Speaking Requests


Adam is happy to consider speaking at your event. When speaking to non-profits, universities, or community events by video during the Seattle business day, he's happy to donate time. He's usually happy to join a podcast. For closed events for corporate clients, we’re happy to work with you on an appropriate plan. (Unfortunately, we need to clarify that an appropriate plan with a for-profit firm includes payment, not “exposure” or promises that it may lead to future business.)

We can provide either standard, semi-standard, or customized content. Our standard content is below, and you can get a bio and headshot at about Adam.

From Tacoma Narrows to West Seattle: Lessons from 100 years of Pacific Northwest Bridge Failures

A talk on changes in cybersecurity engineering

The Pacific Northwest has an abundance of bridges, and most of them seem to stand up well over the years, with notable exceptions and problems. What can software learn from them? More importantly, the software world is shifting to more transparency and liability. Transparency is coming not only from the normalization of breach notification and learning from incidents, but also with the newly introduced CSRB. Liability is coming not only as part of the US National Strategy, but from a plethora of more local regulation. What does it mean for appsec practitioners, our employers and the open source projects we work on?

A Fully Trained Jedi, You Are Not

This talk is focused on education, and what we should teach people about security

Abstract: As software organizations try to bring security earlier in the development processes, what can or should regular software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they'll keep building insecure systems. With them, we can have fewer recurring problems that are trivially attackable. (Longer abstract, slides from the first version at Blackhat 2022.)

Threat Modeling Lessons from Star Wars

This is a semi-technical introduction to threat modeling talk, with Star Wars as a hook. The talk is designed to take the audience who thinks they want to threat model from not knowing what that entails to understanding how to do so, avoiding the traps that make it hard.

Abstract: Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.

Threat Modeling in 2022

This is the most technical talk that Adam generally gives.

Abstract: Attacks always get better, so your threat modeling needs to evolve. Learn what's new and important in threat modeling in 2022. Computers that are things are subject to different threats, and systems face new threats from voice cloning and computational propaganda and the growing importance of threats “at the human layer.” Take home actionable ways to ensure your security engineering is up to date.

A Seat at the Table

This non-technical talk has been the keynote at a variety of places, and is focused on the leadership questions of security having a seat at the design table. It covers engineering, soft skills and shifting left.

Abstract:Important technical decisions are often made by a small team, and that team rarely includes security. There are good reasons for that, and it leads to predictable problems. Why doesn't security get a seat at the table? What problems result? What can we do to overcome both?

That was close! Doing science with near misses

This talk and the public health one are big picture talks about the future of how we build secure systems and societies.

Abstract: There's an old joke: "Half my advertising budget is wasted! I wish I knew which half!" Working on defense, it sometimes feels like the advertising folks are lucky. In security, it's hard to explain why some controls are more important than others. That's because we lack evidence for the effectiveness of those controls. This talk presents a concrete road forward after of several years of looking into 'how can we learn more, faster?' so we can get better at defense?

We need a discipline of cyber public health

Abstract: The pandemic has given us unprecedented reason to pay attention to public health, and there are many lessons that information security can take away. Those include how we track and understand problems, how we convince the public to engage with defenses (or fail to), and how public health complements medicine.