Share the spotlight: Creating a culture where everyone shares their work
How to encourage others at your company to write blogs, appear on podcasts, and speak at conferences and meetups.
Hello! I’m Leif Dreizler, and I work as a Senior Engineering Manager on the Security Features Team at Twilio Segment. I am also a conference organizer and podcast host.
I often chat with folks at other security organizations about how to foster an org-wide culture where employees are writing blogs, speaking at conferences, appearing on podcasts, and so on. If you’ve stumbled across this blog from somewhere in tech outside Information Security (InfoSec), I think much of this blog would still apply, but this is written with an InfoSec lens.
As the title suggests, this blog is all about creating a culture of community involvement within your team or organization at work.
If you’re looking for individual tips about how to get started check out my previous blog, it provides guidance on how to research events and prepare content.
What we’ll cover:
Why does this matter? - the benefits to you, your team, and your company. This section can also help you sell this type of culture internally and convert skeptics.
Tips for leaders - your team is probably already busy. How are you going to make them feel well-supported throughout the process? How are you going to help first-time writers/presenters get started?
Promoting your work - this section is all about using your team’s collective network to generate buzz. They’ve spent months on the work, let’s make sure your blogs are well-distributed and your team has a shot at landing a few podcast appearances.
Why should I help build a culture of community involvement at my company?
Community involvement helps your team attract talent, can grow your own career, and benefits your company. But, cultivating these practices takes a LOT of manual work. Ongoing work. Email reminders, Slacks, follow-ups. Work that can’t be automated.
These are things that security teams don’t like. I don’t really like them either. It’s worth doing. I promise 🥳
If you’re already bought in, feel free to skip ahead to “Tips for leaders!”
It attracts talent
Even with last year’s changes to the macroeconomic environment, hiring freezes, and layoffs, hiring remains challenging and competitive in InfoSec. It probably won’t change until AI takes all our jobs.
Having public representations of your team’s work allows potential candidates to learn about your org over time and at their own pace.
There’s a lot of overlap between recruiting and sales. Think of blogs and presentations as your marketing department. It makes more candidates (customers) come inbound, and helps your recruiters (salespeople) successfully get folks to respond to their cold emails.
Having a blog or conference presentation go live around the same time you open up a new role is a great way to drive people to your /jobs page.
The InfoSec community is small, and orgs that publish their work come up frequently in conversations when people are looking for their next role. I’m sure the Netflix security team gets a lot more inbound interest than NBC Peacock’s team when they open a role.
You might be thinking… “Netflix probably pays twice as much,” and that’s probably true. But I can tell you from personal experience that when we were building the Segment InfoSec team we paid nowhere near what Netflix did, and we were able to attract incredible folks. I attribute a lot of that to our presence in the community.
I think that community involvement is a fairly reliable indicator that the team is working on interesting projects, is given time to write and travel, and that they have a decent learning and development budget. These are things that most security people want. Teams that are struggling to keep their heads above water are less likely to be able to do these things.
If you want to be a referral juggernaut, you need to network. Sharing your work is a great way to do that.
Encouraging folks on your team to write blogs and speak at conferences helps establish them as an expert in their field. It also helps expand their network, which can be incredibly helpful when they’re researching their next project.
I can’t even begin to count the number of times I’ve seen someone ask about a topic in an industry Slack channel, and get a ton of great intel from folks that have solved similar problems.
Communication is also a component of many engineering ladders, and this type of work is a great way to demonstrate mastery in that area.
Written and verbal communication skills are important at all career levels, but it becomes increasingly important the higher someone rises in an organization, regardless of whether it is on the manager or individual contributor track.
It benefits the community
Think about how much time you’ve saved in your career because of open-source software, a pitfall you avoided because of something learned at a conference, or an approach you read about in a blog.
InfoSec teams end up solving the same problems at different companies. Please allocate time in your team’s busy schedule to allow people to share what they’ve learned.
It can promote your product
Depending on your company and the content, you can also lightly promote your product. Just be careful that it isn’t too salesy or your target audience will probably lose interest.
In a recent blog, I talked about the metrics our team tracks. This is mostly powered by Segment, Snowflake, and Datadog. This showed a use case for our product, but was by no means was it the focal point of the article.
Tips for leaders
Hopefully you’re bought into why community involvement matters, here’s how you can drive this type of change in your org.
It is worth noting that you can be a leader in this area without being a manager. Some things in this section will be easier as a manager, you may need to get a manager to sponsor you.
Lead from the front
One of the best ways to encourage this behavior within your organization is to exemplify it yourself. I originally joined Segment in 2017 because I saw Coleen Coolidge give a presentation at BSides SF. Since then I have seen her keynote multiple conferences, speak on panels, and encourage others to do the same.
There are at least 10 high-impact people that joined Segment and later Twilio (which acquired Segment) as a result of this presentation if you include attendees and their referral trees. Incredible ROI.
Since becoming a manager in 2020, almost everyone that has reported to me has written a blog. Most of these people published the first blog of their career, appeared on their first podcast, and one was accepted to speak at their first conference.
The people on my team have felt well-supported in this area, and have let me know how much they appreciate the help I’ve given them and the doors I’ve helped open. In reality, they’re doing 99% of the work, but it still feels nice to be appreciated.
I highly recommend making time for this as a manager, I know you’re super busy. It will not only pay dividends for you and your team, and it will also give you the warm and fuzzies 🥰
Work on blogs and talks during work hours
I make it abundantly clear that writing blogs, building decks, etc. can and should be done during work hours. I wrote this blog during work hours.
My team does weekly planning. Writing a blog gets a ticket in Jira. We talk about progress the next week the way we would about any other ticket.
Many people will need some periodic nudging. This is a lot easier if you know what people are working on. If you haven’t caught up with them in a while, ask them about what they’ve been up to and help them brainstorm ideas.
Tips to helping along the way
You need to meet people where they’re at. Here are a few scenarios:
Someone on your team might be an excellent writer. They’ve written blogs in the past, but they’ve never published a blog at your company. Do a bit of proofreading and then help them find the right people to talk to, or better yet, provide them with a document that lays everything out.
This person might be a strong writer, but new to blogging. Help them by asking questions about their work, help them build an outline, and share any personal tips you have about writing a blog. I wrote down some of my thoughts here.
A new blogger could also need help with their writing in general. This can be pretty time consuming, so try to be efficient. It is totally fine to tell someone to “fix this throughout the document” after you’ve identified a few examples and identified a problematic pattern. You could also suggest they run their content through something like Grammarly.
You can also feel free to time box your involvement. If you’re busy, tell them you can read the first few sections.
Debugging writer’s block
There’s no silver bullet, and I am far from an expert at this. I sat on an outline for a blog I wrote last year for 2 months because I didn’t feel like getting started.
I have successfully helped folks in the past by applying similar techniques to figuring out what is slowing down a project.
Ask them if they know why they’re stuck. Sometimes people have a good idea about why they’re stuck, and need you to help them solve a specific problem.
“I don’t like the way this paragraph sounds” or “I don’t like the flow between these two ideas.”
Recommend they take a break and work on other tasks for a few days
It is better to have them blocked on the blog and still making progress on other objectives than just sitting there thinking about the blog.
Break the remaining problems down into smaller pieces and revisit the outline. Does the outline need more detail for the section you’re stuck on? Does it need to be broken out into multiple sections? Does it need to be scrapped entirely?
Set a goal with a deadline of the next time you meet. It can be a section or even a single paragraph.
Help them write a paragraph. You want to avoid doing the work for them. But I think it is fine to help them with a paragraph to get things moving again.
If I were helping someone write a paragraph convincing others to get involved in the community it might look something like this:
Writing blogs, speaking at conferences, etc. is a great way to meet people. [something about finding your next role] [something about referring people to your company]. It is a lot safer to join a company where you know folks internally. [why is this the case?]
This keeps them involved, shows them you’re here to help, and helps maintain their voice. Try to incorporate ideas or phrases from their outline. You don’t want it to feel like you did their homework for them. You’re just trying to get things moving again.
I also use this method in my own writing. Sometimes I feel like I’m getting stuck, so I will insert some placeholders for myself and continue writing the next section.
If you’re an established speaker, consider presenting with someone that is less experienced. Your personal brand will help elevate them.
I still remember watching “Twubhubbook: like an appsec program, but for startups,” at AppSec California 2017. The presentation was delivered by Neil Matatall and Brent Johnson. At the time, Neil was already well known in the AppSec space, and Brent was still in college.
My first manager, David Shaw, co-presented with me at NolaCon in 2016.
If you’re trying to help others promote their work, consider sending their blog to folks you know that publish newsletters, host podcasts, or organize meetups. They’re always looking for exciting new content.
I recommend keeping a list of who at your company can make intros. We used to keep ours in the same doc that had the blog publishing and approval instructions.
I know travel budgets are super slim this year, a lot of teams aren’t getting to do off-sites, and learning and development budgets have been cut, but if there is one thing you can make room for, pay for your team to speak at conferences.
Gather a few estimates based on which conferences people want to attend. You should be able to quickly gather the following:
Hotel cost * nights
Company per diem * nights
Few hundred dollars for ground transportation
If people at your company aren’t confident travel will be covered, they’re less likely to submit to speak at conferences. Especially junior folks that are less likely to be able to fund their own travel.
This is an important growth opportunity for your team, make sure you are investing in them.
You should have a system in place to track who published blogs, who spoke at conferences, etc. Bonus points if you integrate the tracking and approval processes, since this increases accuracy.
The original version of this at Segment was a Confluence page. It kept track of who spoke/blogged/podcasted, the month, the event name, and a link. It made it easy to see all the amazing work people did in a given year. Of course, sometimes people forgot to track their work, but it was still fairly accurate.
This year, Twilio we engaged Discernible to help streamline this process. Discernible has a helpful Slack app that lets you raise your hand and ask for help, as well as opt into being a mentor.
If you need help writing a proposal, having your blog proofread, or working on a slide deck, it will present you with a simple Slack form and then a mentor from your company will reach out. When your work is in a final state, another Slack workflow notifies people that are allowed to approve content. Approved content automatically gets entered into a Google Doc for tracking. It’s pretty slick.
One of our security org-wide goals in 2022 was for 25% of the security organization to contribute something to the community, Discernible made this easy to track.
Things that get set as goals and tracked are easier to get funded. This can help make the case for conference travel budgets.
Make sure that folks getting help with their content thank those that helped them. Twilio has a system called “Hoot hub” where you can recognize folks that embody the company values. I always remind the people on my team to send Hoots out after their work is published.
If your company has a suitable office for hosting meetups, see if you can host a local chapter. The host typically gets a speaking slot, which guarantees you can showcase some of your team’s work.
Encourage people from your company to attend. This not only shows support for your co-worker, it maximizes the chance your team meets someone great to recruit.
If you have any ability to sponsor community events, please consider it. These are amazing events run almost exclusively by volunteers. I’ve helped run conferences for a decade and have never been paid (although it has opened a TON of doors). Most folks involved in conferences do it because they want people to have a good time.
Without sponsors these events aren’t possible. Try to put some money in the yearly budget. It makes things easier for you when it comes time to sponsor conferences.
You might be surprised at how inexpensive some conference sponsorships are. Take a look at a few of the conferences that your team is interested in attending.
If you’re not an InfoSec vendor, and you’re just a company looking to support the community, I recommend looking for sponsorships with high visibility. A sign next to the coffee machines or the lunch lines like having a billboard on the freeway coming into San Francisco.
This type of work doesn’t have to be for everyone
Tons of people have great careers in InfoSec without writing a blog or attending a conference. Your colleagues may have perfectly good reasons for not wanting or not being able to share their work publicly. Respect their boundaries.
Tracking conference deadlines
Blogs, podcast appearances, and meetups all occur throughout the year so you don’t really have to worry about scheduling. Unfortunately, conferences have a somewhat narrow window where their Call for Presentations (CFP) is open, so you have to stay on top of things.
I don’t have a good system for this, but here it is:
Follow a bunch of conferences on Twitter
Keep tabs on industry Slack channels
Create calendar events with email notification reminders for relevant deadlines (CFP opens, CFP early-bird closes, CFP closes, conference dates)
Ping people on Slack to remind them of deadlines
Note: if a conference has an early-bird CFP, try to meet this deadline. It gives you a better chance of getting accepted. If you meet the early-bird deadline, and your talk gets accepted, a better talk could get submitted afterwards that might get rejected.
I actually find keeping track of conferences and pinging people to submit to be fairly annoying, and you probably will too, but please do it for the good of your org.
Maybe folks at your company are ready to dive right into blogging and speaking. Amazing! 🍾
Others might need a little more help. Here are a few things you can do to build up this muscle. These are also just good practices 🤩
Get people comfortable writing things down. It is more important than ever with today’s distributed workforce. It helps with planning, it avoids a bunch of unnecessary sync meetings, and is a more mature way of operating. It also helps with performance reviews, project retros, and a bunch of other stuff.
An additional benefit is that it gets people used to writing about their work. This makes it easier for people to crank out blogs and fill out CFPs.
Security team demos
Encourage people to show off what they’ve been working on. No demo is too small. Some people demo code, others demo documents and spreadsheets. It’s a great way to stay current on what other folks are working on and get people comfortable presenting to a friendly audience.
Once people are used to presenting at team demos, see if there are openings at an upcoming company all-hands. The stakes are higher than demos, but lower than a conference. Just make sure the content is a good fit for the audience.
The blog to conference presentation pipeline
This is a phrase someone coined to describe my not-so-secret formula. In reality it is probably more accurately described as the “outline to anything” pipeline, but I like the ring better on the original.
Just like writing a software design doc before you build something with code, you should be writing an outline before you write a blog or presentation. You can always deviate from the outline as the content evolves.
Write it down
When you’re brainstorming, don’t worry about the structure, just write down everything that comes to mind. It can be quotes or stats (or a reminder to look up a stat), bullet points, or memes. Maybe you have a mixture of really fleshed out sections and some things that are super exploratory.
Sometimes I add things to an outline over the course of a few weeks and then write the first draft of the blog in one sitting. There’s no right way to do this.
Once you’re getting close to writing, take the time to revise your outline. Having a good outline makes you less likely to make big structural changes later. Sometimes it still happens, don’t get too discouraged, it’s just a bit more work.
If you want some early feedback on your content, share your outline with someone.
Outline → ??? → Profit
The outline unlocks everything. Here’s my recommended ordering if you’re trying to maximize the value of a specific topic:
Blog → Podcast
I love having the blog done before I appear on a podcast. Hopefully your blog generates some nice buzz and gets people excited to hear from the author.
Having a blog also makes it easy for the host to research your idea, and is a nice addition to the show notes.
The podcast is a great way to get comfortable talking about your work, and is a lot less time-consuming than building a conference presentation and practicing.
Outline → Conference
Many conferences have an optional or required outline section. If you had someone review your blog outline, it might already be ready. If the outline was more for your own planning, you might need to make some edits. When you’re done, paste it into the CFP form. You’re done with the most time-consuming part!
You’ll still need to spend some time on your abstract, but I’ve found that repurposing some of your blog’s intro is a good place to start. This should be an attention-grabbing overview of the rest of the blog, so it is good source material for your abstract.
In some cases your blog title might work as a conference title. If that’s the case, you probably didn’t have to spend too much additional time on the conference CFP.
In most cases there’s no issue in submitting the same content to multiple conferences. Some of the bigger conferences care, but most of the smaller ones don’t. You never know which conferences will end up accepting your talk.
Sometimes, because of CFP deadlines it makes sense to switch the order. It’s just a guideline anyway.
I find this to be slightly less efficient, but it works totally fine.
Meetup → Conference
This step is optional, but you should strongly consider it. It gives you the opportunity to practice your presentation in front of a live studio audience with less pressure than a conference.
It is also a good way to get involved in your local security community, especially if you plan on presenting elsewhere. For example, if I were presenting at BSides SF, I would try to present at OWASP Los Angeles first.
If your meetup or conference presentation was based on a blog, include a link to the blog in your slides. It is much faster for the audience to skim through a blog if they want to revisit a topic later.
Promoting your work
This section is all about generating buzz and making others aware of your work.
Self-promotion might be uncomfortable for some folks, but you’ve put so much work in already, please stay strong through the final steps.
Think about the people that could benefit from hearing about your work that might miss out if you don’t share it widely.
Publishing your blog
🔬 Non-scientific Recommendations 👨🏻🔬
I don’t have any data to support this section.
Post when you think most of your audience will be online and engaged. My network is West Coast centric, and very limited outside the U.S. As a result, I try to post around 10 a.m. Pacific Time on Tuesday, Wednesday, or Thursday.
My logic is that people are too busy on Mondays and ready for the weekend on Fridays 🕺🏻
10 a.m. gives people on the West Coast time to go through their Slack messages, feel a sense accomplishment, and then hop on Twitter and see my tweet. It also leaves plenty of time in the day for my tweet to gain traction, and isn’t too late for it to circulate in East Coast networks.
LinkedIn and Twitter
These are always the first places I post. Once you do this, ask folks at your company to retweet, reshare, etc. Provide the links to your tweets and posts. Make it easy for them.
Having folks engage with the content makes it more likely to show up on other people’s feeds. I assume it’s better to have people amplifying your posts vs. all doing their own posts with links to the same blog. I am by no means a social media wizard 🧙🏻♂️ so take these theories with a grain of salt.
As you can see in the stats provided by Substack, Twitter and LinkedIn drove a significant amount of the traffic for last week’s blog.
If your blog mentions a vendor in a positive light, try to get them to reshare your post by tagging them. This will give you access to a new network of potential readers.
If there are some folks in your network that you think would enjoy reading your blog, definitely send them a message with the link to the tweet or LinkedIn post. Ideally they get the hint and reshare organically.
I’m shameless and just ask people to reshare. Yolo.
If you’re in any industry Slacks/Discords/etc. share a link if you think the members would be interested.
Hacker News can be really hit or miss in terms of traction. I had one blog make it onto the front page, and another blog I thought was way better, barely go anywhere.
Be careful with how you promote your Hacker News post, I know they have shill detection.
Your company’s /security page
This is more applicable in the B2B space, but I think it is a nice touch to add a few blogs to your company’s security page. This gives your potential customers some insight into how seriously your company takes security. Maybe they’ve even heard of a couple of the people on your team.
Here are a couple examples for Segment and Figma. Scroll down to “Articles by Security” and “Inside Figma Security,” respectively.
Your company’s job postings
Pick a few of the most relevant blogs or conference presentations and add them to your job descriptions. Bonus points if you tailor these on a per-role basis. This will help entice top candidates and give folks a way to learn about your team.
I recommend pinning a tweet of either your most recent blog/presentation, or whatever you’re the most proud of. I also recommend adding some “media” to your LinkedIn.
The screenshot below shows a link to my most recent blog and my BSides SF 2022 presentation.
This gives someone that is trying to quickly get to know you some guidance as far as what content they should look into. This person could be a future co-worker 👀
I keep an exhaustive list of my blogs and speaking engagements under the Publications section of my LinkedIn.
Please steal my playbooks and tactics if you found anything useful. I’m happy to chat about this stuff. If we’re in an industry Slack, reach out to me there. If not, send me a DM on Twitter or LinkedIn.
The world needs more competitive CFPs to keep conferences feeling fresh. We need new voices blogging for the first time. We need companies to allocate time to their employees to make this possible.
You don’t have to be a manager or senior individual contributor in this area. I played an important role in creating this community-centric culture at Segment as an L2 Security Engineer. You can too!
This section is meant to provide you with some helpful reminders. If you need a refresher on any of these, check out the sections above.
I promise it’s worth it
Helps your team attract talent
Great for career development
It benefits the community
Tips for leaders
You don’t have to be a manager to be a leader
Lead by example. If folks see you contributing to the community, they’re more likely to join in
Respect your colleagues’ boundaries if they don’t want to share their work
Having a blog or conference presentation go live around the same time you open up a new role is a great way to drive people to your /jobs page.
Combat the idea that your team has nothing interesting to present. Not every blog needs to be groundbreaking. A blog can be interesting because it is your experience
Encourage people to work on a blogs and talks during work hours
Periodic nudging can help people find the motivation to share their work
Be there to help. This could be brainstorming, proofreading, giving feedback, making intros, co-presenting, or a slew of other things
Track your team’s progress and set goals. This can make it easier to get funding
Host meetups and sponsor conferences when you gain
Cover employee travel
Building a foundation
The more comfortable people are at writing and presenting their work internally, the easier it is for them to do it externally
Promote a document-first culture, host monthly team demos, encourage people to present at all-hands
The blog to conference pipeline
Everything should start with an outline
Once you have a blog, everything else is easier. You’ve already done the work and spent a significant amount of time thinking about it
Use the blog to land a couple podcast appearance
Use your blog’s outline as the basis for a CFP submission
Once you’re accepted to a conference, present at a local meetup to get practice
Promoting your work
Publish your blog on Tuesday, Wednesday, or Thursday
Post to LinkedIn and Twitter (and Mastodon?)
Ask your team to reshare your posts
Send it to individuals or groups outside your company
Add some hit blogs to your company’s /security page
Include blogs and presentations in your job postings
Add your work to your LinkedIn and set a pinned tweet
Thank you to all the folks trying to improve the InfoSec community. I really appreciate everything that you do 💙
Thanks for reading Leif’s Substack! Subscribe for free to receive new posts and support my work.
Hi Leif! Found this article via a reshare on LinkedIn. Thank you for everything you do for our community and for encouraging others to do the same!