After performing research at the end of 2014 on Microsoft enterprise security, specifically Active Directory, I realized that others may be interested in this information – my customers certainly were! So, I decided to submit a talk to the various security conferences and see what happened. I certainly didn’t expect to be accepted at 5 out of 5 of the conferences I submitted to!
- BSides Charm (Baltimore)
- Shakacon (Hawaii)
- Black Hat USA 2015 (Las Vegas)
- DEF CON 23 (Las Vegas)
- DerbyCon (Kentucky)
This post is my attempt to note the approaches that worked for me, and share with others the key items involved in my talk being accepted. By no means do I think I have struck on some sort of magic “formula” that ensures success, but I do want to share some important items that reviewers will look for and appreciate.
How did I get accepted to speak?
I think it was a combination of the following:
- Compelling, relevant, & current material
- Well-written CFP response submitted soon after the CFP opened (the earlier the better).
- Matching content to the conference focus (if a conference focuses on new content and you are submitting a version 2 of your talk, it’s likely you won’t be accepted).
Note: I have been rejected to speak at conferences since speaking at Black Hat & DEF CON. Don’t think that speaking at one conference means you will speak at others. Again, I don’t have the special CFP formula for acceptance. I just want to help others with the CFP process. Good CFP responses tend to get accepted and speaker slots are limited, so take the time to develop a really great response!
If you have tips and/or other information helpful for those going through the CFP process, please send them my way. Special thanks to Jericho (@attritionorg) for his input (any mistakes are mine alone).
Speaking at a conference is a lot of work before getting on stage
Putting together a good CFP response takes hours and should involve reviews by friends and colleagues. If and when you get the “yes,” that’s when more work is involved. Assuming you have written a detailed outline of your presentation (which you should!), the actual presentation should be developed from this. This is an extensive process. Even after your slides are done (are they ever really “done”? 🙂 ), it’s time to run through the presentation several times to work on content delivery and timing.
This all means you will likely spend days if not weeks pulling together a great presentation, since great presentations take a lot of hard work to develop.
If this is for you, please proceed. If not, you may want to re-think speaking. There are plenty of other ways to share research with the community, including starting a YouTube channel with videos, blog posts, tweets, etc.
The best advice I can give to any aspiring speaker is to create a CFP response before the CFP opens. Write out your talk information in free-form and then place the relevant information in the fields listed below. Rewrite the summary several times, noting that some CFPs limit the summary field to only a couple of paragraphs (or impose a word count limit).
I use(d) OneNote, but any note-taking tool like Evernote works too. Use this to collect your thoughts, develop ideas, build the outline, etc.
Lots of great talks are rejected due to poor CFP submissions and lots of poor talks are accepted based on great submissions. Be honest in the CFP response and ensure your response covers what you plan to speak about. Don’t try to cheat and write about one thing to get accepted only to change up the talk on-stage (you won’t get invited back).
Identify which conferences you want to submit to and determine the “Call For Paper” (CFP) start and end dates (I have included some at the bottom of this post). If the information is available from previous years, look at the data the CFP requires you to provide and start thinking about how you will write the text for each of these fields.
Common CFP Response Required Fields
Here is a list of some of the commonly requested CFP data for a submitted talk:
- Talk title
- Talk summary
- Your name
- Number of presenters
- Your bio
- Talk theme/category/genre/track
- Talk length
- Additional talk information that only the CFP review team reads – not shared publicly.
- Talk outline (may be merged with item 6)
- If, when, & where the talk has been given before
Take great care in writing really good responses to each of these items since the CFP review team only has this little bit of information to make a Yes/No decision, often with little time to review your submission.
Demo or no?
Few presentations are as effective or as memorable as those with good demos. However, this is a double-edged sword since if the “demo gods” are not with you, a demo fail is likely. You also want to be careful about demo set up time which includes typing commands. Make sure that if you are going to perform demonstrations in your talk, all demos are recorded and can be played. This also helps keep the audience engaged since they aren’t sitting there while the presenter is typing every command from memory (better to copy & paste). There are a few presenters who are amazing at live demos, but still have demo fails occasionally. After all, you are often at the mercy of the conference equipment, not just your own. So, if you are going to have demos in your talk, record them in advance so they can be played on stage if needed (they can later be uploaded to your YouTube channel).
If you have a team of five (or more) who have been working on the research that you want to present, don’t expect that all five of you will get on stage. It’s far better for two, maybe three, to be on stage presenting and the others in the front row. You can even point to them during the intro, but don’t expect the conference to select five people to present. CFP reviewers hate when they see four or more people listed since their first thought may be: “five people want free tickets.”
If you decide to present with another person, make sure you work out timing and when each of you will speak to ensure seamless transitions and an enjoyable presentation for the audience.
While starting early is important, so is submitting early. Many conferences perform CFP reviews in rounds and most select the good ones as they go through the submissions – both of these scenarios mean you have the best chance of getting accepted by submitting within a couple of weeks of the CFP opening. A lot of people procrastinate and submit their talk during the last week, if not the last day or hour of a CFP being open, which pits you against a larger pool of speakers with fewer available speaking slots.
Know the C0N!
Before submitting a talk to the conference you have always wanted to speak at, review the talks from the past couple of years and see if they align with your talk material. You might have the best idea combined with awesome material, but you are less likely to get accepted if your talk is too far off what the conference focus is. This doesn’t mean you shouldn’t submit, though you probably should update the talk to ensure it is closer to what is usually covered. For example, if a conference has an offensive focus, you are much less likely to get a defensive talk accepted.
Crafting a Good Response
Your title and summary need to be as interesting as possible. These two sections are where you need to do a little bit of selling and highlight the most interesting parts of what it is you want to talk about.
Make sure you review all the data the CFP requires and make darn certain your response, at a minimum, includes all this information. Check, double-check, and check again or your submission will be discarded without review and your chances for acceptance will be zero.
Also, misspelling the conference name will likely move your response to the rejected pile.
Your bio is another section where it is worthwhile to make sure it is well-written. If your talk is about widget hacking, it’s fine if your job doesn’t involve widget hacking, but if you have been widget hacking for the past 5 years and have won widget hacking contests recently, that should definitely be in your bio. Keep the bio short; be concise. Many CFPs limit the bio length to 100 characters.
The CFP team is looking for a couple of things in your bio:
- Are you an authoritative source? In other words, do you have experience/knowledge relating to your talk subject?
- Do you have experience/knowledge similar to your talk? If you have no experience in widget hacking, but have been firmware hacking for years and discovered issues with the firmware in widgets, that’s incredibly relevant.
The additional information field(s) seems like it is optional, but it’s not. This is where you want to provide more detail on your talk and sell your talk to the CFP team and the conference. If you are talking about widget hacking, provide some detail here to show you know what you are talking about, why it’s relevant to the community, and how your presentation will make the content interesting.
An outline is required, even if “optional”
Related to this field is the outline. Even if it isn’t requested, please provide an outline. It shows the CFP team that you have thought through the presentation flow and have an idea of not just how you will present, but also the key topics of the presentation. The CFP team will also have an idea if you can fill 45/50 minutes or if your talk may be better suited to a shorter timeframe.
Here’s a key recommendation: always include a detailed outline. Even if the CFP doesn’t require an outline, include one since it shows you have thought through the presentation. Note that a detailed outline has more than 10 bullets. A detailed outline should walk the reader through all the major parts of the presentation. Jericho from the DEF CON CFP team told me that despite DEF CON requiring a “detailed outline,” they still get only “5 or 6 bullets”.
I also include a presentation flow outline which lays out how the presentation will go covering the major components. Something like:
- Introduction – several sentences that introduce the topic which provides a good overview of the talk.
- Main component 1 – several sentences that provide an overview of this component.
- Problem or Issue – a couple of sentences describing the problem.
- Problem resolution – a couple of sentences covering ways to resolve or mitigate the issue.
- Main component 2 – several sentences that provide an overview of this component.
- Main component 3 – several sentences that provide an overview of this component.
- Conclusion – several sentences that summarize what was covered and the key takeaways.
Great examples of this outline format are some sample Black Hat accepted submissions from 2015 (Black Hat USA CFP sample submissions (PDF)).
Have you presented this talk before?
The talk history field is an interesting one. It seems to ask two questions at once:
1) Do you have experience speaking at a conference?
2) How many times has this specific talk made the rounds?
If you have given this talk before at a good-sized conference and it was recorded, you may get a “no” simply because there were other fresh talks that were well-written. However, the CFP reviewers may like that you have presented before. I suggest that if you have given the talk before, describe how this talk will be different – presenting updates to your research is a great reason for the material being presented. From what I’ve seen, if your material is compelling, you are more likely to get a “Yes” even if you have presented it before.
Additionally, if you have spoken before, provide the conference information. If the conferences you spoke at have little overlap in attendees, emphasize that.
The similar follow-up you may see to this one is “where have you spoken before?”
I was pretty nervous about this one since I had never spoken before at any conference. I did present at a PowerShell User Group at the beginning of the year about using the Active Directory PowerShell module to interact with AD more efficiently, so I hoped that was enough (it might have been). Another thing you can do is to record yourself covering a technical item for 3 to 5 minutes and provide the video to the CFP so they have an idea of your presentation skills. Plan to target small conferences first. I highly recommend you start with a local “hackers” group or BSides before going after Black Hat or DEF CON. You will gain crucial experience with a smaller crowd and gain confidence along the way.
Jericho also adds:
We also like seeing relatively new speakers do a talk or three at BSides and smaller confs, to show they are starting small and learning the ropes.
NOTE: DEF CON has a great CFP pre-review that is open for about 2 weeks well before the official CFP is open. Submit your talk to the DC pre-review and the DEF CON CFP team will review your submission and provide feedback. Take and incorporate this feedback in your submission and you may be able to turn what might have been a “no” into a “Yes!” when you submit to the official CFP.
Security Conference Likely CFP Dates
Most conferences request talk submissions months in advance.
Here are some of the security conference dates and their potential CFP start date:
- [January] ShmooCon (Washington, DC): September (previous year)
- [April] BSides Charm (Baltimore): November (previous year)
- [July] Shakacon (Hawaii):
- [August] Black Hat USA (Las Vegas): February
- [August] DEF CON (Las Vegas): February
- [September] DerbyCon (Kentucky): April
- [October] BSides DC (Washington, DC): April
Follow the conference Twitter accounts for notification when the CFP is announced.
There are lots of others, so search for infosec/security conferences in your region/city.
BSides has conferences all over the world throughout the year. They need speakers, sponsors, and attendees. 🙂
Each conference has its own list of speaker benefits, which tend to be related to how much the conference costs attendees; a more expensive conference often equates to more coverage of speaker expenses. Note that I don’t guarantee this information to be accurate – please reference the conference’s web site for the current speaker benefit information.
Most security conferences provide the speaker a speaker badge which provides access to all talks and the opportunity to speak in front of an audience. BSides is a community-run event held in a variety of locations all around the world. Trust me, don’t decide where to speak solely because of the benefits list. Speaking at a conference can be a terrifying and personally rewarding experience, especially at smaller venues. Also, speaking in front of 50 people is a vastly different experience from speaking in front of 2,500! 🙂
- Round-trip coach class airfare (amount capped) + 3 nights at the conference hotel + Honorarium
- Speaker party Tuesday night & lunch provided each day
- Speaker lounge area + “ready room” with projector for practicing talk
- Check for $ or 3 “human” badges
- Separate registration area, Speaker party Thursday night, & Speaker lounge area
- Round-trip coach class airfare (amount capped) + 2 nights at the conference hotel
- Speaker’s dinner the night before the conference starts
- Speaker lounge area
The next step: You have been accepted to speak at a security conference!
Or: This just got real!
Yes, now you have to take your outline and turn it into a presentation, which usually means slides.
I cover this in Part 2: Preparing the Presentation: How to Craft a Great Talk for a Security Conference!
- The DEF CON Speaker Process (DEF CON)
- How do I make my CFP stand out (DEF CON)
- So you want to present… (Advice from Jericho, a CFP Reviewer)
- Experiences of a first time DEF CON speaker (Part I & Part 2)
- Black Hat USA CFP sample submissions (PDF)