The InfoSec community needs you (yes, you)!
Why you should be writing blogs, appearing on podcasts, and presenting at conferences... and how to get started!
Hello! I’m Leif Dreizler, and I work as a Senior Engineering Manager on the Security Features Team at Twilio Segment. I am also a conference organizer and podcast host.
Folks often ask me for help building their network or getting more involved in the security community. Unfortunately, it takes a lot of time and there is no shortcut that I am aware of. As the saying goes, “the best time to
plant a tree start networking is 20 years ago. The second-best time is now.”
Why does community involvement matter?
If you’re already sold on this, feel free to jump down to “Getting Started!”
Speaking and writing are by no means the only ways to get involved in the community, but they are the focus of this article. Conferences need volunteers, meetups need organizers, people need mentors, Discord communities need moderators, the list goes on.
It’s great for your career
Writing blogs, speaking at conferences, etc. is a great way to meet people. These might be people that want to hire you, or someone that you reach out to when you’re ready for a new role.
When you’re interviewing, it is always better to have someone on the inside that you can ask questions and receive candid answers from. Most of the interviews in my career have started as an informal text/Twitter DM/Slack message. This is a lot easier if people are already aware of who you are.
In addition to finding a new role, this type of work also helps you advance within your current company. Many engineering ladders have a section related to communication, and presenting at conferences and writing blogs is a great way to demonstrate mastery in that area.
I will note that it is by no means required to have a successful career. You may have perfectly good reasons for not wanting or not being able to share your work publicly. Tons of people have great careers in InfoSec and never do any of the stuff in this article.
It’s great for your team
Hiring in Information Security (InfoSec) is HARD.
It is something even the most experienced hiring managers at the coolest companies struggle with. During my time at Twilio and Segment I have had the privilege of working with a lot of fantastic people.
Our blogs and presence in the community are something that is often brought up by candidates during interviews. Candidates are much more invested in the process when they feel like they already know your team and are excited to work with you. It also allows folks to self-select out if your program isn’t aligned with what they’re looking for. This saves everyone’s time.
Having a presence in the community gives you an opportunity to meet incredibly talented folks. There is someone I met at a conference in 2019. I would send her open roles a few times a year and after multiple years she eventually joined another team at my Twilio and has excelled.
Having an existing relationship with candidates gives you a huge advantage when you’re trying to sell them on joining your team.
This applies to both individual contributors (ICs) and managers. Just because you aren’t a people manager (yet) doesn’t mean you can’t help your organization hire amazing talent.
The referral bonuses don’t hurt either 🤑
It benefits the community
InfoSec teams end up solving a bunch of similar issues as their counterparts at other companies, often in silos. We all face a lot of the same problems, even if we at very different businesses.
Even if you can’t open source the tool you’ve built, you can still “open source the approach” and share your learnings. Of course, it is even better if you can share your code, but this requires a significant amount of extra work, and in many cases might not even be possible.
Try to make yourself available to folks that read your blog or attend your talk and share additional information if you have the time and energy. Even though some people in the InfoSec community can be guarded, I have found that many others are happy to share information in semi-private settings if you ask them about their work.
Sharing your own work inspires others to publish their work, which makes technology safer for everyone else.
I hear there is a lot of snake oil in InfoSec. Why should I trust you?
I’ve worked in the security industry for over a decade, and have spent quite a bit of time presenting at and attending conferences and meetups, listening to and appearing as a guest on podcasts, and reading and writing blogs.
I have also helped many others review drafts of their blogs, do dry-runs of presentations, and coached them on how to get more involved with the community.
Here are some additional highlights:
Organizer for OWASP AppSec California (2014 - 2020). Also a member of the speaker selection committee for a few years
Organizer or LocoMocoSec (2019 - Present). Focused on running the Call for Presenters (CFP) and inviting speakers
Co-host of 404: Security Not Found podcast
Chapter leader for the Bay Area OWASP meetup group (2017-2020)
In my 2+ years as a manager at Twilio Segment, 3 of the people that report to me wrote their first blog, 2 appeared on their first podcast, and 1 applied to their first Call for Presentations (CFP) and got accepted to speak at their first conference
While I think a lot of this article could apply to the broader tech industry, the post was written with the information security community in mind.
Furthermore, these are also based on my experiences. I hope that the reader will find plenty of helpful guidance, but what has worked for the folks in my circle might not work for you, and there are plenty of great ideas you have that I haven’t considered.
I have also been privileged to always work at companies that funded conference travel, and encouraged me to present my work. I also spent the first half of my career as a security consultant and as a sales engineer, both of which are roles that lend themselves to meeting a lot of people.
Adding to this retrospective, the formative years of my career were also pre-COVID, when it was much easier to attend in-person events and meet people. I truly feel for people that were early in their career or trying to break into the industry the last few years, and for people that are unable to attend in-person events. Things were much easier for me.
My network expansion really slowed in 2020 and 21 as people retreated from super-spreader conferences and into the safety of Slack groups.
What do I speak or write about?
Maybe you already have a great topic based on your recent work. If so, you’re probably 10-50% done with the whole process at this point. Congrats! If you’re not quite so lucky, keep reading.
I highly recommend everyone keep track of a personal hype list. Career development is a completely separate post, but trust me when I say it is worth it. I encourage my team to think about their hype list weekly.
Your hype list is going to be helpful in a lot of situations: maybe your manager left and you’re getting someone new caught up to speed about what you’ve been working on, maybe you’re working on your résumé, maybe you’re helping your manager prepare a case for your promotion. Or maybe… you want to write a blog or submit to a conference!
Take a look at what you’ve been up to the past year and pick a topic you want to share with the world. It doesn’t matter if you’re not an expert, it doesn’t matter if other people have already written about it, your experience is unique and you never know when someone is going to read your story and learn something new, unblock themselves, or be inspired to approach a familiar problem in a new way.
If there isn’t anything that you feel inspired to write about, that’s okay too! Try to plan some upcoming work you think will be impactful and interesting to write about.
One of my teammates, Sal, and I started talking about this blog over a year ago. Our team had other priorities and it took him until late last year to start the work. The results became a blog, a podcast, and a BSides SF presentation (coming April 2023).
Regardless of the medium you choose to present, I highly recommend starting with an outline. Even if you don’t think you need one, having an outline makes it a lot easier for someone to review your plan.
I recommend starting an outline when you first think of an idea. You might create some outlines that never turn into a blog or presentation, that’s okay too.
Sometimes I will add things to an outline over the course of a couple months because I don’t feel like writing a blog. It’s okay to not feel motivated. Personally I have to be in a specific mood to work on a blog.
At this point, don’t even worry about structure. It can be less of an outline, and more buckets of related ideas. The key is to write things down so you don’t forget about them. It can be hard to squeeze in a new idea into a mostly finished blog that already has a flow you’re happy with. You often have to rewrite transitional paragraphs or sections which is time-consuming.
Once you’re mostly ready, refine the outline, rearrange content, and consider having someone look it over.
Ways to present your work
Every blog I’ve written, except this one, has been hosted on my company’s website.
I would generally expect it to be easier to talk about work stuff on your company’s blog since they can control the content. Maybe they don’t care and you can publish on your own.
You’ll need to find someone internally that knows how this process works. If this process isn’t written down, do your future-self a favor and write it down as you go through it. Once you’re a best-selling blogger, other people at your company are going to ask you how to publish a blog, and you can point them to your doc.
If you’re having trouble finding someone in your immediate circle, go to your company’s blog and look through some recent posts and see if you recognize anyone. If you don’t, reach out to someone at random. They will probably be excited to help!
As you might know from my previous blog, Tracking Meaningful Security Product Metrics, I think there is a lot of value in tracking your progress. Page views might be something you consider to be a component of success, or at the very least you might find it interesting.
The Segment Blog is instrumented with Google Analytics. At the time of writing, my previously mentioned blog had about 1,800 page views in about 2 months. Not bad!
The first spike is the initial release, the second and third spikes were when it was featured in the Unsupervised Learning and tl;dr sec newsletters. It’s always a good feeling to see your work published in newsletters that you already subscribe to.
Out of curiosity, I checked the stats for Goodbye Microservices: From 100s of problem children to 1 superstar, written by a former Segment engineer, Alex Noonan. It was incredibly popular when it was released so I thought it would be a good benchmark. It has received over 300,000 page views 🤯 and still gets 10-20 views/day even though it was released in 2018. Maybe Noonan should be writing this section instead of me 😅
Google Analytics also has helpful information about which pages referred views. I noticed that a couple other newsletters also featured my work, which was pretty cool.
Writing the blog
The process of actually writing is going to be pretty author-specific. In my experience helping people with blogs, once they have an outline, and are in the
write right mood, the rest of the content starts to flow.
I generally like to block off enough hours where I can attempt to go from blog to first draft in one sitting. I find it easier to keep going than to get started. Or at least that is what I’m telling myself now as I skip going to the gym to keep working on this blog which has no deadline.
Here are some tips another Segmenter received on their blog post from someone that worked at Y Combinator’s Hacker News. I tried to find something written by them about writing blogs, but failed to find anything publicly available. If you’re somehow reading this, please reach out, I’d love to credit you, your doc is much better than my summary. I send your doc to everyone internally that wants to write a blog.
Here are some highlights
Introduce yourself, the problem, and your world. This gets the reader invested in your story. If you don’t get someone hooked early, they close the page.
Make the reader understand the importance of the problem you’re solving and the pain you felt. Try to get the reader to put themselves in your shoes.
If your blog is just fun, hacky, and interesting on its own you can take a different approach. The example they give is a “Turing machine out of Lego.”
Don’t write a tutorial, write a story.
Tutorials are great. I’ve learned tons from tutorials. I would consider this blog to be a tutorial. But the audience is generally limited to people that have the same problem.
A good blog appeals to curious readers, even if they don’t plan to solve the same problem.
Talk about unexpected set-backs. Even if something turned out to be a dead-end, the exploratory nature is an important part of storytelling. It can also help others understand why you made the final implementation decisions.
Readers like a hero’s journey. They actually enjoy unexpected challenges and detours.
Publishing the blog
Make sure you have one or more people review your content before you publish the blog. Your manager should volunteer for this, but also reach out to others you trust. Don’t feel like you need to incorporate everyone’s feedback, you might even get two pieces of feedback that are contradictory.
You should consider everyone’s feedback. They took the time to read your blog and give their thoughts. Hopefully, the end result is better because of it.
But at the end of the day, you’re the author, it’s your blog.
Once you’re happy with the content, work your way through the approval process.
Many people find the idea of appearing on a podcast to be daunting. I’ll admit that I was nervous leading up to the first few guest appearances I had as well. Here’s a few things to keep in mind:
Podcast hosts want their guests to have a good time, how many times have you heard a casual InfoSec podcast host needle their guest with “gotcha” questions?
Most hosts are looking for guests. Finding reliable guests that are a good match for your show is quite time consuming. Having someone come inbound is a freebie.
You know what you’re talking about, you’re working on interesting stuff. And most importantly, You Got This!
Let’s dig into these a bit more.
Start by listening to a handful of InfoSec podcasts and find something you think you’d be a fit for.
Maybe you work in AppSec. You could check out Absolute AppSec or Application Security Weekly. Do some research on your specific area of security and skim through a few different options, try to find a host you really vibe with.
Some podcasts are more general, and cover a variety of topics, like Risky Business or SecuriTEA and Crumpets.
If you’re working on something that relates to a vendor your company uses, see if they have a podcast. Vendors are always looking for guests that can join and talk about their product in a positive way. Happy customers are your best salespeople.
InfoSec origin stories
Other podcasts focus on telling people’s stories. Check out Humans of InfoSec and We Hack Purple for examples in this category.
As you’ve probably realized during your time listening to podcasts, the hosts want the guests to feel comfortable and have a good time.
Pick a podcast you could see yourself on. Maybe they are focused on your area of work, or maybe you think the host is someone you’d vibe with. Ideally both.
Reach out with a brief intro about yourself and the topic you have in mind and why you think you would be a great fit for their podcast. Don’t hesitate to reference an episode that you listened to and present it as part of your evidence. Don’t be afraid of a little flattery.
This is just an example, feel free to deviate:
I really enjoyed listening to your episode where you interviewed person X about Y. [Maybe something that quickly shows you actually listened.] I’m working on $amazingThing that I think would be a great follow-up.
Here’s a link to a blog I recently published that could serve as source material.
Don’t be afraid to dream big, but also be realistic. You probably aren’t cold emailing Patrick, the host of Risky Business (a podcast with 16,000 weekly listeners), and getting interviewed as your first podcast. Maybe you are, if so that’s awesome. I’ve always wanted to be a guest.
You might get rejected, keep reaching out to hosts until you find someone that thinks you’d be a great guest. They’re lucky to have you! ❤️
A good podcast host will research you and your work. They might even share an outline with you in advance. Some hosts will schedule a meeting a few days before the episode to run through some ideas, others will have you join a bit early on the day of the podcast.
Most podcasts aren’t too much work for the guest. If you’re talking about a project you worked on, you already did the work. That’s the time-consuming part.
Unlike blogs and conference presentations, you don’t have to do a ton of writing in advance. That being said, I like to have notes in front of me during a podcast.
You don’t want to have prepared answers for everything, you want to sound natural and unscripted. But, I do find it helpful to have some notes in front of me so that I don’t forget key pieces of information.
If you have time, listen to one or two recent episodes. Maybe there will be something you or the host can reference. It also helps you get a sense of the host’s style.
Pre-recorded or Live?
Ask your host if the session is live or pre-recorded. Many hosts do their podcasts live since it requires less work (no editing) and they can engage with the community in realtime via YouTube chat, Discord, etc.
Others prefer to record their podcast and release it at a later time. This can make scheduling easier and allow for varying degrees of editing.
Check if your employer requires that prerecorded podcasts be reviewed by your PR team or not. You may be able to save yourself some headache by recording live, as this requirement is often waived.
Day of Prep
Plan to be in a quiet space and use the best audio equipment you own
Make sure you join the podcast early enough to test your audio and video
Make sure the required software is setup and working as expected
If you’re going to be on video, give yourself extra time to prep
After the podcast
Listen to the recording. You’re going to hate your own voice, it’s okay, everyone hates their own voice. I say “like” way too much. I noticed that I talked way too much in the first episode of the podcast I co-host.
Think about one thing you want to improve for next time. Or maybe two small things. You’re not going to become a radio host overnight.
It is usually easier to speak at a meetup than a conference. Your local meetup can be a great way to practice your presentation and build up your confidence.
If you’re in a bigger city, you might have multiple meetups to choose from. A Google search or looking around on meetup.com should hopefully yield some results. Look at the past schedules and see which one seems like the best fit for your idea. If you’re in a smaller city, there might be only one meetup. If this is the case, they are likely open to a broader range of topics.
I haven't been in years, but when I attended, I really liked that SecKC had a variety of time slots for speakers. They had options between 5 and 50 minutes. I think this is a great way to encourage new speakers to present.
Similar to smaller podcast hosts, local meetups are typically happy to have a speaker show inbound interest. Local meetup organizers are usually begging their friends and past speakers to present.
Your reach out strategy can be similar to the one mentioned in the podcast section, or you can find the organizers in-person (which I think works better).
If your current idea isn’t a fit, try to attend a few meetings and get to know folks in the meetup group. This should help your chances to speak in the future.
Conferences are very similar to meetups, so if you’ve had the chance to speak at a few meetups you already know what to expect. If you haven’t that’s fine too! Some conferences, like BSides Las Vegas, provide special assistance for new speakers. They call theirs Proving Grounds. Keep an eye out for opportunities like this.
Finding the right conference
There are a TON of conferences out there. Maybe you’ve already been to a few conferences and know of one you want to speak at. If not, here are some resources to get started:
Open Web Application Security Project (OWASP) - Originally started as web security focused, but has broadened over time. Has a combination of global events and smaller regional events.
BSides - Community-driven events with a global presence, run by local individuals (in most cases). The majority these are fairly small, San Francisco and Las Vegas are pretty big.
These conferences have a pretty broad set of talks. Don’t worry too much if you look at last year’s schedule for your local BSides and don’t see something similar to your topic.
InfoSec CFP - Twitter account that posts “Call for Presentations”
CFP Time - Website that posts CFPs
This is far from exhaustive, I recommend looking up other lists or searching Google for events in your area, or events related to your specific role in security.
In addition to these events, your company might host an internal security conference. That can be a great way to showcase what you’ve been working on.
Similar to the podcast section, there are also security vendor conferences. If you’re doing some interesting work with a vendor, these are also worth looking into.
It’s totally fine to submit the same talk to a few conferences
Creating a conference talk is a lot of work. You can improve the value to effort ratio by giving the talk a couple of times.
Consider tweaking things in between iterations. If the work is ongoing, provide updates! If there are slides you ended up not liking, cut them out.
The target audience for LASCON (Austin) and AppSec California (Los Angeles) is similar, but the attendee overlap is going to be low.
I tend to get bored of a talk after giving it 3 times, your limit may be different.
Hopefully your company covers travel and this isn’t something you need to worry about. If they don’t, try to work with your manager or another leader in the security organization to change this.
This is something that will benefit your career and the company. Not covering speaker travel is a sign that your company isn’t sufficiently investing in their employees and that you should start casually looking at other opportunities.
Preparing for the Call for Presentations (or Papers)
Every CFP is a little different, but they typically have some common elements:
It is worth keeping in mind that the CFP has two audiences. The reviewers and the attendees of the conference. Reviewers might be looking at 100s of CFPs, so it is important to make your CFP stand out. If the reviewers don’t like your CFP, the attendees will never see it.
Make sure you have one or more people review your content before you submit. As with all feedback, don’t feel like you need to incorporate it if you disagree. It is your presentation, you’re the one that is going to be on stage. You might even get two pieces of feedback that are contradictory.
This is a brief intro about yourself. It typically includes your job history, some things you’ve worked on, maybe some other events you’ve spoken at, and maybe a fun fact about yourself.
Your title is your first impression with a reviewer or attendee. It can be hard to come back from a bad title.
Here’s a couple classic title formats. Don’t feel like you need to conform to these if you have an idea you love.
Straight forward and descriptive
Simple and to the point. The reviewer probably has an idea if it is a fit just based on the title, e.g. How to Build a Security Team and Program.
Fun and descriptive
Similar to the previous category, but with a little flair, e.g. A Hipster History of CORS. I like this style because it is attention grabbing, but doesn’t obfuscate the content.
Attendees might just be looking at the titles in the conference program. You don’t want someone to skip your talk because your title wasn’t descriptive enough and they didn’t bother to read the abstract.
Here are a couple examples:
Embracing Risk Responsibly: Moving beyond inflexible SLAs and exception hell by treating security vulnerabilities and risk like actual debt
This is a really long title. Pique someone’s interest with the first part so they keep reading, and then follow up with a sneak peek of what you’re going to be talking about.
An Unlikely Friendship: Why Security Engineers and Product Managers Should Be Working Together
This one has a slightly different format. You start with something to grab people’s attention. On its own “An Unlikely Friendship” isn’t descriptive enough, so you should follow up with what you’re actually going to talk about.
There’s a reason why articles have clickbait titles. It works. It gets people’s attention. Just don’t go overboard. People need to get a sense of what you’re going to be talking about.
Title formats to avoid
This is personal opinion but avoid things that are played out unless you are incredibly clever. If you think it might be played out, it probably is. CFP reviewers look at a lot more titles than you do.
This includes almost anything that is based on “How I Learned to Stop Worrying and Love the Bomb” or “Smashing the Stack for Fun and Progress,” e.g. Working with Developers for Fun and Progress (this isn’t “incredibly clever,” it’s just ok).
I am going to speak for all conference organizers and say do NOT include any sort of sexual pun or innuendo in your title. It is less funny than you think, I promise. At LocoMocoSec we deny these since we assume the author has terrible judgment and is probably not an inclusive attendee.
This is your chance to really sell the CFP reviewer and future attendees. Writing your abstract is probably going to be challenging. You want your description to be short enough that people read it, but not so short where they have no idea what you’re going to talk about. You want to be succinct, yet thorough. It’s a difficult balance.
Here’s an abstract from the 2022 OWASP Global AppSec SF opening keynote by Anna Westelius:
In this talk, we’ll discuss scaling security programs through technology and secure-by-defaults in an evolving engineering ecosystem. We’ll share lessons learned from “paving roads” for security over the years, how to find opportunities, create shared accountability with engineering partners, and ultimately reduce security risks.
It’s only a couple sentences, but you have a good idea of what the talk will be about.
For better or worse, I think most CFP reviewers have probably made up their mind by the time they read your title, abstract, and bio. Make it count!
If your talk is accepted, remember that most conferences have multiple tracks happening at once, which means you are competing for attendees’ time. A good abstract will drive people to your talk.
I recommend writing your outline first. It will help organize your thoughts, and it will make it easier to write your abstract. Once your abstract is done, try to come up with a title. If you come up with a clever title first, you’ve struck gold. Usually that is the hardest part for me.
Outlines are not typically shared with attendees.
Your outline is your chance to prove to reviewers that you’ve thought about your subject matter in enough depth that you’re qualified to speak on the topic. It also helps them understand the flow of your presentation. Similar to the abstract, you want this to be the right length. If it is too detailed and lengthy you risk the reviewer skimming, if it is too short, they will think there isn’t enough content or you haven’t done enough research. If your outline is very short, it can come across as lazy.
I highly recommend working with a co-presenter if you have the option. You will hold each other accountable for deadlines, you can split the work, and it’s more fun. By far the best presentation I have given was made possible by having fantastic co-presenter.
Some conferences have multiple time slot lengths, others don’t. 50 minutes is fairly standard, but I love it when conferences have 25 minute talk slots available. Creating a 25 minute talk is less than half as much work than a 50 minute talk because your intro takes up the same amount of time and there is no room for fluff.
Here is a blurb I stole from Art into Science. I love it.
Talks can be scheduled for either a 20 or 40 minute block. This will be specified in the CFP submission form. When selecting a 40 minute talk in the form, please elaborate further as to why your talk will benefit from being 40 minutes long, as opposed to 20 minutes long.
I wish every conference speaker had the self awareness to make themselves go through this thought exercise!
Dealing with rejection
Getting rejected sucks, but it is going to happen. Rejections are especially tough with CFPs since they can be quite time-consuming.
Don’t get discouraged. There’s always next year, and there are other conferences to apply to. Take another look at the list you made during your research phase.
Rejections typically don’t come with feedback. Conferences are largely run by volunteers, and individual feedback would take a lot of time. Sometimes, if you reach out to the organizers they will provide feedback, but don’t expect it.
I also recommend looking at the schedule. If you see one or more talks that seem similar to yours, that could be a reason for rejection.
Occasionally you will get un-rejected, although this has only happened to me once. I assume I was on the cusp of getting accepted, and then someone dropped out. They reached out and asked if I was still interested, and I accepted.
Creating the presentation
I won’t rehash the “rest of the owl” meme from earlier, but really this is up to you. You want something that is interesting to attendees, represents your personal style, and leaves people feeling like they learned something.
Work with folks at your company or in your network to refine the deck and practice! Then practice some more. The audience is devoting their time to see you speak, put in the effort to prepare. The worst is when a presenter walks up and says “I wrote this on the plane ride over,” I find that incredibly disrespectful to the audience.
My personal bar is that I should be able to give the talk without presenter notes. I have been in the situation before where the projector setup only supported a mirrored desktop, I couldn’t pull up my slide notes up on my laptop.
I still look at the notes during the presentation, but it really boosts my confidence to know I can deliver the presentation without it.
If your meetup or conference presentation was based on a blog, include a link to it in your slides. It is a lot faster to skim through a blog than scrub through a conference presentation when you want to revisit something. It will also drive a bit of traffic to your blog.
Upload your presentation
I recommend uploading your slides prior to your presentation time slot. Some conference schedules like Sched give speakers the ability to upload their slides at the bottom of their time slot.
Have a slide early in your presentation that has your social links and instructions about where to find your slides online. Invite folks to take a picture of this slide. That saves people from taking pictures throughout the presentation. Duplicate this slide and put it at the end of your presentation and display it during the Q&A as well.
Delivering the presentation
I’m not going to pretend to be a top-tier speaker or presentation coach. All I can say is practice and have fun. The audience wants you to succeed. You’re going to do great!
Bring a water bottle on stage. This gives you a chance to take a break.
Many people start talking fast when they’re nervous. I put SLOW DOWN in some of my earlier presentation speaker notes as a reminder not to do this.
Prepare for the fact that there might not be that many people. That may make you more or less nervous, depending on what you’re nervous about.
If it makes you feel any better, I have given multiple presentations at conferences to about 20 people. You always hope to fill the room, but a lot of times that doesn’t happen. That's showbiz baby 👯
Try to pick out a handful of people in the audience that seem engaged and focus on them, it should help put you at ease. It’s tough to be a lesser-known speaker, but it gets better. Keep at it.
Even when attendance is low, you can still have people come up to you afterwards and ask questions and make connections. There’s someone I met at LASCON 5 years ago that was part of an audience of ~20 that I still chat with periodically.
Some conferences allow questions from the audience. If this makes you nervous, you can always decline to answer questions on stage and suggest that people find you after the presentation.
Occasionally there’s a guy (it’s always a guy) in the audience that wants to ask a question to show how smart they are. This is less common than it used to be, and they always look rude. Do your best to answer the question and move onto the next person, try to avoid letting them ask a follow-up question.
You can also suggest that they find you after the presentation. Use your magician’s smoke kit and change of clothes to evade them 🪄
Talking with people after the presentation is one of my favorite parts of the process. These are the people that were the most interested, and this is a great way to meet people. If you like talking with someone, add them on LinkedIn/Twitter/etc. so that you can stay in touch.
Panels are a variation of conference presentations. They can also be delivered via podcast or webinar. I think panels are pretty fun.
The prep work is a lot less than a conference presentation since you’re sharing the stage with a few other people and you aren’t making slides.
In my experience, panels kind of feel like being on a podcast. You’ve already done the work, you’re experienced in the topic, you mostly just show up and chat with your peers and the host. Sometimes there is some group pre-work, but oftentimes not.
Try to get to know the other panelists and host beforehand
Not everyone has to answer every question
Try not to dominate the conversation
If you expand on something that someone else said, acknowledge them. “Jumping off of what Bob and Alice said earlier…”
Goal setting and personal tracking
I recommend setting some achievable goals to help keep yourself accountable.
The last few years I have had a goal of writing one blog per year. Last year I waited until December, this year I got it out of the way in February!
If you’re committed to sharing your work with the community and you want a challenging, but attainable goal for the next year, here is my suggestion:
1 meetup presentation (assuming you live somewhere with regular meetups)
1 CFP submitted (assuming your employer covers travel, or there is a suitable local conference)
Follow the playbook in this blog to turn an outline into everything else and then see where you get accepted.
As you start publishing blogs and getting accepted to speak places, track these somewhere publicly. I keep a running list on my LinkedIn under the Publications section.
This serves as a public résumé, and also helps you remember all of your own accomplishments! 🎉
I believe in you.
If you’re able to share your work with the community, I highly recommend it. It accelerates your career, makes it easier for your team to hire people, and it benefits the InfoSec community.
Regardless of how you plan to share your work, create an outline. This provides the foundation for a blog, a podcast, or a presentation at a meetup or conference. It also helps you organize your thoughts and makes it easy to get early feedback.
If you’re feeling stuck when it comes to topics, use your personal “hype list” and roadmap to brainstorm topics.
This section is meant to provide you with some helpful reminders. If you need a refresher on any of these, check out the sections above.
Write a story, not a tutorial (tutorials are great, but it’s a different goal)
If your company has an engineering blog, research the approval and posting process
If the process isn’t written down or is out of date make the necessary changes
Most content marketing teams are ecstatic when they hear someone at their company has a blog ready
If your company doesn’t have an eng blog, see if you’re allowed to write about your work on a non-work blog. I hear Substack will let anyone post
Use analytics to track page views and sources of views
Use the resources available to publish the best version of your blog. This could be your manager, someone on your team that blogs a lot, technical writers, etc.
Podcasts are a great way to get comfortable talking about your work. You get to practice without the pressure of a live in-person audience
Hosts want their guests to be successful
Do some research and find a few podcasts you might want to appear on and reach out to the hosts
Listen to an episode or two in preparation
Ask the host if it will be live or recorded
Find a quiet place to join in from and check your software and hardware in advance
If you’re going to be on video, give yourself time to prep. I always pick out a fun shirt and try to make sure my hair is on fleek (to varying degrees of success)
Generally lower pressure than a conference
Great way to gain public speaking experience
Find a local chapter in your area and ask the organizers if you can present
Local chapters are always on the lookout for speakers
Everyone gets rejected. Keep submitting and see if you can get feedback
There’s less competition at smaller regional events
Ask your manager to cover your travel
Research some conferences you might want to present at within the next twelve months. Make a note of the relevant times (CFP opens, CFP closes, CFP notifications, conference dates)
Follow them on Twitter to stay up to date with announcements
If a conference has an “early bird CFP deadline” try to meet that, you have a better chance of getting accepted
Don’t worry about coming up with a title first. I usually go outline → abstract → title
I wrote this whole blog and proofread it before coming up with a title
Clickbait works, just don’t overdo it
Really make your title and abstract stand out. This is how reviewers and attendees will determine if your talk is interesting
You’ll need to balance brevity and thoroughness, being attention-grabbing yet descriptive. You’ll use a different formula every time
Strongly consider having a co-presenter
Conferences are a great way to meet folks, try to make the most of this opportunity!
Create some attainable goals for the next year
Keep track of your accomplishments on your personal website or LinkedIn
Thank you to everyone that has helped me by reviewing my blogs, hosting me on podcasts, attending dry-runs of my presentations, and promoting my content. It has made an incredible impact on my career and life in general 💚
Thanks for reading Leif’s Substack! Subscribe for free to receive new posts and support my work.
How would you encourage somebody who is on the outside of the security sector to get involved? The few times I've tried to go to meetups I have felt like I am way in over my head and it is hard to get the most out of talks without a baseline knowledge a bit higher than mine