
Lessons Learned

I have a folder in my e-mail where I save the CFP rejection notices I have received, from the conferences that send those notices. When these rejection notices come in, they always come with platitudes such as 'thank you for submitting' and 'please submit next year'. They never say 'your submission was awful' or 'please don't contact us again.' They come with zero constructive feedback. If you talk to people on the selection committee, they will say some variation on the following lessons people can learn from the process:

  1. Try submitting the talk again at other conferences.
  2. Try again next year.

These are complete falsehoods.

Submitting at other conferences may be a waste. Selection committees are inbred. Selection committees are made of high-profile Infosec people and conference insiders. There are not a lot of these in a region. Ergo, they get reused. If you are rejected from giving a talk in Indy and you submit to a conference in Chicago // Louisville // Grand Rapids, you may very well be rejected again by some of the same people who told you to submit it elsewhere.

Why would you try again next year? In the world of Infosec, where things change daily, if the talk wasn't up to their snuff this year, when all the incremental changes happen in a year, how will your talk be even more relevant? Doing this is a waste of time.

As always Maxim #2 applies (We deal with the world as it is - we don't pretend it's the way we think it should be). In light of that, here are the real lessons I have learned from the CFP process, and my several rejections.


Make a decision - do you want to speak on this topic, or do you want to speak at this conference?

Understand this. You may have a topic you think is of value. You may have a conference where you'd like to speak. And they may not go together. Most every talk can fit into the base design of some conference - there are dozens, if not hundreds, in the US alone. But most conferences have a very specific template. Look at that conference's webpages from past years, and see the talks and abstracts they publish. Does your topic line up with these? If your goal is to present at a conference versus give a talk on a specific topic, look at the past talks to find what they like to have presented at their conference (and it is THEIR conference, despite any claim about being part of or welcoming to the community - internalize that). Find something in that vein and present it. Do they take talks about threat hunting? Find a topic on hunting that hasn't been done, such as hunting with Outlook registry artifacts or hunting through Mac system logs. Learn a topic that they'd like that no one has presented, become an expert, and submit that. That may mean waiting until next year, but if the goal is to present, put yourself in a position to do that. If you want to present on the topic, you may have to widen your search, and expect to travel.


Every conference has a clear template about what presentations they accept. They are the presentations from previous years.

This seems so common sense, but it is never really preached. People will mention it occasionally, but it is the ultimate Canon on what a conference wants. You have a library of what talks they want, how they should be titled, what the abstract should look like, and most importantly, what kind of people they want presenting (this last one is the unspoken dirty little secret - conferences are run by people with agendas, remember). Everything from the headshot to the name to the title to the bio is laid out in a nice order. Review these over a long enough timeline and you will see a pattern. Build to fit the pattern they want. This increases your chance at selection.


Don't punch above your weight.

Some conferences, through the patterns explained above, don't want new people or unknowns. They tie the prestige of the conference to the speakers who present. When a conference publishes a partial list of speakers before the stated date of selection, they are demonstrating their prestige. Each of these speakers will have some list of notable accomplishments or previous speaking engagements which give the conference weight, and explain what they are looking for.

Like every rule there is an exception. There is nearly always a magical little checkbox at these conferences that (when most politically correct) says 'check here if you are an underrepresented group.' Understand in modern parlance, that means not a white male. As a white male, I have very strong feelings about this, for reasons you wouldn't expect (and some you would). But the truth (maxim 2) is that if you are not a white male, use this to your advantage. Conferences want people who aren't white males (for reasons ranging from pure to sexist//racist, depending on the conference - not everyone is on the side of the angels). Use this to your advantage. Make use of the opportunity. Understand this doesn't mean (at most conferences) that you will be accepted because of a sub-par talk. What it means is you win tiebreakers. The conference will pick out the big names and the talks they clearly want. If yours is a talk they want, and you aren't up against an Infosec name, and you followed the submission guidelines (people don't - conference organizers whine about this every year), your competition is whittled down to any other similar talk being presented by either an underrepresented group or an insider who knows someone on the selection committee - and the checkbox can beat even that. Understand this, there is no shame in using the available advantages. It is your future, and your resume - don't hold yourself back.


Sometimes, the only winning move is not to play.

If you read this as a defeatist attitude, you already miss the point. As the old woman in The 13th Warrior told Buliwyf, perhaps you've been fighting in the wrong field. If your goal is to get information out there, but you don't think you can get past the selection committees for whatever reason, you have options. Write a blog. Do a podcast. Post a video on YouTube. Create the content with your own personal spin, and use that to build your personal brand. Demonstrate value. Connect with like-minded people. Share content. Do this, improve your skills at presenting information (in any format), build a history of useful content, and you become a name that the conferences want, you build bridges to people on the selection committees, or you may be brave enough to put in the time to start a conference covering those uncovered topics.

Here's the dirty little secret of meritocracy, and an example of where even the most beneficial and fair system breaks down. When you accomplish something that lets you connect with the people running these conferences, you are in a position to make better connections and have access to research others don't, making it easier to get the better jobs or access to information on topics you'd like to research, that you can then present, creating a continuous cycle. It takes a lot more effort to get into the eye of the storm than it does to stay there. And when others see people make that same journey, they will work to insulate that group. It's the nature of tribalism, which has existed since the dawn of mankind and will never go away. Understand it. Accept it. Make use of it.

Ultimately, decide what you want. Take the time to learn the real rules of engagement, then play to win.


1 thought on “Lessons Learned”

  1. The NinJa Punch

    Great advice, thanks for sharing. I haven't kept my rejection emails, simply because, like you said, there's no constructive feedback.

    I love the reference to the 13th Warrior, particularly because it applies. One of the things I don't like is that valuable information and insight is held back because it was submitted to one of the big name conferences, and won't be available for 6 months. There are a lot of times when the information being available sooner makes it much more useful, and also allows it to be enriched and built upon.

    Again, thanks for an insightful post.

