On Skipping Security Cons

On Twitter last month, friend and fellow infosec professional Marcus Carey suggested industry peers place too much importance on conferences:

One can take the tweet several ways.

Mood music:
https://youtu.be/gWWWBvxEXZM

Some might say he’s criticizing conference organizers for roping in people who spend all their time speaking at and attending conferences and too little time in their organizations working on the daily challenges the bad guys throw in front of us.

Others might say he’s picking on people who attend a lot of conferences simply to be seen. I don’t think he is, especially since every time I’ve seen him in person, it’s been at a security conference. The conferences I attend have a lot of repeat speakers who I’ll never get tired of listening to, such as security pioneer Dan Geer. (Watch him speak at Black Hat 2014.) Other famous speakers have done a lot of important work over time but have become less relevant lately. I won’t name names here, but yeah, I’m tired of seeing them as keynoters.

The debate over security conferences will go on into infinity. Carey’s soul searching sparked something within me, though, and it’s unlikely it has much to do with his intent.

I love security conferences. I love traveling around the world to attend them. I’ve made countless connections that have taught me many lessons in how this industry ticks. It wouldn’t be a stretch to say my conference attendance led to my current job.

But I have to admit that as the years have gone on, I’ve become almost obsessive about getting to conferences. To skip them is to be invisible and irrelevant. To stay away is to no longer be respected.
That’s how my mind presents it, anyway.

In an earlier post I called it the security rock star mentality — the notion that you had to be seen to be relevant and that by getting around a lot, I thought I was somehow better than I really was.
Early on, as a journalist, I had to attend as many conferences as possible to generate content and feed the needs of a daily news machine. In my current role, the mission is more about promoting what my company does and collecting research I can bring back to base for future use.

My current job also involves less frequent travel. Some of that is because I can easily communicate face-to-face with colleagues around the world through Skype and other video-conferencing programs.
But I’m also traveling less because there’s a lot going on in my family right now. My kids have a lot of activities I want to be there for. My father has been in hospice and I’m trying to get in all the time with him as I can. And so it goes.

I’ve noticed something since grounding myself, however: My absence at security conferences hasn’t hurt my career or workmanship. Not one bit.

The people I like to see at conferences are all available to me on Twitter, Facebook, and increasingly on Skype. Most talks are recorded and end up on YouTube within hours of being delivered. And most importantly, less travel has meant more time immersed in my company’s research. I’m working with some of the best researchers in the industry, learning more from them than I’d learn from a hundred conference keynotes.

I’m not retreating from the conference scene forever. I still get too much value from events like DEF CON, Black Hat, RSA, ShmooCon and BSides to completely stay away. I expect to travel more frequently next year.

In the meantime, I’m staying home, being around more for my family and constantly working to improve my craft.

RSA 2015 Crowd Shot

The Women at RSA Conference 2015

Renowned writer Violet Blue recently noted that the speaking agenda at RSA Conference 2015 includes only five women and only one of which is a security practitioner:

At least one person on Twitter felt it was an unfair observation; that there’s nothing wrong with women going to conferences to talk about their kids.

It’s a noteworthy post. I, too, would like to see more women speaking at conferences like RSA. Five out of 25 is a small ratio. I don’t say this as a fan of quotas, but as someone who has learned a lot from the female perspective in my lifetime.

While Blue doesn’t say so specifically, my impression is that she was lamenting the lack of female security practitioners, that women on the bill should be there to talk security, not kids. If I read her right, it’s a fair point. It is a security conference, and those of us who will attend want to hear about that subject.

Having said that, I’m not against people straying from the subject, either. Many life lessons can be applied to how we approach our profession. I’ve gotten a lot of good security lessons through the trial and error of parenting, such as managing the desire to share pics and funny things kids say against the need to protect their privacy. If the women on the agenda talk about children in a way that’ll give us something to think about as security practitioners, so much the better.

My thinking on this topic has certainly evolved. In 2013, I wrote that folks speaking at a security conference should keep their talks to security:

The organizers never should have put her on the agenda in the first place. I have no issues with Violet Blue and her chosen topics. But this talk was billed as the stuff of “party conversation fodder.” I’m all for having fun, but I’m also a purist in that I believe a security event should have an agenda that stays on topic.

If Blue is indeed suggesting the few women on the agenda are an ill fit for a security conference, perhaps her thinking has evolved, too.

Update:

Violet Blue clarified her position in this post. She wrote:

My concern is that by taking a handful of women respected in their fields and by placing them in the male arena of infosec and having them as a majority speak only about issues and topics seen as specific to their gender – i.e. concern for families and babies – furthers the destructive infantilization of the perception of women’s roles in infosec. It is this infantilization that I see as most destructive to the facilitation of women owning a deserved lion’s share of equality in infosec. I feel that if the majority of women in positions of power in a speaking capacity at RSA were seen as speaking about interests of interest to infosec as a whole, rather than pertaining particularly what is seen as an interest to their gender, we’d have more of the progress we’d like to see.

 

RSA Conference USA 2015

That Restless Feeling When You’re Waiting to Travel

This time next week I’ll be traveling to Las Vegas for three security conferences, and I’m finding myself in a restless state of mind. It’s that point where the planning and logistics have been worked out, and I’m itching to just get on with the mission at hand.

It’s a mindset that conflicts with the “one day at a time” system of living I’ve worked hard to adopt in recent years.

Mood music:

http://youtu.be/Skq1llOdeQs

I do “one day at a time” a lot better than I used to. But as a human being, I’m occasionally going to slip and become unanchored. I know a lot of people who get this way right before an important business trip.

In my case it’s not a fear thing; I’m looking forward to it. The challenge is in remembering where I am and what I’m supposed to be doing until travel day arrives.

True, as conferences go in my industry, this Vegas trilogy is big. There are a lot of people to reach and a lot of writing and networking to be done. A lot of energy goes into doing it well. For now, that energy is bottled up, waiting for the appointed time. That ratchets up the feeling of restlessness.

But there’s a lot of life going on between now and when I fly — things I also look forward to.

It’s up to me to keep the restless energy in its proper place and focus on the here and now.

I’ll let y’all know how that goes.

tornado funnel

Black Hat, BSidesLV, DEF CON Anxiety Leads to Stress Dreams

I typically don’t remember my dreams, but Tuesday night I had a doozy of a stress dream. You could say my brain was smacking me for making light of other people’s anxieties in the run up to Black Hat, DEF CON and BSidesLV.

Every year at this time I start to hear people worrying aloud about their Vegas schedules, which is understandable. I used to create detailed schedules but threw out the script a few years ago when my fear of the unexpected diminished.

But Tuesday night’s dream proves that I still get as anxious as other people on occasion.

Mood music:

In the dream, I wake up in the middle of a food court in Vegas. I’m apparently in Vegas for just a day, and I realize I’ve slept through most of the one day I was scheduled to be there. It’s 7:28 p.m., and I realize I’ve missed all of that day’s conference proceedings. To make matters worse, I have to pack my things and change hotels before I can salvage any networking I can squeeze out of the trip. I walk two miles in the desert with all my luggage to the next taxi line. Somewhere in there, I check my voicemail and find a message from my father asking me to call him.

Then I wake up, relieved and pissed off at the same time.

There’s something about RSA and Black Hat/BSidesLV/DEF CON that bring this out of me in the two weeks leading up to showtime. They are indeed monster events for our industry — places to be seen, contribute content, pitch your company’s message and catch up with friends and far-flung colleagues. To miss it seems like a fail to a lot of people think as the moment closes in. It’s an irrational fear, but it’s there nonetheless.

I’m framing this by the industry I work in, but this anxiety isn’t strictly a security community issue. It’s something people in all walks of life deal with.

Such anxiety used to be much worse. I used to panic months in advance about the flights and whether the planes would stay in the air. I’d worry about how many stories I had to write to be considered successful at the event.

Now, it seems, my issue has narrowed to the obsession with simply getting from points A to B.

It’s progress, but I can’t help feeling stupid when I succumb to a pressure no one instigated but me.

sign: welcome to fabulous las vegas nevada