
A Blueprint for Branding: Authentic Ways to Establish your Public Persona

BSides Seattle | 24:25 | 56 views | Published 2025-06
About this talk
Speakers: Leif Dreizler, Misha Kuenstner

Misha Kuenstner - Security Engineering Manager at Semgrep
Misha Yalavarthy is currently a Security Engineering Manager at Semgrep, leading Security Research. We are responsible for finding vulnerabilities in our customers' code and building and maintaining the tools that help us scale. Before Semgrep, she was the Security Engineering Manager for the Detection and Response team at Sentry and was responsible for building the program from the ground up. Prior to that, she was a Senior Security Engineer at Cloudflare focused on internal security and building detections to secure the global network and infrastructure.

Leif Dreizler - Senior Engineering Manager @ Semgrep
Leif Dreizler is an information security professional with over a decade of experience. He is currently leading multiple engineering teams that build features of Semgrep’s product. Previously, Leif was a Senior Engineering Manager at Twilio Segment where his team was focused on building customer-facing security features and internal security tools. Leif is a conference organizer and active member of the security community, and is passionate about helping folks on his team and within the broader security community develop in their careers.

Transcript [en]

All right. So, yeah, we're really excited to be here. I actually just moved to Seattle in November. Um, so it's really cool to see the security community out here. Uh, we both have a combined 20 plus years of working in security. We're currently uh at Semgrep and both are startup investors and advisers. Um, I'm currently a security engineering manager. I previously worked at Sentry and Cloudflare and my friend Leif here uh is a senior software engineering manager. He's currently a CFP reviewer for OWASP and has presented at numerous conferences as well. Um and he previously worked at Segment and Bugcrowd. Also, you might have heard of our open source tool uh but we also have

paid offerings for static code analysis, software composition analysis, and secret scanning. Um and so if you want to learn more about any of these uh we'd love to help secure your company and we have a couple other uh Semgreppers at the conference that you can speak with. Cool. So during this session we will share um effective strategies for building your personal security brand, provide tips on how to positively contribute back to the community and encourage a culture where others in your company feel motivated and engaged uh more in the community. So investing in building your brand and engaging with the security community can be incredibly rewarding. Um it helps advance and evolve the industry and

teams are often facing very similar challenges and can learn a lot from each other's experiences. It's also personally rewarding. It can help you secure your next role, attract talented people to your team, and open unique opportunities like becoming an adviser or a guest appearance on a podcast. and working with great people makes your job a lot easier and more enjoyable. Um, but it takes a lot of effort uh to build that kind of team and it's okay just get my okay um yeah and it also helps with recruiting and it helps um establish it can help establish you in a area of expertise. So um and you'll learn more about yourself, like what inspires and motivates you, your

strengths. So how do you begin and find your voice? So I would say focus on developing your voice. Figure out what's important to you and be willing to use your voice for that purpose. Uh if you're only doing it to develop your personal brand, it can feel a bit empty. Um but if there's a deeper understanding of yourself and what feels authentic to you, it can feel really rewarding and be fun. And if you're doing it because there is something you want to see changed in the industry, that's where it will have a lot of value and depth and and you know there's integrity there. So here are some ideas for figuring out how and what to share. Starting with

understanding yourself, your strengths, inspirations, and motivations um that will help you figure out what goals you want to set for yourself in this effort. First, ask yourself why do you want to share? Maybe it's to promote your public persona. And if that's the case, um asking yourself questions like what area do you really want to establish yourself in as an expert can kind of help uh inspire. So this helps me to getting this leads me to getting started and defining success for yourself. So it can feel overwhelming if you don't know what your goals are. Um you can set realistic goals for yourself depending on how much time or energy you want to invest. So,

this could mean writing one blog post a quarter or two CFP submissions a year. Um, and if you have a newsletter, maybe you're focused on increasing engagement or getting a certain number of subscribers. So, ideas can come from many different sources. And here are some ideas. Um, starting with completed projects, incidents, retros, or road maps. Um, if you can talk about an interesting or challenging incident and how the team recovered from that and learned, that's a great way to help your peers in the community, especially if they end up facing a similar incident. You might have people reaching out to you and kind of really view you as like an expert in that area. And similarly,

when you run a retro, maybe there was a follow-up action item you did where you learned a lot about a particular technology. Presenting internally or with trusted teammates and managers can also help create a safe environment to improve your presentation skills and uh before delivering it in front of a larger audience and ask for candid feedback. We all learn so much from each other. Um and so don't feel discouraged if you've never done this before and you have a long way to go. Um there's nothing better than just getting started and practicing and you'll learn how to do it and become more comfortable with it. Cool. Um, so how many of you here have ever written a

blog? Nice. That's actually quite a lot. That's probably like a third of you. That's cool. Um, well, hopefully, uh, this is still useful for folks that have written a blog before, but for the other two-thirds of you, here are some of my best tips about how to get started. Uh, for me, having an outline really unlocks the rest of the process. If you're working on a project and you think you want to write a blog about it at some point, try to take notes as you're actually doing the work. It's a lot easier to go back and write a blog if you don't have to try to remember what you did a month ago, two months

ago. Uh it's quite hard. Uh anyone who's done that, I see some people shaking their heads. So, uh social proof that you should be taking notes. Um this is a totally separate talk, but notes on that kind of thing also really help when you're writing your performance reviews. It's really helpful to be able to go back and be like, "These are all the cool things that I did to make sure that you get credit." Um anyway, so uh don't worry about the formatting of your notes. Don't get bogged down trying to make your notes perfect. Just make sure that you have them and then you can spend time turning them into a nice outline later. Once you

have an outline, it's a lot easier to get started. You can think of this like the way that you write a project plan before you get started on your work for your week or for your month or for your quarter. You can also take your outline and uh for your blog and turn it into a conference presentation submission. So, here's some actual tips about how to get started on on your blog. These um some of these came from somebody that used to work at Y Combinator, the folks that um host Hacker News. Um the first one is deciding whether you're writing a story or a tutorial. Tutorials are great, but they're generally uh the audience is limited to people that have

that same problem. If you want people to uh read your blog that have a different problem, you need to make the story interesting. And a great way to do that is to get them to feel your pain. Um, this helps get the reader invested early. And if you fail to hook the reader, they're just going to close the page and go do some work or or read something else. Um, try to get the reader to put themselves in your shoes. If your blog is just fun and hacky and interesting on its own, you can take a totally different approach. The example they gave here is making a Turing machine out of Lego. You don't need somebody to

feel your pain uh as a security engineer if your blog is about doing something like this. Don't just say I had this problem and then this is how I solved it. The end. Readers actually want to understand the setbacks and challenges that you faced. And this can also help you illustrate why you made the choices that you made. For somebody who hasn't solved that same problem, they might think, oh, obviously the way that you would solve Y is to do X. Maybe you already tried that and it actually has a ton of pitfalls and you can save other people from going down that same road if you if you share the things that didn't work. So if you have a blog um I think

it's a lot easier to turn this into a uh talk for a meetup or a conference um than just starting from nothing. And these are really good ways as Misha mentioned that you can uh share your work with with new folks. So creating a conference presentation from a blog um is a lot easier. Like I said, you've already put in a considerable amount of time into uh thinking about this and you already have your thoughts organized in a way that's presentable. Um once you have a blog, you can also shop this around to folks that host podcasts. Uh tons of podcasts are looking for people to to be on their podcast. you're probably not going to

just uh show up onto Risky Business or something that's like incredibly popular unless you have a really really good blog, but there's tons of other great podcasts that are always looking for for guests. Same thing with local meetups. Your average local meetup uh is is desperate for comp for for speakers and so don't um be hesitant to to share your work locally. Um so similarly uh to the previous section, how many of you have presented at a conference before? Cool. So, slightly less, maybe a quarter or so. Um, but these are some of the common fields for a CFP. If you've never considered submitting to a conference, you need to start thinking about it early. CFPs often open like 6

months before the conference and they usually close, you know, maybe two to four months before the conference. So, um, start thinking about your presentation for BSides Seattle uh, about five to six months from now or maybe even a little bit earlier. Um, as Misha mentioned, I've reviewed a lot of CFPs over the years, and uh, here are some of my tips. Your title is your first impression with a reviewer or an attendee. It can be really hard to come back from a bad title. There's a couple of classic title formats that I like, but don't feel like you need to conform to any of these if you want to do something different. Um, the first one is just simple and to the

point. The reviewer probably has a reasonably good idea if this is a fit for the conference. just based off of the title. The next category is similar to the previous one, but you can add a little bit of flair. Um, attendees might just be looking at titles when they're deciding what to go to. So, don't make your title too confusing or too abstract. Um, you want someone to know if they want to attend based off of the title. You can also do a two-parter. This one obviously worked reasonably well because there's a good amount of people here, but the first part can be something that's a little bit catchy and then the second part can be what you're

actually going to talk about. Um, don't be afraid to use a little bit of clickbait in your titles. Again, it needs to be something that people understand, but clickbait works. There's a reason why articles use clickbait. Um, and then my last tip here is do not have sexual puns in your title. I promise your penetration testing joke is not that funny. The CFP reviewers have probably heard it before. And I think that these types of titles really contribute to a less inclusive conference experience. And I I really hesitate to accept these as somebody who's uh reviewing submissions. Um your abstract. This is really your chance to sell interested attendees as well as the reviewers. Um,

for better or worse, by the time that a reviewer has read your title, your abstract, and your bio, they've probably mostly made their decision as to whether or not your work is going to be a good fit for their conference. You want the description to be short enough that attendees will read it, but not so short that they don't know what you're going to talk about. It's a difficult balance between it being succinct and thorough. Most conferences, including BSides Seattle, have multiple tracks, and attendees are going to use your title and your abstract to decide whether or not they want to go to your talk. As mentioned previously, I really recommend starting with an outline. If

you have a great title, uh, consider yourself lucky. A lot of people really struggle to come up with a title. And I found that over the course of working on your outline, um, things like the abstract and the title are going to be easier to uh, come up with. And so, even though this is probably like fourth in the CFP uh, form, do it first. Um, your outline is your chance to prove to reviewers that you've thought enough about the topic um to be qualified to give a presentation. These are not typically shared with attendees. So, don't worry if things drift a little bit. I mean, you don't want to give a completely different talk than what you

submitted, but a little bit of drift is okay. So, now let's talk about how to use AI in your submissions. Please, no AI slop. uh reviewers are volunteers, please do not submit garbage. We can tell when you just put something into ChatGPT and pasted it into the submission form. And if somebody's going to spend that small amount of time on their uh submission, uh they're probably not going to spend the time to actually make a good presentation. That being said, um I helped somebody I worked with submit to her first conference earlier this year, and she spent time writing down a bunch of great ideas. We worked together to turn that into an outline without AI.

And then we used AI to help come up with potential titles and work on an abstract. Including a description of the conference and the audience you're targeting is really helpful. We got a lot better responses from ChatGPT by doing this and also copying in guidance. So, I wrote a blog a couple of years ago about how to do a bunch of the stuff that Misha and I are talking about. We actually copied sections from that blog into our uh into our chat and it made the responses a lot better. Um so yeah, AI helped make this process a lot more efficient and genuinely had some good contributions and I think that you're actually doing yourself a disservice at

this point to not collaborate on AI or collaborate with AI on something like this. But just make sure that it's representing you well and it's representing you in a way that you would have represented yourself. Um, cool. I'm going to hand things back over to Misha. Yep. So, I'm going to be talking about sharing your team's work publicly, um, to create a culture where security teams improve their communication, uh, which will pay dividends as time goes on. Uh, sharing work can be a key indicator of growth and healthy teams. And the best teams that I've worked on, uh, really emphasize sharing your work publicly. So, here's another benefit. Uh it transforms us from being awkward and

unwilling communicators to being effective and powerful communicators within our own companies. Um how many times have we heard people say security is very important but then people at your company uh just don't do the work um for whatever reason. So in these situations what you can control is the effectiveness of your messaging. And security folks do tend to be correct but security folks also tend to shy away from communicating or highlighting their work. And we also tend to come across as disgruntled um and we sometimes avoid frequent messaging even though we really should be doing that. And all of this kind of friction hampers us from communicating danger and the need for quick action uh to derisk. Um so all of

this is great practice to be more effective at your own work. So for leaders um how can you expect your teams to do this kind of work if you're not doing it um inside your company? never miss a chance to broadcast your team's work and successes. And I want to ask like, you know, when's the last time you wrote a series of security slack posts or got up and spoke in front of your engineering teams? Um, and how often do you do this or do you just kind of expect your teams uh to do it? And then outside of your company, uh, if it's been a year or more since you've blogged or spoke, your team

needs you to blog and speak in order to emulate it or they just emulate you and don't do it. So finally, ensure you're doing multiple things to build the culture to support this engagement and help it grow. And uh yeah, your paperwork is never done. So but use it to change elements that positively influence employee behavior. So find a good spot in your ladders to state your comms deliverables for each level of the employees you have. And when employees kind of hide from these expectations, you have to hold them accountable. And for folks who do deliver describe this work and its impact in their annual review or promotion packets um you'll see that great comms and leadership

naturally tends to lead to impact on the company and give positive reinforcement to folks who work hard to make this effort. All of this is a way to like systematically positively reinforce this type of effort. So yeah, I mean I remember when I was on a team that did not pay for conference talk uh for conferences unless we attended the conference as speakers um and we had a learning budget but this really motivated us to work on the most impactful things and share it with our community or find opportunities to do that and it helped build a great reputation for our security team. Um, and as a manager, you can also link the work of these effective employees to the

overall success of your program. And when they're particularly effective, like share it and be loud about it internally or on LinkedIn. And I also want to um encourage setting aside time during work hours actually to work on blogs and presentations um because it's uh we should like normalize making progress on this type of work during work hours especially if we're going to make it a part of expectations and ladders. Um I think it's I think it's fine to be a to use work hours to do this kind of uh to make this kind of progress. Um, so yeah, now that you've done all this hard work to get your team's collateral produced and counted, Leif is

going to talk about how you can package this work as advertisement for how awesome your team is. Cool. So, for most people, I think you'll get the majority of your traffic from newsletters or from posts on social. I post on social first and then I link that to my team and ask them to uh share the same link rather than just reposting the like underlying article. Emoji reactions, comments, and re-shares all help with the algorithm. So, make sure that you're all amplifying a single post. If you share your work in industry groups, make sure that it's a good fit for their interest. Nobody wants to get spammed by the same person all the time. Um, here are some stats

from a blog that I posted a couple of years ago. As you can see, a lot of the traffic uh came from social. This was a different blog that was hosted on my previous employer site segment. It was really easy to attribute spikes after the initial release to getting featured in a couple of well-known newsletters, but as you can see, the initial release, which was just on like LinkedIn and Twitter, um did pretty well on its own, like pinned tweets and featured media on LinkedIn, uh to make it easy for people to find your best work. If somebody's trying to get to know you, uh they're probably going to click on some of these things if they uh don't have

direct experience with you. Um, when you're sharing your work, share your work to connect and invite people into your world. Sharing your work is a great way to meet folks that are passionate about the same topics, and it helps you build a community. If you enjoyed someone's blog, consider sending them a DM uh to let them know. Most authors will be really excited, and it might encourage them to continue producing things that you enjoy. I remember a few years ago somebody reached out and said that one of my blogs helped them got helped them get accepted to speak at their first conference and it was really cool that somebody uh found my my work useful and

also helped them uh achieve something that they hadn't been able to do previously. I really like this quote from Matt Johansson. Um, one of the main reasons why I've helped organize and speak at conferences to meet people. And you don't get great community events without a lot of collective time and effort. And we really appreciate you choosing to spend your time with us when there's so many great talks to choose from. Um, so in closing, it doesn't matter if other people have written or spoken about the same topic. Your perspective is unique. This is one of the most common reasons I hear for people not to present at something. Um, don't let this hold you back. Um,

outlines can be reused across blogs and conference presentations, which makes the whole process a little bit more efficient for you. Um, use AI, but make sure that it's representing you well when you submit to speak at things. Help create a culture at your work that rewards this type of behavior. And use your network to promote your work, but also use your content to grow your community. If you want to hear from some more Semgreppers, uh, Vicilei is presenting at the top of the hour at 11 today and, uh, Milan and Vicilei are running a workshop tomorrow at 10:00. Um, as a reminder, I have two blogs on my Substack that cover this in a lot more detail. If you're getting

ready to present at a conference, um, take a look at those. And Misha and I are going to be around in case you want to chat about the presentation or hear about Semgrep. The bit.ly link has a link to all the slides. So if you want to revisit any of the stuff, it's right there. And uh with that, thanks for coming to the presentation.

With raising my public profile is the risk of becoming a target. Uh have you guys encountered that? And is that something that I should be concerned about or it's just kind of in my head?

Um I haven't encountered that. I think it would really depend on like what you're speaking about. Um, I think for a

lot of the folks I've met in the security industry, the stuff that they're working on at work probably wouldn't make them a target and you don't need to share what you you're working on, but I think it's it's really you just need to evaluate what the topic is. I think I kind of want to expand on what was just asked. So you have your CISO, you have your trustee. I've been on trustee before. And I think there's something to be said about like getting someone's blessing before hosting something, right? Getting management's approval, getting CISO's approval. There's a ton of topics I would talk about just generally that don't really need that kind of approval, but I think

it's something to be considered. What do you think? Yeah. I mean, like the places I've worked have all been pretty chill about what was talked about, but um the approval process was really just like, "Hey, let somebody on I forget it was like usually like the marketing team or like the brand team or something know what you were going to talk about." But um I've never really had a lot of problems, but yeah, you just need to know what the vibe of your org is and follow the rules for sure. All right, one last question. Thank you. Um, how would you since this is 2025 kind of give advice to temper a little bit political activism? So I

think people did really well against lamp but the industry was really quiet about Chris. So how do you any advice on that balancing act?

I'll go. Okay. Um yeah, so I mean I think it just goes back to like what you're comfortable with. Like I I don't know what people are going to be comfortable with presenting, but if you're comfortable and you want to speak up for something, I I encourage people to do so. But as the the first question kind of alluded to, like make sure that you're okay with the potential risks associated with taking a a loud public stance on something. I've never presented about anything that controversial. It's always just been like pretty normal stuff that I've been working on. So, I haven't really had to go through that uh thought process. I don't think I've posted anything

political on like LinkedIn or anything like that. But if you're worried, I I I guess if I were to post something like that, I would probably not ask my employer. I would just do it if I really believed it to be honest. Um, but if you're worried about it, then at least your manager maybe, you know, it's like, is this cool? Is this like not representing the company in a way that you think would be, you know unfavorable? Um so yeah, sorry if that wasn't really like a framework to for thinking about it. It does seem very personal. Um, and I've seen a lot more politically motivated posts on LinkedIn definitely this year. Um, even about Chris Krebs too. So I

think we're there seems to be more openness in general. All right, I think we're ready to