Conference Angst

I've been to my share of InfoSec conferences, and there seems to be a universal undercurrent of dissatisfaction regardless of the conference. There are the complaints that the speakers are chosen poorly, or that the content is inappropriate or unsatisfying, and the assertion that InfoSec conferences do nothing except perpetuate the echo chamber. The disconnect, in my opinion, is that conferences are rarely solution-based.

They all follow the same general format that has been followed for decades: multiple "tracks" with hour-long slots (occasionally a lightning talk track that enables shorter presentations), separate training offerings (normally pre-conference, or sometimes during the conference as a track), sometimes a vendor room, sometimes side-events or contests, and usually some form of after party during which vendors collect leads and partygoers make connections.

Attendees may leave a presentation better informed about a topic, but most presentations are unlikely to grant new skills to the audience. Training is, for the most part, a separate goal. Presentations are frequently one-way communiqués designed to generate thought or debate, or introduce a new tool or methodology. But it's rare, even at B-sides events, for presentations alone to achieve the type of engagement that results in solutions and deep collaboration.

The excuse to bring people into narrow physical proximity generates some of this synergy in the form of "hallway con." And many argue this is the real value of conferences: a 'safe' forum in which like-minded people can have informal discussions off the books that result in ideas, agreements, or collaboration that more broadly influence or improve things.

In response to the solutions disconnect, some have proposed "hack-a-thons" in which talented individuals come together for a set period of time and a specific goal to program solutions. But this approach is likely to alienate community members who don't code, and is more likely to hinder innovation across the lines between policy/process and tools manufacture/usage.

I would like to see "tracks" around workgroups and workshops instead of presentations: topics that are designed to bring like-minded people together to discuss and even generate solutions, or share skills. Put the PowerPoint in an isolated track of 15-30 minute presentations designed to quickly introduce questions or ideas designed to stir innovation. Does this exist? Is there any interest in making it exist?


John Kozlowski said...

Are you proposing structured learning by bringing a lab environment into these Cons? I think that's a great idea; however, my opinion doesn't matter because I am part of the bubble, an inexperienced nub trying to figure out where I fit in this community.

I think your idea is great; structured/shared learning experience is a wonderful teaching method, for those who enjoy learning that way. Something like this could start helping fill the gaps between Maker/Breaker. It would also promote teamwork; icebreaker for up n00bs.

I do see a downside though; most of the community is extremely advanced in their ways. Many refer to themselves as 'Gods' or 'Rockstars'. These individuals reference outrunning the bear; this causes isolated thinking, due to sharing a solution could turn it into a vulnerability.

Your idea would eventually eliminate the need for conferences though; you can stream your lecture and have everyone remote in to the classroom from their basements.

I enjoyed reading what you said, and would be willing to help out. So if you need an infosec n00b, who's going to ask lots of stupid questions, is loud, and outspoken, by all means keep me in the loop.

Heather said...

On the contrary, John. I think you are part of the reason this format change is needed. Practical applications are frequently more informative than theoretical learning or awareness-based presentations as far as the realities of doing what we do are concerned.

Many of these do have labs before the presentations - for example, Derbycon had great Metasploit education prior to the main event.

But, yes, I would like to see people get together with their laptops and start (or work on) a solution.

Even the "Gods" and "Rockstars" are collaborating. But, it's difficult to match skill levels. The good people in infosec don't let their egos get in the way of the right solution.

If you want to see educational stuff, I'd suggest checking out SecurityTube. I don't know if people really learn from a lecture. I think people become more aware, but it's not until things are put in practice that people actually learn.

I will definitely keep you in the loop. I consider your feedback about what is and is not useful to be valuable.

John said...

Thank you for a response, it's extremely meaningful.