Category: presentation

How to Ask Good Questions at RSA

So this week is RSA, and I wanted to offer up some advice on how to engage. I’ve already posted my “BlackHat Best Practices/Survival kit.”

First, if you want to ask great questions, pay attention. There are things more annoying than a question that was answered while the questioner was tweeting, but you still don’t want to be that person.

Second, if you want to ask a good question, ask a question that you think others will want to hear answered. If your question is narrow, go up to the speaker afterwards.

Now, there are some generic best practice questions that I love to ask, and want to encourage you to ask.

  • You claimed “X”, but didn’t explain why. Could you briefly cover your methodology and data for that claim?
  • You said “X” is a best practice. Can you cover what practices you would cut to ensure there’s resources available to do “X”?
  • You said “if you get breached, you’ll go out of business.” Last year, 2600 companies announced data breaches. How many of them are out of business?
  • You said that “X” dramatically increased your organization’s security. Since we live in an era of ‘assume breach’, can I assume that your organization is now committed to publishing details of any breaches that happen despite X?

I’m sure there are other good questions. Please share your favorites, and I’ll try for a new post tomorrow.

New School of Information Security Book Reading at Ada's

Last Sunday, I did a book reading at Ada’s Technical Books. As I say in the video, I was excited because while I’ve talked about the New School, and I’ve given talks about the New School, I hadn’t done a book reading, in part because of the nature of the book, and my personal comfort zone in promotional activity. Since Ada’s is just getting started on taking video, the quality of the recording isn’t super-high, but the conversation afterwards is great stuff.

Adam Shostack at Ada’s Technical Books from Ada's Technical Books on Vimeo.

Thanks to Danielle for inviting me, and I’d be happy to do more readings in the future.

Pie charts are not always wrong

In a comment, Wade says “I’ll be the contrarian here and take the position that using pie charts is not always bad.” And he’s right. Pie charts are not always bad. There are times when they’re ok. As Wade says “If you have 3-4 datapoints, a pie can effectively convey what one is intending to present.” Which is true. But in every case I’ve seen, those situations are as well served with a small bar graph.

What’s the least contrived situation in which a pie chart is better than a bar graph or table? (Pac man and pies are two obvious examples.)

The Visual Display of Quantitative Information

In Verizon’s post, “A Comparison of [Verizon’s] DBIR with UK breach report,” we see:


Quick: which is larger, the grey slice on top, or the grey slice on the bottom? And ought grey be used for “sophisticated” or “moderate”?

I’m confident that both organizations are focused on accurate reporting. I am optimistic that this small example of the utility of pie charts will inform report writers. The report writers and their graphics departments, loving their customers, will move to bar charts to help them compare numbers between sources.

I’m confident that not using pie charts is a best practice.

Elsewhere: “The only time it makes sense to use a pie chart.”

And elsewhere: “The Visual Display of Quantitative Information, 2nd edition”

Ooops! and Ooops again!

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe:


Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?”

It appears that I’m going to have to update my commentary. Thanks, Brett!

[And thanks Scott–I misspelt orrery, now corrected.]