My journey began back in August 2017, when I attended my first InfoSec conference. 10 months later I delivered my first talk. This post covers that story.
I've written plenty about my initial exposure to the information security conference circuit. I attended BSides Manchester in August 2017 and felt right at home in that environment. I saw great talks, met some cool people and generally came away with an entirely fresh perspective on my role in information security.
It also (coupled with watching a recording of a Troy Hunt talk) gave me all the motivation I needed to become more actively engaged in the community.
So, I set about blogging, tweeting and generally being as positively active as I could be, to share my experiences, my thoughts and advice where possible.
It felt good. I'm all about giving as a person, so the opportunity to help others solve problems (whatever they might be) has always appealed.
Another bug that caught me was that I felt compelled to talk publicly about stuff (having successfully delivered a number of talks where I work), to further get my experiences across, perhaps in a way that just writing them down didn't quite manage.
So, I submitted talk material to a bunch of other BSides conferences: Leeds, Scotland and London. With Leeds I didn't make the final cut, but got offered a spot at the pre-conference party; with Scotland I got a reserve speaker slot; and then finally, with London I got an actual living and breathing slot. I also got accepted for Securi-Tay, but sadly couldn't make it due to a massive dental fail.
Anyway, I was selected to talk at BSides London, which was really when the actual nerves kicked in. I've championed my own cause to get a gig and now having finally secured one, what next?
The good news for me was that my previous applications to talk meant that my presentation itself had been pretty well refined; for a start I went up to Glasgow as a reserve speaker, so my talk needed to be ready. It was ready. It just needed doing.
Early on in the development of my talk, I sent out the slide deck to a few friends whom I respect and who also get their application security, really just to get honest critique or pointers that might make the thing more impactful. The feedback I received ranged from "It won't work" through to "It just needs a diagram and it'll be great". Quite a broad spectrum, but what I did was stick to my guns somewhat.
Yes, it definitely needed a diagram, but I knew, or at least felt that content-wise, my delivery would pull it all into perspective and any gaps in the slides would be filled with my narrative. More on the result of this wisdom later.
So, with a couple of pictures included, I was ready to go to London.
This was tricky. Ideally, I should have casually headed down to London the afternoon before, had a good relax, maybe hooked up with pals and then been as fresh as a daisy for the conference. That didn't happen.
The day before was my daughter's birthday, so I wanted to be at home, all day for that. So, that's what I did. And then went to bed at around 21:00.
On the morning of the conference, I rose from my pit at 04:00, in order to be ready for a taxi to arrive at 05:00 and ship me into Manchester in time to get a 06:10 train to Euston.
This all went perfectly smoothly, until I got on the train, or rather until some other person got on the train.
I had a pre-booked seat, in the 'quiet carriage' which means passengers should be QUIET! To the bloke sat a seat or two down from me however, it meant swear constantly because the train internet was unreliable (obvs!) and then mash the hell out of his laptop keyboard for practically the entire journey.
Any thoughts I had of grabbing some sleep on the way down to London were decimated, by this complete tool.
I was sorely tempted to make his laptop disappear forever, but I'm a nice bloke.
Anyway, at roughly 08:20 we finally rocked into Euston. I had to be at the ILEC conference centre (think Earl's Court, if you're local) for 09:00 and wasn't convinced the tube would get me there. I don't know why I was worrying about being punctual, as there were people still registering their attendance towards lunchtime! Old habits, I suppose.
For this reason I took a cab, taxi or Hackney Carriage.
"Grenfell Tower over there, mate!"
For anyone reading this that isn't aware, Grenfell Tower is the site of a tragic tower block fire in 2017, causing the deaths of a significant number of people. Looking at it as we chugged along and then came off the Westway was particularly haunting. At that moment I realised any nervousness ahead of standing up and speaking in front of a bunch of strangers was of no consequence whatsoever.
I don't actually know what fear is or feels like.
Just get on with it.
The taxi driver got me to the ILEC conference centre at just after 09:00 and I went in. This was a seminal moment for me, as I received an obligatory swag bag with a lanyard and t-shirt in it that both said 'Speaker'. Because I was. I got the same goodies from BSides Scotland, but never spoke. In London, I was up, my name on a schedule, on TVs displayed in the venue and all that. But I still wasn't feeling any nerves. It had started to mystify me.
I was also in the book!
Also, I did OK for swag, as it goes:
First up in terms of talks was the opening keynote, delivered in typically awesome fashion by Mikko Hyppönen. Mikko is a seasoned, very respected (and very witty!) information security professional and delivered a talk around the current state of the internet. Needless to say the room was packed and indeed needed an overspill room with his talk streamed to allow everyone at the conference to see it.
It was a great start. Kicking off the day with someone held in such high regard by most in the industry was a masterstroke by the organisers.
Next up I sat in a talk delivered by David Chismon of MWR Security (recently acquired by Mikko's firm F-Secure), with his talk looking at how to assemble effective security teams within the enterprise. As David attested, it isn't easy and you are likely to get it wrong many, many times before you get it right. But, the message was to persevere. If something doesn't work, try something else and keep iterating this until you get the tuning that fits.
I ran (insofar as a middle-aged fat bloke can) from David's talk to catch the second half of Sophia McCall giving her experience of going from N00b to 1337, in terms of getting into the industry, through basic passion, enthusiasm and taking as many opportunities as are presented. It was a signal lesson to anyone wishing to get involved, that it's entirely possible, if you really want to do it. Phil Kimpton talks about this in his various testimonies.
Lunch. It was OK. :)
Oh, but hang on! One of the founders of the Security BSides movement is Jack Daniel. An amazing man with an equally amazing set of stories. It'd be great if he made an appearance, wouldn't it?
And so he did. It was a privilege to shake his hand.
Something, something oh my talk is coming up soon...
I felt in really good company, as my own talk followed Andy Gill's, in the same room. I've seen Andy at all of the BSides conferences he's delivered talks at over the last year and as a fellow Scot (he's got the accent, I haven't), I really enjoy his candour, delivery and the quality of his content.
This time, he was talking about getting into the industry. Tips, tricks, dos, don'ts and all that. As I've said before in previous posts, there are guidelines for getting into the information security game, just like there are in any other industry.
Anyway, we both piled up to the room to check it out and then noticed something wasn't right.
No filming equipment. No audio equipment.
"Is the talk no getting filmed?" - Andy
"Erm, I don't think so. Let me check" - The Goon (a term regularly and affectionately used for conference helpers)
For context, the talks should have been filmed, we signed up for that and the fact they were getting filmed was publicised in the conference programme. But they weren't.
Andy was disappointed, for (I think) two reasons. Firstly he has a project to deliver a different talk at each BSides he attends in 2018, so it would have been ace to have evidence of that and secondly, he said himself that people around the world were looking forward to seeing it. He recorded his talk on his phone, so we may well see a bootleg video appear in due course. Who knows.
For me, I was disappointed because it was my first talk and it would have been awesome to have been able to share it, full stop. It took the shine off to begin with, but in the end it didn't matter to me.
Having quickly offloaded the issue that the talk wasn't to be recorded, I focussed on actually giving it. That's why I was there after all.
With Andy clearing off, I set up. At that moment, there were eight people in the room and the same eight people were there when I went to work.
Doesn't matter. This is a first for me and eight people are better than no people.
"Hi everyone and thank you for coming"
As that statement hit the air, the door at the back of the room opened and more people filed in. This continued.
I wasn't really paying attention to the numbers, but as it happened the eventual attendance turned out to be nearly 60 people.
The talk went great. I felt in control, I felt I knew my subject matter, I felt like I was using my slides as a framework, but my narrative as the killer. It just felt superb.
My talk was scheduled to last 30 minutes and it near enough did, but as it was the last in the track, it could have gone on for the rest of the day and indeed I spent another 15 minutes answering questions from the attendees, before I finally ran out of steam.
Oh, by the way, I talked about Web Application Firewalls...
Here are the slides!
... and there were plenty of people in the room that know all about those. One of those was Sam Stepanyan, OWASP London chapter leader and someone whom I've known for a while and have a great deal of respect for. He had a few opinions on my slide deck :)
At the end, Sam came and complimented me on my talk, which made me feel great. In his words "It was one of the best talks on WAF I've seen, because you didn't just talk about why WAFs are good, you described how you've done it".
Brilliant feedback and a real confidence injection.
Had Sam been the only audience member (I'm delighted he wasn't!) then I'd have been OK with that, as impressing him was a bit of a feat, to say the least.
After my talk, I was exhausted. The 04:00 start, the energy spent coiling up to and eventually giving my talk and then the thought of my train journey home just made me want to literally run away.
So, that's what I did. I hot footed to West Brompton tube stop, took the rickety carriage to Victoria, swapped to another rickety carriage to Euston and then took the Virgin Pendolino back to Manchester.
Beaming from ear to ear all the way home.
I'd done it. I'd gone from punter to speaker inside a year and what's more the things I had to say had validity and hopefully helped others. That's my mission.
Hang On! What About The Nerves?
I mentioned that I had a lack of nerves ahead of giving my talk and here's my take on why.
I've been determined to give a talk at a conference since well before the end of last year, so my main focus was on both getting one accepted and then getting a subject nailed.
I've sat through many MANY talks delivered by people whom I now consider friends and thought "I can do that".
The taxi driver pointing out Grenfell Tower to me on the way to the venue really put all of my life's nonsense into sharp perspective.
Finally, I feel at ease in the community that I belong to and for that I thank everyone that has made me feel like that.
P.S. As the videos of the conference emerge online, I'll drop them into this post.
P.P.S. Won't include mine.
P.P.P.S. Or Andy's