Are Security Conferences Worthwhile?

I recently attended the RSA 2009 Conference in San Francisco. Upon arriving back at work, one of the first tasks assigned (besides catching up) was to write a summary of the conference and what I learned as it applied to the company. Well, to say the least, this can be a daunting task. You can learn lots of interesting things at a major conference like RSA, but will much of it apply to your real-world everyday job? With this in mind, I began to wonder, "is there value in security conferences for companies?" And this, of course, has sent me down a rabbit hole.

Before I launch into a boring analysis or commentary, let me first preface all of this by saying, Yes: you and/or your team should absolutely go to conferences and training programs. Get out of the office, meet other people, see what else is going on in the world. This is a philosophy that my original home school for Gracie Jiu-Jitsu subscribes to, and it's one that I would hope everyone would appreciate. In technology—and particularly in information security—you cannot live in a vacuum. You absolutely, positively must get out and see new things, new people, new ideas, new places, new techniques, etc. We don't all tackle problems in the same way, and that means that there are some really cool new ideas waiting for you out there, if only you'll go look for them.

Hopping down from my soapbox, then, let's look at how you can make attending a security conference worthwhile. In my mind, there are three keys to having a good conference, while demonstrating value to your employer (who's hopefully footing the bill). First, you need to go into the conference with a plan that includes learning objectives. Second, whether you're comfortable doing it or not, you need to get out and be sociable with vendors on the expo floor. Third, whether you're comfortable doing it or not, you need to get out and be sociable with your colleagues. Allow me to go into a bit more detail...

Plan + Learning Objectives

Any learning opportunity will be valuable only to the degree of effort you put into it. If you walk into a learning opportunity blindly, with no direction, and with no real inclination or interests, then you're quite likely to walk away disappointed. On the other hand, if you enter with at least a moderate degree of curiosity—at least in specific topical areas related to the conference—then you greatly increase the value of your experience.

The "make a plan" concept really applies more to large, multi-track conferences than small, single-track conferences. Showing up for SOURCE in Boston will be a completely different experience from attending RSA or CSI, where there are a wide variety of topics and tracks. So, in the case of these large conferences, find out ahead of time what's being offered and develop a plan. Since your employer will be looking to you to incorporate the conference value proposition into the company, make sure your plan looks at what is important to your job, even beyond your basic interests (hopefully these align, but you never know). This is where learning objectives really come into play, because you can then go to a conference seeking specific knowledge or information. Hopefully, you'll walk away having found some of it.

Socialize with Vendors

Yes, yes, I know. If you talk to a vendor, they'll probably get your contact info, and then they'll call you all the time...over and over and over again... whether you want them to or not. Don't panic. Talking to vendors is a good way to find out what they have to offer—and, more importantly, what's coming down the pipe. Especially for security management, it's definitely worth your time to particularly seek out the younger, hungrier startup-ish vendors in order to learn what is being seen as emerging trends. These companies frequently have millions of dollars invested in research, so you might as well make use of their work.

Now, if you're not a big talker, don't worry. Here are a couple tips from, well, a big talker:

  • Don't feel obligated to give information away.
  • Get the sales flack talking and maintain eye contact to prove you're listening.
  • Resist the demo unless you're actually interested. If you're interested, ask for a demo!
  • If you're more technical, don't be afraid to ask to talk to the techie. (If you're not a techie, flee! ;)
  • Try to toss out leading questions to help the sales flack along.

As with most things, you'll get out what you put in—and sometimes even more. At big conferences, many vendors have parties at night, and so giving the vendors time during the day can help get you into the thick of things. Which brings me to my third point...

Socialize with Colleagues

As smart as you are, there are people who know things you don't. Hopefully they're friendly! One of the best ways to find out is to go hang out with them. Hey, it's a conference. You're probably on the road, so what's the big deal? Even if you are introverted and scared to death of crowds, you can meet some amazing people (I met Dan Farmer at RSA this year—he's a huge reason I got into infosec!) and even learn a few things along the way.

Don't believe me? That's fine, but consider this: at last year's RSA conference I didn't know many people, and was known by even fewer. This year, having hung out with folks last year and then interacted with them over the course of the year via my blog and Twitter, I was now much better prepared to find folks, talk to them, and so on. What did this get me? Well, for starters, I found out about MiniMetriCon 3.5, which was held the Monday before RSA started. By attending that event I got to hear some excellent presentations on security metrics, including one by Jeremiah Grossman of WhiteHat Security and one by Wade Baker of Verizon Business. Both presenters went through real-life data that was not only sobering, but also informative and educational (e.g. PCI is apparently not a complete waste of time and money, despite how it feels).

If you get out and meet people and swap stories, you will quickly find that you're not the only person fighting the good fight, but that you in fact have commiserators in the grand scheme of things. It feels good knowing that I'm not the only one dealing with various issues—and hopefully you'll get to enjoy that sense of camaraderie, too.

Bonus: What Not to Say When You Return

Several times I've returned from a conference and been asked minutes after walking into the office "hey, how was it?" to which I've stupidly said "eh, it was ok, nothing great." D'OH! The last thing your boss wants to hear is that s/he just wasted a few thousand dollars to send you to a conference that wasn't worthwhile.

So, take a tip: Before you get back to work, start developing a storyline about how the conference was good and useful and educational. Pull out those learning objectives and develop talking points about how it met the company's needs. Pull out your notes from talking with vendors to demonstrate that there might be technology solutions for given problems. Put a positive spin on the conference as much as possible, and—assuming you actually want to go to another conference—make sure to make it sound like it was worthwhile.

Good luck and enjoy your next security conference!
