Call for Papers: The Inside Track
Get advice from organisers and reviewers of cyber security conferences on how to write winning conference submissions.
I enjoy speaking at conferences, and my career has benefitted from it. I have gone from being a pretty nervous public speaker, to one who barely notices nerves in the lead up to a talk, even when stepping on stage to speak to thousands of people. I often have conversations with people who say they would love to do the same, but for one reason or another, haven’t made the leap to giving their first talk. I have encouraged some of those people to make the jump and they have all gone on to get the ‘speaking bug’.
So, I recently did a Twitter poll, asking why people who want to speak at conferences don’t go on to do so. With over 6,000 votes, the poll had a much greater response than I expected, which indicates that there is a great desire among people to speak at conferences, but a variety of factors get in their way.
Now, I’m not saying that everyone should speak at conferences, but if you want to, then let’s try to make it happen. There are so many events and conferences out there, from small local get-togethers to huge conferences that draw international audiences, so finding the right place for your first talk is the first step. Remember that lots of the established conferences, like BSides, usually have rookie and lightning tracks that are a great first stepping-stone for new speakers.
Returning to the poll for a minute, the four options I gave as answers were based on the reasons most people have given me for not speaking at conferences. It’s frustrating that you can only provide four poll answers on Twitter, as I had to omit two other pretty likely reasons for not speaking at conferences: employers that don’t allow it and your submission to the call for papers not being accepted. For people who are submitting to conferences and not having their submission accepted, or who don’t know where to start with a CFP, I’ve asked organisers and reviewers of some fantastic cyber security conferences for their advice on writing a submission.
Advice From Conference Organisers:
Black Hat Review Board
Biggest advice I can give anyone is to stop, read and think 'does this make sense? does it articulate what I'm trying to say?'
Too often I see submissions that have been submitted without being QA'd by a colleague/friend/loved one. If you look at any large conference, the number of submissions is often high, so you need your submission to be as clear as possible about what it is you are going to present, why this excites the hell out of you and why it should excite everyone else, and also give a sense to the review board that you've taken effort in creating the submission.
Loved ones can be brutal, especially those not in this field. Ask them to read it and honestly reply back if they understood it. If they didn't, then you know you need to work on it. I'm more than happy to help anyone get their submission ready, you just need to ask.
- Focus on the meat of your talk. Far too often submissions try to be fun / catchy with a cool title and lots of fancy ‘cyber bingo’ words in the submission. Instead, focus on the value. What are people going to learn from your talk? What will they be able to do differently as a result? How will they be able to apply your lessons learned? The more value your talk provides, the more likely you will be accepted.
- People love real world stories, both success and failure. Academic theory is great, but the best talks have real world stories to back-up their lessons learned.
Managing Director, DeepSec GmbH
- Everything you submit must be ready for publication
- Make sure the title expresses what you want to say.
- Mark any content intended for organisers only appropriately
- Provide a small and larger abstract - text-only, no formatting
- Make sure a wide(r) audience can understand what the point of the presentation is
- It’s not a film production. Don’t add special effects and show. Facts and didactics plus some training on presentation will do nicely.
Check out more of René’s advice here.
Well, there’s always the standard recommendations: describe the problem/challenge, your approach, your solution and alternatives that might exist. Key takeaways from your talk will be XYZ-something. Then there’s the standard recommendation of presenting real-world scenarios, obviously something you’ve experienced yourself, instead of pure hypothetical work. Depending on the type of conference of course.
Previous talks/cons you’ve done, feedback received, links to online slides/recordings can be a plus, but don’t overdo it. Then there’s the fact most cons ask for original content. It’s almost as if they want all 0-days in every single talk. Such talks may be cool & impressive, but if the problem described has already been fixed with a patch, it is nothing but a «LOOK AT ME I AM SO L33T!» talk, promoting your own value & services. So I am fond of talks that describe problems and challenges that look at the root causes, and try to do something about them (which is why I do PasswordsCon).
Main thing I see when I review — the biggest sin is not explaining what the purpose of the talk is and what the takeaways are.
The reviewers won’t necessarily read your talk (you might not have written it yet!) but they need to see that you understand this.
Also submit early. That helps a lot :)
For more information on how to get a submission accepted at 44CON, there is a great blog post here.
Atlantic Security Conference Board Member
For me, when looking at submissions, I look for topics that I think would be relevant for our community. I always want to bring content that I feel our local community will find relevant and useful. My suggestion would be to research and understand your target audience and try to present something they will want to spend time viewing.
Co-founder of SteelCon
Submit something interesting regardless of the technical level. If I had the choice of fun to listen to or highly technical I'd go for the fun talk most of the time. People want to be entertained. Think of the audience, if it is a general, all welcome conference, then a general talk that most people will want to watch will get more bums on seats than something very specialised which may show off a super cool technique but will leave most people stood around in the lobby waiting for the next talk.
Thank you to all of the organisers above, who have provided an insight into what they see, and what they’re looking for. The three top tips, which I have pulled out from all of the comments above, are:
1. Put yourself in the audience’s shoes: what fits this conference and what will people enjoy listening to? Try to appeal to a wide audience
2. Don’t worry too much about being l33t; by no means do you need to be dropping 0 days to give a good talk
3. Spend time clearly articulating what your talk is about and, crucially, what the audience will take away from it; check with friends and family that what you have written makes sense
While I have pulled out these three general pointers, the various comments above show that individual conferences have different approaches and priorities. So, look at the conference you are interested in speaking at, and consider what you can offer that will be of particular interest to them. Check out their previous talks, read their website to see what they are looking for and even try reaching out to the organisers if you have specific questions or want some guidance.
A final piece of advice is to look to your local infosec meet-ups as a great place to give your first talk, or to test out a new talk and get some honest feedback. There are so many DC groups all over the world, and you will generally find a friendly and welcoming group of people who will be happy to listen to whatever you want to talk about and give you feedback.