Perilous Tech

Risks at the Intersection of Technology and Humanity

So, you are attending a security conference. That’s great news. Every year, more and more people join the security community and explore the experience of attending a security conference. If you are new or relatively new to security conferences, getting the most out of your experience isn’t obvious. There are things people don’t tell you that you learn through trial and error. I hope to make this a bit less painful.

I’ve been attending and speaking at conferences for over twenty years. I’ve given my share of advice to new attendees, but it’s always been in person or as a couple of pointers to someone else’s social media posts. I wanted to share some insights since Black Hat USA and DEF CON are next week. As our community grows, new people begin to attend conferences and much of the advice they are given isn’t helpful. I hope to rectify that. If I can help even a few people make the most out of their experience and avoid some pitfalls, then this post served its purpose.

Bad Advice

Let’s start with bad advice. There’s no shortage of truly unhelpful advice that people seem to dish out as though they dispense ancient wisdom. You’ll hear things like pace yourself, drink water, and wear deodorant. It’s the type of condescending, childish response you get from people who pretend they have some secret knowledge and don’t want to share it with you. Yes, Las Vegas is in the desert. It’s also hot. Anyone with two brain cells to rub together can put as much together on their own.

Worst of all, we all know this isn’t the type of advice people seeking it want to hear. It’s like someone stepping up to the high dive for the first time and asking for advice, only to be confronted with someone telling them to make sure they bring a swimsuit. So, let’s all agree to stop doing this.

Understanding Security Conferences

I absolutely love security conferences, even though I may jokingly tell you I despise them. You see, I’m not the biggest people person in the world, but at a security conference talking shop with others, I feel like I’m in my element. I’m more likely to strike up a conversation with complete strangers and make new friends and acquaintances. This is why I want to encourage people to attend, interact, and engage. Now, we are starting to get to the heart of what security conferences are.

The first thing to understand is that security conferences are events or experiences if we are being dramatic. These events are only partly about the presentations delivered on stage. Thinking that security conferences are only about presentations is like thinking that county fairs are only about Ferris wheels. Conferences of all sizes typically have other activities, such as meetups, CTFs, vendors, contests, etc. This is what builds the experience of attending.

It surprises people to discover that presentations may not be the most valuable part of the conference. Given this perspective, you’ll want to maximize your conference experience. Hopefully, the rest of this post will assist with this goal.

Start Here

What do you hope to get out of your conference experience? What would a successful conference experience look like when you return from the conference? Think of this as your destination on your map. However, instead of planning a turn-by-turn route or creating a script you need to follow, you’ll want to think of it as throwing out some waypoints and figuring the route out later. You’ll also want to leave some options open, as well as the ability to capitalize on serendipity.

If the conference has an official app, use it to build a schedule. If you’d prefer to use another calendar with which to build a schedule, that’s fine too, but just have a way to track events and activities that interest you.

Sessions and Presentations

There will undoubtedly be sessions you won’t want to miss. Add these most important sessions to your schedule. Additionally, if you don’t have other conflicting activities, fill up the remaining conference hours with potential sessions that interest you. These will be your optional sessions. You aren’t locked into going to any of these, but at least you aren’t standing in the hallway trying to figure out what session you want to see or figuring out where it is while the sessions have already started.

Again, this is just a high-level plan and not some script you must follow, so fill the time slots. Okay, that’s it for the content and presentations. If you believe conferences are only about presentations, you can stop here. Wasn’t that easy? But if you really want to understand security conferences, keep reading.

The Security Community

It’s called the security community for a reason. The security community is among the weirdest, quirkiest, and most welcoming communities of any industry. Full stop. I can’t think of another community where you could walk up on a technical conversation between a person in a sports coat, a furry, and someone wearing a tinfoil hat and shirt that reads “birds aren’t real.” All three of them have a great conversation, respecting each other’s perspective. If you wrote this into a TV show, nobody would believe it.

The community aspect of our industry is arguably the most valuable asset you can cultivate. It can launch your career into a whole new trajectory, allow you to make new friends, and introduce you to new avenues you didn’t know were open to you. All of this is on full display at security conferences.

This community aspect is why you’ll want to maximize your participation in networking opportunities. These include meet-ups, gatherings, and events that are both official and unofficial.

Hallway Con

Hallway Con is the security community’s conference. It’s the con within a con. Hallway Con is the reference to all of the conversations that happen outside of the presentation area. It’s the meetups, networking, catching up with old friends, and discussions with strangers, experts, and peers.

Hallway Con is where the real information is shared. People disclose details they wouldn’t share on the stage or over a video conference. This less filtered sharing allows for a more accurate picture and perspective of realities on the ground. People will be more honest in their assessments and give candid responses.

A couple of notes about Hallway Con. The Hallway Con experience is impossible to virtualize. You will get information from a virtual conference, but you won’t get the experience. This is a face-to-face, in-person activity only. Despite attempts to recreate this experience, nobody has successfully done it yet. This means if you attend a virtual conference, you miss out on some of the most important value of the conference.

Hallway Con has a randomness aspect, and although you can’t purposefully plan it, you can enhance your odds of being successful. Here are a couple of tips.

  • Catch up with people you know

Are there people you want to talk to or catch up with? Reach out to them and see if you can catch up. You could meet in a common area or have lunch. Anything that might get a conversation started. These people will often introduce you to new people.

  • Scope out any interesting meetups

Meetups are specifically for this networking purpose. Maximize your opportunities by attending them. It’s good to remember that not all of these meetups are published on the conference schedule. Be on the lookout through various social media platforms as well as with conversations onsite. You can also ask about any meetups through your social media platforms and see what responses you get.

Add known meetups you’d like to attend to your schedule for tracking purposes.

  • Roam around a common area and sit with strangers

I like to roam around the common area to see if there are people I recognize. These common areas are collecting points. You probably won’t know many people if you are new to the community, but it can still be a good exercise. You can also sit with strangers. I often sit with strangers during conference lunches. It’s a good way to be forced to introduce yourself and spark conversations. You typically find that you have much more in common with these strangers than you thought.

  • Chat with presenters after their session concludes

Presenters are often also conference attendees. They don’t just deliver their talk and fly out the door. You can talk with them directly after their presentation to ask additional questions or get further clarification, but you can also see them roaming around common areas and having additional conversations. Remember, speakers will likely be more candid off-stage than on, so take advantage of this.

  • Be prepared to share

Security people absolutely LOVE to talk. So, don’t worry if you are talking to an expert and are only asking questions. However, strangers are more open to sharing with you if you share something with them. This doesn’t have to be in-depth technical information. It could be challenges you are having or things that aren’t working.

Plan Your Evenings

There will undoubtedly be after-hours activities. The bigger conferences have afterparties sponsored by organizations and vendors. Sometimes, you can just walk up and enter, but many of these events require pre-registration. This isn’t something to put off. Research these events and register ahead of time.

These are also opportunities to maximize your networking. You’ll be there with other attendees and speakers. No speaker has ever not enjoyed someone walking up and telling them they enjoyed their presentation. Use it as an opportunity to spark a conversation.

Events and Contests

Security conferences are also about entertainment. There are many reasons you may want to watch Hacker Jeopardy and not actually participate. However, if you want to participate in a contest, you’ll probably need some preparation. There may be pre-registration or qualifying rounds. This may also include other preparations like bringing your computer with tools installed. Do a little research to increase your success.

Remember

Every security conference is different. Just because you attended one and didn’t like it doesn’t mean you won’t like another one. Taking it all in your first year at a larger conference is also okay. Don’t be too hard on yourself. It can be difficult to know what you are in for your first time at a large event. Plan the things you can and learn from the things you can’t. There’s always next year.

Misconceptions Persist

Okay… I’m gonna rant.

It irks me to no end to hear sales and marketing people who have never attended these security events talk about them like they know something about them. You hear things like security leaders and CISOs don’t attend DEF CON, that there’s no value in having someone speak at conferences because it doesn’t directly lead to sales, that security conferences are just an excuse to party, and many other completely out-of-touch statements. These are nonsense perspectives from people who are out of touch with the very community they are supposed to serve. If you are one of these people reading this and think I’m talking about you, then I’m absolutely talking about you.

Throughout my entire career, I’ve tried to educate people about the security community and the value of interaction at conferences. I’ve had both successes and failures. Some salespeople only want to sell firewalls to customers who, in turn, could care less if they bought them from a chatbot. There’s no competing with that.

If you think I’m being harsh, you should see the original draft wording of this section. I’m feeling generous today, so this is me being nice 😊

Rant complete.

Finally

Above all, have fun and enjoy yourself. Don’t stress about trying to make everything you want to see. Oh, and your head hurting from the knowledge you gained and your vocal cords a little raspy from talking so much are symptoms you’re doing it right. Remember, it’s not about what you learn but how you modify and apply it to your own challenges. It’s how you take the information in new directions and make it your own. That’s what this is all about.

In my haste to publish this post, I’m sure I’ve missed things. I’ll leave that to others to fill in any obvious blanks. See you at a security conference soon!
