What it's like to have your security conference talk rejected

Few things are as frustrating as working hard on a proposal only to be turned down

Giving talks is becoming an important part of many security professionals' careers. It boosts your credibility in the industry and can open doors. But it's time-consuming to put a proposal together. And when the good folks who run the RSA conference, Black Hat, Def Con or Interop turn down that hard work, it can be close to heartbreaking.

Still, it's possible to emerge from the rejection wiser and better positioned to get accepted later. For a glimpse at what it's like to endure the process, we spoke to several industry leaders.

What it's like to...

James Arlen, a Toronto-based security practitioner and contributor to LiquidMatrix and Securosis, has been turned down more than once. And, he says, it can hurt.

"I was rejected from several big-name conferences for several reasons," he said. "A proposed talk for Black Hat wasn't technical enough, not timely, and the material was not new enough. ShmooCon turned me down for not being technical enough, and because, apparently, 'no one wants to hear management material.'?"

RSA, meanwhile, has deemed some of his proposals too technical. What stung more, though, was being dismissed for not being an experienced-enough speaker, despite having spoken at several conferences.

"A whole lot of the time, I'm fairly certain that the selection committees don't know what they're looking for until they see it," Arlen says.

Jack Daniel, community development manager at Astaro AG, knows what it's like, too. He wishes selections committees would share their reasons for passing him over.

"I would really like a little feedback," he says. "I don't expect a detailed explanation, but something like: This event isn't the right venue for that topic; we're buried in (whatever topic) submissions this year; the talk is too technical or not technical enough for our audience; or we're simply sick of you."

To be fair—and Arlen and Daniel readily acknowledge this—there are plenty of good reasons to reject a talk. Organizers must balance providing opportunities for new voices and ideas while still attracting an audience, sponsors and vendors.

Michael Smith, security evangelist for Akamai and organizer for OWASP's AppSec DC event, says he sees several types of proposals:

  • Speakers that will always draw a crowd.
  • Speakers that he would never let talk.
  • Dark-horse speakers with awesome proposals.
  • Good speakers with weak proposals that he knows will execute flawlessly.
  • A whole raft of "yet another systems-development talk" or "yet another vague cloud-is-bad-for-security talk," from which he has to pick just one.
  • Really awesome proposals that are so unusual that he doesn't know what track to fit them into.

"The trick is to balance the proposals to the feel of the conference," Smith says. "When you're rejected for a conference, it's not about you most of the time (unless you're blacklisted). Mostly, it's about your fit with the rest of the program."

Smith has been turned down himself, and can relate to the feelings that inspires. "When it's RSA that rejects me, I get all heartbroken about it and sob nightly into my pillow," he says with more than a little jest.

Benjamin Tomhave, senior security analyst and business development manager at Gemini Security Solutions, used to get heartbroken over rejections, but his attitude has changed with experience.

"I used to take it very personally when talks weren't accepted. I've now moved to the point of accepting that there are a limited number of slots for presenters," he says. "I also try to be far more analytical about rejections.... What could I do (have done) to make my talk more appealing?"

He says there are two kinds of rejections: the "your talk is not accepted" rejection and the "nobody attended your talk" rejection.

For example, his proposal for a two-day course was accepted by AppSec DC, but it had to be canceled when only two people registered for it. "It stings to have invested time into getting that proposal written up... and then simply not get the sign-ups needed to support the course."

How to get your talk accepted

So what's a frustrated speaker to do? Joshua Corman, research director of enterprise security at The 451 Group, has learned to live by the following guidelines:

"1.) Appropriate expectations: Depending on the show, one in XXXX get picked. I've found that with RSA, one of three or four of my submissions get picked.

2.) Write it yourself: Don't let it sound like it came from a PR-marketing team. In fact, RSA is particularly good at (and brags about this) sniffing out real submissions from marketing ones.

3) It has to be GOOD and ORIGINAL material: Sometimes you're not picked because it is not new or interesting.

4.) You CAN be ahead of the conference: SEVERAL of my submissions in Year XXXX were too 'cutting edge' until 2 years later when the selection committee knew enough to pick them. I've learned to pepper my submission with a few more recognizable topics in addition to my desired newer thoughts.

5.) Some Cons TELL you what they want -- or you can figure it out -- but:

--RSA *loves* using case studies and end users on stage. A CSO *should* be easy to get in.

--BlackHat wants you to drop a zero-day or don't bother, for the most part." Of course, no matter what you do, you'll still have to contend with snobbery once in awhile, Corman says. That's when it especially pays to be different and bring other voices in. Consider it safety in numbers.

"The year-to-year speaker lists are usually VERY similar, so you may want to co-present with a trusted quantity to the con. I'm sure, for example, that including Jack Daniel or Jamie Arlen helped my PCI talk get accepted to DEFCON. I'm an analyst, for goodness sake!"

Copyright © 2010 IDG Communications, Inc.

What is security's role in digital transformation?