The 2011 security conference season is upon us, with Black Hat DC already fading in the rear-view mirror. As I embark upon a busy couple of months, I can't help but reflect a bit on what is to come and question the value (perceived and real) of all this hoopla. Sure, I love getting the chance to travel a bit and catch up with friends whom I typically only see at these events, but beyond the social aspect, what's the value of the security conference?
The Good
Lest it seem like I'm dissing conferences altogether (I'm not), let's start by looking at some of the positives...
* Networking: Hands-down, conferences - especially major conferences - are great places to meet new people, hang out with industry friends, and generally network like crazy. Because, no matter how much we might hate to admit it, business is still very much about who you know. More importantly, though... meeting new people can be a great way to learn new things. Introverts: get out of your comfort zones a bit. Extroverts: take it easy on the newbies and introverts! :)
* Training & Knowledge Transfer: One of the biggest benefits of attending a conference is to, ya know, learn stuff. Maybe it's through taking a course (a la SANS), or by sitting in on interesting sessions by breakers (e.g., Black Hat and DEFCON). Whatever it is that interests you, there's no way you should walk out of a conference without having learned something new and interesting. If you do, then it's as much your fault as it is the conference organizer's.
* Community Exposure: No, this is not a "good vs bad naked" comment. If you're new to the industry, then it's important to see the industry broadly to understand just how much is going on. Even if you're not new to the industry, it's still important to be reminded how much is going on. As small as our little community often seems to be (*cough*echo chamber*cough*), there really is a ton of stuff going on, whether it be various standards initiatives, new research, new products, new groups, new companies, etc, etc, etc. It's important to be reminded just how small a part we as individuals play in the grand scheme of things.
The Bad
Now that we've covered some of the strong points of conferences, let's look at some of the negatives...
* Ego Stroking and Pissing Contests: Unfortunately, egos play a big part in most conferences - especially the major conferences. The fact of the matter is that it takes a degree of *ahem* self-confidence to stand up and give a talk. This is never more evident than at major events (I find this to generally be less true at small events). So, there's going to be an inevitable degree of ego stroking at many talks, and the value will decrease accordingly. At the same time, we also see a lot of pissing contests, particularly at the hard-core technical "hacker" cons (BH, DEFCON, etc, etc). Black Hat has gotten to the point that if we don't see a bunch of 0-days dropped, then we're disappointed. And then there is the confluence of ego and "competition." It all leaves me a bit cold. Not that I have a problem with the "breakers" and the great work they do, but then again I don't really need the reminder in flashy terms of just how buggered most things are. There's a place for this, but we just need to go into these situations knowing that a lot of it is about boosting egos.
* Vendor Orgies: Perhaps the greatest criticism of major conferences is how they've become massive vendor sales platforms. RSA is a great example, where almost the entire "keynote" track is allocated to top-level sponsors. RSA attendees will find that the "other" big room is where the "real" keynotes are held, rather than the major presentation hall where all the vendors schlep their wares. Security BSides owes much of its momentum to attendee frustration over the vendor influence on major events (ironic given the reliance of BSides on vendor sponsorship ;).
* Preaching to the Choir: Is there an echo in here? I think so. I think the biggest negative to most cons today is that we're generally preaching to the choir. The people who are generally flocking to presentations are those who are already interested in the topic and, more often than not, engaged in the conversation. Breakers go to hear other breakers, managers to hear other managers, lawyers to hear other lawyers, etc, etc, etc. Unfortunately, most of the time we don't need our own communities and sub-communities to hear the same message from the same people, but rather need cross-pollination. If you're going to a conference this year, then I highly recommend getting outside your comfort area and attending talks in areas with which you are less familiar or comfortable. Oh, and please go with an open mind. You might be surprised by what you find.
The Ugly
If the negatives aren't bad enough, I think there are some sad realities that simply need to be acknowledged about conferences...
* Actual Value is Frequently Limited: The sad fact is that many conferences have limited value, and the bigger the conference, the more true this is. I love attending conferences like RSA and Black Hat, but it's generally due to the social/networking aspect and not because of overwhelming content. This is, unfortunately, a sad reality about conferences, and also a major reason why the Security BSides movement got its start. Let's face it: a 1-hour talk is only going to be able to communicate a limited amount of information. Moreover, when you're attending 4-8 1-hour talks each day, plus being consumed by the vendors on the expo floor, there's only so much that your brain can take in. RSA is a great example, where the week is long and exhausting despite some decent content. Even the smaller events suffer from this problem: the brain can only take in so much new data in a short period of time.
* Very Hard to Demonstrate ROI: If your employer is paying for your trip to a conference, then how are you demonstrating the return on that investment? That is, what value are you deriving in a business sense? For speakers there is some value in terms of increased exposure, but for the average attendee? It can be tough. If you're attending a conference this year, then I highly recommend planning for your trip and keeping notes on how you've derived value from the experience. The more you can apply this directly to your job, the better it'll be and the more likely you'll be able to get your employer to send you again.
* SSDD: I'm harping too much on the "echo chamber," but it's a real and legitimate problem. We're seeing a lot of the same faces at major conferences, oftentimes with the same or similar talks. Where's the value in that? Not only are we generally talking to ourselves, but we're listening to the same people delivering the same content. Ugh. This is where the smaller regional conferences have a major leg-up, in that it's far easier to find new voices with new ideas. Hopefully these new voices are being given a chance to speak. BTW, if you *are* a new speaker, then seek out experienced speakers to help you be a better speaker. Do not simply let it ride and hope that everything will go well. Make sure things go well! If you can demonstrate good skillz, then that will increase the likelihood that you'll be given an opportunity to speak again.
Comments (3)
Hi Ben..
It's interesting that you write this, because I just did a mini blurb on infosec conferences too. (http://blog.thinkst.com/2011/01/is-answer-more-infosec-conferences.html)
After the post some people on twitter have been talking about decreasing the number of cons and single-track-only cons, which isn't exactly what I had in mind (for some of the same reasons you specify).
I.e. I think we _do_ need different types of conferences to get young blood in. My main point (although I'm clearly biased) is that we run the risk of quality being lost in the noise. It's why I think ThreatScapes has value.. i.e. I think cons will grow, and more cons will be introduced, and that that isn't necessarily bad, but organizations could do with a sort of curated filter.
Nice post..
@haroonmeer
Posted by haroon | January 26, 2011 6:10 AM
Haroon,
Thanks! That's a very interesting post. I very much agree with your thoughts, especially about needing different kinds of conferences. We definitely need to get away from the "talking heads" model as the primary delivery vehicle for information, and instead get to hands-on technical formats. For example, I think BH sort of had the right idea splitting "briefings" from "trainings," but I think they need to go back and add in a "workshops" track parallel to briefings that provides concentrated hands-on interaction on a given topic in, say, 2-hr blocks. I'm doing something similar for BSides Austin w/ the AppSec Guerrilla Camp concept, too.
I've followed you on twitter (I'm @falconsview) and look forward to chatting further! :)
-ben
Posted by Ben | January 26, 2011 7:07 AM
Hiya..
Thanks muchly. Agree that multiple formats are useful (if for no other reason, because different people learn differently).
I'm a poor tweeter, so feel free to drop me an email anytime at all..
Good luck with BSides..
/mh
Posted by haroon | January 26, 2011 10:48 AM