Security conferences: Why go?

For the last couple years, the RSA security conference has been later than usual. In 2009 it was in mid April, which was fantastic.

Last year it was March. Not as good, but still better than mid-February, when San Francisco is usually rainy and cold — and snowstorms foul up the travel schedule.

Given my dislike of February travel, it’s only natural that RSA would switch the conference date back to mid-February. During Valentine’s Day, to boot.

Two weeks before that, I’ll be taking the Shmoobus down to the ShmooCon security conference in Washington D.C. This is one of my favorites in terms of content and location.

While the time away from family is always rather tough to take, I do love going to these conferences. There’s a ton of networking to be done and stories to write, and I always come home a little bit smarter than I was before.

I have learned a few things about these events that are worth sharing. First, regarding ShmooCon:

Many CSOs view ShmooCon as an event of small importance. You don’t see the suits and ties that are on display at RSA. In fact, to those who haven’t attended, this conference is just a place where twenty-something hackers come to get drunk and throw TVs out hotel windows. Another crazy Black Hat/Defcon-caliber conference, more than one high-level security exec has told me in the past.

The larger reality is that a lot of important talks happen here that have implications up and down the IT security food chain. It’s also important to note that a lot of the young ruffians who come here are the very people who find the security holes so they can be fixed. They also build a lot of the technology CSOs lobby their upper management to invest in.

While most of the talks are tech-heavy, a lot of the discussion in the presentations and in the hallways are about the language disconnect that often exists between IT and upper management and how best to close the gap.

All important issues that must be addressed, from the IT basement to the top-floor executive boardroom.

We can’t live in silos doing our individual jobs and pretend the rest of the company doesn’t exist. In the battle to secure cyberspace, we’re all in this together.

RSA is a lot more commercialized, but I’ve found it to be fertile ground for networking. Here are a few things I’ve learned about that conference:

1. The vendor keynotes are not what they used to be

No disrespect toward the vendor keynoters, but I’ve found their talks less noteworthy in recent years. Sure, it’s good to hear their take on the latest industry trends, but if you’re an IT practitioner with years of experience you already know what they’re going to tell you.

The mob has moved its criminal operations online? You knew that. A data breach awaits the company who fails to take security seriously? You knew that, too. You also already knew that a data breach can happen if you DO take security seriously.

The high-level government speakers are a bit more interesting. In 2009, the main Wednesday talk was from Melissa Hathaway, then-acting senior director for cyberspace for the National Security and Homeland Security Councils.

The problem with RSA keynotes is that the size of the stage and auditorium and the rapid succession of keynotes doesn’t allow for the give and take between speaker and attendees that would make these more valuable. But sometimes you have to take what you can get.

2. Don’t let the exhibit floor get to you

The exhibit floor is loud. It’s packed. The people working the booths will hound you aggressively to stay a few minutes and see their slide deck or hear the pitch. That’s OK. They’re doing their job. But if you’re not careful you could easily get sucked into things that aren’t going to help you. And you’ll miss other booths that may have something more important to your particular security challenges. My advice: Look over the floor plan before you go in and pinpoint the vendor booths you actually need to get to. Walk right past everything else.

3. Seek out alternate events

One of the best things about RSA is that a ton of neighboring events take place in the neighborhood around the Moscone Center to coincide with the main attraction. One event that’s of particular interest to me is Security B-Sides. It’s billed as an anti-conference of sorts; a place where practitioners can go for an alternate, stripped-down view of the industry. The goal is to expand the spectrum of conversation “beyond the traditional confines of space and time,” giving people the chance to “both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos and interaction from participants.”

I’ll give you more specific details about this year’s BSidesSF event in a later post.

4. It’s more about the networking

To me, the most important part of RSA is the networking. The last two were great because I got to finally meet a bunch of people I had only met up to that point through Twitter. I also made many new contacts who have offered me a variety of helpful feedback ever since.

If there’s an opportunity to have coffee with a fellow security practitioner at the same time a keynote is going on, go for the coffee.

The keynotes may entertain, but it’s the relationships you forge over coffee or a meal that will likely lead to useful collaborations and lines of support in the years to come.

Safe travels, everyone!

–Bill Brenner