It will come as no surprise that I think everyone in this field should share their knowledge. There are many ways to do this, and one great way is to speak at an infosec conference. You help others out while also making a name for yourself and meeting others in the community, all of which can be enormously helpful for your career.
I’ve heard many people say “well, I’m not an expert, so I shouldn’t give a talk” — throw that thinking out the door right now! Sometimes newbies have the most valuable perspectives because they give a fresh take on a topic. Even if a topic has been presented before, you might have a new way of thinking about it or presenting it.
In particular, I want to encourage women and under-represented minorities to submit proposals to conferences. When I’ve been on conference review boards, I know I and many other board members have desperately wanted to accept more diverse speakers (in every sense of the word “diverse”) who submitted great proposals — but if you don’t submit, we can’t accept you to speak!
It’s easy to say “submit to a conference,” but it’s tougher to actually do it. I wanted to share a rough process I’d recommend following as you craft a proposal. Many others have shared proposal-writing tips, so please check out those resources, which I’ve linked at the end. Since I found mostly tips out there, I wanted to write this about a soup-to-nuts process because I know doing this can be intimidating for someone starting out. Of course, your mileage may vary, and you might find a different process works for you.
0. & 1. Find an event and think of a topic.
You can find out about conferences to submit to from social media, from your friends or coworkers, or from a site like CFPtime.org. If it’s your first time speaking, you could choose a smaller conference like BSides, but if you want to submit to a larger conference like Black Hat or DEF CON, go for it!!! Some conferences have tracks for new speakers and offer coaching/mentoring. Take a look at location and what benefits the conference offers — many offer a free ticket for accepted speakers, and a few pay for travel as well.
You might think of a topic before you choose an event, and if so, be sure your topic is appropriate for the event (which you’ll confirm when you do your research in step 2). Good conference topics often come from your struggles, experience, or debates. If you’re just starting out in the field, you might consider a talk about your experiences getting started/learning a new topic. You could also discuss a problem you’ve seen and suggest a solution, or examine a widely-held belief you think is wrong and propose an alternate way of thinking. Another way to think of a topic can be to look at last year’s conference agenda or existing research and ask yourself what’s missing — what do you think should be part of the conversation that no one has presented?
As you decide you want to submit a proposal, this is also a good time to let your employer or school know of your plans so you can check on any policies they have. You should also let your team and leadership know so you can get their support.
2. Do your homework.
This is a fundamental step that I think many people miss, but if you skip it, I believe your odds of getting accepted are lower. You need to thoroughly research both the event you’re submitting to and the topic. Here are some questions to consider as you do this research.
- Who is the target audience for this event? Who has attended in the past? This is key to make sure your proposal will resonate. I’ve been on review boards where we’ve loved a proposal, but it wasn’t right for the conference. If it’s a red team conference, don’t submit a defense talk unless there’s a red team aspect to it. Sources might include the conference website, social media from the previous year, and talking to organizers/community members who have attended. This leads directly into the second question…
- What topics are the organizers interested in having at the event this year? What topics have previously been presented at the event? These are also key questions to answer to make sure your talk will resonate. The organizers often tell you what topics they’re interested in directly in the Call for Papers/Call for Proposals (CFP). However, don’t take this as gospel — if you have a topic that is in line with the general theme but not listed, it still may be a good fit! You can try reaching out to the organizers to ask if you’re not sure. You should also look at the conference website from previous years to give you a sense of what’s been previously presented, since this will give you a clue about whether yours might fit. Looking at past abstracts also tells you the level of detail and type of language the review board is looking for. (Is it formal/academic or is it more informal/conversational?) If you find someone has talked about your planned topic in a previous year, don’t sweat it, but be sure to have a different take— you can even propose a talk that will build on it! (For an example of this, check out Mark Parsons’ 2017 SANS CTI Summit talk and then Dave Herrald and Ryan Kovar’s 2018 SANS CTI Summit talk.)
- What other talks, papers, and blogs have been put out on your topic? Do your research about what else has been written and said on your topic beyond the conference you’re submitting to. You can’t read everything, but spend a few minutes Googling and taking a look at other conference pages and YouTube. Again, just because someone else has discussed it doesn’t mean you can’t, but you need to be aware of what’s out there so you can provide your take. You should think about the unique perspective you have, and be sure to express that as you start thinking and writing. Be sure to reference others’ work if you use it! Many review boards love when you take another researcher’s work and build upon it — it’s a great demonstration of the power of sharing our thoughts as a community.
3. Start writing some words…any words.
The thought of writing a proposal can be so daunting that you get writer’s block and psych yourself out before you even start. My advice is to just start writing something. Don’t worry about the language you use or if it makes sense. Just write, however it’s easiest for you to do this — a bulleted list, free text, on a whiteboard, in Notepad — whatever. If you struggle to write anything at all, try finding a friend or colleague to talk things out with first, then write down what you discussed. You could also try the “rubber ducky method” and talk it out with your four-legged friend or a rubber ducky…whatever floats your boat. (#FUZZYSNUGGLYDUCK)
4. Organize your thoughts into an outline.
Now you have a mess of written stuff. Start to organize it into a coherent outline and flesh out your ideas. Take a look at what format the CFP asks for — some even provide a sample submission, and if they do, use that to start organizing! Many conferences ask for a title, abstract (usually a paragraph or two), and outline (usually a page or two), but some are different, so be sure to check. I recommend copying the specified format into a Word/text/Google doc and editing there so you don’t lose your precious work due to a buggy proposal system. Even if your CFP doesn’t require an outline, I recommend creating one since it will help you organize what you want to say. Plus, if you’re accepted, Future You will be eternally grateful to Past You for getting a jump start on the work.
As Scott J Roberts writes, a good presentation will generally have three parts: an introduction, body, and conclusion. You could start with those three headings on your blank document to help you. Your outline can be phrases, sentences, or bullet points, but be sure to mimic any example outline the organizers provide.
Introduction: From your brainstormed mess of words, think about your key theme or thesis. If you had to describe the point of your talk (what you want someone to walk away knowing), what would it be? Once you have that down, consider what kind of introduction, definitions, or “stage-setting” you might need — this is where your research into the audience comes into play. If it’s a general infosec conference and you’re talking about reverse engineering (RE) malware, maybe you need a quick slide or two to define terms. But if you’re at an RE conference, you should probably skip that. You should almost always state the problem you’re trying to address with your presentation to help your audience understand why they should listen to you.
Body: After you’ve figured out your introduction, consider what supporting examples, information, or evidence you have for that main thesis. Think about a logical way to divide the presentation — do you have three different examples you’ll cover in depth? Do you have 10 pieces of evidence you’ll cover more quickly? Each presentation is different, but having a clear structure for the “body” of your presentation will help you create your presentation and the audience follow it more easily. For each of your “parts,” consider how you can create a parallel construction. (For example, if I’m talking about three threat groups, maybe I cover the four vertices of the Diamond Model for each of them.)
Conclusion: You’ll want to re-state your key point from your introduction as well as list the takeaways for the audience. You may also want to include future research or “what’s next” in this section.
If you have the time, it’s a good idea to start drafting up some slides of your actual content. (Scott’s blog post might help you there as well. Yes, I’m a huge fan of that post and Scott in general!) What might happen is that you find what you thought your presentation would be about is all wrong and you want to submit something else. (This has happened to me after I’ve submitted a proposal…oops…)
You can have the best technical content ever, but if you don’t organize it and communicate it in a way that the review committee (and audience) understands, it’s tough to have a successful presentation. Take some time to think through your talk flow as you craft a proposal, and it will pay off for you later.
5. Write a title and abstract.
Now that you have an outline, write the title and abstract. This may seem backward, but I’ve found if I start with the title or abstract, I realize as I’m writing the outline that I actually want to talk about something different. If you’re short on time and the conference doesn’t require an outline, you can skip that step, but I think your results will be best if you put in the extra work to create an outline.
Writing clever titles is the toughest part of this process for me, and I lean on my friends who are awesome at this for help (take a wild guess who came up with the title for my joint talk with Ryan Kovar at Black Hat). You may want to avoid cliches like “For Fun and Profit” since committees have seen them a ton. I personally like multi-part titles with “Something Clever: Something Straightforward,” but everyone is different. Remember you don’t need a clever title…you can just write what you’ll talk about. Lean heavily on your thesis/key point to help you craft an appropriate title.
Abstracts can also be tough to write. They should briefly summarize your talk while clearly communicating your key points. You might consider starting out with a “hook” that draws the reader’s attention or provides a statement of the problem (e.g. “You might have heard about FUZZYSNUGGLYDUCK, but what is it, really?” or “Ducks are everywhere, but are they always fuzzy and snuggly? This talk will reveal the answer.”) Make sure to include your thesis and key points — if you have trouble stating these, go back to your rubber ducky and tell him why he should be excited about your talk. I also like to explicitly state what attendees should expect to learn since this helps reviewers know your presentation will be of interest to their audience.
As you’re writing your abstract, be sure to review the past conference page to see the length and tone past abstracts have had. If you’re submitting to an academic conference, your tone will be very different than if you’re submitting to BSides, a SANS Summit, or DEF CON — and similarly, if you’re submitting to one of those and write a dense academic abstract, you may be overlooked.
6. Fill in the rest of the proposal fields.
Many CFPs ask for your title, company, Twitter handle, LinkedIn profile, website/blog, videos of you speaking, headshot, and bio. Make sure to have these things ready rather than getting caught without them at the last minute. If you don’t have a professional headshot, you can sometimes get these for free at events, or ask a friend to take one of you against a white background while wearing professional attire. When writing your bio, it’s okay to show off a little (especially if you’re humble)— you may want to include educational background, work history, previous speaking experience, awards, and hobbies. It’s fine to list a team/company blog that you contribute to, but it’s also okay if you don’t have a blog or video to link to.
CFPs often ask if you’ve given the talk previously. Be honest! My opinion is it’s fine to repeat a talk, especially if you’ve spent a lot of time on the research — different events reach different audiences. You should always be up front about this. If you plan to make updates to your talk, you can mention that.
7. Review and edit.
Sleep on your proposal for a day or two if you can, and come back to it with a fresh set of eyes. Make edits and refine it. Have a friend or coworker review it for you and make suggestions — what you intended to communicate may not be what they understand when reading it. SPELLCHECK IT. SERIOUSLY. (This sounds simple, but so many people don’t do it!) In particular, make sure you spell the name of the conference correctly. (Is it Shmoocon or Schmoocon…Defcon or DEF CON…?) As a reviewer, if I can tell someone didn’t spend much time on their proposal, it gives me no confidence they will spend time to make a good presentation.
8. Submit it and wait!
Make sure to submit it on time — if you’re not sure of the closing time (or time zone), ask the organizers. Most CFP systems will provide a confirmation email that you submitted. Conferences vary in how long it takes to get back to you, and it’s usually between weeks and months. If they have posted a date when they will let speakers know, it’s okay to ask about your status if that date has passed (but be nice if they need extra time to decide, particularly since many conferences have volunteer review boards).
If you aren’t accepted, don’t get discouraged! There are many, many infosec conferences out there, and you can submit to another one. (After all, you’ve already done the work to put your amazing proposal together!) Keep your head up and keep trying! I was rejected for the first conference I ever submitted to, but have been accepted at many since then. If you’re rejected, you can ask the committee for feedback if they don’t provide it. Some committees may not provide feedback, but it doesn’t hurt to politely ask.
If you’re accepted, congratulations!!! Now comes the real work: making your presentation. :) But that’s a topic for another day.
There are many other great resources on tips for submitting CFPs, and I’ve linked a few of them here.
Giving A Talk in InfoSec
We all needed this page at one point. Or more. I know I did and thank you to the people in our community who had stuff…
So You Want to Speak at a Security Conference?
After performing research at the end of 2014 on Microsoft enterprise security, specifically Active Directory, I…
So you want to present...
I've been attending InfoSec conferences since DEF CON 2, in 1994. Add up all the conferences I have been to, and all…
The Building Blocks of Infosec CFPs
Between gearing up to co-chair CircleCityCon's CFP, and working on a panel submission with a couple of first-time CFP…
DEF CON® Hacking Conference - Speaker's Corner
Check this page for short stories, talk teasers, technical info and words of wisdom from our DEF CON speakers Past &…
The author’s affiliation with The MITRE Corporation is provided for identification purposes only and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.