conferences – Alice, Eve and Bob

SF in June: Confidential Computing Summit

A good selection of business-led and technical sessions

It should be around 70F/21C in San Francisco around the 29th June, which is a pretty good reason to pop over to attend the Confidential Computing Summit which is happening on that day. One of the signs that a technology is getting some real attention in the industry is when conferences start popping up, and Confidential Computing is now at the stage where it has two: OC3 (mainly virtual, Europe-based) and CCS.

I have to admit to having skin in this game – as Executive Director of the Confidential Computing Consortium, I’ll be presenting a brief keynote – but given the number of excellent speakers who’ll be there, it’s very much worth considering if you have an interest in Confidential Computing (and you should). I’d planned to paste the agenda into this article, but it’s just too large. Here is a list of just some of the sessions and panels, instead.

State of the Confidential Computing Market – Raluca Ada Popa, Assoc. Prof CS, UC Berkeley and co-founder Opaque Systems
Confidential Computing and Zero Trust – Vikas Bhatia, Head of Product, Microsoft Azure Confidential Computing
Overcoming Barriers to Confidential Computing as a Universal Platform – John Manferdelli, Office of the CTO, VMware
Confidential Computing as a Cornerstone for Cybersecurity Strategies and Compliance – Xochitl Monteon, Chief Privacy Officer and VP Cybersecurity Risk & Governance, Intel
Citadel: Side-Channel-Resistant Enclaves on an Open-Source, Speculative, Out-of-Order Processor – Srini Devadas, Webster Professor of EECS, MIT
Collaborative Confidential Computing: FHE vs sMPC vs Confidential Computing. Security Models and Real World Use Cases – Bruno Grieder, CTO & Co-Founder, Cosmian
Application of confidential computing to Anti Money Laundering in Canada – Vishal Gossain, Practice Leader, Risk Analytics and Strategy, Ernst and Young

As you can tell, there’s a great selection of business-led and technical sessions, so whether you want to delve into the technology or understand the impact of Confidential Computing on business, please come along: I look forward to seeing you there.

My book at RSA Conference NA

Attend RSA and get 20% off my book!

Attend RSA and get 20% off my book!

I’m immensely proud (as you can probably tell from the photo) to be able to say that my book in available in the book store at the RSA Conference in San Francisco this week. You’ll find the store in Moscone South, up the escalators on the Esplanade.

If you ever needed a reason to attend RSA, this is clearly the one, particularly with the 20% discount. If anyone’s interested in getting a copy signed, please contact me via LinkedIn – I currently expect to be around till Friday morning. It would be great to meet you.

Back in the (conference) groove

Ah, yes: conferences. We love them, we hate them.

Ah, yes: conferences. We love them, we hate them, but they used to be part of the job, and they’re coming back. At least in the IT world that I inhabit, things are beginning to start happening in person again. I attended my first conference in over two years in Valencia a couple of weeks ago: Kubecon + CloudNativeCon Europe. I’d not visited Valencia before, and it’s a lovely city. I wasn’t entirely well (I’m taking a while to recover from Covid-19 – cannot recommend), which didn’t help, but we had some great meetings, Nathaniel (my Enarx & Profian co-founder) spoke at the co-located WasmDay event on WASI networking, and I got to walk the exhibition hall picking up (small amounts) of swag (see Buying my own t-shirts, OR “what I miss about conferences”).

For the last few years, when I’ve been attending conferences, I’ve been doing it as the employee of a large company – Red Hat and Intel – and things are somewhat different when you’re attending as a start-up. We (Profian) haven’t exhibited at any conferences yet (keep an eye out for announcements on social media for that), but you look at things with a different eye when you’re a start-up – or at least I do.

One of the differences, of course, is that as CEO, my main focus has to be on the business side, which means that attending interesting talks on mildly-related technologies isn’t likely to be a good use of my time. That’s not always true – we’re not big enough to send that many people to these conferences, so it may be that I’m the best person available to check out something which we need to put on our radar – but I’m likely to restrict my session attendance to one of three types of session:

a talk by a competitor (or possible competitor) to understand what they’re doing and how (and whether) we should react.
a talk by a possible customer or representative from a sector in which we’re interested, to find understand possible use cases.
a talk about new advances or applications of the technologies in which we’re interested.

There will, of course, also be business-related talks, but so many of these are aimed at already-established companies that it’s difficult to find ones with obvious applicability.

What else? Well, there are the exhibition halls, as I mentioned. Again, we’re there to look at possible competitors, but also to assess possible use cases. These aren’t just likely to be use cases associated with potential customers – in fact, given the marketing dollars (euros, pounds, etc.) funnelled into these events, it’s likely to be difficult to find clear statements of use cases, let alone discover the right person to talk to on the booth. More likely, in fact, is finding possible partners or licensees among the attendees: realising that there are companies out there with a product or offering to which we could add value. Particularly for smaller players, there’s a decent chance that you might find someone with sufficient technical expertise to assess whether there might be fit.

What else? Well, meetings. On site, off site: whichever fits. Breakfast, cocktails or dinner seem to be preferred. as lunch can be tricky, and there aren’t always good places to sit for a quiet chat. Investors – VCs and institutional capital – realise that conferences are a good place to meet with their investees or potential investees. The same goes for partners for whom setting aside a whole day of meetings with a start-up makes little obvious sense (and it probably doesn’t make sense for us to fly over specially meet them either), but for whom finding a slot to discuss what’s going on and the state of the world is a good investment of their time if they’re already attending an event.

So – that’s what I’m going to be up to at events from now on, it seems. If you’re interested in catching up, I’ll be at RSA in San Francisco, Open Source Summit in Austin and Scale 19x in San Antonio in the next couple of months, with more to come. Do get in touch: it’s great to meet folks!

Buying my own t-shirts, OR “what I miss about conferences”

I can buy my own t-shirts, but friendships need nurturing.

A typical work year would involve my attending maybe six to eight conferences in person and speaking at quite a few of them. A few years ago, I stopped raiding random booths at the exhibitions usually associated with these for t-shirts for the simple reason that I had too many of them. That’s not to say that I wouldn’t accept one here or there if it was particularly nice, or an open source project which I esteemed particularly, for instance. Or ones which I thought my kids would like – they’re not “cool”, but are at least useful for sleepwear, apparently. I also picked up a lot of pens, and enough notebooks to keep me going for a while.

And then, at the beginning of 2020, Covid hit, I left San Francisco, where I’d been attending meetings co-located with RSA North America (my employer at the time, Red Hat, made the somewhat prescient decision not to allow us to go to the main conference), and I’ve not attended any in-person conferences since.

There are some good things about this, the most obvious being less travel, though, of late, my family has been dropping an increasing number of not-so-subtle hints about how it would be good if I let them alone for a few days so they can eat food I don’t like (pizza and macaroni cheese, mainly) and watch films that I don’t enjoy (largely, but not exclusively, romcoms on Disney+). The downsides are manifold. Having to buy my own t-shirts and notebooks, obviously, though it turns out that I’d squirrelled away enough pens for the duration. It also turned out that the move to USB-C connectors hadn’t sufficiently hit the conference swag industry by the end of 2019 for me to have enough of those to keep me going, so I’ve had to purchase some of those. That’s the silly,minor stuff though – what about areas where there’s real impact?

Virtual conferences aren’t honestly too bad and the technology has definitely improved over the past few months. I’ve attended some very good sessions online (and given my share of sessions and panels, whose quality I won’t presume to judge), but I’ve realised that I’m much more likely to attend borderline-interesting talks not on my main list of “must-sees” (some of which turn out to be very valuable) if I’ve actually travelled to get to a venue. The same goes for attention. I’m much less likely to be checking email, writing emails and responding to chat messages in an in-person conference than a virtual one. It’s partly about the venue, moving between rooms, and not bothering to get my laptop out all the time – not to mention the politeness factor of giving your attention to the speaker(s) or panellists. When I’m sitting at my desk at home, none of these is relevant, and the pull of the laptop (which is open anyway, to watch the session) is generally irresistible.

Two areas which have really suffered, though, are the booth experience the “hall-way track”. I’ve had some very fruitful conversations both from dropping by booths (sometimes mainly for a t-shirt – see above) or from staffing a booth and meeting those who visit. I’ve yet to any virtual conferences where the booth experience has worked, particularly for small projects and organisations (many of the conferences I attend are open source-related). Online chat isn’t the same, and the serendipitous aspect of wandering past a booth and seeing something you’d like to talk about is pretty much entirely missing if you have to navigate a set of webpages of menu options with actual intent.

The hall-way track is meeting people outside the main sessions of a conference, either people you know already, or as conversations spill out of sessions that you’ve been attending. Knots of people asking questions of presenters or panellists can reveal shared interests, opposing but thought-provoking points of view or just similar approaches to a topic which can lead to valuable professional relationships and even long-term friendships. I’m not a particularly gregarious person – particularly if I’m tired and jetlagged – but I really enjoy catching up with colleagues and friends over a drink or a meal from time to time. While that’s often difficult given the distributed nature of the companies and industries I’ve been involved with, conferences have presented great opportunities to meet up, have a chinwag and discuss the latest tech trends, mergers and acquisitions and fashion failures of our fellow attendees. This is what I miss most: I can buy my own t-shirts, but friendships need nurturing. and I hope that we can safely start attending conferences again so that I can meet up with friends and share a drink. I just hope I’m not the one making the fashion mistakes (this time).

7 steps to a (bad) tech demo

Give the demo, look condescending, go home.

I’m currently involved with putting together a demo to show off the amazing progress we’ve made with Enarx recently. I’ve watched – and given – quite a few demos in my time, and I considered writing a guide to presenting a good demo. But then I thought: why? Demos should be about showing how clever we are, not about the audience – that’s pretty clear from most of the ones I’ve seen – so I decided to write a guide to a what many audiences would consider a bad demo, in other words, the type that most of us in IT are most practised at. Follow this guide, and you can be pretty certain that you will join the ranks of know-it-all, disdainful techies who are better than their audiences and have no interest in engaging with lower, less intelligent beings such as colleagues, user groups or potential customers. If you’re in marketing, sales, documentation or another function, you can still learn from this guide, and use it as part of your journey as you strive to achieve the arrogant sanctimoniousness which we techies cultivate and for which we are (in)famous. Luckily, many demos already exist which exhibit these characteristics, so you shouldn’t need to look far to find examples.

1. Assume your audience is you

You only need one demo, because everybody who matters will come from the same background as you: ultra-technical. You will, of course, be using a terminal, which means text commands to drive the demo. Don’t pander to lesser mortals by expanding parameters, for instance: why use df --all --human-readable --portability /home/mbursell/ when df -ahT ~/ is available and will save you space and time. If you really must provide graphical output (sometimes even hard-core techies have to work with GUIs, to their intense annoyance and disappointment), ensure that you’re using non-standard colours and icons. Why not use a smiley-face emoji for the “irretrievable delete” function or a thumbs-up icon for “cancel”? And you get extra points if you use a browser which still supports the <blink> tag: everybody’s favourite from the mid-90s.

Your audience shouldn’t need any context before the demo, either: if they’ve come to hear you speak, all you’re doing is giving them an update on exactly how far you have come – in other words, how clever you are. Find ways to exhibit that, and they’ll be impressed by your expertise and intelligence, which is what demos are for in the first place.

2. Don’t check it works

Your demo will, of course, work perfectly. Every time. Which means that there’s no need to check it just before delivering it. In fact, you might as well make a few last tweaks just beforehand – preferably without saving the “last good state”. Everyone will be amused if anything goes wrong – and if it does, it absolutely won’t be your fault. Here’s a list of useful things/people to blame if anything does happen:

the conference wifi (more difficult if you’re presenting virtually)
the VPN (no need to specify what VPN, or even if you’re using one)
other developers (who you can accuse of making last minute changes)
the Cloud Service Provider (again, no need to specify which one, or even if you’re using one)
DNS
certificate expiry
neutrinos
the marketing department.

3. Use small fonts and icons

Assume that everyone watching your demo:

has perfect eyesight
has perfect colour perception
is sufficiently close to the projected image to see it (physical demo)
is viewing on a screen as large as yours (online)
is viewing on a screen at equal resolution to yours (online)
has sufficient bandwidth that everything displays quickly and clearly enough for them to be able to see (online)
can read and decipher unfamiliar text, commands, icons, obscure diagrams and dread sigils at least as quickly as you can display – and then hide – them.

4. Don’t explain

As noted above, anybody who is worthy of viewing the demo that you have put together should be immediately able to understand any context that is relevant, including any assumptions that you have made when creating the demo. “Obviously, I’ve created this WebAssembly binary directly from the Rust source file with the release flag, which means that we get good portability and type safety but decent on-the-wire speed and encryption time” is more than enough detail. You should probably have gone with something shorter like: “here’s an ls -al of the .wasm file. It’s cross-platform, safe and quick. Compiled with cargo +nightly build --release --wasm32-wasi, obviously.” Who needs a long and boring-to-deliver explanation of why you chose WebAssembly to allow users to run their applications on multiple different types of system, and the design and build decisions you made to reduce loading time over the network? No-one you care about, certainly.

5. Be very quick or very slow

This important point is related to several of the ones before. If you’ve been paying attention, you’ll know that there’s no good reason to worry about your audience and whether they’re following along, because if they’re the right type of audience (basically, they’re you), then they will already understand what’s going on. You can therefore speak as fast as you like, and whether you’re speaking their first language or not, they should pick up enough to appreciate the brilliance of the demo (in other words, your brilliance).

There is an alternative, of course, which is to speak really slowly. This should never be because you’re allowing your audience to pay attention and catch up however, but instead because you’re going into extreme detail about every single aspect of your demo, from the choice of your compilation options (see above) to the font family you use in your (many) terminals. This isn’t boring: it’s about you and your choices, so it’s interesting (to anyone who matters – see above).

6. Don’t record the demo

Your demo will work first time (unless you’re hit by problems caused by someone or something else – see 2 above), so there’s no need to record it, is there? What is more, anyone who is sufficiently interested in you, your project and your demo will attend in real-time, so there’s no need to record it for late-comers or for people to watch later. You’ll have made lots of changes within the next couple of weeks anyway, so what’s the point?

7. Don’t answer questions

Demos are for you to tell people about your project, and about you. They are not excuses for postulants to ask their questions of you. Questions generally fall into three types, none of which are of any interest to you:

Stupid questions which betray how little an audience member understands about your demo. This is their fault, as they not clever enough to get what you’re doing. Ignore.
Annoying questions which would be clear if people paid enough attention. These may be questions which are relevant to the demo, but which should be obvious to anyone who has done sufficient research into your work. Why should you clarify your work for lazy people? Ignore.
Dangerous questions which point out possible mistakes or “improvements” to what you’ve done. You know best – you’re not showing a demo to get suggestions, but in order to expose your expertise. Ignore.

Conclusion

You are brilliant. Your demo is brilliant. Anybody who doesn’t see that is at fault, and it’s not your job to make their lives easier. Give the demo, look condescending, go home.

Enarx goes multi-platform

Now with added SGX!

Yesterday, Nathaniel McCallum and I presented a session “Confidential Computing and Enarx” at Open Source Summit Europe. As well as some new information on the architectural components for an Enarx deployment, we had a new demo. What’s exciting about this demo was that it shows off attestation and encryption on Intel’s SGX. Our initial work focussed on AMD’s SEV, so this is our first working multi-platform work flow. We’re very excited, and particularly as this week a number of the team will be attending the first face to face meetings of the Confidential Computing Consortium, at which we’ll be submitting Enarx as a project for contribution to the Consortium.

The demo had been the work of several people, but I’d like to call out Lily Sturmann in particular, who got things working late at night her time, with little time to spare.

What’s particularly important about this news is that SGX has a very different approach to providing a TEE compared with the other technology on which Enarx was previously concentrating, SEV. Whereas SEV provides a VM-based model for a TEE, SGX works at the process level. Each approach has different advantages and offers different challenges, and the very different models that they espouse mean that developers wishing to target TEEs have some tricky decisions to make about which to choose: the run-time models are so different that developing for both isn’t really an option. Add to that the significant differences in attestation models, and there’s no easy way to address more than one silicon platform at a time.

Which is where Enarx comes in. Enarx will provide platform independence both for attestation and run-time, on process-based TEEs (like SGX) and VM-based TEEs (like SEV). Our work on SEV and SGX is far from done, but also we plan to support more silicon platforms as they become available. On the attestation side (which we demoed yesterday), we’ll provide software to abstract away the different approaches. On the run-time side, we’ll provide a W3C standardised WebAssembly environment to allow you to choose at deployment time what host you want to execute your application on, rather than having to choose at development time where you’ll be running your code.

This article has sounded a little like a marketing pitch, for which I apologise. As one of the founders of the project, alongside Nathaniel, I’m passionate about Enarx, and would love you, the reader, to become passionate about it, too. Please visit enarx.io for more information – we’d love to tell you more about our passion.

AI, blockchain and security – huh? Ahh!

There’s a place for the security community to be more involved AI and blockchain.

Next week, I’m flying to the US on Tuesday, heading back on Thursday evening, arriving back in Heathrow on Friday morning, and heading (hopefully after a shower) to Cyber Security & Cloud Expo Global to present a session and then, later in the afternoon, to participate in a panel. One of the reasons that I’m bothering to post this here is that I have a feeling that I’m going to be quite tired by the end of Friday, and it’s probably a good idea to get at least a few thoughts in order for the panel session up front[1]. This is particularly the case as there’s some holiday happening between now and then, and if I’m lucky, I’ll be able to forget about everything work-related in the meantime.

The panel has an interesting title. It’s “How artificial intelligence and blockchain are the battlegrounds for the next security wars“. You could say that this is buzzwordy attempt to shoehorn security into a session about two unrelated topics, but the more I think about it, the more I’m glad that the organisers have put this together. It seems to me that although AI and blockchain are huge topics, have their own conference circuits[2] and garner huge amounts of interest from the press, there’s a danger that people whose main job and professional focus is security won’t be the most engaged in this debate. To turn that around a bit, what I mean is that although there are people within the AI and blockchain communities considering security, I think that there’s a place for people within the security community to be more involved in considering AI and blockchain.

AI and security

“What?” you may say. “Have you not noticed all of the AI-enabled products being sold by vendors in the security community?”

To which I reply, “pfft.”

It would be rude[3] to suggest that none of those security products have any “Artificial Intelligence” actually anywhere near them. However, it seems to me (and I’m not alone) that most of those products are actually employing much more basic algorithms which are more accurately portrayed as “Machine Learning”. And that’s if we’re being generous.

More importantly, however, I think that what’s really important to discuss here is security in a world where AI (or, OK, ML) is the key element of a product or service, or in a world where AI/ML is a defining feature of how we live at least part of our world. In other words, what’s the impact of security when we have self-driving cars, AI-led hiring practices and fewer medical professionals performing examinations and diagnoses? What does “the next battleground” mean in this context? Are we fighting to keep these systems from overstepping their mark, or fighting to stop malicious actors from compromising or suborning them to their ends? I don’t know, and that’s part of why I’m looking forward to my involvement on the panel.

Blockchain and security

Blockchain is the other piece, of course, and there are lots of areas for us to consider here, too. Three that spring to my mind are:

around smart contracts (see my article What’s a blockchain “smart contract”? for more thoughts on that particular gem);
the assumptions built into many blockchain systems around the long-term safety of various cryptographic primitives (see my article Will quantum computing break security?);
the implicit trust that is exhibited by many “naive” users of blockchain systems around the various entities and stakeholders in the environment (I’ve written about “zero-trust” here: Thinking beyond “zero-trust”).

Whether you believe that blockchain(s) is(are) going to take over the world or not, it’s a vastly compelling topic, and I think it’s important for it to be discussed outside its “hype bubble” in the context of a security conference.

Conclusion

While I’m disappointed that I’m not going to be able to see some of the other interesting folks speaking at different times of the conference, I’m rather looking forward to the day that I will be there. I’m also somewhat relieved to have been able to use this article to consider some of the points that I suspect – and hope! – will be brought up in the panel. As always, I welcome comments and thoughts around areas that I might not have considered (or just missed out). And last, I’d be very happy to meet you at the conference if you’re attending.

1 – I’ve already created the slides for the talk, I’m pleased to say.

2 – my, do they have their own conference circuits…

3 – not to mention possibly actionable. And possibly even incorrect.

Of headphones, caffeine and self-care

Being honest about being down.

I travel quite a lot with my job. This is fine, and what I signed up for, and mitigated significantly by the fact that I work from home the rest of the time, which means that (video-calls permitting) I can pop down to see the kids when they get back from school, or share a dog walk with my wife if she’s at home as well. The travel isn’t as easy as it was a couple of decades ago: I’d like to believe that this is because my trips are more frequent, and often longer, but suspect that it’s more to do with the passage of time on my body. There’s more than just the wear and tear, however, and I think it’s worth talking about it, but I’m sure it’s not just me.

I sometimes get down.

I sometimes get sad.

I sometimes get peeved, and cross, and angry for little or no reason.

I’ve never been diagnosed with any mental illness, and I don’t feel the need to medicalise what I’m describing, but I do need to own it: it’s not me at my best, I’m not going to be able to perform my job to the best of my ability, and it’s not healthy. I know that it’s worse when I’m travelling, because I’m away from my family, the dog and the cats, divorced from routine and, given that I tend to travel to North America quite frequently, somewhat jet-lagged. None of these things are specific triggers, and it’s not even that they are necessarily part of the cause, but they can all make it more difficult to achieve and even keel again.

I wanted to write about this subject because I had a day when I had what I think of as “a bit of a wobble”[1] a couple of weeks ago while travelling. On this particular occasion, I managed to step back a bit, and even did some reading around the web for suggestions about what to do. There were a few good blog articles, but I thought it would be honest to my – and others’ – lived experience to talk about it here, and talk about what works and what doesn’t.

Before we go any further, however, I’d like to make a few things clear.

First: if you are having suicidal thoughts, seek help. Now. You are valued, you do have worth, but I am not an expert, and you need to seek the help of an expert. Please do.

Second: I am not an expert in mental health, depression or other such issues. These are some thoughts about what helps me. If you have feelings and thoughts that disturb you or are having a negative impact on you or those around you, seek help. There should be no stigma either to mental illness or to seeking help to battle it.

Third: if you know someone who is suffering from mental illness of any kind, try to be supportive, try to be kind, try to be understanding. It is hard. I know people – and love people – with mental health issues. Help to support them in getting help for themselves, if that’s what they need you to do, and consider getting help for yourself, too.

Things that do and don’t work (for me)

Alcohol (and over-eating) – NO

One article I read pointed out that having a few drinks or eating a tub of ice cream when you’re travelling and feeling down “because you deserve it” isn’t self-care: it’s self-medication. I like this dictum. Alcohol, though a dis-inhibitor, is also a depressant, and even if it makes you feel better for a while, you’re not going to be thanking last-night-you for the hangover you have in the morning. Particularly if you’ve got a meeting or presentation in the morning.

Exercise – YES

I never used to bother much with exercise, particularly when I was travelling. But the years have taken their toll, and now I try to hit the gym when I’m staying in a hotel, maybe every other day. However, I also find that there are often opportunities to walk to meetings instead of taking a taxi, or maybe making my own way to a restaurant in the evening, even if I catch a cab back. I track the steps I do, and aim for 10,000 a day. This can be difficult when you’re in a meeting all day, but little things like taking the stairs, not the lift (elevator) can get you closer to your goal.

If you have a free day in a city, particularly at the weekend, do a search for “walking tours”. I’ve done a few of these, particularly food-based ones, where you get to stretch your legs whilst being given a tour of the sites and trying some local cuisine. You also get to meet some people, which can be good.

People – YES and NO

Sometimes what I need to pull myself out of a gloomy mood is to spend some time with people. Even if it’s just on the edges of a conversation, not engaging too much, being around people I know and value can be a positive thing.

On other occasions, it’s exactly the opposite of what I need, and I crave solitude. On occasion, I won’t know until I turn up for dinner, say, that I’m really not in the right head-space for company. I’ve found that if you plead jet-lag, colleagues are generally very understanding, and if there’s a loud-mouthed colleague who is very insistent that you stay and join in, find a quieter colleague and explain that you need to get back to the hotel early.

Reading – YES

Books are great to escape to. Whether you carry a paperback in your laptop bag, have a Kindle (or other e-reader) or just read something that you’ve downloaded onto your phone, you can go “somewhere else” for a bit. I find that having a physical book is helpful, or at least using an e-reader, as then you’re slightly protected from the temptation to check that email that’s just come in.

Headphones – YES

What did we do before headphones? I try keep a set in my pocket wherever I’m going and connect my phone when I get a chance. I may wander the floor of an Expo with music on, sit down with some music for a cup of tea (of which more below) in a five minute break during a meeting, or wait for a session to start with something soothing in my ears. In fact, it doesn’t need to be soothing: I can be in the mood for classical, upbeat, loud, quiet, downbeat, indie, New Orleans jazz, bluegrass[2] or folk[3]. That’s one of the joys of having music available at pretty much all times now. Insulating myself from the world and allowing myself to take a metaphorical breath before rejoining it, can make a big difference.

Caffeine – YES (with care)

I don’t drink coffee (I just don’t like the taste), but I do drink tea. It can be difficult to find a good cup of tea in North America[4], but I’ve discovered that when I can source one, the very act of sitting down and drinking it grounds me. Smell and taste are such important senses for us, and I associate the smell and taste of tea so strongly with home and safety that a good cup of tea can do wonders for me. That said, if I drink too much tea, I can get cranky (not to mention the fact that it’s a diuretic), and then I miss it if I can’t get it, so there’s a balance there.

Breathing – YES

Breathing is helpful, obviously. If you don’t breathe, you’re going to die[5], but there’s a real power to stopping what you’re doing, and taking a few deep, purposeful breaths. I’m sure there’s lots of science (and probably pseudo-science) around this, but try it: it can be really fantastic.

Conclusion

I know that I’m not alone in finding life difficult sometimes when I travel. Please look after yourself and find whatever actions which help you. My intention with this article isn’t to provide fixes for other people, but more to share a few things that help me, and most important, to acknowledge the problem. If we do this, we can recognise the need for action in ourselves, but also for support in our family, friends and colleagues, too.

Last: if you become ill – physically, emotionally or mentally – you are not going to be functioning as well as you might when well. It is in your and you organisation’s best interests for you to be well and healthy. Many companies, organisations and unions provide (often free) help for those who are struggling. If you keep experiencing feelings such as those described in this article, or you are in acute need, please seek professional help.

1 – because I’m British, and that’s the sort of language I use.

2 – one of my little guilty pleasures.

3 – another.

4 – you need decent tea to start with, and boiling or just off-boiling water: that’s close to 100C, or 212F.

5 – I’m not a medical expert, but I know that.

6 reasons to go (and not go) to a security conference

…the parties – don’t forget the many, many parties.

I’m at the annual RSA Conference this week in San Francisco. There are a number of RSA Conferences around the world, but this is the big one. There will be thousands – in fact, tens of thousands – of people attending, probably hundreds of exhibitors, and I’ve just pored through the many, many sessions available just on the first day to identify the ones I want to attend.

RSA – as other conferences – comes under fire for just being an opportunity for security vendors to pitch their wares, rather than a conference about security, and there is some truth in that. To be fair, though, they’re the ones sponsoring the show[1], and making it all work, and many of them will pay, as part of that sponsorship, to have sessions where they will pitch their products. And people attend these talks[3] – it’s really not my thing (and I’ve written about it in the past), but I’ve noticed that this year, there are clues in the session title that a particular talk will be sponsor-led, so more opportunities to avoid them if you’re not interested.

There are, however, lots and lots of talks that aren’t just product pitches. These range from the uber-technical academic cryptography talks[4] to “how we managed to deal with this problem in my company”, “what we’ve learned over 5/10/20/100 years of X” and innumerable talks on DevSecOps, Agile, security for/within/outside/above the Cloud by vendors, airlines, software companies, banks, insurance companies and very few start-ups.

I’ve been a little harsh in the previous paragraph, but I reckon there’s actually going to be something (probably many things – choosing between the multiple sessions scheduled at the same time can be challenging) for everybody. I always get a little annoyed that there’s not enough talk about systems security and complexity, but there actually seems to be a little more of that this year – though I’m willing to bet that the expo hall will be somewhat light on the same, with the usual SIEM, email security, storage, authentication, authorisation, logging and network tools being very much in evidence, alongside big consultancies and some a few small companies, not-for-profits and educational institutions.

6 reasons to attend a security conference

What, then, are some good reasons to attend a security conference? Here are my top 6 – in no particular order:

sessions which will teach you something new – or help you see something from somebody else’s perspective;
catching up with colleagues who you don’t otherwise get to see;
the hallway track – meeting people between sessions, at meals or parties, in the lift[5] at your hotel and striking up a conversation;
being able to check out vendors at their booths in the expo, and get demos of their products;
swag and give-aways[6];
the parties.

6 reasons not to attend a security conference

It only seems fair to provide the flipside, so here we go, this time in a particular order:

sessions which won’t teach you anything new – or which show you something from the perspective of a speaker who you suspect has never worked in the real world, or is a complete idiot;
catching up with colleagues who you’ve managed to avoid for the past 12 months, but who realise that you’re going to be at the show, and who you can’t politely put off meeting;
the hallway track – being accosted by people between sessions who’ve seen your badge, have heard of your company, and have a particular feature that they really, really want you to implement, despite the fact that a) you’re not on the product team and b) they only buy one licence/subscription from your company a year;
being subjected to demos by vendors at their booths in the expo because you didn’t move away fast enough, despite the fact that you only moved close to find out what their swag was;
swag and give-aways – too many t-shirts (never enough in womens’ sizes, I’m told), and realisation that you’ve got so many that you’re going to have to check in extra hold luggage on the way back home to get it back to your children, who will have no interest in it, anyway;
the parties – in particular the standard of the wine (poor) and beer (either so hoppy it makes your teeth retract into your gums or so gassy that you swell up to the size of a beachball) – and how you feel after them.

So, make your choices, and decide whether to go or not. I’ll keep an eye out for you in the lift at the hotel…

1 – and the parties – don’t forget the many, many parties[2].

2 – painkillers and heartburn medication are must-pack items for any serious attendees.

3 – not always on purpose – there are times when you’ll see an early exodus of people as they realise what they turned up to.

4 – all credit if you manage to get past the first slide of mathematics.

5 – I don’t care if it’s in the US, I’m not calling it an escalator.

6 – I reckon that the standard of swag at a conference is directly proportional to the strength of the market in that the sector 6 months ago – there’s a delay in marketing budgets.

Top 7 tips to improve your conference presentation

It’s all about the slides and their delivery.

Well, it’s conference season again. I’ll be off to the West Coast for DeveloperWeek, then RSA, and, I’m sure, more conferences through the coming months. I had a good old rant a few months ago about what I hate about conference speakers, so this seems like a good opportunity to talk about all the good things that I actually enjoy. Well, it might to you, but I’ve got all sorts of spleen-venting that I still want to do, so bad luck: you’re getting another rant. This time round, rather than getting all shouty about product pitching (which was the subject of my last cross-fest[1]), this time it’s all about the slides and their delivery.

First, here’s a disclaimer, however, or maybe two. One is this: I’m not perfect[3]. I’m may well have been guilty of one or many of the points below in many or all of my presentations. If I have, I’m sorry: and I’d like to know about it, as I like to fix things.

The other is this: not everyone is excellent, or will ever be excellent, at presenting. However hard you try, it may be that it’s never going to be your top skill. That’s fine. On the other hand, if you’re not great at spelling, or you tend to zone out your audience, and you know it – in fact, if you struggle with any of the points below – then ask for help. It doesn’t need to be professional help – ask a colleague or family member, or even a friendly member of the conference staff – but ask for suggestions, and apply them.

Before we delve deeper into this topic, why is it important? Well, people (generally) go to conferences to learn – maybe to be entertained, as well. Most conferences require attendees or their organisations to pay, and even if they don’t, there’s an investment of time. You owe it to the attendees to give them the best value that you can, and ignoring opportunities to improve is arrogant, rude and disrespectful. You may not feel that bad spelling, punctuation or layout, or even poor delivery, will detract from their experience, but they all distract from the message, and can negatively impact on what people are trying to learn. They are also unprofessional, and here’s another important point to remember about conference speaking: it’s an opportunity to showcase your expertise, or at least get other people to be enthusiastic about the things you do. If you don’t do the best you can do, you are selling yourself short, and that’s never a good thing.

Here, then, are my top seven tips to improve your conference presentations. I’m assuming, for the purposes of this article, that you’re presenting a slidedeck at an industry presentation, though many of these points are more broadly applicable.

Layout

I’m not just talking colours and shapes, but also how much is on your slides, whether it’s in sentence or bullet format, and the rest. Because how your slides look matters. Not just because of your company’s or organisation’s brand, but because it directly affects how people process the information on your slides. The appropriate amount – and type – of information to put on a slide varies based on subject, technical depth, audience, for instance, but a good rule to remember is that people will generally read the slides before they listen to you. If you have more than about 20-30 words on a slide, realise that nobody’s going to hear a word you say until they’ve finished reading, and that’s going to take an appreciable amount of time. If in doubt, have multiple bullets, and reveal them as you talk (and never just read what’s on the slides: what’s the point of that?).

Spelling, punctuation and grammar

You may not care about spelling, but lots of people do. It can be distracting to many people to see bad spelling, punctuation or grammar on your slides. Everybody makes mistakes – and that’s why it’s worth reviewing your slides and maybe getting somebody else to have a look, too. The amount that this matters will depend on your audience – but correcting slips raises the credibility of the presentation as a whole, because mistakes reflect badly on you, whether you like it or not.

Pictures

Or graphs. Or diagrams. I don’t care: put something in there to break up the slides. I’m really guilty of this: I tend to have slide after slide of text, and forget that many people will just glaze over after the first few. So I try to find a few pictures, or, even better, relevant diagrams, and put them in. There are lots of free-to-use pictures available (search for “creative commons” online), and make sure that you provide the correct attribution when you use them.

Style

People have different styles, and that’s fine. Mine tends towards the jokey and possibly slightly over-enthusiastic, so I need to think about how I pitch different types of information from time to time. Play to your strengths, but be aware of the situation. People will remember you if you’re a bit different, and there are times for humorous t-shirts, but there are times for a jacket or tie and a more sombre approach, too.

Tone

Do. Not. Drone. There’s just nothing worse, particularly when the presenter is just reading the information on the slides. And after a long lunch[4], it’s so easy to nod off, or just start looking at stuff on your phone or laptop. If you think you might suffer from a boring tone, ask people for help: practice delivering to them, and then think about how you speak. It’s relatively easy for most people to learn to modulate their tone a little up and down with practice, and it can make all the difference. Equally, learning when to stop to allow people to digest the information on a slide can give you – and them – a break: a change is, as they say, as good as a rest.

Delivery

I’ve already said that you mustn’t just read the words on the slides. I’ll say it again: don’t just read the words on the slides. Notes are fine – in fact, they’re great, as most people aren’t good at improvising – or you can learn a script, but either way, one of the most important lessons when delivering any type of information is to look at your audience. Sometimes this is difficult – there may be little light to see them by, or you may find it nerve-wracking actually to look at your audience – so here’s a trick: pretend to look at your audience. Choose a spot just a few centimetres[5] above where an audience member is – or might be, if you can’t see them – and speak to that. They’ll think you’re speaking to them. Next slide, or next bullet, move your head a little, and choose another spot. Engaging with your audience is vital – and will actually make it easier to manage issues like tone.

Audience

This could have gone first, or could have gone last, but it’s really important. Think about your audience. If it’s a conference for techies, don’t use marketing diagrams. If it’s for CEOs, don’t go into the weeds about compiler design. If it’s for marketing folks, well, anything goes, as long as there are pictures[6]. Remember – these people have invested their time (and possibly money) in coming to see you to learn information which is relevant to them and their jobs, and you owe it to them to pitch the right sort of information, at the right level.

Summary

I really enjoy conference speaking, but I know that this isn’t true of everybody. I often enjoy attendee conference sessions, but poor attention to any of the points above can detract from my enjoyment, the amount I learn, and how I feel about the topic and the speaker. It’s always worth trying to improve: watch TED-talks, take notes on what your favourite speakers do, and practice.

1 – I’m pathetically amused that my spollcheeker[2] wanted that word to be “cross-stitch”.

2 – yes, it was intentional.

3 – just ask my wife.

4 – or during the first session after the conference party the night before – a terrible slot to land.

5 – or slightly fewer inches.

6 – this is mean and unfair to my marketing colleagues. I apologise. A bit.