On Skipping Security Cons

On Twitter last month, friend and fellow infosec professional Marcus Carey suggested industry peers place too much importance on conferences:

One can take the tweet several ways.

Mood music:
https://youtu.be/gWWWBvxEXZM

Some might say he’s criticizing conference organizers for roping in people who spend all their time speaking at and attending conferences and too little time in their organizations working on the daily challenges the bad guys throw in front of us.

Others might say he’s picking on people who attend a lot of conferences simply to be seen. I don’t think he is, especially since every time I’ve seen him in person, it’s been at a security conference. The conferences I attend have a lot of repeat speakers who I’ll never get tired of listening to, such as security pioneer Dan Geer. (Watch him speak at Black Hat 2014.) Other famous speakers have done a lot of important work over time but have become less relevant lately. I won’t name names here, but yeah, I’m tired of seeing them as keynoters.

The debate over security conferences will go on into infinity. Carey’s soul searching sparked something within me, though, and it’s unlikely it has much to do with his intent.

I love security conferences. I love traveling around the world to attend them. I’ve made countless connections that have taught me many lessons in how this industry ticks. It wouldn’t be a stretch to say my conference attendance led to my current job.

But I have to admit that as the years have gone on, I’ve become almost obsessive about getting to conferences. To skip them is to be invisible and irrelevant. To stay away is to no longer be respected.
That’s how my mind presents it, anyway.

In an earlier post I called it the security rock star mentality — the notion that you had to be seen to be relevant and that by getting around a lot, I thought I was somehow better than I really was.
Early on, as a journalist, I had to attend as many conferences as possible to generate content and feed the needs of a daily news machine. In my current role, the mission is more about promoting what my company does and collecting research I can bring back to base for future use.

My current job also involves less frequent travel. Some of that is because I can easily communicate face-to-face with colleagues around the world through Skype and other video-conferencing programs.
But I’m also traveling less because there’s a lot going on in my family right now. My kids have a lot of activities I want to be there for. My father has been in hospice and I’m trying to get in all the time with him as I can. And so it goes.

I’ve noticed something since grounding myself, however: My absence at security conferences hasn’t hurt my career or workmanship. Not one bit.

The people I like to see at conferences are all available to me on Twitter, Facebook, and increasingly on Skype. Most talks are recorded and end up on YouTube within hours of being delivered. And most importantly, less travel has meant more time immersed in my company’s research. I’m working with some of the best researchers in the industry, learning more from them than I’d learn from a hundred conference keynotes.

I’m not retreating from the conference scene forever. I still get too much value from events like DEF CON, Black Hat, RSA, ShmooCon and BSides to completely stay away. I expect to travel more frequently next year.

In the meantime, I’m staying home, being around more for my family and constantly working to improve my craft.

RSA 2015 Crowd Shot

Drinking at Security Cons

A friend from the security community, Rob Fuller, has written a post about drinking at conferences. It’s an activity I engaged in with abandon until I decided to quit drinking on New Year’s Day 2010. His post reminds me of what the transition to sobriety was like in conference settings.

I drank my way through the first few RSA conferences to cope with nerves. You could drink all you want for free at the vendor parties, so it was an easy crutch to grab for. At RSA 2010, I was in hell. I stayed sober but didn’t know quite how to behave or deal with people who were drunk. I looked back at my posts from that week, and found this snapshot of what I was feeling:

So here I am in San Francisco for the RSA conference and Security B-Sides events. I’m at a lot of events that involve drinking and instead of wine I’m sucking down club sodas and Red Bull. And, truth be told, I still have trouble feeling at ease in the crowd without the wine buzzing beneath the skin of my forehead.

Fortunately,  each subsequent event got easier for me, and now I’m at ease in a crowd full of drinkers. I also realized from the beginning of sobriety that there is a support system. People have held AA meetings during RSA and ShmooCon. And when you let it known you are no longer drinking, there are people who look out for you. Getting that support from the outset definitely helped cement my affection for the security community.

I’ve been asked more than once if I ever get pressure to drink at these events.

Never.

In his post, Rob wrote that he believes there’s too much drinking going on and wants his peers to throttle back.

It’s certainly not an issue that’s unique to the security community. I know people from other industries who tell similar tales of drinking and debauchery at conferences they attend.

Do conference attendees drink too much? Do they need to get better control of themselves? I think it really depends on the individual. Most people handle their liquor just fine. I wish I had that ability. It really comes down to whether the individual feels they have it together.

If you feel like conferences are nothing but a blur of hangovers and you don’t like it anymore, you probably need to consider a modified lifestyle.

Of course, someone with a drinking problem can think they have it together but be a total wreck. If conferences are nothing but a drunken blur, whether you like it or not, you should sober up.

I’m just grateful I found a way through my own challenges.

men toasting each other

How To Avoid Becoming #RSAC Roadkill

Last year was a first: I had a stay-at-home vacation a week before flying out to a big conference. We took the kids to the Museum of Fine Arts in Boston and did a lot of relaxing. It worked so well I’m doing it again.

Mood music:

The kids are on their February school vacation, which was my main reason for choosing this week. That it fell the week before RSA — one of the biggest security conferences of the year — was pure luck. That it’s happening two years in a row is even luckier.

I always run myself ragged the week before a conference. A couple years ago it caught up with me. This time I have a chance to soak up some quality family time and rest my brain before getting on the plane.

That should allow me to be at the top of my game in San Francisco next week. It certainly did the trick last year.

Conferences have always brought out the the good and bad sides of my OCD. On a professional level it gives me the extra push to write more, network more, stay awake later for said networking, and get up and at ’em early. It also takes over the parts of my brain that manage my pacing and ability to stop and breath.

Not helping is that usually, the week before, I work in overdrive mode to get as much business out of the way as possible. In doing that, I’m already half burned before my plane takes off.

I won’t always get to vacation right before RSA like this. So I’ll be making the most of this week.

I’m especially going to need it this year, because a couple hours after the plane lands Sunday, I’ll be darting back and forth between BSidesSF, the hotel, the Moscone Center registration area and quite a few evening events.