Infosec CFP main

Part one of this post on submitting a knockout CFP proposal focused on following instructions, accuracy, originality, and attention to detail. These are the “basics,” much like security has its basics of maintaining and monitoring logs, access controls, and developing and updating an incident response plan. In part two we’ll delve into four more dos and don’ts—that may be a bit less “Well, duh!”—and help your next CFP submission get noticed…in the right way.

Know Expected Attendee Demographics

Because the security industry holds so many conferences, it’s easy to recycle talks and/or CFP submissions. This only works, though, if the events are similar in nature. Any decent conference will try to carve out its own niche, and every conference attracts a slightly different type of attendee. Some events are focused on product launches, which means you can expect a lot of sales and marketing attendees. Hacker cons attract very technical security practitioners who may not be interested in talking about the business aspects of security that week. There are events geared towards CISOs and other security leaders; conferences programmed for developers; summits for folks focused on compliance and regulations; symposia on containerization and identity, cloud, or mobile. And the list goes on.

Before you submit your talk to a CFP, learn about the conference and tailor your talk to the expected audience. Most event organizations provide demographic information. Read it and use it. If you’re unsure, ask. I’ve read several excellent submissions on topics like “How small- and medium-sized businesses can run an effective security organization,” or “security for startups,” but MISTI events customarily attract attendees from large enterprises. Plenty of other conferences would love to receive these submissions, though.

Regardless of the strength of your submission, if your talk won’t resonate with the audience, programming it is a recipe for failure. Therefore, reviewers won’t take that risk. Become familiar with the expected conference audience and submit an abstract that will be most attractive for that specific situation.

Focus Your Talk around the Lessons Learned or Audience Takeaways

Every presentation, regardless of format or forum, should provide takeaways for the audience. Those takeaways can be advice, recommendations, lessons learned, new data, or action items. Attendees want to gain something during your talk, otherwise, you’re just wasting their time.

We’ve received submissions such as: Title: An Overview of Malvertising. What attendees will learn: 1. What malvertising is. 2. The history of malvertising. 3. What other attendees have learned about malvertising. Or abstracts that read something like, “As a group, we’ll swap stories on the funniest, most bizarre things we’ve seen and heard as security practitioners.”

The review committee can’t determine much from the former type of submission, and the latter is better suited for an informal conversation over drinks or dinner.

CFP reviewers want to be certain that submitters have not only thought about audience takeaways but that the potential presenter can convey her or his ideas in a clear, logical manner and that he or she has the audience’s best interest in mind throughout the entire presentation. How this is expressed in your submission is the biggest indication of what event organizers can expect onsite, so put extra thought and time into the outcomes you will share during your presentation. Generalizations or overly obvious statements won’t catch the committee’s attention.

Demonstrate Your Expertise…Not Your Company’s Product or Service

You know that talk, that one where you expected to hear new research and instead got a thinly veiled product pitch from a speaker whose marketing team insisted she or he add in an “about us” company slide and continually sprinkled references to the company’s product or customer engagement. Infuriating, isn’t it? No one wants to be sold to (that’s why sales people make the big bucks), so when submitting a CFP, even if you work for the best, next-gen, based on machine learning with artificial intelligence, game-changing, disruptive company in the universe, don’t include it in your CFP (and definitely not your talk). Most review boards have reviewed thousands of CFPs in the past and have an eagle eye for spotting potential sales pitches. None shall pass.

We get it: you work for a company that has a product or service to sell. I can say from experience, however, that, without question, vendor representatives who do not try to covertly message the organization’s offerings score better and receive far superior feedback onsite. The tendency to pitch is almost always foreshadowed in the CPF.

The advisory board knows what company you work for and what your job entails (i.e., evangelism)—those are mandatory fields. Instead of smacking us over the head with barely-concealed work references, demonstrate personal intelligence, thoughtfulness, and creativity. 

Present Forward-Looking Topics…or a New Twist on an Old Problem

Many submitters want to present on the hottest topics of the moment. I predict the InfoSec World 2018 CFP will see an influx of proposals on ransomware. Last year it was IoT. Each year brings a new marketing buzzword. If you want to present on a popular topic, be prepared to submit something from a unique perspective. Most conferences can’t risk programming five talks on the same topic unless the ideas and advice about that topic are radically divergent.

Furthermore, what’s trendy may or may not be relevant in 6 or 9 months when the conference takes place. While we don’t expect you to break out your crystal ball and tarot cards, think about the future of security—even beyond the conference dates—and consider the security landscape then, what new techniques or processes might be useful and effective. Don’t shy away from cutting-edge topics or ideas either; if the topic is applicable to the space and you’re passionate about it, even if it’s not de riguer, send it in. Today’s crazy idea could be tomorrow’s new way of managing security.

Don’t forget, too, that despite all the years security professionals have been working on the “security basics,” they’re fundamental for a reason—we’ll always need to attend to them, especially since basic controls are routinely ignored or forgotten, resulting in cybercrime. Because of this, security conferences must program talks on “the basics.” Yet very few submissions on these topics are received in comparison to trendier topics.

Consider a “basics” talk if that’s what you’re passionate about (or have been dealing with yourself), but give it a new twist. Offer a fresh perspective and nuanced point of view. Dare to be different about an old problem and perhaps you’ll help an attendee finally understand why his organization needs a proper asset inventory or why her team must start contracting for penetration tests and running vulnerability scans more than once every few years.

In other words, you do you; submit on whatever topic floats your boat and you’ll increase your chances of acceptance. Passion comes through in a well-written submission. Pick a topic that excites you, be vigilant in crafting an accurate, easy-to-read, interesting proposal, and you’ll be steps ahead of the rest.