
Hi everybody, welcome. Let's get... no, no. M... okay. You can, you can hear me? Good? Barely? No, it's okay. No, thank you.

Hi everybody, welcome. I'm sorry, that was too loud. I hope you had a good, uh, lunch break. Uh, we'll get started with our next talk. Uh, it is "Helping Your Organization Build Their Security Brand". Uh, so please welcome our speakers, Leif Dreizler and Coleen Coolidge. Over to you guys.

Thank you. Hey everyone, uh, this is "Your Ad Here: Helping Your Organization Build Their Security Brand". I'm Leif. I've spent the last decade working in security, and BSides Las Vegas was actually the first conference that I attended, in 2013, uh, so it's cool to be back as a
speaker. I'm currently an engineering manager at Semgrep. We're an AppSec vendor focused on static analysis and software composition analysis, and we have a booth here at BSides on the opposite, uh, end of the, the hall, so check that out if you want some swag. I'm also the co-host of, uh, the hit podcast 404: Security Not Found. We get about a hundred listeners a month, um, and we do, uh, we do news and, uh, discussion episodes. Sometimes we have special guests, but it's pretty fun. I've also been a CFP reviewer for AppSec California and LocoMocoSec, which is probably some of the more relevant experience for this talk. And before Semgrep, I joined Segment, uh, in 2017 as
an AppSec engineer and later went on to lead a team focused on building security features as well as internal security tools, which is where I met Coleen.

And a little bit about me: I currently advise startups on security strategy and try to help the first security hire, uh, promote their agenda and, like, put, push back on the pushback that they get. I've been practicing security for about two decades now, uh, working in most of the security domains. Um, I've also been a CISO at both private companies that are small and larger public companies, um, and if I'm honest, I really, really love pre-IPO way more. It's just, it's just a better experience for me. Um, but anywhere I lead security, I
highly encourage folks to do blogs, podcasts and talks whenever possible, and I lead by example by doing my share of the conference talks, keynotes and podcasts. Um, and I've been inspired to do even more because of people like Leif, so thank you, Leif. We've broken up this talk for you into four sections. First, Leif is going to start with the benefits of all teams being more engaged with the security community. Next, I'll cover how to foster a culture of rewards to keep the benefits flowing. Then Leif will show you how to optimize the benefits by amplifying all this good work by your team. And last, we'll both cover the different ways that you can show up in
the community, so blogs, podcasts and talks, and how to prep for them. Uh, and a quick PSA: we've included a link to the slides here, um, so I'll give you a second to take a photo. Um, that way you don't have to take notes, you can just absorb. And as we're going through this and you're absorbing, if you've been putting off your next community piece of engagement, consider this your friendly nudge from some friends. Um, make notes during our presentation, you know, whether you have an idea for a blog or you think you could get on a podcast, do a talk. What could you start working on today? And that's exactly how anyone gets started on this
stuff. Um, I'll wind on this little intro with a disclaimer. Um, while some of the most successful infosec folks that, that we've ever worked with or we know do periodically share their work, they make time for it, we know a few people who have had absolutely stellar, record-shattering careers but they never do this. Maybe they've never written an article, maybe they've never set foot on stage. Um, they could be highly effective managers or ICs who just maybe haven't had any time, um, or maybe they work for an organization that actively discourages or penalizes sharing information. Um, maybe they work for the government, so, uh, or they could work for Apple, uh, not the government, but if
you've had friends or family who worked at Apple, you know, you can see that they are definitely not encouraged to share the inside workings of company security with the rest of the world, for obvious reasons. And that's okay, it's not for everyone.

I'm going to start us off today by talking about the benefits of having your teams more engaged with the security community. Having a public persona really, really helps with recruiting, which helps you build your security dream team. Working with great people makes your job a lot easier; it also makes it a lot more enjoyable. See a lot of people that we have worked with in the crowd, uh, which is great. Um, but it also takes a lot of
effort, because usually these are people that other people also want to work with, and so you're competing for the best people. Uh, I think there's a lot of overlap between recruiting and sales, and you can think of your blogs and presentations as your marketing department, because it makes better candidates come inbound and it also helps recruiters reach out to people and have them actually respond to their cold emails. It's a lot easier if they've, like, actually heard that your team is good, uh, and working on cool stuff than just, uh, you know, the million other emails they're getting. And I think that having blogs and conference presentations go live around the same time that you're trying
to post roles is also helpful, because, uh, the timing just helps drive traffic to your jobs page and just make people more aware. And I think a lot of recruiting is also timing, so having someone be aware of your company and having a recruiter reach out is a pretty good combo. Um, and with that in mind, we have a lot of open roles at Semgrep, but I wanted to highlight just one, which is, uh, a security engineering manager for a vulnerability research team. It's my personal mission to find a great candidate for the hiring manager, uh, this week. I am convinced that they exist in Vegas, um, and you should definitely work for Semgrep. There's a lot of cool people
there. So FYI, um, the infosec community is super small, and orgs that publish their work come up more frequently in conversations when people are thinking about where to work next. I'm sure the Netflix team gets a lot more inbound interest than the NBC Peacock team when they open up a role. And you might be thinking, well, Netflix probably pays twice as, as much, and that's probably true, but we didn't pay anywhere near what Netflix paid at Segment, and we were able to build a pretty awesome team that people from Netflix admired, and I attribute a lot of that to our involvement in the community. Community involvement shows that your team is working on cool stuff, is given
time to write and blog about it, as well as travel to speak at conferences, and that they have at least a decent learning and development budget to be able to go and do these things. Uh, and these are things that a lot of security people, uh, probably a lot of you in this room, want from their employer, and so showing that you have that is a good way to attract people to join you.

So here's another benefit: it transforms all of us from being, like, maybe painfully awkward, that's how I was, and unwilling communicators to being effective and powerful communicators at our own jobs. All companies say security is very important to us, but you on the
inside know things like: how often do folks at your company actually fall in line? Instead, do they actually admit, admit, sorry, omit security work from their quarterly planning? Do they ignore your tickets? Do they get exceptions and otherwise get out of doing the security work? While this is likely due to multiple reasons, what you can control is the effectiveness of your messaging. Security folks tend to be correct, right? We research things, we make sure that it's, like, all ready to go, this piece of information, but we can also come across as disgruntled sometimes, or we might bury the lead, or we avoid giving frequent, loud and clear messaging to eng teams, um, or execs, and all of those
groups definitely need to be frequently nudged, and that hampers us from communicating danger and the need for quick action when something needs to get done. So in this section I'll talk about how to shift your culture a bit so that teams improve their communication, which will lead to getting more done and team members getting rewarded. So some of you might be thinking, "Sure, I can do this, it's not a problem, but what is my manager doing to start recognizing, rewarding this behavior? This is extra work." Or maybe you're that manager who isn't supporting this effort on your team. Shame, shame. As a CISO, I've always emphasized that sharing work internally and externally is a key growth indicator
in our job ladders and in our org, because it's core to getting stuff done. It was a hard requirement at Segment, and while it was extra work for all of us, it definitely provided us with dividends, and we also created infrastructure to support it, because you have to. All right, I'll start with leaders. Leaders, how can you expect your teams to hustle if you're not hustling first, internally and externally? Inside your company, never miss a chance to broadcast your team's good work and successes. When's the last time you wrote a series of security Slacks to your company, or got up and spoke in front of engineering or at all-hands? How often do you do this? Or do you
just sort of pawn it off on your teams and hope they do it? Unfortunately, you're a leader, means you got to go first. You, like, get the baton, go do it, hand it off, and eventually the baton comes back to you and you have to do it again. Um, but that's the way it goes. And outside the company, if it's been, like, over a year since you've either blogged or, or spoke, your team needs to see you blogging and/or speaking in order to emulate it, otherwise they're going to emulate you not doing anything. That's bad. Um, so then once you're, you're doing that, they're doing that, then you're like, shoot, we need to, like, advertise a little bit. Um,
so once you're doing this, do you have a culture to support it and sustain it? You know, like, do you just do it once and then nobody ever gets up and does it again? Are you in the audience cheering on everybody when they're doing it? Are you immediately amplifying people's work in Slack, uh, the company intranet, or in LinkedIn or whatever social media? Um, are you encouraging others to cheerlead? It is an effort. I don't know if anyone's ever been a cheerleader before, but I think those folks are underpaid. Is a lot of work. Yeah, and paperwork sucks, and you have a lot of it when you're a leader, eh, but you can use it to change elements
that positively influence your employees' behavior. So if your job ladder is something like this fake job ladder, um, you know, there are areas where you can state the different types of comms deliverables that you want to see from each level of employee, along with the frequency and the desired impact of that stuff. Um, you can think of this as, like, your success criteria for the communication and leadership vertical that you have on your team, because then once you start filling this out, you can port over the entire row that your employee belongs to over to a career development plan, and it's like a CDP, and in the CDP you can sort of collect a personalized checklist of work for this
person based on that success criteria, and you can use the CDP during your one-on-one. See, paperwork helps. And then you could shade the different areas, like, red, yellow or green, depending: is the person trending away from this goal, are they trending toward the goal? Yeah, so that's a... but, but what do you do about people who hide from their responsibilities and they're, they're like, "No, no, no, the rest of you can go and speak and blog, and I'm just going to go hide under here and do my job"? Well, if you're a leader, you have to hold them accountable. That's the crap thing about being a leader. Um, so I recommend keeping this column red until the employee
starts delivering. It will hold them back from going to the next level, I'm sorry, um, because what you don't want is a situation where you have, like, two people, three people on your team who are carrying the heavy load of the comms and leadership stuff, 'cause it's demoralizing. They're working really hard and maybe they're progressing at the same rate that the person who's not doing it is, and once they get demoralized, what can they do? It's your best employee, they can leave you, and you don't want that to happen. So for folks who do deliver, describe this work very detailed and in its impact in their annual review and promo packets. You'll see that great comms
and leadership naturally leads to getting stuff done and high impact on the company. And remember to go and get praise from other people who've been impacted as well. And not everything is promo or money related; your folks also want to earn some gold stars from you. In your conversations with your employees, describe the comms, leadership and impact growth that you were seeing in them, you know, before they started doing this to where they are today and how they're growing. Regular, regularly recognize them in Slack, LinkedIn, at your all-hands, all of that, and then teach them how to self-promote; that'll help them with their career growth. And then when talking about your roadmap, link
these very effect, effective employees to the overall successes of your program. Maybe because of them you shaved, what, one to two years off of your total roadmap. That is huge, that is a big differentiator for them, and that means that your employee who's doing this work is foundational to your org being able to roll out security capabilities. They're your stars, which means you have to be their hype person. All right, now to ICs. For ICs, many of us, uh, the struggle is real. Maybe you have an underdeveloped comms and leadership competency. I guess you would if you observe the following symptoms in yourself and your experiences: maybe product and engineering don't include your security
activities in their planning, maybe they don't do any of your tickets, maybe they push back, maybe they make fun of your training, if you're a person who does training, or they don't do training without you berating them. Um, so all this frustrates security people. We've all been there. So if you're frustrated and you're like, "I need to go talk to them, I'm going to give them a piece of my mind", so you go to talk to them, and maybe because of the lack of communication and leadership experience you have, maybe you end up burying the lead, focusing on jargon or minutiae, giving them a super long-winded explanation that only makes sense to security people, uh, or you give
them 10, 10 times the amount of information that they actually need, and yet you're still not getting the message clearly across to them. So if this hurts a little bit, you know, maybe this also happens when you talk to senior leadership. I have been there. If this is... there is hope. Um, you're probably already a very good engineer and just a bit frustrated, and just know that the gap between where you are and where you need to be is not huge; it just requires some consistent work from you in this area. Um, so one thing you can do is really just jointly work with your managers and build yourself that detailed career development plan. Don't
wait for your manager; like, you can help do some of this. Um, and that plan can grow the non-technical aspects of being a great engineer. This plan works alongside all of your existing projects anyway that span multiple quarters, which means you have multiple opportunities to work your Slack and email magic, to get up in front of engineering and speak, and externally to speak at a meetup and/or write in the company blog. So one thing to remember, it's like, we're all bought into security because we're security people, but everyone else doesn't consistently do security stuff because it's the right thing to do. Unfortunately, we all have to be sold, so work on your selling skills: writing good plans that
folks buy into, like, and have people read them, comment on them, bring up the hype. Verbalize your plans frequently and crisply, and just continue to keep that hype level high. All right, so doing all this work, what does it get you? Um, I'll get to that in a minute. Um, but, like, this, the true benefit, at least from your manager's point of view: they'll look at you and they'll see that, hey, this person's adding power to their messaging this year by regularly speaking and writing, you know, and maybe you're like, shoot, this has been forcing me to continually refine my message and gain confidence. And confident messaging is what pushes people to do security work.
Really confident messaging gets people to do almost anything. So as people are starting to get security work done for you, you document what that work is and why it matters on Slack to C, so it's another way that you can keep the hype up, like, "Thank you for the, you know, platform team for doing X, Y and Z" in there. So this leads to higher job satisfaction, because stuff is finally getting done in your org. For us at Segment, it created a virtuous cycle within product and engineering, because folks actually listened to when our employees spoke and did the requested work instead of just avoiding it. Over time, product and eng happily did even more security work. It was something that
we couldn't believe but then quickly took advantage of, and then we spent less time on the basics that we hated, things like chasing down old BS that nobody ever wants to fix, and we actually got to shift left in that organization. So, like, think about embedding with the eng team to get projects done, getting to set up real preventative measures to avoid tons of new vulnerabilities from being generated in the first place, and a few of us got to teach eng how to do their own threat models, which is essentially like passing our security curse on to our friends in engineering. All right, tracking all of this. So finally you're doing all this great work, but then how do you sort of,
like, put it all together into a package? Uh, well, my suggestion for the first couple years that you do this is just keep it really simple, just keep, make it easy on yourself. At Segment, um, in the early days, with a security org that grew from, like, two to three people to 35, um, I just created a, a Confluence page that had a simple table, and we just kept adding our blogs and talks to it. It just kept growing, and after a year the table was huge, it was like a scrolling huge table, because the crew there was just self-motivated and didn't need any micromanaging to, to present. Um, it was sweet. As the CISO, I don't have to work as
hard. Um, this Confluence page was then visible to all of Segment, everyone could see it, and then we'd hype somebody's latest efforts, um, in the eng and security Slack channels with links. We just wouldn't let any of that effort go today, um, at Twilio, so it's a little bit different there. Um, with a security org of about 130 people and a different culture, we started using a small company called Discernible to help overcome the team's inertia on doing this type of work. So imagine how happy we were to have Discernible do all the heavy lifting for us to get folks moving. All that nudging that you would need to do as a leader or as a peer, like,
Discernible will help with that. So basically, using their drop-in workflow, we could help our teammates through that entire engagement pipeline, so from thinking about what to talk about to, like, getting your CFP together, rehearsing, and then finally giving the speech, and then also metrics. Highly recommend this; it'll take some of the burden off of your shoulders. Okay, imagine now that you've done all this hard work, you've set up the framework for it, everybody's speaking, you're tracking it, and this team's collateral is, like, now being produced and counted. Ah, what do we do then? There's more. Leif will talk about how you can package up this work as an advertisement for how awesome your team
is.

So this is, uh, some stats from a blog that I posted earlier this year, and as you can see, about two-thirds of the people that went to the blog came from social, and so I recommend posting on social first and then sending the links to the social stuff to your team, so, like, LinkedIn, Twitter, whatever, um, instead of having people individually post the underlying article. This will help you get some traction online. Uh, if somebody on your team writes something and they ask you to post for them, tell them no. Uh, we worked with somebody named Pablo at Twilio who said he didn't want to make a Twitter and wanted me to post for him, and I just
told him, "No, I'm not doing that. You, you have to make a Twitter and post yourself, and we'll all retweet you." Um, if you have a security twitterati at your company, like Clint, uh, you can try to have them repost your stuff and, uh, try to boost, boost things there. Um, but, uh, you can also send this to groups on Slack or, like, send it to people individually. Just don't make sure, or make sure you're not spamming them, because one of the goals of this is to improve your career, and people, uh, don't want to be spammed by people, so make sure it's a good fit for whatever the audience is. For me, I try to post stuff
around 10, uh, between Tuesday and Thursday, because most of my network is, uh, within the United States. Uh, there's definitely a bias towards the West Coast, and so I found that that's a pretty good time where, uh, people are online and have, you know, gotten settled for the day, but it's not too late for people on the East Coast, uh, so you have plenty of time to get traction. This is from a different blog that I posted earlier in the year, uh, on the Segment site, and you can see that after the initial spike, uh, a lot of the, like, later page views came from getting posted in Daniel Miessler's Unsupervised Learning and Clint's tl;dr sec, both
great resources, so, uh, check those out if you want to stay up to date on security news. But if your company has something like Google Analytics, try to get access to it just so you can see this information. It's pretty cool to see, like, where traffic is coming from and, um, like, you know, where, where it might be getting reposted. If your company has a, a /security page, try to post some cool articles, uh, that talk about your company's security program on there. Um, this is a good way to highlight people's work. It's also a good way for potential or current customers to learn about your security program in a positive way, versus only hearing about it, uh, after a
security incident. I really like the design here from Figma, but no surprise that Figma has a well-designed site. Um, and then you can also do some things like add some pinned tweets or featured media on LinkedIn. This makes it easy for somebody who's looking you up, uh, maybe, you know, a recruiter or somebody that wants to work with you, uh, to find your best stuff. Uh, they're not going to reach out and ask, "Hey, what's your best conference presentation?", um, and so having some stuff highlighted is really nice. By now, hopefully you're convinced that you and your team need to be doing this work, and you've heard some tips for the ways that you can create an
environment to encourage this work, um, and so now let's talk about some practical tips to actually make this stuff happen. In my opinion, everything starts with having a good outline. Um, you can really take an outline anywhere. Once you have an outline, it's a lot easier to start writing your blog. This is like writing down a project plan before you start work for the week or month or quarter. Uh, Coleen used to have a sticker on her laptop that said "Weeks of programming can save hours of planning", and I think that applies to stuff like this as well. It's a lot easier just to get the ordering right than try to move stuff around and have to change all of your
transitions, and, like, uh, I try to avoid that because it sucks. Um, once your blog's out, you might get some inbound interest from people that do podcasts, um, and if not, that's totally fine, you can send it to some people that have podcasts that you think you might be a good fit for. Most podcast hosts are looking for guests; that's something that a lot of people don't realize. Uh, not like Patrick Gray from Risky Business, I'm sure he's inundated with people who want to be guests, but your average, like, me, medium-sized podcaster is looking for good content, and so having somebody come inbound is, is very nice. Um, you can also take this outline and turn it into a CFP
submission, and then you can turn it into a conference presentation, assuming that you get accepted. Similar to writing a blog with an outline, it's a lot easier to write, uh, a conference presentation from an outline, and so having this outline is just really powerful throughout the whole process. Naturally, when you adapt a blog to a conference presentation, there's going to be stuff that you add or stuff that you admit, omit, but, um, the general structure is probably going to be the same, and it's a lot easier to turn a blog into slides than turn nothing into slides. Some of my tips for outlining is: write down everything that you think might be useful, don't worry about the
structure. Can be stats or quotes or just random ideas. Some parts of it might be really, like, well written, other parts are pretty exploratory, and I actually try to write things down as I'm working on them, and so sometimes the process of outlining actually takes, like, weeks or months, uh, as a project is going, but it's a lot easier to think about this stuff and write it down than to go back and try to remember it. Um, Jerry Kaplan, the author of the book Startup, uh, would make audio recordings every week about what he did and then send them to a transcription service. Uh, this was in the, like, late '80s or early '90s, so a little
bit different time period, but, uh, this served as, like, the source material for his book, which I thought was pretty cool. If your team isn't used to doing this kind of work at all, I think you probably need to do a little bit of foundational work, and the first step is to get people comfortable writing stuff down. If people aren't comfortable writing stuff down, it's a lot harder to get them to do outlines and blogs and all this stuff. And this has a benefit even if nobody writes a blog on your team: getting people in a documentation-first culture is really helpful for getting people to agree on ideas outside of meetings and have people be able to, uh, voice their
opinions, um, and try to get a consensus before you have to even talk about something. Um, and it's also really important, especially with so many people working with people that are in different parts of the country, or world even. Um, writing things down is really helpful. It's also helpful looking back, because you actually have the documents to show, like, why we did something or why we didn't do something. Another thing you can do is get people used to demoing, uh, so we do team demos. No demo is too small; it, it could be a feature, it could be a spreadsheet, it could be a document. Anything can be a team demo. Uh, hopefully your team has a safe environment where
people feel comfortable speaking, um, and this is a good way to get people used to speaking in front of a, a larger audience. If you're, what you're working on is relevant to your whole company, maybe you could present it in all-hands, or maybe, if your company's really big, uh, you have the concept of an internal conference. Uh, if you or somebody that you know says that you don't know what to write about, this is a very common problem, um, but I think one thing that really helps is, is having a personal hype list of the stuff that you've been working on. Um, we could do a whole separate conversation about career development, but having a list of your
accomplishments has a lot of benefits outside of blogging. Makes it helpful for when you're coming to, like, annual review and promo time. It's also great if you end up, like, switching teams or switching managers and you have somebody who's now unfamiliar with your work; you can give them a list of the stuff you've been working on. Um, but another benefit is that you can use this to come up with what you should be writing or speaking about. If you don't have a hype list, just kind of think back over the last year, go through your Jira tickets or Linear tickets or your GitHub issues or GitHub pull requests or documents that you've created, or even just kind of flip
through your calendar and look at, like, what meetings you had and things like that. I think you can retroactively generate, like, a pretty decent hype list, and then you can use that to come up with stuff that you should be, uh, telling the community about. Another thing that I hear commonly is, "The stuff I'm working on has already been talked about or blogged about." It, that does not matter, that is not a valid reason. Um, you have a unique experience working on this project, and you probably are working or thinking about things in a way that nobody else has thought about, and so sharing your unique story might be helpful to somebody else. Also, technology changes
pretty quickly, even if the underlying problems often don't, and so giving an updated view of something that, you know, maybe somebody talked about a year or two ago is, is very valuable, so don't let this hold you back. Um, the other thing to keep in mind is a lot of companies end up solving the same problems, and so, uh, you know, that means that these things aren't figured out yet, so tell people what you were up to. I think the process of actually writing a blog is pretty author specific, so I'm not going to tell you, like, how to actually write the blog, but in my experience helping people write blogs, once they have an outline and they're in
the right mood, I think the content starts to flow pretty quickly, and you can even work with them, say, like, "Hey, let's just do one section" or, like, "Let's do the next section." For me personally, I find it easier to keep going than to get started, and so I actually write the majority of a blog in one sitting, so I probably get, like, 85% done. Um, like, I get a pretty much a full draft done; like, it's definitely not a final draft, but I have, like, most of the ideas done, but, uh, that's mostly just because that's, uh, the best way for me to work. Some blog tips: um, these are some things that we got, uh, from somebody that used
to work at Y Combinator, which runs Hacker News. They were giving feedback to somebody that had written a blog at Segment, um, and I think that these are really helpful to keep in mind. The first one is be really intentional about whether it's a story or a tutorial. Tutorials are great, but the audience is generally limited to people that have the same problem. A story can appeal to people that are curious readers even if they might never solve that same problem. The risk of a story, though, is if you don't hook somebody early, they're probably going to close the tab because they don't have that problem, whereas a tutorial, they're probably going to keep
reading, because at the end of the day they still want to solve that problem. A good way to hook the reader early is to get them to feel the pain that you felt when you didn't have this thing that you built or this process. What you want to do is you want to get them to put them, themselves in your shoes. If your blog is just fun and hacky and interesting on its own, you can take a totally different approach. Uh, the example that this person gave was building a Turing machine out of Legos. I don't think you need to get somebody to feel the pain of not having a Lego Turing machine; uh, you can just tell them
about it, because it's cool and interesting on its own, um, but not every security topic is like that. Another thing is do not take readers on a direct, like, "Hey, we had this problem and here's how we solved it." They actually like a hero's journey, and so talking about unexpected challenges, setbacks, things like that can help you illustrate why you made the decisions that you made. It might be really obvious to the reader, "Hey, you know, like, you should have done X." It was like, well, I thought that was obvious too, and then I tried it and it was actually a really bad idea, and here's why it didn't work out and here's why we did things a
different way, and so it can just get ahead of some of those types of, like, conversations and questions as well. As we transition from blogging to public speaking, I'm going to hand things back over to Coleen.

Thank you. Well, I think onstage presentations could be pretty scary, uh, whether you're experienced or not, and usually all of us need a bit of nudging to get up on stage, so you can think about doing a presentation in easy mode first to get you warmed up. In terms of prep, podcasts are much easier, in my opinion, than writing a blog or giving a presentation. So if you've already written something, um, whether it's an article at work or a blog or whatever it
is or you've given a talk you can then start there and just massage the talking points that you already have easy easy um but if you don't have that you can just work with the podcaster and create questions and like a desired direction that you want the interview to take um then you just start filling in the answers to those questions um as Leaf mentioned before everyone is dying for more content the more content we all get the more we want and podcasters are trying to keep up with that need so you pairing up with a podcaster you're actually helping them and so for you benefit for you it's a great practice and like a very low-risk environment if
you're worried that you're going to like lose your place you're like shoot what were the answers that I came up with then you can just have your notes up on screen right next to the podcaster face and so it looks like you're staring right at them but you're also staring right at your notes hot tip um and podcasting is fun a lot of us in this room have done it uh a lot of folks that you've talked to at BSides probably have done some podcasts you learn something from the podcast host and they learn something from you and you'll at least laugh one time um and so with this low barrier entry all you need
is a topic a quiet space to talk and then like no unintended weird stuff behind you you can have intended weird stuff behind you that's fine but no unintended weird stuff and then how do you decide between like a live podcast versus a pre-recorded one each one has different benefits so if you're the person who goes God what if I mess up what if I use too many ums what if I do something wrong then you want to opt for the editable pre-recorded podcast because then you're good but what if you're this person who goes I don't want everyone at my company particularly the legal department crawling through every single minute of my spoken content
that's horrible and cringey then live might be better for you um so in that case you just basically share the proposed bullet points with your legal department they do their redlining and stuff like that and then all you need to do is just stick with the approved bullet points and you're good to go as mentioned previously uh Colleen and I both have experience as CFP reviewers and we've distilled down some of our best tips Colleen has been a reviewer for BSides San Francisco and I've been a reviewer for AppSec California and LocoMocoSec you should think of a CFP as having two audiences the reviewers and the attendees of the conference reviewers
might be looking at hundreds of CFPs so it's important to make yours stand out because if reviewers don't like your CFP or they think another submitter has a stronger submission uh your audience will likely never see it once you've made it past that stage you're still competing for attendees time how many tracks are there happening at this conference you need to entice people to come to your uh event specifically make sure that at least one person reviews the content before you submit it it's good to get some feedback from somebody you know other than yourself but at the end of the day you're the one who's going to be up on stage and so while you should consider
the feedback if you don't agree with it don't do it just because somebody told you because you're the one that has to deliver it try not to make too many changes after you've been accepted but if you want to make some tweaks to your abstract uh I think that's usually okay when you're thinking of titles I think a little bit of clickbait is fine there's a reason why articles have clickbait titles it gets people's attention just don't go overboard you want the reviewer and the attendees to actually know what you're going to talk about if you have a bad first impression with the reviewer which is your title it can be hard to come back from
that here's some common patterns for titles I think a straightforward and descriptive title is the classic the reviewer and the attendees probably know if they want to go to that talk just based on the title uh a fun and descriptive title is kind of just a twist on that where it's like hey they're probably talking about CORS if you care about CORS you might be interested in that talk and then you can also do what we did where the first half is just nonsense like that could be anything but it probably got at least some of you interested and then you follow up with what you're actually going to talk about some things to avoid in titles uh
if you have seen a lot of talks that have the same pattern of a title think about how many more a CFP reviewer has seen considering they see hundreds of talks um and then avoid anything that's a sexual pun or innuendo at LocoMocoSec we just auto-reject these because we assume the author has bad judgment and is probably not an inclusive attendee and while that's not always the case we just can't afford to take the risk and so we just don't accept them as a speaker if you've never written an About You section uh take a look at some conference uh bios from previous years uh don't worry if the people on the schedule seem a lot more experienced
than you everybody gave their first talk at some point and some conferences like BSides Las Vegas even have uh special help for new speakers um some conferences ask for links to past talks uh it's usually not in the About You section but if you have some um really good examples of podcasts or meetups or something um try to uh showcase your best work for your abstract um you want it to be short enough that people actually read it but not so short that they have no idea what you're talking about this can be a really difficult balance but I think that people naturally tend to skim things over a certain size so you do kind of need to optimize for that um and
again this isn't just for the CFP reviewers like us it's also for the attendees like yourselves um you're competing for people to come to your talk and sometimes you give a talk that's like two-thirds full sometimes you give a talk that has a line out the door uh and I've been in both those situations and that's just showbiz baby um here's a good example of an abstract from Global AppSec SF uh last year in this talk we'll discuss scaling security programs through technology and secure by defaults in an evolving engineering ecosystem we'll share lessons learned from paving roads for security over the years how to find opportunities create shared accountability with engineering partners and ultimately reduce security risks
this was from a keynote um by Anna uh just go see a talk if it's by Anna you can just skip the abstract but um I think this does a really good job of illustrating what the talk is about and people should have a pretty good idea if it's going to be useful to them just based on the abstract some conferences require an outline other ones don't um as you might have guessed at this point I'm a big fan of having an outline and so even if a conference doesn't require one I recommend making one anyway I think it's going to give you a leg up on people that don't write one because you're
going to write a better abstract which helps you write a good title uh outlines are typically not shared with attendees and so this is really just for CFP reviewers you don't have to worry about that dual audience component the way that you do with everything else but this is really your last impression with a reviewer because um you want to show them hey I've done enough research on this thing that I'm qualified but again you don't want to make it like a whole talk uh you want them to just be able to see that you're going to talk about some great stuff if your outline is really short uh it can come across as lazy so make sure that you have like
some minimum length similar to blogging or uh you you want to have somebody peer review your CFP submission um make sure that you don't hire yes-men for this task you want someone who's actually going to give you real feedback here and um again like you don't have to incorporate everything but uh just try to think if it makes sense to include and then uh Colleen is going to give you some tips on making the jump to delivering your first talk okay how are we doing on time I think we have 5 minutes oh all right Speedy okay uh-oh don't panic your talk has been accepted but by now you've been making notes on things that you'd like to
include in future material right taking notes I see few of you taking notes which is good um maybe you've even captured some clever turns of phrases and you're like oh that sounds good I got to write that down all of that is good motion but here's something to consider throughout this entire section if you can write and deliver a good Meetup or a conference talk you can write and deliver a good keynote you can be to for all three to me the difference between the talk types is kind of like the difference between a tall a grande and a venti because I am that basic all three talks start with outlines have a beginning a middle and
an end they all zoom in and they provide specific examples that illustrate your point they all tell a story or a tutorial um and they get an important message across and in fact content between all different types of talk formats is very similar what's more as all of Leaf's previous tips and tricks work for them as well and if you've been actually actively using them you're between 50 to 80% done hyp list the process now is just keep iteratively filling in that outline and then manage the crap out of yourself so your Meetup talk is like a tall-size drink maybe even shorter like a short or a demi or whatever it is it's not that I don't
know um if you've been doing security for at least one year you already have a topic that you should be talking about not only that but there's just a meet up just down the street from you and they're desperate for new blood because what happens is the same folks rotate in quarter after quarter and they want a new person to show up and that's you and if your company can host the Meetup even better because the host gets a speaking spot which means you can bypass the entire acceptance process which is very easy mode recommend that um meetups all have a lower barrier to entry you can even do a short lightning talk 5 to
15 minutes it can be an advertisement for a blog or an article it could be a recap of a project that you just did um and some other topic ideas that we've seen could be like security tools that you've built or processes that you've implemented educational talk based on something you had to learn for work and that you wanted to share like we had to just do a bunch of research on OAuth or JWTs for an internal project and we're here to share our learnings easy you can give a predictions of the future talk or even an inspirational talk like ours it lightly educates but mostly just pushes people into doing something positive um and for your Meetup or
lightning talk keep it on the shorter side and lean into high impact visuals because you just don't have a lot of time visuals matter for the longer and more formal types of talks all the previous topics um are still applicable but just like with your Meetup the work is filling in that outline um and you can do that now on paper audio notes or start moving your outline over to some and then it becomes really real and for conference talks you can also consider doing like a joint presentation are you finding that you're too busy to really just take this on by yourself maybe you're too unfocused to finish slides that's fine usually um and to cut down
on the overall amount of work that you need to do and just make it fun consider co-presenting your co-presenter can help you thank you give you uh content organize it practice it with you and give you a break when you're on stage so you can reap the benefits of being on a two-person team um if you're doing it by yourself and you're really struggling the key is just keep going just keep pushing yourself and filling in that outline and reward yourself handsomely for every couple of hours of concentrated work that you do you deserve it so your keynote it's 95% similar to any other talk that you would write except the main difference is your
Panic level goes through the roof of course you can reuse parts of a previous talk just ensure that the topic is going to be like 80% of your mixed audience like will be able to appreciate and understand it um folks that attend your keynote think about like they're all from every single type of domain every single skill level it could be their first day in security they could be 20 years in security and any domain and when filling in the outline the one extra thing you need to remember for a keynote is you've zoomed all the way in and you've given details but now you need to zoom all the way out and make the connection um between at least one
of the main drivers of your speech and then one of the main drivers of the conference that's plugging those things in makes the keynote and uh while you're sweating through it it's normal to go back and forth on wording Graphics ordering all of it um you're going to fiddle with your talk until your deadline hits that is normal if that happens to you you're 100% normal um and while you're fiddling with your talk you can like go take a break procrastinate and then go pick out like your version of the Steve Jobs power outfit something to do no matter what size speech you're giving it please practice it at least five times out loud
and have an audience for at least one of those even though you don't want any of your co-workers family or friends creeping on you watching you criticizing you they will pick up on problems and missed opportunities in your speech it's super helpful even though it's cringey just do it they'll point out where am I being super confusing where am I failing to make a big impact and if it's a keynote they're like hey aren't you supposed to like zoom out and do the thing you're like ah I didn't do it well so 99% of this test feedback is going to be useful to you in some way so before you get up on stage somebody helping you
out is a gift take advantage of it I would say just skip this one all right yeah this one's just a quick one if you get very nervous here's a link to uh how to manage adrenaline all right and to wrap up our presentation and to give you some tips to walk away with remember these points all of this is really important to help you build your dream team and support efforts once they're working with you accounting for and tracking all the things is important always always build and fill in that outline it is key to everything you do clickbait works but do not be creepy and remember to use your network to promote your work finally all
talks are basically the same and you can learn some calming techniques to help you when your nerves kick in cool so thanks for attending our talk uh we'll be around for the next hour or so we'd love to hear about what you want to speak about and uh how it helps your security team and if we miss one another uh we're in various security Community slacks as well as on Twitter um and so I'll be hanging out at the Semgrep booth which again is on the other side but yeah we have a link to the slides I also wrote a couple of blogs about this earlier this year that has this down in like written form so um
yeah I appreciate everyone uh coming out and supporting us today thanks and