Many security researchers and thought leaders want to speak at a security conference but have a hard time passing the selection committee. For those who do present, some get discouraged about doing it again due to low evaluation marks. In today’s post, we have a Q&A with Katherine Teitler, who has been putting together security conferences for years and is ready to pull back the curtain and share her knowledge.

Question: You’ve been the director of content for two major security conferences: IANS Security Forums and MIS Training Institute (Infosec World). Can you explain a little about what the director of content does?

Answer: My role at MISTI is more of a security conference producer role than a content role. For MISTI’s security conferences, I manage the calls for speakers, recruit specific experts whom I’d like to have present at the conferences, put the program together (flow and timing), try to make sure we cover the full spectrum of talk topics, review presentations and manage speaker logistics, which is a huge part of the job.

The subject matter experts I’ve worked with over a longer period of time generally come to me a little more than new-to-me speakers, asking for feedback on abstracts and presentation decks. That for me is the fun part!

When you’re reviewing talk and paper submissions, is there anything in particular that catches your eye? Anything that potential presenters do that’s a big no-no?

The first thing I look for is alignment with the conference theme. For Infosec World, anything goes, but if you’re submitting a talk on, say, cloud-based identity management to the Threat Intelligence Summit, that’s not going to get accepted.

Then, there are some very basic things potential presenters should always do when submitting a talk. Make sure your submission is in line with the submission guidelines. If you’re leaving out parts of the submission (e.g., not supplying the abstract or bullets, not providing your bio), unless it’s a slow day, your talk isn’t going to be accepted.

I am one person managing four conferences, plus our seminar division (security and audit). If I don’t have confidence that you’ll send me what I need or that your materials will be well-thought-out, there’s surely another speaker who is willing to put in the effort.

A second element is accuracy. Don’t mislabel a coding error as “malware” or try to slip a 2013 breach into a talk on recent security events. Assume the people you are sending your submission to have the knowledge to judge it.

Another thing that really catches my eye is spelling or grammatical errors. Please check your submissions. Write them one day, review them the next. Ask a co-worker, friend or spouse to take a look. Read them to your dog. Whatever you have to do, just try to minimize mistakes.

Dogs are great talk test audiences, too! Any other “gotchas” with submissions?

I’ve also received talk submissions that claim to be submitted exclusively to “MISTI Conference X,” yet at the top of the page/email, the header is “Speaker Submission for Some Other Conference.” Again, check your submission for accuracy before hitting send.

Lastly, don’t be afraid to come up with a crazy idea. There are over 2,000 security conferences every year, and let’s be real, many of the talks are just versions of one another. If you have some new idea, don’t be afraid to send it.

Two thousand security conferences a year? I had no idea there were so many. With that many to choose from, do you have any specific tips for speakers on which types of approaches and subjects resonate most with attendees? Do all demos get higher marks than slideware-only talks? Or does it depend more on the content and presentation style?

It definitely depends on the content and presentation style — and the conference itself. What will fly at DEFCON could flop at Infosec World. Of the top 10 highest-rated talks at Infosec World 2015, only three were demos. Demos are popular because attendees feel like they are taking away something, but I’ve seen talks that are just as effective because they are content-heavy. By “content-heavy,” I don’t mean a million words in your slide deck — actually, I would recommend leaving something to the imagination there. Highlight the salient points in your deck and be a presenter. You’re the one with the knowledge, not the slide deck.

And despite the skepticism of the security industry, believe it or not, buzzword topics are the most popular. Lots of security people joke about the use of the word “cyber,” for instance, yet the most popular talks at Infosec World 2015 were the ones on cybersecurity.

As an attendee, I feel that if I learn one to three new things in a talk, it was time well spent. Do other attendees feel that way? Or do they want more?

This goes hand in hand with the previous question — I do think attendees hope to hear a few new things from every conference that they can actually go back to their offices and try.

The highest-rated talks at Infosec World 2015 were the ones in which attendees felt they heard something new or different than they’d heard elsewhere. A new technique, a checklist for X or a framework/diagram goes a long way. Provide some steps for attendees to follow, a new set of tools or a different approach. Speak to specifics and from experience, and you’ll be successful.

Attendees also like to hear good news. There is a lot of negativity in our field — it’s the nature of the business — so when attendees spend their time at conferences, they want to hear something helpful, not the same old, same old of, “The sky is falling, Chicken Little!”

Is there a flow or framework for a highly rated talk?

Start your talk by briefly setting the stage: Here is the issue/problem/challenge (include definitions of acronyms or less-common terms. Never assume everyone in the audience knows everything you know. You’re the expert on the stage.). Then, move to solutions. Yes, yes, I know not every security problem has a solution, and there are no silver bullets. But people are tired of hearing that there’s no perimeter so you can’t protect it. They’re bored by hearing that attackers have the upper hand because of resources and time and all the things they don’t. So state the problem once and then spend the bulk of the talk providing tactics, techniques and procedures listeners can practically implement.

So give ’em something to grab on to. On the other side, what are your “never do this” words of advice? For example, don’t title the talk, “All About Cats!” and then proceed to only talk about dogs.

Titles and abstracts are slippery. To ensure you’re addressing what you submitted, go back to the original copy and ask, “Did I cover what I said I was going to cover?” If you didn’t, you have two options: Revise your presentation and make sure it’s on topic — the whole topic — or ask the event producer/content director if you have any flexibility. Event organizations have print deadlines for on-site signage (generally about a month ahead of time), so if there’s room for flex, I personally would rather have a great talk that needs a few tweaks in the title or abstract. If there’s not (and believe me, it’s not that event producers are just being ornery), go through the takeaways you submitted and make sure your deck is in alignment.

As for “never do this” words of wisdom, please don’t send me 18 revisions of your deck. If there is a deadline and you can’t make it, send an email asking for an extension. Be reasonable in your ask, but communicate. The worst thing is having a deadline go by, reaching out to a speaker and getting radio silence. It takes only a few seconds to write that you’re behind. I’ve come up with a cheesy new saying for this job: “I’d rather have it right than rushed.”

In addition to being an accomplished director of content, you also have a master’s in music and are a concert flutist. Any lessons learned from your music career that have transferred to your information security conference career?

I’ve thought about this question a lot, and there are some similarities. For instance, in an orchestra, it’s all about collaboration and getting on the same page (sometimes literally). An orchestra has around 80 musicians, all with different abilities and ideas, but all playing the same piece, hopefully together, at the same time, same tempo, same style and phrasing, right dynamics and articulation, etc. Working on MISTI’s conference team, we have a bunch of great players, but again, we have different experience, sometimes different departments have different thoughts as to how the event should be executed, sometimes the budget is limited and we can’t get the venue/food/swag/speakers we want, but at least here at MISTI, we all have the same goal: putting on a valuable, memorable, profitable event. The article “The Best Teams Act Like Musicians” illustrates how collaboration in music can be borrowed for business.

On the other hand, sometimes working with speakers is a bit like bringing in concert soloists. The difference is, for any one concert, there is one soloist who gets to (mostly) set the interpretation of the piece. They work with the conductor to iron out discrepancies, but they’re the ones who guide the overall performance; the orchestra musicians are there to support the performance, but they can’t go off in their own direction. Conference speakers can act like soloists, a hundred of them planning for one conference without the conductor’s baton. Attendees come to conferences for the presentations and speakers’ knowledge, but there are other reasons they attend, as well: professional and personal networking, to efficiently hold multiple meetings, to share their own experiences and/or research — and sometimes it’s hard to get all the speakers on the same beat of the same bar of the same phrase in the same piece.

Thanks so much, Katherine!

Interested in speaking at a security conference? MIS puts on major security conferences throughout the year. You can find the full calendar here, and when you’re ready to submit a talk, the open call for speakers is here.
