Blackhat. SchmooCon. Bsides(insert city name here). InfoSec. SANS. SOURCE. As in any industry, the security field is packed with conferences, training sessions, exclusive summits, and meetups. These gatherings represent fantastic opportunities to learn, share research, and network with peers — from rock stars to interns, SysAdmins to marketing VPs.
But not all cons (short for conferences) are created equal.
Although every event has upsides and downsides, there are very clear divides between the corporate atmosphere, big name speaker, and well-suited attendees involved in national scale shows like RSA, and the more informal, community-run regional events like the BSides series. Outside of these well-known cons, new regional events such as DerbyCon, 44Con, CircleCityCon, and more have popped up around the world in the last five years, signaling a need to do events differently.
Not everyone wants to attend a mega-show, just as some people cannot see the value in going to a smaller conference, or even a meetup. According to OpenDNS researcher Josh Pyorre, it all boils down to personal preferences. “As a security professional who is really passionate about this work, I prefer the smaller to mid-sized conferences because it’s possible to see others speak about their work and even hang out with them at lobbycon afterwards.”
When it comes to deciding which events to attend, three main categories should be considered: cost, content, and community:
One major challenge with attending shows like Blackhat USA and RSA is the cost. Full conference badges can run a company upwards of $2000 — if you’re an independent researcher or a small consulting firm cost can quickly become an issue. However, ticket prices to these events not only cover the cost of attending presentations, parties, and the expo hall, it also pays for access: badges can get you into certain areas of the venue or show floor that non-badge holders cannot enter.
On the other hand, medium-sized, regional conferences (such as DerbyCon) are much more reasonably priced, with tickets ranging from $100 – $400. Also, due to their locations in cities like Indianapolis, Chicago and even Detroit, these events carry less travel overhead, making them much more attractive to potential attendees who may be on a budget. One major exception to this rule is DEF CON — more explanation below.
Finally, there are smaller events like BSides, which are often free to attend (although occasionally require pre-registration). These represent the real grassroots segment of the industry, and are a great place to break into the field.
There’s a reason badges at Black Hat and RSA cost so much — they represent the biggest national stages for security, and therefore attract the most high-profile researchers and speakers. Vulnerabilities that impact vehicles, healthcare, and national security have all made their debut during these events, with plenty of press available to cover the disclosures.
However, regional cons don’t exactly disappoint when it comes to content, despite the lower cost of attendance. Agendas are only so big, and many researchers who just missed the cut at the major national shows will also apply to these events. Smaller cons are also a good place to find specific, esoteric presentations that, while important and interesting, don’t quite fit the bill for audiences at RSA or BlackHat.
This trend continues at community events, where speakers can cut their teeth in front of a friendly, knowledgeable audience. But even at BSides, speakers must get their presentation past a panel of organizers to make the schedule — guaranteeing an informative event featuring brand new voices in security.
Perhaps the most obvious differentiator at each event is the community. At major shows, there are tens of thousands of people from every aspect of a company: sales, marketing, executives, evangelists, and researchers. It can be overwhelming to schedule meetings, as everyone has their own agenda and objectives to accomplish. On the flip side, these shows are large enough to attract security folks from all over the world — meaning you may get to speak with someone you haven’t seen in years, or meet someone with a completely new viewpoint on the industry.
Smaller conferences may average a few hundred attendees, but they often inspire fanatical followings — for example, at DerbyCon, if you’re attending, speaking, or working, you’re part of the “family”. The regional locations also contribute to this close-knit feeling, as these events provide opportunities to develop relationships with peers close to home. The smaller size of these events makes networking easier — just pull up a chair in the lobby or bar of the con venue, and be open to conversation! BSides represents this idea in the most extreme example, as the entire event is built by the community, for the community.
The DEF CON Exception
DEF CON is a national conference that takes place alongside Black Hat and BSides Las Vegas, making up the third event of “Security Summer Camp”. But it serves as an interesting exception to the general characteristics of other long-running security cons, that have gradually become more reserved and conservative over time. While evolving into a respected national venue for research and breaking news, it has clung tightly to a counter-culture ethos, a hacker spirit of community that you’d be hard-pressed to find in the besuited halls of Black Hat.
The cost to attend DEF CON is $230, cash at the door, as it has always been. DEF CON delivers a fantastic event for a nominal fee, complete with all the hacking types hollywood promised: cyberpunk grrls, mohawked dudes, and combat boots aplenty. The conference sessions are quality too: many of the speakers at DEF CON also present at Black Hat. Of course, despite the great value, there is the inherent danger of getting hacked — but that’s what your phone’s airplane mode was made for!
There are as many events in the security world as there are types of security professionals — and there is, without a doubt, a event (or even several) that will fit your budget, training requirement, or desire to lobbycon. For a comprehensive list of events coming up, visit this website from Concise-Courses, and be on the lookout for OpenDNS researchers at your next con!