Ah, the highly controversial call for presentations review process! Many infosec industry events use a CFP to find qualified speakers and tease out fresh topics. From a conference programmer’s perspective, the CFP submission process helps uncover new speakers, and it’s a productive way to learn what’s on the minds of industry speakers. 

Paperback Writer

Ah, the highly controversial call for presentations review process! Many infosec industry events use a CFP to find qualified speakers and tease out fresh topics. From a conference programmer’s perspective, the CFP submission process helps uncover new speakers, and it’s a productive way to learn what’s on the minds of industry speakers. 

While mapping the future success of a live, in-person presentation to a short written abstract is often challenging, the InfoSec World advisory board have keen eyes when it comes to deciphering how to translate what’s on a page to real life.      

Every event organization runs its CFP process differently. No two processes are the same, and it’s unlikely that an industry standard for selection criteria will emerge; “good” and “bad” talks are highly subjective in much the same way “good” and “bad” music is subjective. As with music, however, some objective evaluation criteria can be applied.

Dear sir or madam will you read my book?

Let’s dissect the review process a little and look at some of the things that help or hinder a submission from the advisory board’s perspective.

Whether we receive five or 500 submissions, the first thing the board evaluates is the completeness of the submission itself. This is the first year MISTI used an online form for the InfoSec World CFP, and we carefully reviewed mandatory fields before the CFP opened in mid-August. The form was intended to cut down on hours of chasing required information after a talk had been approved and accepted. Most of this year’s submissions were, indeed, complete, but some flexibility in the form allowed for creative input. For instance, the “title and abstract” field was one text box, and several submissions omitted either the title or abstract of the proposed talk. (Lesson learned: two separate text boxes next year.) Even though the fields could (should?) have been separate, title and abstract seem like two relatively core—and obvious—elements of a CFP submission. Because the form could have been clearer, anyone who inadvertently left off information was sent a personal note and asked to supply all of the necessary information. Surprisingly, a few submitters never bothered to reply. Unfortunately, the review board isn’t able to properly evaluate these submissions and these few talks can’t be accepted to the program.

Take away: If you’re going to submit a talk to any conference or event, ensure your submission is complete. If you accidentally do not include all of the required information and the conference programmer reaches out, respond in a timely fashion so your talk can be considered.

It took me years to write

Moving right along, content of submissions matters. A lot. Because reviewers are working with limited information, double check spelling and grammar. Most importantly, though, if a submission includes technical details, cites research or publicly available information, or refers to a known vulnerability/exploit/malware strain/well-known methodology/etc., ensure your facts are correct. Conference programmers look for speakers who know her/his subject inside and out, so if a submission incorrectly categorizes technical details, misquotes information, or “borrows” information from another known talk without proper attribution, that submission cannot be accepted to the program. In previous years (though, thankfully, not in 2017), we’ve reviewed talks that were obvious wordsmithery based on another SME’s work, and still others included incorrect information. Be confident that advisory boards are scrutinizing each submission and not just glossing over rows and columns to get it done; the goal is a great, substantive conference, and that can only be accomplished when each and every speaker is properly vetted. 

Take away: Submit talks that reflect your true subject matter expertise and double check your submission before clicking “send” to make sure you’ve clearly and accurately written what you mean.

Will you take a look?

Another important review criterion is scope of the submission. It’s very tempting to want to include as much information as is available on a given topic, but remember that conference talks are only 50 minutes each (or 30 or 45, depending on the event…). If a submission includes everything a SMEs knows about a subject, it’s hard to determine what, exactly, will be presented. Submissions that focus on one aspect of a subject are likely to be more valuable than one that tries to boil the ocean, so to speak. We know you want to share your expertise, but a talk that hones in on suggestions for improving the forensics portion of an incident response program is going to be more effective than one that promises to improve your entire SOC, for instance. 

Take away: It’s the details that matter. Reviewers can tell that you’re a smart person by the content of you submission, so don’t feel the need to data dump; it will actually hurt your chances more than it will help.

It’s based on a novel by a man named Lear

The cybersecurity community has many, many conferences—too many for any mortal being to reasonably consider attending them all. Conferences that have been in business for a while have a niche; some events are built for vendors, some are geared towards end users. Some conferences focus on the business aspect of security while others focus on very technical audiences. Some events play up the “hallway track” and networking while different conferences are all about the sessions. No one event is “right,” and submitters should know to which kind of event they’re submitting before submitting. Many CFP sites include details about the audience and planned tracks, but more can usually be supplied upon request. Consider the audience and theme of the event to which you’re submitting. Chosen talks will be applicable to expected attendees—at the experience, job title, job responsibility, industry, and interest levels. Successful conferences are relevant to attendees, so know (or learn) about the audience before submitting “pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle” to InfoSec World or “How to Adopt the NIST Cybersecurity Framework” to DEF CON.   

Take away: Submit relevant and appropriate presentations for the anticipated audience. A great talk on a subject not germane to attendees won’t be accepted, not because it isn’t interesting, but because there’s a right time and place for everything… your talk might be at the wrong place at the right time.

And I need a job

Every CFP process is different and every advisory board member has her or his “hot buttons” when it comes to submissions. The above criteria are not exhaustive, but these thoughts are top of mind as we on the InfoSec World 2017 selection committee are reviewing each and every submission this week. From a reviewer’s point of view, the best submissions are those that are complete, compelling, distinct, well written, spell out clearly what attendees will learn, and targeted to the expected audience.

A “perfect” formula doesn’t yet exist, but these tips provide a touch of insight to the InfoSec World CFP review process.