I reviewed 600+ call-for-paper submissions, (and you’ll probably guess what happened next.)

Ever wondered if your conference talk proposal measures up? I definitely do, every time I submit to a conference.

Over the past week I reviewed over 600 call for paper submissions for the Derbycon information security conference. This was definitely a unique experience – I had participated in review boards in the past, but never on such a massive scale. I had to be considerably more critical that usual because of the limited number of speaking slots available versus the huge interest.

I came out feeling better about my own submissions, but with a lot of food-for-thought about what I can improve in the future. Many of the submissions I reviewed were excellent, and I had a very hard time making final decisions about which ones were the best. However, other submissions really needed some work.

Let’s talk about the biggest problems I saw:


The “Couldn’t Put in the Effort”

There was a substantial number of talk proposals with serious spelling and grammatical errors, lack of capitalization, and even incomplete sentences or mistakes in copy-pasting. If you’re proposing a talk you intend to give to dozens or even hundreds of people, I have strong reservations about your preparation when you can’t do even a cursory check of your paragraph-long application.

Let a friend, colleague, or family member put a second set of eyes on your submission. It shows you care.

The “Didn’t Read the Instructions”

Call of paper submissions usually follow a specified format. In this case, a synopsis and an outline were requested by the conference. Many submissions I reviewed did not include one or the other. In some cases, the submitters provided long bullet lists or paragraphs instead of a tabbed outline that concisely described their talk proposal. In others, the synopsis was well over 1000 characters. After 4 or 5 hours straight of reading submissions, it was a little much to take in.

Once again, a second set of eyes is really important to ensure you followed the instructions properly. I definitely notice attention to detail as a reviewer.

The “I’m Not Quite There, Yet”

Similarly, there were numerous talk proposals which proposed vague hypotheses or very general thoughts about what might be interesting. I agreed that some of the ideas sounded intriguing, but they weren’t fleshed out at all. In some cases, the submitter outright stated they hadn’t researched the topic or implemented the idea, yet. This was a problem because I couldn’t be certain they would complete their research and report in time, and their hypothesis could be incorrect or correct.

While I might be able to give these submissions more leeway in a smaller conference, I had to give preference to talks which were thought through and reliable.

The “Flavor of the Day”

The hot topics in information security in 2018 are apparently: MITRE ATT&CK, container security, and hiring and training talent. A massive percentage of submissions directly related to these topics. This required the submissions on these subjects to be engaging, thoughtful, and well written to stand out. Unfortunately, numerous submissions on these topics were pretty high level and vague.

Always do some background research on recent conferences to find out what “hot topics” in the field are and understand if you’re proposing a talk on a subject that has been extensively spoken about. Is your twist on it adequate to stand out and be useful? What’s your hook to capture the imagination of attendees and reviewers?

The “Soft Skills are Easy, Right?”

Everybody gets burnt out talking about highly technical stuff all the time, and at some point we all propose a talk on soft skills, team dynamics, or personal success. This is fine – soft skills are important to any technical field. However, be very certain that you’re spending as much effort on your soft skills talk proposal as you are on your technical proposals. I saw numerous submissions that included short, vague outlines of team dynamic or career progression topics. While these subjects matter, talks on them require equal effort and fleshing out.

If you’re going to submit a talk on why physical fitness is important to one’s career, to an IT conference, please ensure you’ve really thought out how and why it is important and express that well to the review board. Additionally, psychology, health, and social sciences are real fields that qualified people study for years! Being technical experts don’t make us inherently qualified to talk about them.

The “Wall of Text”

On the opposite end of the spectrum from vague and incomplete talk submissions, there were the fleshed out but incredibly dry and rambling submissions. A peril of being academic or extremely technical is often forgetting your audience.

While I’m a subject matter expert in several areas of information security, I certainly don’t know minutiae of every conceivable niche. Many submissions I reviewed were focused on an incredibly specific and highly technical subject, and provided no high-level synopsis or explanation. Ensure your synopsis is comprehensible to a general professional in your field, even at a management level. The longer and more technical it gets, the more crucial a coherent synopsis is.

The “Big Fish, Small Pond”

Some of the very best submissions I saw that were engaging, well written, and unique were submitted to the Stable Talks track. I was stuck wondering how much of this was imposter syndrome, modesty, or gambling with the odds.

If you’ve got a fleshed out idea that your peers and community have given you a positive opinion on, but you simply don’t feel experienced enough to submit it to the conference proper – you’re probably suffering from imposter syndrome. Do a little bit of introspection and talking with mentors. I can absolutely tell you with confidence that many of your submissions this year were superior to the standard talk track ones. Additionally, your odds of being selected were not significantly higher in Stable.

If you’ve 5+ years of experience working professionally in information security, it may be time to considering move up and leaving space for the new folks.

This is not a criticism of applying for Stable Talks. They’re a great place to get your feet wet in a shorter format. Just consider their purpose and your topic and speaking ability.

The “Why is this Important?”

Finally, many submissions really failed to intrigue or inspire curiosity. A CFP submission gives you a very short opportunity to capture the interest and imagination of the review board. We’re trying to decide if a talk is fleshed-out, interesting, and useful to the audience.

Quickly grabbing our attention with a well-written hook that makes us want to learn more is key to doing this effectively. The best submissions I saw caught my eye in the first sentence and made me want to read more.

The “I’m Cute, Pick Me”

I didn’t just title this blog to irritate folks. I really did see talk submissions with click-bait titles! Be very, very cautious about jokes in your submission that might miss their mark given a diverse review board. Nobody’s joke will ever be funny enough for me to select their talk without all the other required boxes being checked. It’s great to be clever in your title and your hook – just be cognizant that a pun or cultural reference might be misunderstood. Think through those choices carefully from multiple viewpoints.

It’s fine to specify your unique perspective or qualifications to speak on a particular subject. However, be cautious about turning exposition into bragging. It’s unlikely that referring to your accolades, career success, or certifications will change my opinion if your submission is otherwise lacking. It may actually cause me to be more critical – I inherently expect a PhD-holding executive to write better than a college student.

Finally, inserting your name or strongly implying who you are in a ostensibly blind review submission also really violates the spirit of a fair and equal board, so please don’t do it.


I hope you find these tips useful as you submit to academic and professional conferences. Happy CFPing!



Categories: infosec, security education

Tags: ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: