
I like the regional Infosec conferences. For someone at a SMBiz, it's an opportunity to see how the rest of the world does things without sitting through hours of vendor talks pimping one product (and eventually their family of products) as the be-all end-all. Learning the hows is akin to crawling before walking before running. Once you learn what you can do and how to do it in efficient ways, you can then push to acquire tooling that supports the skill set.

I have become disillusioned with the conferences in my immediate area (MKE//CHI) in the last year or two. As a defender, I'd be thrilled if there was at least one talk that benefited my side of the fence that wasn't a weird corner-case scenario. Usually, I'd see a talk that looked good, and it would turn into 'I did a crazy thing and I'm not going to have any serious detection or prevention strategy besides patch.' I want more in-depth talks that speak to a defender. So this year I pushed my regional boundaries out to Detroit and Indy.

Circle City Con (hereafter CCC) turned out to be the con I wanted. Designed so local people only had to take a half day off of work, it ran from Friday afternoon to Sunday early afternoon. This gives people plenty of opportunities to come see what's going on. There were talks and trainings, a CTF, a modest vendor presence, and evening events Friday and Saturday. 

The trainings looked to be solid. However, one of the better trainings, @da_667's training on virtual labs, was an all-day training on Saturday, meaning if you did the training, you did nothing else Saturday. The training was a huge time commitment. Had I the power to make a recommendation, I would set the trainings in the morning and do talks in the afternoon on Saturday, with part two of the 8-hour trainings on Sunday morning, to minimize the number of talks missed. That would be some difficult juggling, but possible in the available space.

Check out @frankmcG's twitter feed, as he live tweeted several talks. This is a good way to check out core content and decide if you should watch the talk when it's published (almost always yes).

The opening ceremonies made it clear that over the five previous years, CCC had developed its own culture. This meant that for first-timers, there were a lot of references and in-jokes that went right over one's head. While it was informative about the weekend to come, it also made it clear I could skip the closing ceremonies.

The opening keynote was a look at data rights and privacy laws around the world, and what an org had to honor in regards to a personal data request. Amber Welch did an excellent job going through the ins and outs of the laws and how to 'hack the system' with the legal framework in place. This was a solid talk, right up to the last five minutes when a blatantly political remark thrown in as a backhanded attempt at humor soured the whole thing for me. It would have been a B+/B, but the one remark, and everything it carried with it (especially in light of the talk) dropped it down to a C/C-.

Shecky (@siliconShecky) gave a talk on Saturday on hiring for Infosec roles titled 'Get off my lawn ... or are we looking for the right people?' He talked about addressing the core skillsets needed in Infosec beyond the technical (sysadmins, pentesters, coders, etc.) and looked more holistically at the background types we should bring in and nurture, as they will provide overall value to an Infosec team (e.g. librarians for research, thespians for social engineering, data scientists for analysis, etc.). He also showed the division between the field of security, the subfield of Infosec, and the sub-subfield of Cyber Security.

Alex Chalmers gave a talk titled 'Evicting the Password from the Digital Estate'. This was a talk on the weakness of passwords, proper password guidelines, where passwords exist in the cybersecurity space, and what an institution has to do to move past them. He addressed how NIST has written its framework to apply to the federal government, and what we can pull from that. He looked at the differences between single factor, two factor, and multifactor authentication, and how different authentication types are combined to get to a mature multifactor setup. The caveat to his talk is in a mature institution, the idea of going passwordless is so popular (and misunderstood) that the mere mention that I saw a talk on this means I will have to present the idea to leadership. Thank you Alex. Even still, watch the talk.

Steven Bernstein (@sciaticNerd) gave a talk titled 'Cons and careers'. This is the talk that's perfect for anyone new to the industry or trying to break into Infosec. It looks at the non-technical, self-imposed stumbling blocks to personal and career growth, including tackling impostor syndrome. He uses his own path as an example of how he cleared the stumbling blocks, and what it takes for someone else to do the same, as well as why they need to. This was the A+ talk at CCC, and is one that should be spread far and wide. And his delivery was near flawless. He'd be a good speaker to have at any con.

Part two of my review will come tomorrow, looking at a few more good talks and highlighting some of the great people I met.



Community is an interesting concept. A collective group bound by shared values and beliefs - this is how community is defined. Now, even in the smallest communities (population 2) not all of the values and beliefs are shared. For a community to stand, the core values must be shared.

Infosec isn't a community. Infosec is a philosophy built around values and beliefs, potentially including a right to privacy, data security, breaking systems to fix them before someone else can break them, and control of one's data. People may have more to add to that list. People may not include everything on that list. Either way, how anyone defines Infosec is built around the values and beliefs they assign to the philosophy - and that isn't a universal list. This distinction of personally defined philosophy versus the values and beliefs that make up that philosophy matters.

A modern American philosopher I know hangs his hat on the credo "Acta, non verba." Actions, not words. We are defined by our actions more so than our words. Social media has amplified this disparity. Many will tweet about injustices. They will post selfies with pontification about wrongs on Instagram. What they will not do is take any meaningful action to work to correct the wrongs and injustices. What makes it worse is they will actively decry a wrong in the world, and then demand someone who is characteristically unlike themselves be the one to fix it.

At no point in human history has that been the way things have worked. Ever.

History is replete with turning points built on the backs of individuals who take personal responsibility to be the change they want to see in the world. They lead from the front. They let their behavior set the example. Whether it was George Washington leading the rebellion, Dr. Martin Luther King Jr marching non-violently, or Elizabeth I pushing back against tradition, someone said the world shouldn't be this way and worked to change it. Successfully. They did this by establishing a like minded community of people willing to put in the work to change the status quo in a constructive manner.

This is why the concept of an Infosec community is poisonous.

Infosec professionals and aspirants are very active on social media. They share information, brag about accomplishments, and preach. A lot. When some grave ill comes to the attention of the Infosec people engaged on social media, the pitchforks are sharpened and torches lit. Vitriol is flung into the arena and guns start blazing. There is no time to wait; battle must ensue. People have to be seen challenging this wrong from their phones, tablets, and laptops, and they need to be among the first to engage.

My guiding principle of incident response is simple. When all hell breaks loose, the very first thing you should do is nothing. The second is take a breath. Why? Either you have an incident response plan, which means the incident will be handled properly and in a timely manner, or you don't, at which point the likelihood of irreversible damage being done by your own team's hand is taking exponential jumps.

When these horrible behaviors are brought up in social media (ALWAYS selectively edited for maximum impact as desired by the poster) the response is sudden, damning, and often without any analysis or rational thought. Combined with the need to be seen railing against the horrible thing, we start seeing a pattern of what defines the 'Infosec Community.'

You change behaviors by engaging constructively.

The 'Infosec Community' chooses to name and shame, and condemn, and then only selectively based on who is in and who is out.

And here is where the concept of Infosec as community crumbles. The 'community' doesn't hold everyone accountable equally (making justice not a principle). The 'community' will indict and sentence (without trial or defense) based on selective information, basing a declaration of attribution on a lone indicator; due process, a search for truth // fact, and thoroughness go out the window. The 'community' will take things out of context if it supports their side. It engages in whataboutism. The list goes on.

There isn't an Infosec community. There are communities that exist within the bounds of Infosec. Recognize them for what they are.

"All animals are equal, but some animals are more equal than others."

-George Orwell.



There is nothing like an empty hotel gym at 5am. You can struggle. You can flatulate with impunity while your guts undulate like a bridge about to flip while on the treadmill. You can do low weight high reps on the dumbbells without 'bro do you even lift' condescension.

No matter what you want to improve, no matter how much of a novitiate you think you are, there is always a way to improve yourself in a manner which will not draw attention to yourself and your perceived shortcomings until your impostor syndrome has lessened.

Or dive right in and face it.

As an institutional defender, I have the disadvantage of having to guess right the first time to detect an attack at the earliest stage. Every institution also has a limited budget, so as a defender I've had to choose what doors I watch with given levels of scrutiny. The only way to do so is to build a threat model.

To understand threat modeling, you need to start with the risk equation.

Risk = (Threat to asset x vulnerability allowing reach x impact to institution) / mitigations


If your business has a gum ball machine in the lobby that takes quarters, the threat is the loss of the gum ball machine, its quarters, and its gum balls. The vulnerability is it can be beaten with a key, someone can use slugs to get gum balls, or someone can grab it and run. The impact is the cost of the lost goods, the reputational impact, and the time lost replacing it, updating policy and procedures, or working with the police. The mitigation could be bolting it to the floor, having a custom key, or hiring someone to either man the machine or protect it.

You need to understand what you are trying to protect in order to understand the threat to it, what vulnerabilities it has, the impact of its loss, and whether the mitigation is appropriate. Hiring an armed guard will make the loss of the gum ball machine unlikely, but the cost outweighs the benefit.

What are you trying to protect? It could be any number of things.

  • Money
  • Physical property
  • Intellectual property
  • Access // Trust
  • Reputation // Brand

The asset needs to be defined, before you can understand the risk involved. Most likely, your institution has multiple asset types. These assets will not carry the same risk, and will not be protected the same way.

In a bank, the obvious asset at risk is the money. That asset exists both as physical currency and digital bits. Each has its own threat model. Both are at risk from thieves, insider threats, or potential destruction. How do you define each? How do you prioritize which one you want to protect more? How do you define your crown jewels?

Think about the threat to the assets. Someone could take the physical money. Someone could manipulate the digital bits to make someone else take ownership of the money. How do they accomplish either feat? Are you more worried about masked assailants taking the currency from a branch office, or a digital adversary abusing the SWIFT banking system to move money to another bank and account in an unauthorized manner? If you controlled security spend, how much would you spend depending which? How would you prioritize your detection capabilities?

Think about the vulnerabilities. Who has access to move the money? Who determines who has that access? How is that access granted? Who audits that behavior? When and how often? How do you define trust of the people involved in access? How do you verify that trust? What about the systems involved? What physical protections exist? How strong are they? What hardware and software is in use to control access to the digital assets? How often are they patched? What is the software // hardware lifecycle? What policies governing use of these assets are in place?

Think about the impact. How does the loss of the asset affect the institution? What is the total cost of that loss? How do you quantify the loss of trust? The failing morale? The loss of time investigating, then vetting and putting in place new mitigations (procedures, audits, hardware and software)?

In order to prioritize your defenses, you need to understand what you are protecting, the impact of its loss, how it can be lost, and why (and potentially by whom) that loss would occur. Then design your mitigations based on that. That is your threat model.
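As an added example (not from the original post), here is the risk equation above carried through in Python for the gum ball machine and the bank's two forms of money, using constructed likelihood, impact, and mitigation figures. It shows how residual risk ranks the assets for detection spend and how the armed guard fails the cost-versus-benefit check the post describes.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed figures for illustration; the post gives no numbers.
# Risk = (threat x vulnerability x impact) / mitigations, read here as an
# expected annual loss in dollars: threat and vulnerability are probabilities,
# impact is the total cost of losing the asset.


@dataclass
class Mitigation:
    name: str
    reduction: float    # how many times it divides the risk (>= 1.0)
    annual_cost: float  # what it costs to keep in place each year


@dataclass
class Asset:
    name: str
    impact: float         # total cost to the institution if the asset is lost
    threat: float         # annual likelihood that someone goes after it (0..1)
    vulnerability: float  # likelihood an attempt actually reaches it (0..1)
    mitigations: List[Mitigation] = field(default_factory=list)


def inherent_risk(asset: Asset) -> float:
    """Numerator of the equation: expected annual loss with no mitigations."""
    return asset.threat * asset.vulnerability * asset.impact


def mitigation_factor(mitigations: List[Mitigation]) -> float:
    """Denominator: the combined reduction of the mitigations in place."""
    factor = 1.0
    for m in mitigations:
        factor *= m.reduction
    return factor


def residual_risk(asset: Asset) -> float:
    """Risk that remains after the asset's current mitigations are applied."""
    return inherent_risk(asset) / mitigation_factor(asset.mitigations)


def is_worth_it(asset: Asset, candidate: Mitigation) -> bool:
    """The armed-guard test: add a mitigation only when the risk it removes
    per year exceeds what it costs per year."""
    combined = mitigation_factor(asset.mitigations) * candidate.reduction
    removed = residual_risk(asset) - inherent_risk(asset) / combined
    return removed > candidate.annual_cost


def prioritize(assets: List[Asset]) -> List[str]:
    """Crown jewels first: asset names ordered by residual risk, highest first."""
    return [a.name for a in sorted(assets, key=residual_risk, reverse=True)]


# The lobby gum ball machine from the post, with constructed values.
GUMBALL = Asset("gum ball machine", impact=300.0, threat=0.5, vulnerability=0.8)
BOLT_TO_FLOOR = Mitigation("bolt to floor", reduction=4.0, annual_cost=50.0)
ARMED_GUARD = Mitigation("armed guard", reduction=50.0, annual_cost=40_000.0)

# The bank's money as physical currency and as digital bits moved over SWIFT.
BRANCH_CASH = Asset("branch cash", impact=250_000.0, threat=0.05, vulnerability=0.3,
                    mitigations=[Mitigation("vault and dye packs", 5.0, 20_000.0)])
SWIFT_ACCESS = Asset("SWIFT transfer access", impact=10_000_000.0, threat=0.2,
                     vulnerability=0.05,
                     mitigations=[Mitigation("dual authorization", 4.0, 60_000.0)])

if __name__ == "__main__":
    for m in (BOLT_TO_FLOOR, ARMED_GUARD):
        print(f"{m.name}: worth it? {is_worth_it(GUMBALL, m)}")
    for a in (GUMBALL, BRANCH_CASH, SWIFT_ACCESS):
        print(f"{a.name}: inherent {inherent_risk(a):,.0f}, residual {residual_risk(a):,.0f}")
    print("watch first:", prioritize([GUMBALL, BRANCH_CASH, SWIFT_ACCESS]))
```

Swap in your own institution's assets and estimates; the ordering that comes out is the starting point for deciding which doors get the most scrutiny.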


Nobody is a Qualified Infosec Practitioner

I read the same tweetstorm everyone else did about what you have to have to be an infosec professional. My $0.10 is simple: every time someone says you aren't a true // capable // professional Infosec practitioner, remember they weren't born like that either. They ignore their past and its learned ascent, and view the world of Infosec through the bias of their position, their history, and their employer's threat model.

And remember, many of these supposed supermen usually work at the behest of the US Federal Govt, so all their brilliant life choices mean this is the third time this year they aren't getting paid. No one gets it right all the time.

All respect to the people who help and uplift and work to make us all safer wondering how they are going to pay January and February rent. I can't begin to imagine ...

Leave Your Comfort Zone

I have recently unmuted every account I had muted on Twitter (100+). I unblocked many. I didn't unblock all, because I do have lines. I instead muted words or phrases whose use (in my searching) never amounted to a good conversation on Infosec. I chose to immerse myself in the views (via retweets) of those I disagreed with, sometimes vehemently. As seen above, we view the world from within the lens of our own experiences. We can't understand why people act a certain way // speak a certain way // vote a certain way while only looking through our lens. 

I have diversified my reading. I just finished Democrat to Deplorable by Jack Murphy. This book takes a look at how nine million people who voted for Obama twice then voted for Trump. It's been easy to scream racist // sexist // various pejoratives designed to shut down discussion at people rather than look through their lens, but Jack lets us peer into his. It is a good look at second and third order effects, and shows us what happens when people's use of words clings to definitions long past. Literally.

Next on my list is The Handmaid's Tale. I frequently heard how this would be a reality with the elevation of Kavanaugh to the Supreme Court. Reading the back cover I can't even begin to imagine the world view I currently believe to be inane where anyone can think American politics could create such a world. I choose to delve into it because there may be ideas that deserve greater discussion and thought - assuming people are willing to have real conversations about it.


I am about to buy a game for my Nintendo Switch I don't want because then my nephew will have someone to play against on his newly opened switch (which my brother wisely updated before putting under the tree). The $60 I'm spending isn't for the game, it's for the shared experience with my nephew. 

I'm fortunate this Christmas that most of my gift givers gave me things that we could use together - they gave something that was bundled with the gift of time. I have too much stuff as it is (and still need another bookshelf and a small number of other things), so the gift of time is especially welcome as I live alone.

Time is your most limited and most precious resource. Put it to good use.


I am working on an opportunity that may allow me to make a living while returning more of that most precious commodity to me - time. It is a sacrifice that puts me at odds with another potential choice in advancing in my Infosec career in a way I didn't expect. Like anyone else in this world, I have choices. Unlike many, mine are choosing between two potential betters. I acknowledge my agency in the choice, and the responsibility that goes along with it. I already have dedicated time to my projects, my education, my work, and my businesses. I have to remember to carve out time for my health, fitness, and decompression. You put on your oxygen mask before your child, because you can't help anyone else until you take care of you. True on planes spiraling to armageddon as it is in your daily life. Eat healthy, work out, read, and rest. You will feel better.


Time for the cast iron pan fried ribeye, air fried garlic potatoes, steamed green beans, sautéed spinach, hot tea, and the spate of Christmas movies:

A Christmas Story

Die Hard

The Ref

Die Hard II

and Scrooged.

I hope you aren't reading this on Christmas (unless you are in an inhospitable place, in which case I hope I provided a moment's relief). If times are good, embrace it, because this moment will never come again. If they are bad, just wait; it is only a moment, and with small effort it will be gone forever soon enough.

Remember, Reginald VelJohnson's role in Die Hard gave us Family Matters. Here's to second order effects.



The arbitrary end of the calendar year approaches. This is always a good time for review.

The purpose of a review is to take stock of what you accomplished compared to what you planned to accomplish. If you've accomplished everything you've planned, then odds are you didn't press yourself enough. If you didn't accomplish everything you planned, then you need to refine your expectations or your prep work. From a work // employment standpoint, this is a chance to burnish your CV // Resume combo, even if you have no plans to switch jobs. You may consider a switch, or have one forced on you, at some point. In this case it is easier to hit the ground running if you keep your resume and CV accomplishments current. I use the accomplishments of the year to plan for my goals for the following year, and build a long term plan, so I have a focus.

As James Spader said in Stargate, the last point needed to get to a destination is a point of origin. To consistently track your journey, you need to keep looking at that point of origin to stay on course. As you hit different waypoints, that changes the point of origin for the current leg of the journey, but keep the original one in mind to maintain awareness of where you started.

My journey started when I went to school. I got my first IT job, then I got my first InfoSec job. Then I got my associate's, then a better job with a pay and responsibility increase, then my bachelor's. It took me time to get some certs and work my way into a top-flight institutional defender position. Once there, I worked to build out professional 500-level InfoSec certs, learned new technologies, demonstrated excellence, built out a mentoring program, started speaking at Cons, started writing a blog, and started building an e-commerce website.

That is a lot of accomplishments. And it seems daunting to people new to the industry (or even veterans). Take a look at that list, and realize that began in July 2006. I see a list of accomplishments over 12 years, and I feel I have not done enough. It takes time to build momentum. Success builds on success. And the more wind beneath your wings, the better you are at charting a course going forward.

I have three SANS certs: GCIH (504 Incident Handler), GCFE (500 Windows Forensics), and GCTI (578 Threat Intel). Planning ahead, I am taking the class and exam for the 572 Threat Hunter course in Q1 2019. Beyond that I know I need the 401 GSEC and two gold papers to press for the GSE. That will press into 2020. The past has helped inform my direction as an institutional defender, and I need to shore up my certifications to be able to demonstrate that. This is good from a job standpoint, and to have a skillset that lets me press for more training and leadership // directional decision for my institution.

I need to get the website fully secured and both Android and iOS apps built for the site by the end of summer 2019. The site is almost done, but the infrastructure still needs to be built. I've done most of the legwork, and Humble Bundle and No Starch have helped provide resources. The ultimate goal is to build as near to passive income as possible, as a resource to eliminate debt, build more of a nest egg, provide a safety net, and build independence.

I need to get the CISSP, for reasons both obvious and personal. I need to slot time in to do that, and the study should start in 2019, even if the exam is in 2020. Whatever direction I go, it both shows an excellence HR departments understand, and it provides flexibility to be on either the policy or technical side of the house.

I need to press for my Masters. To do that I need to take the GMAT in summer 2019, expecting school won't start until January 2020 at the earliest. And I need to decide between an MBA, a Masters in IT, or a combination program. Once again, the credential matters, as there may be opportunities for leadership at my institution, and I need to further separate myself from my cohorts, though I expect taking on the role would come with their support.

I need to start outlining both of my books. I plan to write a fiction book and a non-fiction book on Infosec. Sometimes all you have to do is sit down and write. But it will collapse without structure. My desire is to put something out there that will help future institutional defenders start and build a career.

I think of where I started, and how the successes built on each other to maintain a progression closer to exponential than linear. All things take time. What's important is to compound the successes over time. This won't make accomplishments easier, it will make the burden of success easier to carry.

"Progress not Perfection." Denzel Washington in The Equalizer.


The concept of trust is a foundational one in InfoSec. You give a user access, you expect that access to be used in the designated way. You give an accountant trust to dispense money in accordance with, and only for, the business need. You give your kids the car keys or let them stay home alone, trusting to get the car back in one piece and the house clean of party remnants. If a user misuses the system, the accountant embezzles money, or the kids damage the car or house, privileges (or jobs) can be revoked.

Thus the concept of forced trust. You want a job with the Federal government? You are filling out very detailed forms, and you have no choice but to turn over that data. Your employer has to have your W-2 information for payroll. You want to stay connected with your family? That may mean you need a Facebook account. Even with all the privacy settings, the data gets slurped, in ways you may realize, but most don't.

To be a part of the world, in so many ways you are forced to trust entities that have already, maybe even repeatedly, proved they aren't worthy of that trust.




Every major hotel chain (Marriott 2018, Hilton 2017, Hyatt 2015, Starwood 2015).

Online retailers.

Brick and mortar retailers.


Sure there's a fix. Never submit identifying information. Only use cash. Drive older cars. Only use prepaid cellular, and only turn it on and call from the same place.

How practical is any of that? Even monks in monasteries are online. So what can you or anyone do?

Humble Bundle prompted this. The good news is only those with a humble subscription, not regular users, are affected. And the reports show the adversaries got e-mail addresses and that those e-mails were tied to subscriptions. These can be leveraged for phishing attacks, or spam from other game services.

I purchase the monthly bundle on occasion. My protections for this and other online retail are somewhat simple. Anything that isn't primary to my life is tied to a secondary e-mail account, and a secondary account for my money. I move money in to pay, and I'll happily take the monthly account fee to not have a minimum balance. A low-balance credit card fits this bill nicely. Any compromise will send spam and phishing to the secondary e-mail account. If something goes horribly wrong, it's easy to burn that account and spin up a new one. Password managers prevent reuse attacks. And if something slips through the e-mail provider's BS detector, I know not to click the link and just log in at the site directly. Any reputable service will have alert notices clearly visible right after login. I know people who use more unusual browsers (e.g. Opera) for transactions on banking and healthcare sites, knowing they are less likely to be targeted for exploitation on those sites. Obscurity is not security, but obscurity can augment security.

We live in a world where forced trust is constantly betrayed. Even if Facebook is broken in half, other services will fill the void. They too will betray you (whether or not members of their board Lean In). The best anyone can do is understand their personal threat model: what do they have that would hurt when lost, and how can they reduce the risk of that loss, or in the modern world prepare to continue on when that loss happens. We are in the Matrix, there's no more getting out. There is simply dealing with the world as it is.

"You lost today, kid. That doesn't mean you have to like it."

-Man who gave Indiana Jones his hat.




This is part four in the series on personal codes of conduct. These are my maxims, my personal guiding philosophic code.

Part 1

Part 2

Part 3

Maxim 10: People aren't dumb. They are illogical.

Dumb users may be the foundational trope of IT. Doubly so in Infosec. I remember the early days of the Bastard Operator from Hell (reference point: go to and search BOFH). There were other actual non-satirical blogs like this of admins having days ruined by inane, stupid requests from users. If you are old enough, you remember the stories from the birth of the now-extinct CD-ROM drive, when there was always that one user who thought it was a coffee cup holder. To be fair, by the modern definition, the coffee cup wizard is a hacker. They found an undesigned use for their hardware. We mocked them; we should have praised them for their ingenuity. Thus my maxim.

Users aren’t dumb. They are illogical.

End users are trained to do their processes. Most jobs in offices today are designed to be done in near assembly line style. A user has a very defined set of duties. They are trained on that set of duties. They practice those duties every time they do them. The procedure is logical for them. That logic exists within the bias of their experience. Most jobs do not require – nor do they want – people who think outside of the box. This is the complete antithesis of IT and Infosec – we follow processes but are constantly put into situations where the box doesn’t exist, and we must solve the problem // track the adversary // stop the malware // fix the issue RIGHT NOW. This requires us to be agile in thought while still following a logical progression. To be in the IT // Infosec space, you need to have the ability to be logical. Troubleshooting is applying logic to a problem. The nature of our jobs requires us to be able to logic any situation that comes up, as inevitably many have nothing to do with our systems.

In the modern day Everything as a Service society where most people outsource their needs to third parties, the need to be able to solve problems logically is no longer a necessity. It gets outsourced. Thus, when people need to be logical in an unfamiliar environment, they get frustrated.


subject inexperience x emotional escalation x attention at that moment = disproportionate response (Blowback)

You must understand the logical approach in dealing with an illogical person, then you can mitigate any unpleasant response. If you can minimize the attention on them at that moment, calm the situation down through the liberal use of patience, and use it as a teaching moment, you minimize all three factors leading to blowback. The biggest part of this is knowing that they will be illogical with their next tech and security issue, and the next, and the next. On a long enough timeline with enough interaction, they will start understanding the logic. And helping them get there gets you an ally.


Maxim 11: Words matter.

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.” -- Cardinal Richelieu, in The Three Musketeers.

Words change the path of the world. Look at what a tweet from the commander in chief can do. Words can be used to change a mood, challenge an assertion, even save a life or sentence a human being to death. Words can build allies or create enemies.

We live in a world where people want to be offended, forgiveness is conditional, and even (especially) the most mighty of Infosec heads look for reasons to crucify people based on their personal orthodoxy. For all the talk in helping people up, they also file away every printed work to use against those same people someday.

In the modern world, our words are eternal – every tweet a testament, every comment an epitaph. In this world, you must be skillful with your words as if they will be carved in stone forever. You need to respect the damage they can do to you as well as to others. Your words will be used against you by your adversaries and enemies.

Be direct. Use exacting language. Understand how to communicate for your medium. If you use twitter, reference an idea then link to a blog post expanding on it. Review written words before publishing. Think on any e-mail before hitting send. Think about the potential recipients (even ones not in the To field or among your twitter followers) as your message is shared and how they choose to interpret the words from within their bias bubble.

It sounds like a lot of work. It is. It doesn’t matter if we don’t like the world being that way, we deal with the world as it is (Maxim 2).

Corollary: Passive aggressive statements are a sign of weakness. Those who deliver such statements demonstrate a cowardice to take responsibility and challenge something directly, most likely because they know their challenge will not stand up to any logical scrutiny. These statements are most often used when logical truth is at odds with emotional (childish) desires.

Do Not Be Passive Aggressive.

Maxim 12: Take care of the people who take care of you.

I am fortunate. Not because I have slogged through the mud to an amazing job with the best benefits I have ever seen (not primarily). Having slogged through thankless jobs, I am very appreciative of those who enable me to spend more time doing what I need to be doing, rather than being forced into the little day-to-day housekeeping time sinks that whittle away the time available in my day. I once thought the idea of the rich person with the butler was snooty. Having been support staff, I realize the value in the staff giving time back into my day. Lunch is provided, so I don’t have to spend time making it before work. People keep the office and restrooms clean, so I don’t. I have an HR department that is constantly challenging our benefit providers to do better so I don’t have to shop around myself. I have a bona fide excellent IT support team who makes sure I never have to engage with angry users.

I also realize these people get paid far, far less than I do.

It starts by acknowledging that they are not an invisible service provider. They have names. Most have families. They aspire. At times they have unpleasant jobs. I want them to feel valued; I want them to feel appreciated. I want them to achieve and do well in life. I want them to be part of a culture of success.

And to do that, I give my time. When they have questions about personal security, I will take the time to do a security review and let them know what options are available. Are they in a branch of IT and looking at positions on the horizon? I work with them to know what they should train on to build the skill set for pending internal positions that would be a promotion. I help them find the conferences and knowledge bases they don’t know exist. Sometimes it is just hallway talk about how badly the Buccaneers are doing this year (after a too-promising 2-0 start with a backup) so the slightly better Packers could be in a worse position.

Taking the time is more than just being human; it’s pragmatic. Because that day will come when I need them to take the time for a reason I can’t imagine, when they wouldn’t have to. I won’t even have to ask.

Across seas of monsters and forests of demons we traveled. Praise be to Allah, the Merciful and Compassionate. May His blessing be upon pagan men who loved other Gods, who shared their food, and shed their blood. That His servant, Ahmed Ibn Fahdlan, might become a man, and a useful servant of God.

-- Ahmed Ibn Fahdlan Ibn Al Abbas Ibn Rashid Ibn Hamad, closing line of The 13th Warrior.




I have a folder in my e-mail where I save the CFP rejection notices I have received, from the conferences that send those notices. When these rejection notices come in, they always come with platitudes such as 'thank you for submitting' and 'please submit next year'. They never say 'your submission was awful' or 'please don't contact us again.' They come with zero constructive feedback. If you talk to people on the selection committee, they will say some variation on the following lessons people can learn from the process:

  1. Try submitting the talk again at other conferences.
  2. Try again next year.

These are complete falsehoods.

Submitting at other conferences may be a waste. Selection committees are inbred. Selection committees are made of high-profile Infosec people and conference insiders. There are not a lot of these in a region. Ergo, they get reused. If you are rejected from giving a talk in Indy and you submit to a conference in Chicago // Louisville // Grand Rapids, you may very well be rejected again by some of the same people who told you to submit it elsewhere.

Why would you try again next year? In the world of Infosec, where things change daily, if the talk wasn't up to snuff this year, how will it be any more relevant next year, after all the incremental changes a year brings? Doing this is a waste of time.

As always Maxim #2 applies (We deal with the world as it is - we don't pretend it's the way we think it should be). In light of that, here are the real lessons I have learned from the CFP process, and my several rejections.


Make a decision - do you want to speak on this topic, or do you want to speak at this conference?

Understand this. You may have a topic you think is of value. You may have a conference where you'd like to speak. And they may not go together. Most every talk can fit into the base design of some conference - there are dozens, if not hundreds, in the US alone. But most conferences have a very specific template. Look at the web pages for that conference's past years, and see the talks and abstracts they publish. Does your topic line up with these? If your goal is to present at a conference rather than to give a talk on a specific topic, look at the past talks to find what they like to have presented at their conference (and it is THEIR conference, despite any claim about being part of or welcoming to the community - internalize that). Find something in that vein and present it. Do they take talks about threat hunting? Find a topic on hunting that hasn't been done, such as hunting with Outlook registry artifacts or hunting through Mac system logs. Learn a topic that they'd like that no one has presented, become an expert, and submit that. That may mean waiting until next year, but if the goal is to present, put yourself in a position to do that. If you want to present on the topic, you may have to widen your search, and expect to travel.


Every conference has a clear template about what presentations they accept. They are the presentations from previous years.

This seems like common sense, but it is never really preached. People will mention it occasionally, but it is the ultimate canon on what a conference wants. You have a library of what talks they want, how they should be titled, what the abstract should look like, and most importantly, what kind of people they want presenting (this last one is the unspoken dirty little secret - conferences are run by people with agendas, remember). Everything from the headshot to the name to the title to the bio is laid out in a nice order. Review these over a long enough timeline and you will see a pattern. Build to fit the pattern they want. This increases your chance at selection.


Don't punch above your weight.

Some conferences, through the patterns explained above, don't want new people or unknowns. They tie the prestige of the conference to the speakers who present. When a conference publishes a partial list of speakers before the stated date of selection, they are demonstrating their prestige. Each of these speakers will have some list of notable accomplishments or previous speaking engagements which give the conference weight, and explain what they are looking for.

Like every rule, this one has an exception. There is nearly always a magical little checkbox at these conferences that (when most politically correct) says 'check here if you are an underrepresented group.' Understand that in modern parlance, that means not a white male. As a white male, I have very strong feelings about this, for reasons you wouldn't expect (and some you would). But the truth (maxim 2) is that if you are not a white male, use this to your advantage. Conferences want people who aren't white males (for reasons ranging from pure to sexist//racist, depending on the conference - not everyone is on the side of the angels). Use this to your advantage. Make use of the opportunity. Understand this doesn't mean (at most conferences) that you will be accepted because of a sub-par talk. What it means is you win tiebreakers. The conference will pick out the big names and the talks they clearly want. If yours is a talk they want, and you aren't up against an Infosec name, and you followed the submission guidelines (people don't - conference organizers whine about this every year), your competition is whittled down to any other similar talk being presented by either an underrepresented group or an insider who knows someone on the selection committee - and the checkbox can beat even that. Understand this: there is no shame in using the available advantages. It is your future, and your resume - don't hold yourself back.


Sometimes, the only winning move is not to play.

If you read this as a defeatist attitude, you have already missed the point. As the old woman in The 13th Warrior told Buliwyf, perhaps you've been fighting in the wrong field. If your goal is to get information out there, but you don't think you can get past the selection committees for whatever reason, you have options. Write a blog. Do a podcast. Post a video on YouTube. Create the content with your own personal spin, and use that to build your personal brand. Demonstrate value. Connect with like-minded people. Share content. Do this, improve your skills at presenting information (in any format), and build a history of useful content, and you become a name that the conferences want; you build bridges to people on the selection committees; or you may be brave enough to put in the time to start a conference covering those uncovered topics.

Here's the dirty little secret of meritocracy, and an example of where even the most beneficial and fair system breaks down. When you accomplish something that lets you connect with the people running these conferences, you are in a position to make better connections and have access to research others don't, making it easier to get the better jobs or access to information on topics you'd like to research, that you can then present, creating a continuous cycle. It takes a lot more effort to get into the eye of the storm than it does to stay there. And when others see people make that same journey, they will work to insulate that group. It's the nature of tribalism, which has existed since the dawn of mankind and will never go away. Understand it. Accept it. Make use of it.

Ultimately, decide what you want. Take the time to learn the real rules of engagement, then play to win.