Silicon Shecky

Infosec Practitioner


Anatomy of a Rejected CFP

July 26, 2018 By Michael Kavka

Call For Presentations, a staple of any conference. Those of us that come up with ideas to share love and dread them. I wrote about them in my CFP season post earlier this year. Of 4 CFPs I put in for conferences this year, I got rejected for 3 of them. The last one, which is for Derbycon, just came this week. I am not surprised by the rejection as Derbycon had 125 slots and 495 presentations put in (not 495 speakers; people put in multiple presentations to hedge their bets, I put in just one). Over the last few weeks, I have been impressed with how transparent Derbycon has been with the process. Dave Kennedy tweeted a thank you that showed who was on the panel that reviewed and scored them. There was another tweet from Dave, I do believe, that explained preference levels (score, has the presentation been done before, etc.) used to make the decisions. He even tweeted about how difficult it was deciding who to cut because of how good the presentations sounded. Now the CFP for Derby was blind, so the reviewers did not know PII of who the submissions were from. Some, like Lesley Carhart, Lee Holmes, and Amit Serper gave thoughts and recommendations based on what they saw (click on their names to see what they wrote).

I figured I would post my CFP here (email address removed) and take a look at it, what I might have done wrong, and one small complaint about the Google Forms (based on what Lesley wrote about outlines). Let's take a dive, shall we?


Thanks for filling out DerbyCon 8.0 Evolution - Call for Papers


Here's what we got from you:
DerbyCon 8.0 Evolution - Call for Papers
Use this form if you are looking to submit a talk for DerbyCon. All submitted talks will be reviewed by the DerbyCon CFP review board. If accepted, DerbyCon will reach out via the email address provided in this form. An accepted talk provides admission to DerbyCon for each speaker(s) and $200 cash per talk (to be divided if more than 1 speaker). If you choose to do so, donations are accepted at check in. DerbyCon does not provide reimbursement for travel and expenses. Follow @DerbyCon for additional announcements. 
 
Email address *

Additional email address(es) of speaker(s) 
If there is more than one speaker that will be contacted Example: Karl - creepy@derbycon.com , Bob Speaker - bob@example.net ....(clearly showing name association with email address, separating multiple speakers by commas). This info will be used to contact you, it will not be published 
 
Name(s) of speaker(s) *
Provide your name(s), these will be printed in the handout and on the website unless notice is given
Mike "Shecky" K
 
Twitter Handle(s) of speaker(s) 
Example: Karl - @dorkultra , Bob Speaker - @bobspeaks ....(clearly showing name association with twitter handle, separating multiple speakers by commas). This info will be published on the handout and website unless notice is given
Siliconshecky
 
Speaker(s) Bio *
Provide a brief bio for the Speaker(s)
Shecky has been involved in computers since the late 70's. Over the last 20 years he has worked up from being on the help-desk to Security Engineering roles. He helps organized one of the Burbsec meetups in the Chicago area, has volunteered at B-Sides Chicago in 2017, and Burbseccon in 2018 in Chicago and spoken at Cyphercon in 2018 and B-Sides Chicago in 2014.
 
Talk Title *
This will be the title of the talk
Communication Breakdown
 
Talk Description *
This is the description of the talk that will be put in the DerbyCon handout and website
We have all seen it and experienced it. It lurks all around us, and when shows its ugly head problems get exasperated. We have a communication breakdown so we will breakdown communication. The problems, and possible solutions. Ways to get better at communicating and how to potentially hack ourselves into being better communicators.
 
Talk Outline *
Provide an outline of your talking points. This helps us narrow in on the talks that are a great fit for the con.
I. Introduction 
II. The problem 
                      A. Talking over people’s heads 
                                 1. Example 
                      B. Talking around the truth 
                      C. Treating others like idiots, both in and out of the Cybersecurity Field 
                                 1. Example 
III. Why should we work on communication skills? 
                      A. Buy In from others in the company/client 
                      B. Lower levels of frustration 
                      C. Easier to get help when needed 
                      D. Helps lower the loneliness factor 
                      E. Helps with Social Engineering skills 
                      F. Communication does help secure things 
IV. Different types of communication and how to work on them 
                     A. Written Word 
                                1. Blog 
                                2. Whiter paper 
                                3. Social Media 
                     B. Spoken Word 
                                1. Toastmasters 
                                2. Acting/Improv Classes 
                                3. Speaking at confrences 
                                4. Talk to strangers 
                                            a) Just say hello 
                                            b) Listen first 
                                            c) Talk to at least one new person every conference 
                                            d) Go to local meetups (security or non-security) 
V. Conclusion – hack yourself into becoming a communicator 
VI. Questions 
 
Provide a category for your talk *
Ex: password cracking, social engineering, phishing, blue team, etc
Communication/Social Engineering
 
Has this talk been given before? If so.. Where? 
Let us know if and where this talk was given before
This talk has not been given
 
Talk Length *
How long is your talk? Stable talks are 30 minutes, normal talks are 45. Please note that we reserve the right to change talk times based on available time slots and variety of content.
•         ( ) 30 Minutes (Stable Talk)
•         (X) 45 Minutes (Standard Talk)




Pretty normal, I made one spelling error in the outline (the word conferences is misspelled).

Anything that we can see wrong with the description? Maybe a little grammar near the end:

“We have all seen it and experienced it. It lurks all around us, and when shows its ugly head problems get exasperated. We have a communication breakdown so we will breakdown communication. The problems, and possible solutions. Ways to get better at communicating and how to potentially hack ourselves into being better communicators.”

That last line probably should be combined into the sentence before it. That would be points off then, and can make a difference. When I wrote it, it seemed right to me, but English and grammar are weak points (one of the reasons I write this blog is to get better at both of them).

Next up is the outline. I have adjusted it back to how I saw it when I put it in originally. I did the outline in Word so I could get formatting correct. Lesley said in her blog post about problems she found with some of the CFPs: “Many submissions I reviewed did not include one or the other. In some cases, the submitters provided long bullet lists or paragraphs instead of a tabbed outline that concisely described their talk proposal.”

Above you see a proper outline. The actual e-mail showed my outline like this:

 

Talk Outline *

Provide an outline of your talking points. This helps us narrow in on the talks that are a great fit for the con.

  1. Introduction II. The problem A. Talking over people’s heads 1. Example B. Talking around the truth C. Treating others like idiots, both in and out of the Cybersecurity Field 1. Example III. Why should we work on communication skills? A. Buy In from others in the company/client B. Lower levels of frustration C. Easier to get help when needed D. Helps lower the loneliness factor E. Helps with Social Engineering skills F. Communication does help secure things IV. Different types of communication and how to work on them A. Written Word 1. Blog 2. Whiter paper 3. Social Media B. Spoken Word 1. Toastmasters 2. Acting/Improv Classes 3. Speaking at confrences 4. Talk to strangers a) Just say hello b) Listen first c) Talk to at least one new person every conference d) Go to local meetups (security or non-security) V. Conclusion – hack yourself into becoming a communicator VI. Questions

Notice, it has lost its formatting. I will take blame on this one partially, only due to the fact that I did have it originally in proper outline form, and once submitted it reverted to the paragraph above. This is something I will have to figure out how to prevent next CFP I do, but it would cause points to be removed from my score.

Other items that get talked about, such as fit into the conference’s overall theme/scheme, are tough to judge since that information was not given by Derbycon itself. It is a guessing game there as to how the CFP review board felt on that. Soft skills talks are difficult to get accepted unless a CFP is perfect, at least from my perspective. Truth is I probably should have put this in as a workshop instead of a talk, I mean who wants to just listen to someone talk about communicating. I do wish we could have gotten feedback from the review board sent to us, but with almost 500 submissions, that is just way too time consuming.

Hopefully this helps some of you out there with what a rejected CFP looks like, and please feel free to comment on and critique mine. Thanks again to Derbycon for being so transparent on the whole process.

Filed Under: General, Security Tagged With: Call for Paper, Call For Presentation, CFP, Derbycon

It is CFP season… So what

January 25, 2018 By Michael Kavka

It has begun. CFP season is upon us. Really it tends to go throughout the year, but with Defcon opening up its calls, RSA sending out rejection letters to everyone, and it being early in the calendar year, it seems there are more tweets about CFPs than at other times of the year. Talking at a con is a badge of honor, something to put on a resume, something to make an individual stand out, and we get all up in arms about it.

The world of infosec, I have noticed, tends to be about acceptance and rejection. There are a lot of introverts in our field. Introverts tend to have a tough time with both acceptance and rejection, hence why they do not feel comfortable in situations where an extrovert does. Yes, there are plenty of introverts that play the role of extrovert, but really think about it. We sit in front of a computer screen, doing our thing, research, games, or other stuff, and we get along just fine. Well, sort of. We do crave acceptance, and hate rejection, and I am sure somewhere in our psyche our being an introvert is some sort of subconscious method of protection from rejection (disclaimer, I am not a psychiatrist, but have played one on stage). So what does this have to do with CFPs? Everything.

Think about it this way. Human beings are said to be social animals. We get our social on at the cons we go to. Those cons are where we are around our peers, the people who are sharing our interest and passion to make the world more secure. We want to show that we belong, so we put in our CFP. We get rejected, we get down, and imposter syndrome either kicks in or ramps up to higher levels all because we want to be accepted by our peers. We yearn to show that we belong and know what we are talking about. We yearn to make an impact and share our findings, thoughts and experiences. That CFP gets rejected, and boom, there is a slap to our ego, our pride. What makes it worse is we keep preaching that speaking at a con is a great thing to do and everyone should at some point. Except, most of us never will either because we never put in to talk at one, or the cons never select us.

I will be honest here, I spoke at one BSides in Chicago back in 2014. I have not since. I have tried, I put in my CFP just like everyone else. I have gotten tips on how to write a better CFP, and still nothing. I put in the CFP figuring it is going to get rejected, but I still force myself to. Yes, I have imposter syndrome just like many of you do. This year I was thinking about it, while waiting for the first rejection e-mail (which I know is coming within a week of this post per the con's Twitter account), and watched people talking about RSA's rejection letters that they were getting. These are people who are pretty much regulars on the con presentation circuit. People who I have watched present either in person or recorded at a con many times. Some have even been keynote speakers. I came to a multi-part realization about the cons and being a speaker.

First, there are 3 types of cons we go to. The first is the vendor con like RSA. These are the cons where you really need to be speaking on what the vendor wants and extolling that vendor to become a speaker. There is plenty of good information at these cons, they can be fun, but ultimately you need to think like the vendor to get a speaker's slot. The next 2 types tend to merge and shift between each other depending on the organizer and which way the wind is blowing for them. They are the Security con and the Hacker con. Most cons will lean one way or the other. You can usually tell them apart by a couple of factors. Do they focus on the latest and greatest vulnerabilities and exploitation techniques? Yes, well that tends to be a hacker con. Do they record the talks? No, well that tends to be a hacker con. Are they giving many defensive talks? No? That tends to be a hacker con. Are they giving talks about the state of the field, tips on being better in the field with soft skills or looking at our own shortcomings and how to hack around them? No? Guess what, hacker con. There is nothing wrong with hacker cons, I enjoy them, but I will more than likely get rejected from any sort of talk from them. My CFPs tend to lean more toward state of our field or soft skills, because I have yet to come up with a new, good tech talk. You can look at the history of this blog and see I do not put many technical blog posts up there. That is the thing though, we have more hacker and vendor cons than security cons. There are cons out there that try to strike a balance between security and hacking. Some do a decent job of it also, but for the most part cons tend to lean one way or the other. Some, if you look at their talk history, are rather obviously one or the other. Again, nothing wrong with it, but it does limit what we learn.

Second is the “rockstar” status. These are the people who are well known in the world of infosec, and give talks all the time. They might be SANS instructors, well known researchers or people that just are well known and respected. These people will get invited to be keynotes, as well they should. They also, unknowingly, tend to be the cause of new or lesser known speakers not speaking at a con. It is not an intentional thing, they put in a talk and your talk is too similar to theirs, they get the nod. Be it because their CFP is seen first, written in a more catchy way or, if it is not a blind selection process, their name means the con might get a few more people. I know this has happened to me and it was not intentional. Those speakers, who I know pretty well, and I never knew that we were putting in similar talks. It happens. A good number of cons do a blind selection, where they do not see names, but the regular speakers know how to write a compelling CFP (even when it is a 140 word max and no outline is able to be submitted as is the case with a con I put in a CFP to). How do we get around this issue? There is a simple way quite honestly. If a well known speaker and an unknown speaker have put in for the same talk, when accepting the well known let them know about the unknown’s talk and give them the option of reaching out to said person to do a dual talk. This all of a sudden does two major things. It gives the new speaker a great mentor to work with, and it helps get more speakers out there. Simple option, easy to do. The well known does not have to, but give them the option, and be willing to adjust to having it as a dual presentation. It does not take up an extra slot.

Those of us that are not selected for CFPs have other options out there. This blog for instance is my thing. I will probably do some write ups of my rejected talks after I get all the rejection notices. Blogs are a low barrier to entry, and with a little bit of push, can make someone into a well known quantity that cons would want as speakers. It also allows for one to work on their writing skills. There is actually talking with people on Twitter instead of just watching your feeds, again allowing you to become a known quantity. Join Slack channels, speak locally at meetups, or even do a podcast. The options are out there if you want to get the word out on an idea.

The toughest part of all of this is getting over the rejection stigma. Imposter syndrome will always be there. We crave acceptance. Remember though, you need to accept yourself, as you are, in order to truly be happy.

Filed Under: Rants Tagged With: Blogs, CFP, Conferences, Imposter Syndrome
