Over the weekend, I became immersed in a discussion on Twitter centered around getting more people involved in InfoSec conferences. Here’s the original post by @hacks4pancakes:
Lesley’s initial point led to many great responses relating to the value of attending conferences and the process of communicating that value to the powers that be within your organization. As one who has recently gotten more involved in attending conferences, I thought it might be worthwhile putting my thoughts and experiences on “paper.”
One response to Lesley’s post spelled out the most common objections you might face when inquiring about conference attendance:
- What is the cost?
- Time away from work!
- What is the ROI?
- All the videos of talks will be posted anyway!
Of course, all these objections are valid, but in my opinion, they are all short-sighted. Based on my experience, the real value in attending the right conferences comes down to these key benefits:
- Vendor Interaction
- Socializing / Collaborative Insight
- Continuing Professional Education (CPEs)
- Professional Recognition (Speaking)
Understanding these benefits and articulating them to your colleagues goes a long way in developing a culture that supports participation. Let’s go a bit deeper.
Networking in the sense that I am talking about here is simply building relationships with others in the field. This is important for two reasons. First, you can dramatically enhance your knowledge base by building friendships with like-minded experts and learning from them. The community is very keen on sharing expertise, and you should take advantage of this. Second, you have something to contribute! By building friendships, you can gauge your level of expertise in comparison with others, and you will ultimately come to realize that you indeed can contribute to the community, thus expanding the common body of knowledge and making the world just a bit smarter and safer for everyone.
Over the years, I have come to meet, hang out with, and get to know some amazing people. I call them all friends, and we all look forward to meeting and learning from each other at every conference we attend. The out-of-band collaboration is something you just can't find by any other means. It still amazes me that through attending conferences and going out of my way to build relationships, I can text or call some pretty amazing people in high-level positions, ask them just about anything, and receive a response.
Please note: there is a definite distinction between education and training. Education is simply the process of becoming aware of basic theories surrounding a topic. This is the sort of information you gain by attending a talk or having a discussion with an attendee or speaker. Training is the act of acquiring the skills necessary to perform a task proficiently. We will hit on this a bit later.
Conferences are jam-packed with great talks that have been vetted by the community and are top-notch. You can easily hit the key talks that are relevant to the focus of your work. If you don’t come away from every conference with three or four useful tips that can be employed right away in your workplace, you aren’t paying attention! Add the opportunity to interact directly with the speakers and get to know them personally, and you take home something far more valuable than you might imagine.
I am continually referring to talks that I have attended, reviewing them, and in many cases, interacting with the presenter as I use their insight in making our organization more secure and improving our service offerings.
Many conferences offer competitions at varying skill levels, typically in the form of programming challenges or capture the flag (CTF) events. Larger conferences like DEF CON have so many competitive events that you could spend your entire time at the conference participating in them. Where's the value in these games?
The CTF events are typically geared toward a variety of skill levels. These events give you the ability to apply your red team or blue team skills in a simulated yet timed setting. Opportunities for this sort of practice might not be readily available for you outside of a conference. In most cases, even if you don’t get very deep into the competition, you have the option of taking the competition home with you for dissection later. Most of the CTF organizers provide solutions after the event, so you can follow their approach and learn as you go.
Participating in these events makes you a better analyst and a better defender of your own network. I have learned a ton just by taking time to try some of the CTFs at various conferences. I know my skills are not where they need to be, but they are way stronger because of my participation.
As I mentioned before, training is the development of skills necessary to perform a task proficiently. Conferences often make training opportunities available to participants. Many times, trainings are conducted in the days before the main conference event. In the case of DEF CON, BSides Las Vegas, and other events, there are trainings you can attend that are completely free of charge. All you must do is get your reservation in before the seats are gone.
These trainings are quite detailed and usually given by experts who normally give these types of trainings only during expensive classes. Some of the better InfoSec conferences offer training that is very affordable as compared to the mainstream training available in the marketplace. These affordable options can boost your skills and in many cases help move you closer to industry standard certifications.
Yes, we are talking about the dreaded expo floor here. Fear not! You are on a mission to learn, and most vendors who exhibit at conferences are there to educate. Your job is to find out which ones those are.
Over the years, I have learned to be up-front with exhibitors by avoiding the badge scanning game whenever possible and working to learn what their product or service does while filtering that through a lens that determines how their offerings might apply to my company or benefit others. You will be surprised how much you can learn by having the right discussions with vendor reps.
The knowledge you gather may not seem relevant, but trust me, many times I have come across a need within my company, and because I took a few moments to learn about key vendor offerings, I can recommend (or not recommend) products and services that solve immediate problems. There is always something to learn, and vendors will educate you for free.
Socializing / Collaborative Insight
There is no denying that conference attendees know how to party. Almost every conference I have attended has one or more parties. Some of the larger conferences have a significant social agenda. Even the parties have a purpose. Aside from enjoying your favorite adult beverage and some tasty food, these social events give you the opportunity to get to know attendees on a more personal level. Just remember to temper your indulgences and stay in control as you are representing your employer.
What you learn and the relationships you build at these social functions is amazing. You will build relationships that will impact you the rest of your life. You never know what you will encounter or who you will meet. I have had the pleasure of meeting the CSO of a major bank, the CISO of a major department store, and the CSO of a well-known pizza chain just by attending a few social events and taking the time to meet those around me. Another friend who I met came to me to collaborate before publishing a very important article.
These events are also great places for introducing people that you know but don’t necessarily know each other. You never know what those introductions might lead to.
Continuing Professional Education
Most of the major organizations that offer certifications related to InfoSec require that you complete a certain number of continuing education credits to maintain your status. These organizations also understand the value of conference attendance and have contingencies in place that give you hour-for-hour credit for time spent attending relevant conferences. For example, (ISC)2 requires 40 CPEs per year to maintain a CISSP certification. Failure to keep up with your CPEs results in having to sit for the exam again.
I can earn almost all my CPEs for a year simply by attending a couple of conferences. If I submit a talk, I get even more CPEs. I would much rather spend time at a conference as opposed to studying for a difficult exam.
Almost all conferences provide an avenue for InfoSec professionals to submit papers or talks for consideration. This is typically known as a Call for Papers (CFP). CFPs usually open six months or so before the conference date, but the timing varies between conferences. Some conferences are very competitive while others are a bit less strict.
Typically, the only requirements are that you have a topic that is relevant to the community and that you follow the submission instructions for the conference CFP. One big thing to keep in mind – DO NOT submit a vendor-centric talk that hawks your company’s wares. This will get you rejected immediately, and word spreads quickly in this community. That said, sharing your expertise through a talk is a great way to showcase your company. Getting accepted will likely result in your superiors approving the trip.
So now you have some food for thought. Take some time to digest and creatively formulate your own talking points for discussion with your colleagues. Focus on value, not cost. Help everyone realize that conference attendance is a win-win for everyone!
About the Author: Jim Nitterauer, CISSP is currently a Senior Security Specialist at AppRiver, LLC. His team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global SPAM & Virus filtering infrastructure as well as all internal applications and helps manage security operations for the entire company. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 20 years.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.