Author: Tracy Z Maleef
Congratulations! You’ve decided to reach beyond your comfort zone and give a presentation outside of the hacker community. Mazel tov!
Libraries, public libraries in particular, are often underfunded and the librarians who work there are likely overworked and underpaid. It’s not unusual for public librarians to take on responsibilities akin to being a social worker, a tax form consultant, and maybe even a therapist. Communities can rely on librarians for things beyond the scope of their jobs. Let’s not make Information Security one more thing to be a burden. Give an InfoSec talk at a library to help educate and empower them.
This is the first in a series of instructions and tips on how to present a basic “Information Security 101” type of talk at a library. What are my qualifications to give this advice? I have a Master of Library & Information Science degree from the University of Pittsburgh. I worked as a librarian for about 15 years in a variety of settings. I was an active member of the Special Libraries Association, ultimately named a Fellow of that organization in 2015. Ever since I made my career transition into Information Security, I have given a variety of InfoSec instruction talks at libraries in the U.S. and abroad. I was originally the LibrarySherpa, and I’m now the InfoSecSherpa, let me be your guide up a mountain of information to presenting security topics in a library!
Preparation steps:
Strategy. Decide if you want to present to librarians or to the library patrons. The difference is that a presentation to librarians should include workplace types of instruction and tips. A presentation to library patrons would be more consumer, personal types of security.
Contact a library. You could contact the Library Director directly, or perhaps strike up a conversation with the reference librarian who is on duty when you visit the library. Keep in mind that these people are very busy. Consider the onus to be on you to provide information about yourself, your presentation, and basically sell yourself to them. Why? Again, they are very busy people. Just be courteous and ask to email your proposal and information to the person in charge of library event planning. Having some sort of personal recognition or an introduction can help expedite this process. For example, I am a frequent user of my local library, so I just had to tell them that I had some ideas in mind for Information Security sessions and how may I help. If someone you know can make an introduction for you, that will help. Remember that the outside world may find the concept of hacker handles scary, so keep that in mind if you are practicing OpSec and don’t give the librarians your real name. That might be off-putting to them. Feel out the situation.
Patience. Many libraries have their events planned far ahead, six months or more. May or June is a good time to propose Cyber Security Awareness Month talks for them in October. If a library can accommodate you sooner, great! Just go into this knowing that they may not be able to fit you in immediately. Also, patience for them to get back to you to confirm your involvement. Again, they are busy and also may have to clear programming with a Trustees group, library board, or Friends of the Library group. They may have some background work to do to get approval for your talk. It depends on the library.
Audience focus. So, now you’ve introduced yourself to the library director and have a date for your talk on their calendar. If you agreed to do a talk for librarians and library staff, try to get an understanding of the tech knowledge level of those people. Without being intrusive, see if you can scope out what their network situation is. This can be a simple question to a library director like, “Do you have an on-site IT person, or is your IT outsourced?” If they have an IT person on-site, talk to them to ask what specific problems or concerns they have. In the case of my local library, the children’s librarian is the most tech savvy on staff, so I met with her separately to prepare for my talk. If you want to speak to a niche group specifically like senior citizens, parents, children, differently-abled, etc., make sure you are skilled in the security concerns to those groups. Special note: if you will be speaking exclusively to children, some U.S. states may require that you have a special legal clearance to give that talk. The library will know for certain and ask them. Each state varies, so be sure to check if giving a children-only security talk.
Pivot. Be prepared to make more basic or more advanced explanations on the fly while presenting. You may find that the group is more tech savvy than you realized, or that there are more knowledge gaps than what you were expecting. Don’t get rattled. Don’t get exasperated. Just adjust. A helpful way to explain things more simply is through storytelling with analogies. Jessy Irwin, for example, has a great story to explain an 0-day to a non-technical audience using a tale about a house of bricks. She tells it beautiful and gets the point across.
Takeaways. It’s a good idea to create a slide deck or supplemental material that people can take home with them. Whether that’s a Power Point with a lot of links and resources, or some other print material that you craft, this will be overwhelming information for a lot of people. Make sure they retain it by having your presentation double as a learning guide after you leave.
Swag. People love swag — Stuff We All Get. I do my best to gather up swag from InfoSec conferences and vendors for my talks at libraries. Both the librarians and the patrons love it. Camera covers, t-shirts, stickers, everything. Plus, they usually have cool logs that are unfamiliar to them and they love it. You don’t have to do this, but it’s just a tip to get people with warm fuzzies about your talk.
NO FUD. I cannot express this seriously enough. DO NOT SCARE THESE PEOPLE. Yes, these are very serious things we talk about, but find a way to give them instruction in a way that it EMPOWERS them to defend themselves or troubleshoot. EMPOWER THEM.
Follow-up, or don’t. One of the reasons I hear from people who don’t want to give InfoSec 101 talks to the public is the fear that people will forever bug them with follow-up questions. That’s a fair concern. If your agreement is with the library to speak to the librarians, make it clear in your written and/or verbal agreement that you are available for one (1) follow-up of 15 minutes OR that your talk concludes your involvement. This is where having good takeaway handouts are key; they can answer questions people may have. It’s up to you if you want to provide follow up or not. Nobody will think ill of you for NOT following up. They get that this is a volunteer gig. Just set expectations ahead of time. If your talk is to patrons, give little to no contact information — whatever you are comfortable with. I didn’t want patrons contacting me, so I didn’t give any and nobody asked, either. I just sent them away with thorough material and safe links to resources.
Payment, or lack thereof. Be clear and up front whether or not you are seeking financial reimbursement to do this kind of talk. Now, keep in mind that most libraries are usually tight on funds. But, some may have a special account for speakers. My recommendation is that you go into this offering your services for free. I had the situation where a library in turn offered me an honorarium, but I turned it down and instead asked that they use that money to purchase cybersecurity books. I gave them a curated list of suggested titles to get them started. That’s different than visiting a local library to give 45 minutes or so of your time. Choose a volunteer opportunity that makes sense for your schedule and budget (meaning, don’t take on something that may cost to travel there, if that’s cost prohibitive for you.) Ultimately, do what’s best for the library, because that’s who this is supporting.
This concludes your preparation tips. Subsequent parts will include specific content tips of what to include in your presentation.
About the Author: Tracy Z. Maleeff, aka InfoSecSherpa, is the principal of Sherpa Intelligence LLC and also currently works as a Senior Cybersecurity Threat Intelligence Analyst. She previously held roles at the Krebs Stamos Group, The New York Times Company, and GlaxoSmithKline. Prior to joining the Information Security field, Tracy worked as a librarian in academic, corporate, and law firm libraries. She holds a Master of Library and Information Science degree from the University of Pittsburgh in addition to undergraduate degrees from both Temple University (magna cum laude) and the Pennsylvania State University. Tracy has been featured in the Tribe of Hackers: Cybersecurity Advice and Tribe of Hackers: Leadership books. Tracy publishes an Information Security & Privacy newsletter at infosecsherpa.medium.com. See https://linktr.ee/infosecsherpa for talks, interviews, and more.