Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Apply to speak at the O'Reilly Security Conference

Call closed 11:59 p.m. 05/18/2017 EDT.

We invite proposals from practitioners who want to have real conversations about security: security analysts, engineers, and administrators, developers, testers, results-focused QA researchers of all kinds, chief security officers, leaders in risk and audit, and security data scientists. If you’re on the front lines of defense with stories of great success and worthy failure, especially if they provide clear ideas for what to do next, let us hear from you. And while people need a sense of what’s possible, bring concrete technical solutions above all else. Please read our tips for preparing a proposal, and then submit your ideas by 11:59 p.m. EDT May 18, 2017.

Note: Names and company affiliations will not be considered by the program committee during the first round of review. Any videos submitted with the proposal will also be excluded from consideration for the initial review.

Themes we’re focusing on for the conference program include:

Bridging the gap

Security is not done for its own sake—it’s a business necessity. How can we break down the insularity of security teams and communicate effectively with other departments and decision-makers?

  • The wisdom or folly of creating a separate risk-management cycle
  • The true cost of security problems in both time and resources
  • Secure vs. cheaper vs. faster—what are the tradeoffs, and how do you work with the business side of your organization to discuss these?
  • Balancing security and privacy
  • What language can defenders use to reach leaders and decision-makers in their organization?
  • External factors vs. internal controls: Competitive influences, innovation, regulation, international considerations

Tech, tools, and processes

We’re hearing a lot about magic tools that can automate our work, often using “big data” as part of the incantation. What are the best methods for improving security, particularly those that introduce fewer vulnerabilities and demand fewer developer, maintenance, or monetary resources? How can effectiveness be measured, given the current lack of comparative analytics and data?

  • DevOps-style instrumentation and measurement
  • Building security in: Dev/Test/Integration tools and processes that help develop secure software
  • Learning from the environment—what’s actually working?
  • Working around the complexity of increasing technical debt
  • Supporting innovation without losing control of existing controls
  • Making the invisible wins visible
  • Injecting pragmatism and sustainability into defense tools and processes
  • Thrifty best practices: myth or reality?
  • Using data and risk analysis to identify priorities and measure progress
  • Reducing the technical competency necessary for companies to be secure, particularly for companies without a dedicated security team
  • Increasing compliance productivity
  • Unsung tools that are currently available and effective, but unused

Security analytics: Threat intel, metrics, data science and machine learning

Security in general has a mindset that the problems being faced are unique, and in some ways they are, but analyzing large sets of complex data is the bread and butter of data scientists. How can practitioners apply the methods of data science, from collection through analysis, to make improvements to security and operations? How can data be used to make good, actionable decisions, particularly when much of the existing data is from vendor reports?

  • How to work with, or around, threat intel
  • Trend analysis
  • The right data to collect: What’s the role of external, easily available data sources in an internal security program?
  • How are security exposures, issues, performance, and investments measured?
  • Data visualization approaches to improve detection and response
  • Statistics 101 for security: How to read your data and evaluate research results
  • Affordable and accessible data tools for security pros
  • Finding and leveraging benchmarks and metrics
  • Using attacker tools/methods to generate ground truth for data-driven defense

Security usability

How have you built a successful, responsive security culture at your company? How are you making security more approachable and understandable for less/non-technical people? We’re looking for stories of usability, hiring, training, team structure, and changing behavior that lead to better security.

  • Building a bridge to service design and UX, to talk about security as helping users accomplish their goals more than as stopping machines from getting owned
  • What about end-users? The best defensive practices, tools, and tips for people outside the corporate firewalls
  • Recommendations, approaches and best practices for SMBs
  • Tools and practices for high-risk users
  • How do you make decisions under stress and uncertainty?
  • How do you respond to a breach or other vulnerability?
  • What is your response to failure? How you respond to failures represents a more important metric than whether or not there has been a failure

Teachable moments

What does success look like? How have breaches, bugs, and mistakes at your organization changed your approach to security? If all goes well, few people will ever know how you saved the day. Talking about failures is hard, and might be frowned on by your company. But sharing what led you to discover that something was wrong, and how you responded when you discovered a breach, might save others a lot of heart(bleed) ache.

Proposals will be considered for the following types of presentations:

  • 40-minute presentations, discussions, or panels
  • 3-hour tutorials

Required information

You’ll be asked to include the following information for your proposal. Because the first round will be a blind review, please do not include your name, affiliation, or any other identifying information in the title, description, or abstract of your proposal.

  • Proposed title
  • Description of the presentation
  • Suggested main topic
  • Audience information:
    • Who is the presentation for?
    • What will they be able to take away?
    • What prerequisite knowledge do they need?
  • For tutorial proposals: hardware installation, materials, and/or downloads attendees will need in advance
  • Speaker(s): biography and hi-res headshot (minimum 1400 pixels wide; required)
  • A video of the speaker
  • Reimbursement needs for travel or other conference-related expenses (if you are self-employed, for example)

Tips for submitting a successful proposal

Help us understand why your presentation is the right one for Security. Please keep in mind that this event is by and for professionals. All presentations and supporting materials must be respectful, inclusive, and adhere to our Code of Conduct.

  • Pick the right topic for your talk to be sure it gets in front of the right program committee members.
  • Be authentic. Your peers need original ideas in real-world scenarios, relevant examples, and knowledge transfer.
  • Give your proposal a simple and straightforward title.
  • Include as much detail about the presentation as possible.
  • If you are proposing a panel, tell us who else would be on it.
  • Keep proposals free of marketing and sales, including buzzword-heavy jargon and FUD.
  • If you are not the speaker, provide the contact information of the person you’re suggesting. We tend to ignore proposals submitted by PR agencies and require that we can reach the suggested participant directly. Improve the proposal’s chances of being accepted by working closely with the presenter(s) to write a jargon-free proposal that contains clear value for attendees.
  • Keep the audience in mind: they’re professional, and already pretty smart.
  • Limit the scope: in 40 minutes, you won’t be able to cover everything about Framework X. Instead, pick a useful aspect, or a particular technique, or walk through a simple program.
  • Explain why people will want to attend and what they’ll take away from it.
  • Don’t assume that your company’s name buys you credibility. If you’re talking about something important that you have specific knowledge of because of what your company does, spell that out in the description.
  • Does your presentation have the participation of a woman, person of color, or member of another group often underrepresented at tech conferences? Diversity is one of the factors we seriously consider when reviewing proposals as we seek to broaden our speaker roster. Note: first round is a blind review.

Other resources to help write your proposals:

Important dates:

  • Call for Participation closes on May 18, 2017
  • All proposers notified by June 2017
  • Registration opens by June 2017

Code of Conduct

All participants, including speakers, must follow our Code of Conduct, the core of which is this: an O’Reilly conference should be a safe and productive environment for everyone.
