Behind the scenes at security conferences

Katherine Teitler shares an insider view of security conferences in an effort to help security leaders improve the value they get when attending, speaking, or both

Ever wondered what goes on behind the scenes at a security conference? Maybe what it takes to get your talk accepted? Or perhaps how to get the most out of your attendance?

I met Katherine Teitler last year at InfoSec World and was impressed with the quality and depth of the conference she produced. It made it easy for me to come back this year to host the CISO Leadership Summit just to work with her again. And again, I was treated to a few days of great conversation and even some new thoughts (did you read the piece about Simon Singh and the secret math of the Simpsons?)

Katherine Teitler of MISTI


Katherine Teitler (@katherinert15, LinkedIn) is the Director of Content for information security at MISTI, where she programs conferences, including InfoSec World, one of the industry’s longest running events, and works with security SMEs to build classroom training. She also writes and manages MISTI’s infosec News & Trends, and contributes blogs and articles to third-party sites.

Over the last year, I witnessed the effort she puts into the show. As this year was wrapping up, I suggested she share some “secrets” for our benefit. Here are the five questions we discussed. Lots of value packed into this one!

Conferences are huge productions. Where does it start?

Most are familiar with the call for presentations (CFP) or related approach. As a security conference planner, CFPs are really helpful. They allow me to see what’s of interest to the industry and to source new speakers. I’ve built a good network over the years, but there are always great, new SMEs who have something useful to share.  

Misconceptions about the purpose of a CFP abound. To begin, submitting to a conference versus being asked doesn’t mean you’re not “top of the list.” Ian Amit, an industry veteran and well-respected speaker, submitted to InfoSec World 2016. His talk ended up being one of the most popular and highly rated talks!

Some people also think that to be chosen to speak at a conference, they have to have a “rock star” name. That’s definitely not true; conference producers don’t just pick the “biggest” or most familiar speakers to present. Sure, it helps with marketing if the speaker is well-known, but the end goal is substantive, engaging talks. Having a name in the industry doesn’t mean you have more or better knowledge than others, and not having that notoriety doesn’t mean you don’t have something really valuable or interesting to share. The CFP submission process provides a glimpse into the potential presenter’s knowledge and thoughts, regardless of his or her name or title.

The benefit of a CFP is new ideas - it’s a way for ANYONE to speak up and have a conference producer or committee take a look. It exposes the conference (and industry) to new speakers, and it’s a chance to socialize the conference. CFPs help the organization get the message out before the program is built. We know that most people attend conferences to learn new things and network with others, but with so many security conferences happening at all times, all over the world, a CFP helps promote the event and, at least, put the event dates in front of speakers and attendees.

The CFP is only the starting point; there are many more moving pieces when building a conference -- topics, speakers, tracks, timelines, audience needs, etc. If your talk isn’t chosen for a particular show, it doesn’t necessarily mean it wasn’t a good topic or was poorly written. There are many things that need to be balanced: the number of sessions on the program, the number of submissions similar to yours, the number of submissions in the same topic area. The last point is a big one; every year there are “hot” topics for which I receive a bunch of submissions. Some of the “hot” topics are not the most applicable to enterprise security practitioners--the core group of attendees for MISTI conferences--so I have to sprinkle the fun-but-not-practical talks carefully. Attendees still flock to the talks about tried-and-true security, so those talks have to make up the bulk of talks that eventually get programmed.

In my case, I much prefer to see edgy talks and not the same old, same old. Again, there are thousands of security conferences all around the world; if there’s something with a slightly different perspective, that will stand out on a conference program.

Fascinating that the best presentations are those that “no one wants to talk about, but everyone wants to listen.” Share more.

A misconception about conferences is that successful shows only produce hot topics; the reality is that the most successful talks -- and looking at numbers to demonstrate it -- are on the proverbial basics. It’s fun to talk about IoT, for instance, but the fact of the matter is, we’re still not getting access control right. Not everyone--despite all of the noise--uses encryption as a rule...or correctly. There are big problems that need to be solved before we turn our attention to connected cars that really aren’t a true threat in enterprises.

These “basics” talks are the talks no one wants to give, but everyone wants to hear. These are the real challenges and people need help improving. Or they want to see how they compare to others. The most popular sessions at InfoSec World 2016 were on active defense, understanding how and why systems/companies keep getting compromised, managing and measuring risk, information governance, NIST, building a secure cloud, forensics...all security basics.

It’s an opportunity for people with core experience to share with others (hint, hint).

What happens between submission, acceptance, and the actual conference?

The challenge is selecting from competing concepts. Ultimately, the decision is made on more than the talk itself. It takes a remarkable blend of topics and talents to produce a successful show.

The goal is to attract and support the best speakers -- to produce a good show where the audience benefits (and the speakers, too).

This is where experienced and successful conference producers shine - A good conference isn’t built on the selection of stellar individual talks. That’s a good start, but there has to be some cohesiveness to the entire program, and a bigger conference has to touch all of the bases. Unless it’s a conference on a single topic, like cloud or threat intel, there has to be a little something in there for everyone. (Of course, no matter what you program, some prospective attendee will come back saying you missed their sole area of focus. No one’s perfect!)

It can be really challenging to put an entire program together because speakers’ primary job is not to speak at conferences (despite how we’re couching this today); many are practitioners and/or running their own businesses, which means it’s hard to get their time and attention even when internal deadlines and needs are pressing. One way I try to create stickiness with speakers is to spend time from the CFP until the conference engaging with them, getting to know them and what they’re focused on. This helps build an understanding that’s greater than an abstract of what they’re capable of, what kind of talk they can deliver. It also helps vet new ideas, either for the upcoming conference or future ones. Even when the program is finalized, it’s not final. It’s still a living, breathing thing until the day the conference begins. If I discover a speaker has a great perspective on something different than what s/he submitted and it’s not being covered, there is an opportunity to update the talk, or use it for a future event.

Producers need to engage on Twitter, read speakers’ blogs, interact, realize speakers are busy people, too; the benefit of building strong relationships with speakers is the improved quality of their talks and resulting experience for everyone.

It means treating people well, organizing carefully, and anticipating needs. It’s really important to be uber organized when dealing with speakers. Many people have told me they appreciate the clear direction MISTI provides (but we can always be better). We want to make it really easy for the speakers to show up and do their thing. They don’t need to focus on conference logistics; that’s MISTI’s job. Speakers need to know where and when to go and what to expect so they don’t have to worry about anything other than content. I’ve seen a lot of conference producers who think their job is, solely, to put talks into an agenda. That alone does not a memorable conference make, and it aggravates speakers. I’ve watched at conferences where speakers didn’t show up because they didn’t know where and when they were supposed to be there.

When everyone invests, the overall quality goes up -- which makes it easier in subsequent years.

What are the keys for a successful conference experience for speakers and attendees?

It’s a curious challenge to try to select topics (and speakers) 6-7 months out. What people submit (whether it’s through a CFP or because I contacted the speaker and invited him/her to speak) is based on what’s in their brain at that moment. Some new issue might evolve between the submission and the conference. Someone may discover a new tactic for dealing with a security incident. A patch might be issued. So it’s always a challenge to balance currency with future relevance. In security, we have the benefit (or burden, depending on how you look at it) of always needing to go back to basics. This means that prospective speakers can be sure their talk will be relevant in the future.

During one of the InfoSec World 2016 talks, one of the speakers provided an anecdote: when you go to see a professional baseball game and the players start filtering onto the field, what do they do? Do they perform their fanciest catches and slides into home plate? Nope. They warm up by playing catch, just how they started learning to throw and catch a baseball when they were little kids in T-Ball. In security, we always have to go back to the basics and rely on the foundations. That’s not to say new things aren’t built/uncovered/developed all the time, but what it means is that any lasting security practice is built on a sturdy foundation. Talks that address this will certainly be applicable 9 - 10 months down the road. (Caveat: always try to add a new twist!)

We know most people only revisit their talk about a month or two before the show. At that point, there may be a different perspective. Maybe something new has happened. Don’t be afraid to approach the show producer if something, including your thinking about the topic, has changed over time.

When talks change along the way, they need to be part of the fabric of the event…

Nearly 2000 domestic security conferences take place every year; no one wants the same-old presentation that’s been recycled time and time again.

The right relationships connect the speaker with the needs of the audience - and everyone benefits.

Sometimes that means helping to shape the talk or pushing speakers to offer their unfiltered and authentic thoughts. Yes, it can be provoking. Isn’t that the point? I’d rather program a talk that gets people fired up and arguing a point than one out of which people filter saying to colleagues, “I was telling my boss that same thing just the other day.”

Ultimately, successful producers create an environment where speakers and attendees help mold and influence the event. Event producers help form the tone of the event - they are the first people with whom speakers interact. If a speaker feels stifled or feels unfairly treated or feels a lack of responsiveness from the producing organization, the negativity or apathy is going to bleed over into how the speaker approaches his/her presentation onsite. Conference producers aren’t magicians; we can’t provide a pony, rainbow, or even technical-issue-free experiences at every conference, but a big part of my job is trying to make speakers feel valued (because they are!!) and appreciated.

What can security leaders do to maximize their next conference experience?

Realize that conferences aren’t passive activities. In college, I’d sometimes fall asleep on my textbook hoping I’d absorbed all the material through osmosis while sleeping. It didn’t work that way, and neither do conferences.

The key to absorbing new information takes three steps:

  • Actively think about the topic or presentation (or perhaps the conference as a whole)

  • Participate

  • Distill what you learned into what works in your context

The distillation of information is key. Conference presentations are general by necessity: they are one-to-many talks so customization to the individual listener is impossible. While sitting through sessions, attendees should be asking themselves, “How is [this] applicable to me and my organization?”

Conferences offer the opportunity to learn from people with different approaches, mindsets, and experiences. But you need to actively invest in the payoff. Start conversations. Get a different point of view. Make sure you’re challenging your own thinking: Only YOU can do that. The speaker can’t do that. S/he can plant seeds, but it’s up to the attendee to either use what they hear or just file it away, like a trippy episode of “Limitless.”

Copyright © 2016 IDG Communications, Inc.
