People new to the security field frequently ask me if they should go to security conferences and which are the best ones to attend. My answer is always, “It depends. What are you trying to accomplish?” Personally, I have a love hate-relationship with security conferences. While I enjoy those sexy talks about the latest and greatest vulnerability as much as the next person and appreciate meeting others in my field, after about two days of it, I’m done.
Between the rampant industry cynicism and pointless arguments over whether or not some presenter really is the ninja-rock-star he or she is purported to be in the media and the security community, I’m mentally drained and bored. According to the Security Organizer and Reporter Exchange (SECore), there are more than 1,200 security conferences at last count. I wonder if there are too many or if it's a matter of choosing more wisely.
I admit that I try to avoid the Vegas/Black Hat/Defcon pilgrimage that many seem to make annually, probably because I simply can’t stand Las Vegas. The constant din of noise and the gambling (even in McLaren Airport) make my skin crawl. But I’ve spoken at the mammoth RSA conference in San Francisco, which has more than 20,000 attendees, and have attended Black Hat in D.C. and some of the smaller “boutique” conferences such as Shmoocon.
[Check out what's on the agenda at this week's Black Hat conference in 9 Technologies Security Researchers Will Break At Black Hat.]
The problem I have with some of these events is how much emphasis is placed on finding something “broken” in an application or protocol. Great, someone can man-in-the-middle a particular application, if the moon is full and it’s a Leap Year. I’m exaggerating a bit, but some of the talks I see are for “vulnerabilities” that simply don’t exist if the system or network has been properly configured and hardened. Or other times, a dangerous exploit is demonstrated, but without any practical recommendations for mitigation.
What I don’t see are very many talks covering viable methods for classifying data, designing secure architectures, and building in application security. There seems to be an egocentric need to demonstrate superiority through destruction. Hey, Oppenheimer, I’m not all that impressed by someone who can blow up a cathedral. Call me when you’re ready to build one.
Although I sound pessimistic about the conference experience, I have to admit that I’ve also had some great experiences, but not in the way that you’d expect. For example, the time I saw Joseph Menn at Black Hat speak about hunting down cybercriminals in Russia. And I've been able to get face time with various luminaries at Shmoocon and RSA as I stalked them with a microphone in search of an interview for my podcast; everyone was always very gracious and I’ve managed to get great content. Conferences have also given me opportunities to take some amazing training classes from people like Val Smith and Richard Bejtlich. These events have also offered me the chance to exchange ideas with fellow professionals, someone new or a person whose blog or Twitter account I follow, but have never met in person.
Conferences, especially in IT, seem to be loud and raucous with lots of interaction. This is good for me for the first day or so, and then I’m on overload. But I’ve noticed this is due more to my bad planning and have figured out some strategies that make these events less painful and more enjoyable.
I recommend you try to pace yourself. Break up your day into sections where you can give yourself some quiet moments, otherwise you’ll crash hard after the event. Try to balance the “breaking” sessions with the “building” talks; it’s less depressing. Take notes, so you can share what you learn with colleagues upon your return.
Many attend some of the larger conferences for the endless string of parties, and at an event such as RSA or Black Hat, there are more stars than in the heavens. But as enjoyable as these evening festivities can be, remember that these are still professional events. If your employer paid for your attendance, you don’t want any record of questionable behavior to damage your reputation.
Don’t try to do much work during the conference. First, it can be risky to access your enterprise from the hotel or event network (even with VPN) at a security conference. There are some unscrupulous types who consider it a badge of honor to compromise users and systems during these events. Also assume that your traffic could be captured for analysis later. Additionally, why give yourself the additional stress of trying to stay engaged at the conference while being distracted by what’s going on at the office? Make sure you have coverage and that your co-workers know you will have limited availability.
But the best advice I can offer is, if you work in information security, don’t limit your professional development to security conferences. I notice that many IT professionals tend to isolate themselves in the bubble of their particular specialty. By doing this, they miss an opportunity to gain knowledge of other disciplines, which could enrich an understanding of their own. Consider attending a networking conference such as Interop or maybe a systems administration event.
Also, why limit yourself to large conferences? They’re great, but you could also try the smaller alternative gatherings such as the B-Sides events scheduled all over the United States. It’s a great chance to have conversations with other working professionals trying to solve problems.
And why stop at conferences? Consider joining a nearby hacker or maker space, your local ISSA chapter or even a meetup. Finally, you don’t have to be a passive technical sink; why not submit your own talk? Teaching something is a great way to learn it in-depth, and what better way to give back to the community?
So, sure, go to a big conference and have fun. Just remember that professional development is a continuous process. Your engagement should be consistent throughout the year because it’s a better personal and professional choice.