so that security is visible earlier in your projects);
  • technical approaches (too many to list, let alone understand or implement fully, and ranging from hardware to firmware to software, using Machine Learning, not using Machine Learning, relying on hardware, not relying on hardware, and pretty much everything in between);
  • design approaches (using serverless, selecting security-friendly languages, using smart contracts, not using smart contracts);
  • cryptographic approaches (trusting existing, tested, peer-reviewed primitives, combining established but underused techniques such as threshold signatures, embracing quantum-resistant algorithms, ensuring that you use “quantum-generated” entropy);
  • architectural approaches (placing all of your sensitive data in the cloud, placing none of your sensitive data in the cloud).

In the end, none of these is going to work.  Not singly, not in concert.  We must use as many of them as make sense in our environment, and ensure that we’re espousing a “defence in depth” philosophy such that no vulnerability will lay our entire estate or stack open if it is compromised.  But it’s not going to be enough.

Businesses and organisations exist to run, not to be weighed down by the encumbrance of security measure after security measure.  Hence the “as make sense in our environment” above, because there will always come a point where the balance of security measures outweighs the ability of the business to function effectively.

And that’s fine, actually.  Security people have always managed risk.  We may have forgotten this, as we rush to implement the latest, greatest AI-enhanced, post-quantum container-based blockchain security solution[2], but we’re always making a balance.  Too often that balance is “if we lose data, I’ll get fired”, though, rather than a different conversation entirely.

The people who pay our salaries are not our customers, despite what your manager and SVP of Sales may tell you.  They are the members of the Board.  Whether the relevant person on the Board is the CFO, the CISO, the CSO, the CTO or the CRO[3], they need to be able to talk to their colleagues about risk, because that’s the language that the rest of them will understand.  In fact, it’s what they talk about every day.  Whether it’s fraud risk, currency exchange risk, economic risk, terrorist risk, hostile take-over risk, reputational risk, competitive risk or one of the dozens of other types, risk is what they want to hear about.  And not security.  Security should be a way to measure, monitor and mitigate risk.  They know by now – and if they don’t, it’s the C[F|IS|S|T|R]O’s job to explain to them – that there’s always a likelihood that the security of your core product/network/sales system/whatever won’t be sufficient.  What they need to know is what risks that exposes.  Is it risk that:

  • the organisation’s intellectual property will be stolen;
  • customers’ private information will be exposed to the Internet;
  • merger and acquisition information will go to competitors;
  • payroll information will be leaked to the press – and employees;
  • sales won’t be able to take any orders for a week;
  • employees won’t be paid for a month;
  • or something completely different?

The answer (or, more likely, answers) will depend on the organisation and sector, but the risks will be there.  And the Board will be happy to hear about them.  Well, maybe that’s an overstatement, but they’ll be happier hearing about them in advance than after an attack has happened.  Because if they hear about them in advance, they can plan mitigations, whether that’s insurance, changes in systems, increased security or something else.

So we, as a security profession, need to get better a presenting the risk, and also at presenting options to the Board, so that they can make informed decisions.  We don’t always have all the information, and neither will anybody else, but the more understanding there is of what we do, and why we do it, the more we will be valued.  And there’s little risk in that.


1 – if I’m wrong about this, and you do get paid to do security because it’s fun, please contact me privately. I interested, but don’t think we should share the secret too widely.

2 – if this buzzphrase-compliant clickbait doesn’t get me page views, I don’t know what will.

3 – Chief [Financial|Information Security|Security|Technology|Risk] Officer.

6 reasons to go (and not go) to a security conference

…the parties – don’t forget the many, many parties.

I’m at the annual RSA Conference this week in San Francisco. There are a number of RSA Conferences around the world, but this is the big one. There will be thousands – in fact, tens of thousands – of people attending, probably hundreds of exhibitors, and I’ve just pored through the many, many sessions available just on the first day to identify the ones I want to attend.

RSA – as other conferences – comes under fire for just being an opportunity for security vendors to pitch their wares, rather than a conference about security, and there is some truth in that. To be fair, though, they’re the ones sponsoring the show[1], and making it all work, and many of them will pay, as part of that sponsorship, to have sessions where they will pitch their products. And people attend these talks[3] – it’s really not my thing (and I’ve written about it in the past), but I’ve noticed that this year, there are clues in the session title that a particular talk will be sponsor-led, so more opportunities to avoid them if you’re not interested.

There are, however, lots and lots of talks that aren’t just product pitches. These range from the uber-technical academic cryptography talks[4] to “how we managed to deal with this problem in my company”, “what we’ve learned over 5/10/20/100 years of X” and innumerable talks on DevSecOps, Agile, security for/within/outside/above the Cloud by vendors, airlines, software companies, banks, insurance companies and very few start-ups.

I’ve been a little harsh in the previous paragraph, but I reckon there’s actually going to be something (probably many things – choosing between the multiple sessions scheduled at the same time can be challenging) for everybody. I always get a little annoyed that there’s not enough talk about systems security and complexity, but there actually seems to be a little more of that this year – though I’m willing to bet that the expo hall will be somewhat light on the same, with the usual SIEM, email security, storage, authentication, authorisation, logging and network tools being very much in evidence, alongside big consultancies and some a few small companies, not-for-profits and educational institutions.

6 reasons to attend a security conference

What, then, are some good reasons to attend a security conference? Here are my top 6 – in no particular order:

  1. sessions which will teach you something new – or help you see something from somebody else’s perspective;
  2. catching up with colleagues who you don’t otherwise get to see;
  3. the hallway track – meeting people between sessions, at meals or parties, in the lift[5] at your hotel and striking up a conversation;
  4. being able to check out vendors at their booths in the expo, and get demos of their products;
  5. swag and give-aways[6];
  6. the parties.

6 reasons not to attend a security conference

It only seems fair to provide the flipside, so here we go, this time in a particular order:

  1. sessions which won’t teach you anything new – or which show you something from the perspective of a speaker who you suspect has never worked in the real world, or is a complete idiot;
  2. catching up with colleagues who you’ve managed to avoid for the past 12 months, but who realise that you’re going to be at the show, and who you can’t politely put off meeting;
  3. the hallway track – being accosted by people between sessions who’ve seen your badge, have heard of your company, and have a particular feature that they really, really want you to implement, despite the fact that a) you’re not on the product team and b) they only buy one licence/subscription from your company a year;
  4. being subjected to demos by vendors at their booths in the expo because you didn’t move away fast enough, despite the fact that you only moved close to find out what their swag was;
  5. swag and give-aways – too many t-shirts (never enough in womens’ sizes, I’m told), and realisation that you’ve got so many that you’re going to have to check in extra hold luggage on the way back home to get it back to your children, who will have no interest in it, anyway;
  6. the parties – in particular the standard of the wine (poor) and beer (either so hoppy it makes your teeth retract into your gums or so gassy that you swell up to the size of a beachball) – and how you feel after them.

So, make your choices, and decide whether to go or not. I’ll keep an eye out for you in the lift at the hotel…


1 – and the parties – don’t forget the many, many parties[2].

2 – painkillers and heartburn medication are must-pack items for any serious attendees.

3 – not always on purpose – there are times when you’ll see an early exodus of people as they realise what they turned up to.

4 – all credit if you manage to get past the first slide of mathematics.

5 – I don’t care if it’s in the US, I’m not calling it an escalator.

6 – I reckon that the standard of swag at a conference is directly proportional to the strength of the market in that the sector 6 months ago – there’s a delay in marketing budgets.

Oh, how I love my TEE (or do I?)

Trusted Execution Environments use chip-level instructions to allow you to create enclaves of higher security

I realised just recently that I’ve not written yet about Trusted Execution Environments (TEEs) on this blog.  This is a surprise, honestly, because TEEs are fascinating, and I spend quite a lot of my professional time thinking – and sometimes worrying – about them.  So what, you may ask, is a TEE?

Let’s look at one of the key use cases first, and then get to what a Trusted Execution Environment is.  A good place to start it the “Cloud”, which, as we all know, is just somebody else’s computer.  What this means is that if you’re running an application (let’s call it a “workload”) in the Cloud – AWS, Azure, whatever – then what you’re doing is trusting somebody else to take the constituent parts of that workload – its code and its data – and run them on their computer.  “Yay”, you may be thinking, “that means that I don’t have to run it in my computer: it’s all good.”  I’m going to take issue with the “all good” bit of that statement.  The problem is that the company – or people within that company – who run your workload on their computer (let’s call it a “host”) can, if they so wish, look inside it, change it, and stop it running.  In other words, they can break all three classic “CIA” properties of security: confidentiality (by looking inside it); integrity (by changing it); and availability (by stopping it running).  This is because the way that workloads run on hosts – whether in hardware-mediated virtual machines, within containers or on bare-metal – all allow somebody with sufficient privilege on that machine to do all of the bad things I’ve just mentioned.

And these are bad things.  We don’t tend to care about them too much as individuals – because the amount of value a cloud provider would get from bothering to look at our information is low – but as businesses, we really should be worried.

I’m afraid that the problem doesn’t go away if you run your systems internally.  Remember that anybody with sufficient access to hosts can look inside and tamper with your workloads?  Well, are you happy that you sysadmins should all have access to your financial results?  Merger and acquisition details?  Pay roll?  Because if you have this kind of data running on your machines on your own premises, then they do have access to all of those.

Now, there are a number of controls that you can put in place to help with this – not least background checks and Acceptable Use Policies – but TEEs aim to solve this problem with technology.  Actually, they only really aim to solve the confidentiality and integrity pieces, so we’ll just have to assume for now that you’re going to be in a position to notice if your sales order process fails to run due to malicious activity (for instance).  Trusted Execution Environments use chip-level instructions to allow you to create enclaves of higher security where processes can execute (and data can be processed) in ways that mean that even privileged users of the host cannot attack their confidentiality or integrity.  To get a little bit technical, these enclaves are memory pages with particular controls on them such that they are always encrypted except when they are actually being processed by the chip.

The two best-known TEE implementations so far are Intel’s SGX and AMD’s SEV (though other silicon vendors are beginning to talk about their alternatives).  Both Intel and AMD are aiming to put these into server hardware and create an ecosystem around their version to make it easy for people to run workloads (or components of workloads) within them.  And the security community is doing what it normally does (and, to be clear, absolutely should be doing), and looking for vulnerabilities in the implementation.  So far, most of the vulnerabilities that have been identified are within Intel’s SGX – though I’m not in a position to say whether that’s because the design and implementation is weaker, or just because the researchers have concentrated on the market leader in terms of server hardware.  It looks like we need to go through a cycle or two of the technologies before the industry is convinced that we have a working design and implementation that provides the levels of security that are worth deploying.  There’s also work to be done to provide sufficiently high quality open source software and drivers to support TEEs for wide deployment.

Despite the hopes of the silicon vendors, it may be some time before TEEs are in common usage, but people are beginning to sit up and take notice, partly because there’s so much interest in moving workloads to the Cloud, but still serious concerns about the security of your sensitive processes and data when they’re there.  This has got to be a good thing, and I think it’s really worth considering how you might start designing and deploying workloads in new ways once TEEs actually do become commonly available.

Top 7 tips to improve your conference presentation

It’s all about the slides and their delivery.

Well, it’s conference season again. I’ll be off to the West Coast for DeveloperWeek, then RSA, and, I’m sure, more conferences through the coming months. I had a good old rant a few months ago about what I hate about conference speakers, so this seems like a good opportunity to talk about all the good things that I actually enjoy. Well, it might to you, but I’ve got all sorts of spleen-venting that I still want to do, so bad luck: you’re getting another rant.  This time round, rather than getting all shouty about product pitching (which was the subject of my last cross-fest[1]), this time it’s all about the slides and their delivery.

First, here’s a disclaimer, however, or maybe two. One is this: I’m not perfect[3]. I’m may well have been guilty of one or many of the points below in many or all of my presentations. If I have, I’m sorry: and I’d like to know about it, as I like to fix things.

The other is this: not everyone is excellent, or will ever be excellent, at presenting. However hard you try, it may be that it’s never going to be your top skill. That’s fine. On the other hand, if you’re not great at spelling, or you tend to zone out your audience, and you know it – in fact, if you struggle with any of the points below – then ask for help. It doesn’t need to be professional help – ask a colleague or family member, or even a friendly member of the conference staff – but ask for suggestions, and apply them.

Before we delve deeper into this topic, why is it important?  Well, people (generally) go to conferences to learn – maybe to be entertained, as well.  Most conferences require attendees or their organisations to pay, and even if they don’t, there’s an investment of time.  You owe it to the attendees to give them the best value that you can, and ignoring opportunities to improve is arrogant, rude and disrespectful.  You may not feel that bad spelling, punctuation or layout, or even poor delivery, will detract from their experience, but they all distract from the message, and can negatively impact on what people are trying to learn.  They are also unprofessional, and here’s another important point to remember about conference speaking: it’s an opportunity to showcase your expertise, or at least get other people to be enthusiastic about the things you do. If you don’t do the best you can do, you are selling yourself short, and that’s never a good thing.

Here, then, are my top seven tips to improve your conference presentations.  I’m assuming, for the purposes of this article, that you’re presenting a slidedeck at an industry presentation, though many of these points are more broadly applicable.

Layout

I’m not just talking colours and shapes, but also how much is on your slides, whether it’s in sentence or bullet format, and the rest.  Because how your slides look matters.  Not just because of your company’s or organisation’s brand, but because it directly affects how people process the information on your slides.  The appropriate amount – and type – of information to put on a slide varies based on subject, technical depth, audience, for instance, but a good rule to remember is that people will generally read the slides before they listen to you.  If you have more than about 20-30 words on a slide, realise that nobody’s going to hear a word you say until they’ve finished reading, and that’s going to take an appreciable amount of time.  If in doubt, have multiple bullets, and reveal them as you talk (and never just read what’s on the slides: what’s the point of that?).

Spelling, punctuation and grammar

You may not care about spelling, but lots of people do.  It can be distracting to many people to see bad spelling, punctuation or grammar on your slides.  Everybody makes mistakes – and that’s why it’s worth reviewing your slides and maybe getting somebody else to have a look, too.  The amount that this matters will depend on your audience – but correcting slips raises the credibility of the presentation as a whole, because mistakes reflect badly on you, whether you like it or not.

Pictures

Or graphs.  Or diagrams.  I don’t care: put something in there to break up the slides.  I’m really guilty of this: I tend to have slide after slide of text, and forget that many people will just glaze over after the first few.  So I try to find a few pictures, or, even better, relevant diagrams, and put them in.  There are lots of free-to-use pictures available (search for “creative commons” online), and make sure that you provide the correct attribution when you use them.

Style

People have different styles, and that’s fine.  Mine tends towards the jokey and possibly slightly over-enthusiastic, so I need to think about how I pitch different types of information from time to time.  Play to your strengths, but be aware of the situation.  People will remember you if you’re a bit different, and there are times for humorous t-shirts, but there are times for a jacket or tie and a more sombre approach, too.

Tone

Do. Not. Drone.  There’s just nothing worse, particularly when the presenter is just reading the information on the slides.  And after a long lunch[4], it’s so easy to nod off, or just start looking at stuff on your phone or laptop.   If you think you might suffer from a boring tone, ask people for help: practice delivering to them, and then think about how you speak.  It’s relatively easy for most people to learn to modulate their tone a little up and down with practice, and it can make all the difference.  Equally, learning when to stop to allow people to digest the information on a slide can give you – and them – a break: a change is, as they say, as good as a rest.

Delivery

I’ve already said that you mustn’t just read the words on the slides.  I’ll say it again: don’t just read the words on the slides.  Notes are fine – in fact, they’re great, as most people aren’t good at improvising – or you can learn a script, but either way, one of the most important lessons when delivering any type of information is to look at your audience.  Sometimes this is difficult – there may be little light to see them by, or you may find it nerve-wracking actually to look at your audience – so here’s a trick: pretend to look at your audience.  Choose a spot just a few centimetres[5] above where an audience member is – or might be, if you can’t see them – and speak to that.  They’ll think you’re speaking to them.  Next slide, or next bullet, move your head a little, and choose another spot.  Engaging with your audience is vital – and will actually make it easier to manage issues like tone.

Audience

This could have gone first, or could have gone last, but it’s really important.  Think about your audience.  If it’s a conference for techies, don’t use marketing diagrams.  If it’s for CEOs, don’t go into the weeds about compiler design.  If it’s for marketing folks, well, anything goes, as long as there are pictures[6].  Remember – these people have invested their time (and possibly money) in coming to see you to learn information which is relevant to them and their jobs, and you owe it to them to pitch the right sort of information, at the right level.

Summary

I really enjoy conference speaking, but I know that this isn’t true of everybody.  I often enjoy attendee conference sessions, but poor attention to any of the points above can detract from my enjoyment, the amount I learn, and how I feel about the topic and the speaker.  It’s always worth trying to improve: watch TED-talks, take notes on what your favourite speakers do, and practice.


1 – I’m pathetically amused that my spollcheeker[2] wanted that word to be “cross-stitch”.

2 – yes, it was intentional.

3 – just ask my wife.

4 – or during the first session after the conference party the night before – a terrible slot to land.

5 – or slightly fewer inches.

6 – this is mean and unfair to my marketing colleagues.  I apologise.  A bit.