As a cybersecurity practitioner or leader, you are likely on a steadfast journey to improve your skill set, broaden your network, and build your professional brand. Some of the best opportunities to accelerate your goals are found at security conferences, especially if you want to level up from being just an attendee to really diving in, getting involved, and putting your name out there.
Over the years, Bishop Fox has prioritized involvement at many security conferences‒big and small alike. We’ve always enjoyed being an official conference sponsor and encouraging Foxes to speak and conduct training courses at events all over the world.
We would like to share some of the important things we’ve learned along the way to hopefully help you on your journey ‒ things like our favorite conferences and why they’re worth attending, tips and tricks for speaking sessions and Call for Papers (CFP) submissions, and insights to up your presentation game. Let’s begin.
Our Favorite Conferences
There are many security conferences out there to choose from, and we love so many! Since there are simply too many to share here, we’ve chosen to highlight some of our favorites that bring us back year after year.
SANS Cyber Security Summit and Training Events
SANS Institute has several virtual and in-person summits and training events lined up across the globe. Summits typically consist of:
- In-depth presentations: Series of talks about security tools, techniques, and strategies, presented through case studies and demonstrations.
- Panel discussions: Experts and practitioners discuss specific topics of interest, and audience participation is encouraged via Live Q&A.
- Interactive workshops: Conducted by experts, workshops enable attendees to examine realistic scenarios and devise action plans.
- Virtual forums: This is where you can share real-world experiences, ideas, and lessons with your peers.
SANS also offers certifications and ample continued education credit opportunities.
Black Hat is an annual multi-day event focused on delivering the latest cutting-edge research, developments, and trends to the security community. Black Hat hosts Trainings and Briefings that take place over four days. Trainings are hands-on technical courses where you can learn tools and techniques such as penetration testing, web application exploitation, or defending SCADA systems.
Briefings, on the other hand, are the crown jewels of the conference wherein highly reputable security experts take the stage to present their most recent work and exploits. In addition to Black Hat USA (the original event hosted in Las Vegas every summer), you can now also join Black Hat conferences in Europe and Asia. The Las Vegas edition traditionally precedes DEF CON (next on our list), so you can easily hit both conferences in the same week!
DEF CON is arguably the largest hacking conference in the world and usually happens immediately following Black Hat in Las Vegas. It is known for its relatively more festive selection of activities compared to other security conferences. In addition to the usual speaking events and workshops, DEF CON also runs several contests such as Capture the Flag, scavenger hunts, lock picking, and Spot the Fed.
Although it’s an event that attracts hackers (yes, the malicious kind as depicted by the media and pop culture), DEF CON is also regularly attended by journalists, security professionals, researchers, students, and even people from government intelligence and law enforcement agencies. Indeed, ‘Spot the Fed’ is pretty much what you think it is.
The world has turned upside down since 2020, so you understandably might not have made it to DEF CON in 2021. You can get caught up from home with DEF CON 29 Recap: 9 Talks You May Have Missed.
BSides is a series of community-driven conferences scattered across the globe. They are much smaller than major security conferences like Black Hat and DEF CON (a few hundred people in attendance compared to thousands); however, that’s not an issue as BSides events are usually designed to maximize participation and engagement. Some BSides events are so informal that participants simply meet at a predetermined place and time, share discussions and questions, and then collaboratively agree on the agenda.
Curious about BSides, but haven’t attended yet? Check out Senior Security Consultant Chris Davis’ presentation on “LeXSS - Bypassing Lexical Parsing Security Controls” from BSides Pristina earlier this year. This research was also a nominee for PortSwigger's Best Web App Hacking Technique 2021.
Wild West Hacking Fest
Another smaller-sized conference (compared to Black Hat and DEF CON) is Wild West Hacking Fest (WWHF). It’s not as small as BSides events, but small enough for you to have more intimate discussions and establish deeper connections with other participants. WWHF still has talks and keynote presentations, but it’s more focused on hands-on lab activities.
Adding to the friendly atmosphere is the location. Since its inception, WWHF has always been held in Deadwood, South Dakota. The nearby Moriah Cemetery is home to the graves of Wild Bill Hickok and other Old West figures. So, yes, the place (and the conference itself) definitely has a wild west vibe to it. Starting in 2021, WWHF began offering an additional conference location in San Diego, in case the beach scene is more your style.
If you are lucky, you might cross paths with a Fox like Hector Cuevas Cruz who gave a presentation on Introduction to ATM Penetration Testing at the Wild West Hacking Fest Way West San Diego edition in 2022.
While we keep mentioning Black Hat and DEF CON, they are certainly not the only major security conferences in existence. Another highly attended event in the security space is the RSA Conference (RSAC) which began 30 years ago as a user conference for customers of RSA. RSA conferences are held annually in the U.S., Europe, Asia-Pacific, and in the UAE. The mission of RSAC is to facilitate conversations among the world’s cybersecurity professionals about current and future concerns, ideas, and solutions that will help enable individuals and organizations to succeed and grow safely and confidently.
RSAC started out as a small, cryptography-focused conference and has since blossomed into one of the‒if not THE‒largest information security conferences in the world. RSAC attracts a lot of businesses and security vendors, so that should give you a hint on how crowded they can be as well as all of the networking that you can accomplish. Although the main RSA conferences are usually multi-day events, there are also smaller RSAC Unplugged events that are done in a day and often free or available to attend for a small cost.
OWASP Global AppSec
OWASP Global AppSec is a more topic-focused event that concentrates on application security, bringing together infosec professionals from both the public and private sectors who are interested in all things AppSec. The event includes exhibits, keynotes, and training sessions.
Organizers break tracks and sessions into specific areas of interest such as:
- Beginner: Dedicated to newbies who are learning the ropes of infosec firsthand.
- Breaker: For attendees who like breaking stuff. Here, they break stuff that builders build.
- Builder: For attendees who like putting together tools, applications, and architecture.
- Defender: If you like the thrill of defending systems against hordes of attackers, this track is for you.
- DevSecOps: Interested in discovering ways to blend software development, security, and operations? You will want to check out this track.
The Diana Initiative
The Diana Initiative is a diversity-driven conference that strives to build a more inclusive information security industry. It includes multiple speaker tracks, hands-on workshops, and a Capture the Flag event.
Each year, the conference puts emphasis on promoting diversity initiatives. For example, in this year’s theme, “Take the Initiative”, the organizers have pledged that discussions will home in on impactful ways participants, regardless of gender, sexuality, skill level, and neurodiversity, can advance information security, diversity initiatives, and their own professional and personal development.
Last but not least, we’d like to make special mention of CactusCon. It is Arizona’s largest security conference and one which we’ve always been deeply involved in, given our home base in Tempe! In fact, in 2021 we were again an official sponsor, and Bishop Fox alumnus Barrett Darnell hosted the conference kickoff with a CTF event. Dan Petro and Andrew Wilson also made appearances with their groundbreaking presentations. Like other conferences, CactusCon is filled with talks, keynotes, and workshops.
Chances are you may not be as familiar with CactusCon, so check out our recap here to watch the “Top Five Security Talks” from CactusCon 10.
Speaking Sessions & CFP Submissions
Attending a security conference is all well and good, but any cybersecurity professional worth their salt would ultimately aim to snag a coveted spot as a presenter at a conference. This gives you the chance to communicate your research or new technology to a broader audience and get feedback on it, establishing yourself and your organization as credible thought leaders.
Many of the major security conferences like RSAC, Black Hat and DEF CON have closed the window to invite speakers in 2022, but that gives you an opportunity to find smaller, more localized events to help you get your feet wet. And it is never too early to prepare for the next round of security conferences in 2023. That said, here are some best practices that you can use to ace that CFP submission and get a presentation slot at your dream conference.
What are CFPs?
A CFP or Call for Papers (may also be Call for Presentations or Call for Proposals) serves as a request for those who want to be considered as speakers or presenters for technology and academic conferences. Individuals participating in the CFP process submit an overview of their intended presentation to the organizing body within a specified window. The submission usually consists of the title, an abstract, and the outline or additional details you may wish to include.
In the cybersecurity space, common topics sent for review include security research findings, trending security awareness issues, and new tech solutions that can help in risk mitigation. A security CFP typically accepts entries up to three months before the actual conference. For instance, DEF CON 30’s CFP submission window closed May 1 for the August 2022 conference, while that of WWHF Deadwood 2022 is only open until June 26 for the October schedule.
Tips & Tricks for Getting Your Topics Accepted
With that, we’re back to the big question: How do you increase your chances of getting your proposal accepted and securing a spot in the lineup? We can help you with that. So roll up your sleeves and get to work because, believe me, you’re up against some of the best security professionals out there.
Lead with a catchy title.
It’s the first thing that grabs attention, so you can never go wrong with having an appealing, curiosity-piquing title. What makes this all the more challenging is that there’s only so much you can do with a few words, so choose them wisely.
It’s one thing though to have a good title, and altogether another thing to use a misleading one for the purpose of making it sound more interesting. If your title can’t be as catchy as you want (because some topics are just not meant to sound fun), at least don’t make it vague or deceptive. Use clear wording that immediately gives the review panel an idea of your subject matter.
Sell your topic in the abstract.
After the title comes the meat of your submission‒the abstract. You’ve caught their interest with your title, now keep the momentum going in the abstract. Convince them in three paragraphs or so as to why your session is a must-listen for the attendees.
Keep in mind, however, that the intention is to expound on your topic, not give the entire talk away. Introduce it well in the first part, provide just the right amount of information in the second, and in the last part, keep them wanting more in your call-to-action (CTA).
Close the deal in the details.
Most security CFP formats include a freeform area at the end where you can include your outline and other additional details. Use this part well, as this is your last chance to persuade them.
Providing an outline offers a clearer view of the subtopics you intend to cover, while the added details can include the materials and tools that you will use in your presentation. All these should put more weight into your CFP submission and help further convince them how your session can add value to the conference.
How to Up Your Presentation Game
So, your paper got accepted‒congratulations! But if you think the hard part is over, think again. Just because you’ve hurdled that challenge doesn’t mean it’s all fun and games afterwards. The next part could be even more difficult‒actually making the presentation.
It can be easy to think that anybody can just go up to a podium and deliver a talk, but there is a lot of skill and sometimes nerves involved. To deliver a successful presentation, you must not only speak to your topic in depth, but really influence and make an impact on the listeners. Here are some tips that can help:
Practice, practice, and practice some more.
The old adage ‘practice makes perfect’ may sound like an overused cliché, but guess what? It actually works. Well, at least in public speaking it does. Nothing improves your confidence and develops your presentation skills better than speaking at every chance you get.
It doesn’t have to be a sizable crowd right away. Start with small groups: join a Toastmasters club, take the lead in workplace huddles and Zoom meetings, and then work your way to a larger audience. You’re also welcome to join Bishop Fox’s Discord sessions where you can exchange ideas with over 900 security professionals and enthusiasts. Reddit is also a collaborative virtual space to chat with security professionals about their experiences preparing for conference speaking engagements.
Connect with your audience.
Presenting at a conference is like taking a journey of sorts with your listeners. Consider these questions as you develop your talk: What are the attendees’ expectations when they go to your session? How do you want them to feel at the end of it? And then what do you want them to do?
When you can answer all of these, you will have a better shot at presenting your information so that your talk resonates with your audience. This makes them more receptive to your ideas and helps lead them to the conclusion you are aiming for, so they respond accordingly.
An enthusiastic audience may arrive at a session eager to listen, but they can just as easily tune out when they see that the speaker is ill-prepared. Use materials that allow you to clearly articulate your topic without piling on the hype.
If you’re introducing a new technology, tool, or solution, make sure that you can do a demo and that it works. If you’re presenting research findings, make sure you have sufficient data. If you’re disclosing a vulnerability or demonstrating an exploit, make sure the former exists and the latter does the expected action. You are only able to fully keep the listeners’ attention when your expertise in the subject matter shows through.
Security Conferences Add Invaluable ROI
Whether as an attendee, trainer, or presenter, participating in a security conference is an experience every cybersecurity practitioner should have. You get the chance to meet like-minded security folks, build your professional network, develop meaningful business relationships, and well, just rekindle your enthusiasm for security-related ideas and why you got into this business in the first place. It’s a worthwhile investment of time and money, and you might get to visit a fun, new place that you can check off your bucket list.
Make sure to stop by and say “Hi!” when you see us at your next (or first) security conference!