New Year wish list of an Infosec Conference Content Reviewer
(The following post is an expansion of a tweetstorm I made on 12Dec17)
I’m currently reviewing CFP submissions for @artintoscience, @KasperskySAS, and @OPCDE. I’m also on the content review board for @BlackHatEvents. While as a speaker you may submit a couple talks to any given conference, I and my fellow reviewers read an average of 100–200 submissions per event. Each review takes 5–10 minutes to read, rate, and comment on. That is an 8 to 30+ hour time commitment by each reviewer, and most conferences have between 10 and 30 reviewers. My wish list below is intended to help potential speakers maximize their positive impact on the review board and increase their odds of acceptance.
The following tweetstorm is my personal New Year’s wish (s/wish/plea) for all content submitters in 2018.
1/9 Define every acronym the first time you use it in an abstract.
expansion: No, you don’t have to spell out TCP/IP. Content reviewers for infosec conferences are computer security professionals. They just aren't all experts in YOUR field of research. Unless you can claim to know every acronym ever in the field of infosec, throw the reviewers a bone and help them quickly parse your abstract so they’re focused on what you offer the audience, not looking up specialized acronym definitions.
2a/9 Write a complete abstract that highlights 1. what you’re going to cover 2. what is new or interesting about it 3. what the audience walks away with the ability to implement as a result of attending. The number of vague half-assed abstracts I see is staggering.
2b/9 PROOFREAD YOUR SUBMISSION. Get a friend to proofread it too. If you have grammatical or spelling errors in your talk submission or your abstract is hard to understand, the content review board has no reason to think your actual presentation will be any better.
expansion: I’m not conflating grammar/spelling errors and “your abstract is hard to understand”. I said or, not and. :) Also, I’m not talking about speakers for which the language of the event is not their native language, content review boards are overall very understanding of translation issues and some conferences will even provide translation services at the event. What I’m referring to here are super lazy submissions that the author clearly didn’t put much effort into (and seriously, you would be stunned at what we see). Sure, the content board could send the author a message and ask them to fill in the assumptive gaps (and some do, its case-by-case here), but time is a finite resource and there are often another hundred abstracts still in the queue. If you want to maximize the chances that your talk gets accepted, understand that the authors who take the time to submit a complete and well thought out abstract earn more content reviewer time than the authors that don’t.
3a/9 Know your audience. Don’t submit an entry level talk to an advanced/expert event. And for the love of $DEITY, lay off the product/company pitches. I don’t know a single Content Review Board that accepts those. In most cases its automatic reject if a whiff of pitch is sensed.
3b/9 Know your audience part 2: Don’t submit a non-technical talk to a technical conference. “How to effectively hire pen testers” is certainly valuable content but not appropriate for a technical con (unless they have a career management track).
expansion: It is hard to give an example of how not to sound pitchy without someone somewhere thinking I’m calling them out. Instead, I’ll give an example of how I’ve made sure my talks don’t sound pitchy. 1/3
When I was at Bugcrowd, if I was giving a bug bounty talk I made sure to include data, case studies, and best practices from MANY companies including Bugcrowd so it didn’t come off as a sales pitch. And I made it super clear in the abstract that I was taking this approach. 2/3
Ask yourself what is your purpose in being there? Are you teaching the audience something that you as a speaker are a subject matter in, or are you marketing your company/services? Conferences want attendee value first & foremost in talks. The Expo floor is for marketing. 3/3
Another perspective on pitch talks in the words of @securelyfitz, bold emphasis mine:
Definition that has worked for me: if you have to spend $$ to make use of what you learn, it could be a pitch. If you have to spend $$ with the presenters employer, it definitely is.
4/9 Some conferences only want new content that hasn’t been presented before. If you (or anyone else) has presented already on your topic, make it clear how your presentation is adding to the knowledge base and adding new perspective/insight.
5/9 If your topic is super narrow or specialized (i.e. research on a single IoT product), be sure to include industry comparisons, best practices, or some other key learning for the broader security industry to benefit from.
6/9 Even if a conference doesn’t ask for a presentation outline, providing one will show you’ve thought through your content plan and are prepared to deliver a great talk to event attendees.
expansion: I’m not saying you HAVE to do this, but it generally won’t hurt your case if you provide supporting material the CFP didn’t ask for. You want them to see your vision for the presentation and think “I’d totally attend that talk!”
7/9 Be aware of the presentation time allowed. If a conference has 25 minute talks, don’t submit a talk that takes 50 minutes to cover in any meaningful depth.
8/9 Do you have tools or other practical resources you’ll be freely releasing to attendees? TELL THE CONTENT REVIEW BOARD. That stuff is gold.
9/9 read this post by @RSnake. It applies to more than just @BlackHatEvents submissions (which I also review for.) https://www.whitehatsec.com/blog/how-to-get-accepted-at-blackhat/
expansion: @raistolo presented the following speaker checklist in his Black Hat USA 2017 presentation “Death by a Thousand Abstracts: How (Not) to Get Your Research into Black Hat”. I didn’t link to this in my initial tweetstorm purely because of the second bullet point — some conferences love and welcome nerd jokes in abstracts, and Twitter isn’t a great format for that level of nuance. Ideally you’ve attended the con you’re submitting to at least once and have a feel for the type of event it is and if your nerdy humor is abstract appropriate. (Adding to the nuance: while nerd humor might not be abstract appropriate, it may be totally presentation appropriate! Again, it helps if you’ve been to the con before and know the vibe.)
•Did you review previous research on same subject and explain what is new?
•Did you write your abstract in an appealing way without excess jargon or nerd jokes?
•Did you write an outline that clearly conveys the idea you know what you will be talking about?
•Did you ask someone else to review your submission?
•Did you tell us clearly why we want to have you here?
•Have you removed marketing-type descriptions?
•Have you read all the parts of your submission out loud to ensure you’re making sense?