5 Common CFP Submission Mistakes for Security Conferences

Throughout my years on the review board for Black Hat, I’ve seen quite a few mistakes in submissions. Many of these mistakes are ones I’ve made myself. Issues with submissions are often easier to spot as a reviewer than they are as a submitter, and in hindsight, can be painfully obvious.

Recently, I collected my thoughts and outlined some common mistakes. What struck me as I covered them was just how easy they were to avoid. Hopefully, putting some focus on these common mistakes will put you in a better position next time you answer a call for papers/presentations.

The following list is in no particular order.

Incomplete Submission

You may (or may not) be surprised at how many people leave a significant portion of their CFP response incomplete. Sometimes the submission is as minimal as a title and a couple of sentences. This minimal information is not enough to decide whether your submission is a good fit for the conference. Being a minimalist will not serve you well in the submission process.

Even when people provide a title and full abstract, they leave other portions of the response, such as the outline or questions about why the talk is a good fit, blank. If the submission contains questions beyond a title and abstract, then those questions are there for a reason. Some of these questions are arguably the most important. This mistake is the easiest to avoid: complete the submission and provide the necessary detail for the reviewers.

Not A Fit For The Event

Security conferences vary widely in their emphasis on cutting edge techniques as well as their focus on the tracks they have. A submission should align with the expectations of the event. If it’s in a discipline outside the security domain, it should have a direct line back to security that connects the concepts.

One of the things I commonly see is that people submit introductory content to an event that is supposed to be more cutting edge. This mistake becomes apparent when you think about the attendees of an event and what their job positions are. To a submitter, this point may not be obvious, so let’s look at an example.

Don’t submit a talk on “how to get a career in InfoSec” to a conference with pricey admission. There is a high likelihood that an employer covered the costs for attendance, so more than likely, the attendees already have a job in InfoSec.

Look at previous talks given at the event for an indicator of the type of submissions the conference would accept. Would the attendees of a conference like Black Hat be interested in an introduction to phishing talk? I think you can guess the answer.

Not Performing Prior Research

Before submitting to a security conference, prior research must be conducted on both the topic you are submitting as well as on the conference itself. What previous work is there on your topic? If you are submitting a new technique or attack vector, ask yourself, is it really new?

Look at previous talks held at the conference. Has the conference had talks on the same subject you are submitting? This issue isn’t always a showstopper, but you have to understand that if a topic has been covered, then you need to explain how your submission extends or is different than previous work.

Performing prior research better equips you to differentiate your submission.

Not Understanding The Takeaways

One of my favorite questions to ask people when I peer review submissions is, “would you attend your own talk?” A big part of attending your own talk is in the takeaways provided. Attendees of security conferences want to apply what they learn and put it to work as soon as possible. If your talk doesn’t have any solid takeaways, then there is nothing to apply.

Some conferences get to the takeaways of your talk by asking what I refer to as “critical questions.” You need to either articulate these questions directly in the submission or, if they are not specifically asked, include their essence between your abstract and outline. A couple of examples of critical questions are:

  • What makes this submission a good fit for the event?
  • What are the three key takeaways for attendees?

Not understanding the takeaways of your submission could mean that your talk lacks focus and the substance that attendees would expect. So what if you found some new vulnerability? That doesn’t help attendees. Attendees want insight into your approach and what you learned along the way. These features of your talk are what they can apply in their own work and research.

Leaving Unanswered Questions

This mistake has nothing to do with completing the submission fields of a CFP response but is about questions on the content of your submission. It’s not always possible for reviewers to reach out and clarify points you make or read your mind. It’s important to anticipate potential questions and have a response proactively in your submission.

Unfortunately, these questions aren’t static and will vary depending on your topic and submission. A few examples may be:

  • How is this submission different than “X”?
  • What’s better about your approach than others?
  • What unique insight are you providing?
  • How is your submission relevant to the topic?

These questions could go on and on. Anticipating potential questions and proactively providing answers is where the information you gathered from your prior research step comes into play. Remember, fewer questions in the mind of a reviewer is a good thing.

Bonus Mistake: Submitting a Sales Pitch

This mistake should be self-explanatory, but it happens all the time. Do not submit a sales pitch for a product or service to a security conference. There is little tolerance from organizers and attendees when this happens. Remember, attendees are sitting in your talk for takeaways they can apply. There is nothing for them to take away from your sales pitch. Leave the sales pitches for the vendor floor.

Get Feedback

One of the best ways to avoid common mistakes in your CFP response is getting feedback before submitting it. Ask friends, peers, co-workers, or whoever else you can get solid feedback from to look over your submission. I can’t stress enough how valuable feedback is to the process. Quite often, you are too close to the topic and the wording to be objective. It’s easier for someone with fresh eyes to spot mistakes. You may make mistakes as big as thinking you are communicating one concept when someone reading it thinks something different.

Conclusion

There is no shortage of mistakes you can make when responding to a CFP. However, by avoiding the common mistakes covered in this post, you are one step closer to that speaking engagement.

If you’d like some general tips for creating good submissions, you can check out the following:

https://hexsec.blogspot.com/2012/12/create-good-security-cfp-responses.html

https://www.defcon.org/html/links/dc-speakerscorner.html#nikita-cfp

 
