Calls for presentations: Depending on whom you ask, CFPs are either a great opportunity for subject matter experts to display knowledge and vie for a coveted spot on a conference program, or an absolute nightmare, as the intended speaker carefully calculates the best topic to submit.

Honestly, I wanna see you be brave

Calls for presentations: Depending on whom you ask, CFPs are either a great opportunity for subject matter experts to display knowledge and vie for a coveted spot on a conference program, or an absolute nightmare, as the intended speaker carefully calculates the best topic to submit and exactly how to position a proposed talk so it rises above the rest of the submissions.

That’s the submitter perspective.

From the conference producer and advisory committee perspective, the opportunity vs. nightmare also holds true, though from a completely different angle. Now in my third year programming InfoSec World for MISTI, I‘ve learned a few things along the way. And I am still learning. The process is not perfect—nor will it ever be—but since the InfoSec World 2017 CFP just opened, and in the last two days I’ve already received several dozen emails with questions about the process, we at MISTI thought it would be a good idea to provide a peek behind the curtain.

In reality, CFPs are not a big mystery, though they may appear as such from the outside looking in. Some in the infosec community have had the experience of helping select speakers for events; we’re a community of doers and conference goers, and if you’ve been in the industry long enough, you’ve likely been asked to participate by a colleague/friend/inundated conference producer. Andrew Hay, one such industry expert (who has spoken at past MISTI events and will chair the Cloud Summit at InfoSec World 2017), recently published a blog post entitled, “Towards an Objective and Scientific CFP Methodology.” Hay raised a number of great points which I will be keeping at the forefront of my mind over the next six weeks. Insofar as the InfoSec World 2017 CFP is concerned, here are a few things spot-seeking speakers can keep in mind.

Image 1


You can be amazing

Selection Committee

InfoSec World forms an advisory board every year. The board includes subject matter experts and frequent security speakers who’ve been around the block (and back) a few times. Yes, the board for 2017 is exactly the same as it was in 2016. And some served for a year or two prior as well. Why the repetition? Hay makes a point in his post about not using the same committee members from year to year so that the conference avoids bias and the possibility of growing stale. What I’ve found working with this particular advisory committee is multifold.

They get it: The 2017 InfoSec World advisory committee members have all attended the event for multiple years. They understand the aim of the conference, and they know how it differs from the other 1,999 other U.S.-based security events. Unlikely as it may seem, they do spot repeat speaker submissions, and have often attended past speakers’ talks at previous InfoSec Worlds. The advisory board is part of the success of the event, and they’re just as committed as internal MISTI staff to creating a diverse and fresh, new program every year. In fact, it is because they have been part of the InfoSec World fabric for so long that they are able to provide such excellent guidance. They know what fits MISTI and what belongs at another conference.

When MISTI decides to introduce a new element to the event, the advisory folks who have been there, done that can be a reliable sounding board from an inside but not-too-inside point of view. They’re not going to bring forth dozens of grandiose ideas to dramatically revamp the conference in a way that doesn’t work for InfoSec World attendees. And keeping attendees in mind is the #1 goal.

Bias: Humans typically like to be surrounded by people they know and can rely on, and the people putting together MISTI events are no different. However, as an advisory committee, we work collectively to ensure that new speakers are introduced every year, and for 2017, in particular, I have tasked the board with helping me find new-to-MISTI speakers. Hay mentioned in his article that the goal for conferences should be to “mandate a 60% (or higher) new speaker rule.” He and I discussed this previously, and while in theory I agree, in actuality, attracting that many completely new speakers is a challenge. (If you’re reading this article, though, and know someone who has never spoken at InfoSec World, immediately forward the CFP link! We love new speakers.) The advisory committee has consistently helped with outreach over the years to ensure attendees aren’t merely hearing the same old voices and talks year after year. That gets boring for everyone. However, will we select some InfoSec World veterans? Of course—a good conference balances the tried and true with new and different.

You can turn a phrase into a weapon or a drug

Submitting a Topic

Completeness: For 2017, all prospective speakers must submit proposed talks through an online form. In the past speakers have been asked to answer a series of questions, the answers to which could be sent to MISTI in Word, PDF, or other text document. This was one of the aforementioned nightmares. Only about half of submissions initially included all required information, which meant I had to personally request the additional information (some conferences won’t; incomplete submissions are auto-rejected). Another high percentage of applicants typed entries in a funky font or unusual formatting, thinking it might help the proposal stand out (think: Legally Blond). All of this created more work, extra documentation, and the potential for unnecessary inaccuracy.

Hallelujah! The process has been fixed for 2017! Well, not entirely. By nature, some CFP questions must be answered in a text box, and we’ve already received one submission that didn’t include an abstract.

If you’re planning on submitting—to InfoSec World or any other conference—pay attention to the questions being asked and do your best to answer them befittingly and in full. Supplying an abstract should be fairly obvious when we’re talking about a speaking proposal, but I suspect we’ll see more “None” in some text boxes before the CFP ends.

Image 2Accuracy: Pease double and triple check your work if you plan to submit. Ask a colleague or coworker to proof your submission before hitting “submit.” Heck, ask your kid to give it a quick read. From a reviewer’s perspective, what does it say when typos or grammatical errors fill your submission? How can the committee trust that you’ll contribute a spectacular talk at the conference if your submission—which is a fraction of the presentation length—is sloppy? We can’t. And remember that the selection committee is comprised of SMEs who’ve all worked as both end users and for vendors; they know their stuff and they know the CFP game. Two years ago, one submission mistakenly referred to a well-known bug as a virus. Another speaker called high school basement hackers “script kitties.” We have a bunch of cat lovers on our selection committee, but those kinds of mistakes won’t go unnoticed, and the submission won’t be accepted.

Truth: Security vendor press and marketing teams are On. The. Ball. when it comes to CFPs! They are generally the first ones to respond and/or ask questions when a CFP opens, and they’ve honed their skills at writing standout abstracts. They study. They learn. They submit. While the polish of these submissions is appreciated (see paragraph above), the advisory board can often identify when the abstract is written by a non-practitioner, which gives us pause. How do we know the actual speaker is an expert at the topic submitted if she or he didn’t review it? If the talk is technical but lacking appropriate technical details that could be supplied by a SME, how can we be sure the right information will be proffered during the conference? Again, we can’t.

We’ve received submissions in the past where the speaker’s name and details have been omitted and the submitter’s/PR person’s/marketer’s details included because the marketer or PR person doesn’t want MISTI “bothering” the proposed speaker. Our job as an advisory committee and event producer is not to bother the speaker; we really don’t have time for that. We must know who the speaker is, however, and have his/her information for when/if the speaker is chosen.

Occasionally a PR agency or marketer will submit a speaker and accompanying talk without the proposed speaker’s knowledge. Please do not do this if you are submitting on behalf of someone else. In the cases where this happens and the submitted speaker is then unavailable when chosen (because the selection committee can’t know that the proposed speaker doesn’t know he/she is being submitted), you don’t get to plug and play a new speaker. A conference agenda is built around the combination of a carefully considered speaker and her/his experience, talk, and the quality of the submission. If one element becomes unavailable, the submission is null and void.

Say what you wanna say, and let the words fall out

Be Brave! Be Bold!

Skills: Some incredibly smart security practitioners have scant experience presenting in front of large crowds and are afraid they won’t be chosen through a CFP due to their non-rock star status. Those people need some gentle nudging. If that’s you, let this be your gentle nudge. Hay introduced me to one very quiet but impressive speaker for one of MISTI’s smaller events and, even though he didn’t strut the stage like it was his catwalk—he presented rock solid material very softly but pointedly—I asked him onsite (OK, maybe insisted) that he submit to InfoSec World 2017 to present in front of a larger audience. The advisory committee has already forwarded emails of SMEs they’ve met over the years who aren’t “on the speaker circuit” but have a ton of practical knowledge. We’re looking for more. All conferences need more of that. It’s your content and the quality of your submission that will get you chosen.

Over the years I’ve watched a few shy practitioners become proficient and highly-rated speakers. The goal is great content. Great showmanship only works if the content behind it is not smoke and mirrors.

Topics: Since the 2017 CFP opened I’ve received so many emails asking about the projected “sexy” topics at InfoSec World that I’ve started to wonder what my IT team must think of me. Here’s the thing about “sexy” talks: they’re only effective if enterprise security practitioners can learn something from them. InfoSec World attendees are overwhelmingly information security managers and directors at large enterprises. The top industries represented are finance, health/medical, insurance, government, and retail. These folks want to learn something they can use. Often they need to justify conference attendance and time out of the office to managers and/or teammates. Don’t focus on submitting a “sexy” topic; present something from which your listeners can learn. Have a crazy idea based on experience, research, or theories? Please submit it! Think your idea could stir up controversy? Bring it! I’d rather program talks that instigate debate than ones during which people are falling asleep because they’ve heard it all before.

Sometimes a shadow wins

The security industry as a whole needs new ideas that help practitioners manage the myriad threats thrown at organizations every day. If that’s you, or if you know someone who needs a little coaxing, the InfoSec World CFP is neither scary nor awful. It is, indeed, a great opportunity to strut your stuff and maybe come join us in Orlando in April.