It has begun. CFP season is upon us. Really it tends to go throughout the year, but with Defcon opening up its calls, RSA sending out rejection letters to everyone, and it being early in the calendar year, it seems there are more tweets about CFPs than at other times of the year. Talking at a con is a badge of honor, something to put on a resume, something to make an individual stand out, and we get all up in arms about it.
The world of infosec, I have noticed, tends to be about acceptance and rejection. There are a lot of introverts in our field. Introverts tend to have a tough time with both acceptance and rejection, hence why they do not feel comfortable in situations where an extrovert does. Yes there are plenty of introverts that play the role of extrovert, but really think about it. We sit in front of a computer screen, doing our thing, research, games, or other stuff, and we get along just fine. Well sort of. We do crave acceptance, and hate rejection, and I am sure somewhere in our psyche our being an introvert is some sort of subconscious method of protection from rejection (disclaimer, I am not a psychiatrist, but have played on one stage). So what does this have to do with CFPs? Everything.
Think about it this way. Human beings are said to be social animals. We get our social on at the cons we go to. Those cons are where we are around our peers, the people who are sharing our interest and passion to make the world more secure. We want to show that we belong, so we put in our CFP. We get rejected, we get down, and imposter syndrome either kicks in or ramps up to higher levels all because we want to be accepted by our peers. We yearn to show that we belong and know what we are talking about. We yearn to make an impact and share our findings, thoughts and experiences. That CFP gets rejected, and boom, there is a slap to our ego, our pride. What makes it worse is we keep preaching that speaking at a con is a great thing to do and everyone should at some point. Except, most of us never will either because we never put in to talk at one, or the cons never select us.
I will be honest here, I spoke at one BSides in Chicago back in 2014. I have not since. I have tried, I put in my CFP jsut like everyone else. I have gotten tips on how to write a better CFP, and still nothing. I put in the CFP figuring it is going to get rejected, but I still force myself to. Yes, I have imposter syndrome just like many of you do. This year I was thinking about it, while waiting for the first rejection e-mail (which I know is coming within a week of this post per the cons twitter account), and watched people talking about RSAs rejection letters that they were getting. These are people who are pretty much regulars on the con presentation circuit. People who I have watched present either in person or recorded at a con many times. Some have even been keynote speakers. I came to a multi part realization about the cons and being a speaker.
First, there are 3 types of cons we go to. The first is the vendor con like RSA. These are the cons where you really need to be speaking on what the vendor wants and extolling that vendor to become a speaker. There is plenty of good information at these cons, they can be fun, but ultimately you need to think like the vendor to get a speakers slot. The next 2 types tend to merge and shift between each other depending on the organizer and which way the wind is blowing for them. They are the Security con and the Hacker con. Most cons will lean one way or the other. You can usually tell them apart by a couple of factors. Do they focus on the latest and greatest vulnerabilities and exploitation techniques? Yes, well that tends to be a hacker con. Do they record the talks? No, well that tends to be a hacker con. Are they giving many defensive talks? No? That tends to be a hacker con. Are they giving talks about the state of the field, tips on being better in the field with soft skills or looking at our own shortcomings and how to hack around them? No? Guess what, hacker con. There is nothing wrong with hacker cons, I enjoy them, but I will more than likely get rejected from any sort of talk from them. My CFPs tend to lean more toward state of our field or soft skills, because I have yet to come up with a new, good tech talk. You can look at the history of this blog and see I do not put many technical blog posts up there. That is the thing though, we have more hacker and vendor cons than security cons. There are cons out there that try to strike a balance between security and hacking. Some do a decent job of it also, but for the most part cons tend to lean one way or the other. Some, if you look at their talk history, are rather obviously one or the other. Again, nothing wrong with it, but it does limit what we learn.
Second is the “rockstar” status. These are the people who are well known in the world of infosec, and give talks all the time. they might be SANs instructors, well known researchers or people that just are well known and respected. These people will get invited to be keynotes, as well they should. They also, unknowingly tend to be the cause of new or lesser known speakers not speaking at a con. It is not an intentional thing, they put in a talk and your talk is too similar to theirs, they get the nod. Be it because their CFP is seen first, written in a more catchy way or, if it is not a blind selection process, their name means the con might get a few more people. I know this has happened to me and it was not intentional. Those speakers, who I know pretty well, and I never knew that we were putting in similar talks. It happens. A good number of cons do a blind selection, where they do not see names, but the regular speakers know how to write a compelling CFP (even when it is a 140 word max and no outline is able to be submitted as is the case with a con I put in a CFP to). How do we get around this issue? There is a simple way quite honestly. If a well known speaker and an unknown speak have put in for the same talk, when accepting the well known let them know about the unknown’s talk and give them the option of reaching out to said person to do a dual talk. This all of a sudden does two major things. It gives the new speaker a great mentor to work with, and it helps get more speakers out there. Simple option, easy to do. The well known does not have to, but give them the option, and be willing to adjust to having it as a dual presentation. It does not take up an extra slot.
Those of us that are not selected for CFPs we have other options out there. This blog for instance is my thing. I will probably do some write ups of my rejected talks after I get all the rejection notices. Blogs are a low barrier to entry, and with a little bit of push, can make someone into a well known quantity that cons would want as speakers. It also allows for one to work on their writing skills. There is actually taking with people on twitter instead of just watching your feeds, again allowing you to become a known quantity. Join slack channels, speak locally at meetups, or even do a podcast. The options are out there if you want to get the word out on an idea.
The toughest part of all of this is getting over the rejection stigma. Imposter syndrome will always be there. We crave acceptance. Remember though, you need to accept yourself, as you are, in order to truly be happy.