cyberz.wtf

Working in the cyberz makes for many WTFs

Oct 30, 2023 - 8 minute read - Conferences

Confessions of a Conference Program Committee Member - Part 2

Welcome back, gentle reader. When I last left you, we were just heading into round 2 of CFP for this year’s Australian Cyber Conference. I had hoped that my words might spur a jump in the quality of submissions we received for round 2. To be fair, I’d say overall there were fewer submissions which were obviously lazy and/or half-arsed, but in general there was still a lot of room for improvement. So, here I am again, ~~venting my frustration~~ offering some constructive advice about how to write a CFP submission that has the best chance of being accepted…

 

1. Submit early!

We received over 800 submissions in total by the end of round 2, but the majority (about 500) were from round 1. It should go without saying that by the time round 2 opens (if there’s a second round at all), most of the speaking slots in the program are already going to be filled, particularly in popular streams. We did make a point of specifically calling out streams that needed more talks, but some people still submitted talks in round 2 for streams which were already full. I would have thought this was obvious, but for the sake of clarity let me be blunt: submitting to a stream that’s already full is a complete waste of time, for you and the committee.

If you are not submitting until round 2, do so in the full knowledge that you are starting with a disadvantage. I don’t know if there is some misconception out there that proposals are only ranked once all submissions are in, and submitting in round 2 is fine because if it’s good enough it can still be ranked in the top 10, but let me disabuse you of that notion right now. By the time round 2 is open the acceptance letters for round 1 are already going out. If a stream is full it is full, there’s no chance you’re going to push the lowest ranked paper off the program to take their spot just because yours was scored higher.

Even for streams which aren’t full, by the time the committee has read 500+ submissions, they all start to blur together into a big bowl of generic word soup, unless there is something about them which really makes them stand out - generally that means you have first party research to present or you have something truly new and innovative to talk about.

If your talk is just another spiel rehashing a topic which has already been done to death over the years and/or hasn’t seen much in the way of change or innovation (I’m looking at you GRC, security architecture, and especially at you “How to become a CISO”), then thanks but we already have 10 of those talks and after reading all those submissions the entire topic feels tedious and boring. I’m sorry to tell you, but adding “your unique perspective and/or experience” is not a compelling selling point. If you have a super interesting case study to discuss and can go into dirty details then just maybe that will get you over the line.

Even in areas where there has been some minor or incremental innovation in practice or thinking, if we get 10 talks about the same thing, the reality is only one or two of them are going to get in and it will probably be the first 2 submitted.

 

2. Short. Titles.

Just because the title box allows you to use 30 words doesn’t mean you should. Think for a second about the audience you are trying to reach: they are probably scrolling down the list of talks on a phone screen at speed and trying to choose something to go to from a list of over 20 streams. If you can’t grab their attention in the 1.2 seconds it takes them to scroll past, you’ve lost them.

Yes, a bad title is enough to sink you. It’s the difference between a good paper and one that’s just OK, and when you are up against 800 other applications that matters. The title is the first thing the reviewer sees and it sets the tone for how they will perceive the rest of your submission. I’m sure there are lots of nuances and facets of the topic you want to address, but that is what the extract is for. Don’t try to describe your whole talk in the title.

Every time I saw a paper with a title like “Strategies for combining cyber threat intelligence with security operations for effective enterprise risk management in critical infrastructure: how to avoid the pitfalls of misalignment between technology and process” my eyes would glaze over and I would dread having to read the actual submission. The same talk with a title of “Making CTI and SecOps work together” would be way more likely to pique my interest.

 

3. Be Relevant.

Cybersecurity is one of the fastest evolving practices and bodies of knowledge in the entire world. There are new developments every day, news from a week ago is ancient history, and tech which was blowing up and bleeding edge last year could have fizzled into a puddle of nothing by now. In this sort of environment, one of the main reasons people come to conferences is to be educated about what’s new and what’s coming.

In this context, it’s amazing to me that people still submit talks about legacy tech or areas of practice that have barely changed in the last decade. Just because something is still in use doesn’t make it relevant. On-prem Active Directory remains the backbone of big enterprise IT environments, but its weaknesses and attack vectors are well known and discussed. There hasn’t been a new or novel attack method discovered in years, so anything you have to say on the matter has already been said.

Also, be conscious of who is keynoting. If one of the biggest names in the industry is going to be there talking on the same topic as you are thinking of, most likely anything you or anyone else has to say on it will seem like a kindergarten show and tell by comparison.

I could go on a similar rant about GRC. OK great, NIST released a new version of CSF, that’s worth talking about. Once. Most of the GRC submissions I read however (and there were many) simply wanted to talk about “strategies for effective enterprise risk management” or something similar. Spoiler alert, those strategies haven’t really changed since enterprise risk management was invented. Every few years there is a fresh coat of paint but the fundamentals are the same. Can we accommodate a few talks on this topic, sure, because there will be people who are new to the practice who are interested, but we don’t want 15 talks like this, so if you want to try your luck just know that you’re competing against 50+ other people with equally uncreative ideas.

 

4. Pick the right category.

A surprising number of submissions came in that were clearly in the wrong category. Whether it was submitting an “ask an expert” but pitching a breakout talk, or simply choosing the wrong topic, these talks mostly got binned. In some circumstances the committee decided to seek clarification, but usually such mistakes were interpreted as either lack of attention to detail (see previous post: Read the instructions), or an attempt to sidestep the competition by choosing a stream which was less popular.

Don’t bother with cheap tricks, think that you’ll be given the benefit of the doubt, or that the organisers will bother to seek clarification. We have 800 submissions to read so we don’t have the time or the patience to follow up individual submissions. We also have a stack of other submissions from people who followed the instructions and selected the right categories, so why would we bother to chase people who didn’t?

 

5. No extensions.

Inevitably there are people who miss the deadline and email in the next day begging for an extension, citing some sort of exceptional circumstances. We denied all extensions without exception and the committee was unanimous in reaching this position.

Casting aside for a moment any arguments about fairness to people who got their submissions in on time (and they are strong arguments), there essentially are no circumstances so exceptional that you deserve an extension.

Why?

Because the submission process was open for months. There have been 2 rounds, both of which were heavily publicised on AISA socials and member communications. If you left your submission to the last minute under these circumstances you have already dropped the ball. If your submission is so ill prepared and rushed that an unexpected trip to the emergency vet the night of the deadline is enough to derail it, then the fact is it probably wasn’t good enough to meet the quality standard anyway, and almost certainly not good enough to come out on top of 800 other submissions. Having an extra day or two to finish it off is not going to change that.

 


 
With that, I will leave you. Yes, these are just my personal opinions, but if the response to my last post is anything to go by, they are shared by many people who also review CFPs for other events. Don’t let them discourage you from submitting a talk to your favourite con - I didn’t post this as a deterrent, rather to provide some transparency to what is typically a very opaque process. If your talks keep getting rejected then there’s probably something in here for you - pay attention and hopefully next time we’ll see you on stage.