RSAC Week is upon us, and with it will come a flurry of social media postings emphasizing the lack of value behind the event. Common criticisms include: an overwhelming focus on marketing, a lack of compelling technical content, and overemphasis on glitz. One could describe the event as a gigantic information security ‘sugar rush’ with no real benefit.
First, a disclosure: I will facilitate a ‘Peer2Peer’ session at RSAC for the second year in a row (you can find info here if interested), so I have some link to the event. As this implies, I will be in attendance for most of the week.
That out of the way, I agree with some of the criticisms of RSAC – and similar complaints that are levied against other large events, such as increasing complaints around BlackHat as ‘the new RSA’. The exhibition halls and vendor-sponsored parties often seem to overshadow technical discussion and information dissemination which really reduces the value of these events. But critics must also recognize that bringing together so many people within the information security industry in one place provides truly unique and valuable opportunities to forge new connections and facilitate future knowledge sharing.
One of the primary reasons I like to attend conferences is people – even for an introvert who does a terrible job at initiating conversation such as myself. The people I meet and discuss topics with provide for potential insights and avenues of inquiry I never anticipated previously. When combined with good content and sensible Q&A, a ‘good’ conference can be an amazing event to really drive further work.
Critics will likely retort that RSAC (and increasingly BlackHat) defeat this ‘networking’ goal due to sheer size and the ‘dilution’ of attendee technical ability. The former is a legitimate complaint that I share, as the huge extent of these flagship events make individual connections very difficult. But the latter I believe to be unfounded and wrong-headed for multiple reasons.
First, size has some advantages in attracting and enabling people to attend. Small, exclusive events certainly facilitate information exchange but by their very nature exclude many from participating. Hence phenomena such as ShmooCon’s instant sell-outs. In the process, many individuals – especially newer or less experienced persons – are shut out of these venues or never have a chance to participate. This set of circumstances does us, as a community, little good in attempting to broaden our reach and help others along their path in information security. (I will return to this point from a different perspective later.)
Second, the ‘less technical’ audience is a blessing depending on your ultimate goal in attending. For those interested in disseminating information, a ‘less experienced’ audience is potentially your ideal audience: those who really need and want to hear what you have to say on a subject. For those interested in learning, an event that allows for an ‘all comers’ approach enables individuals from novices to experts to attend without fear of being out of place – or looking like an idiot.
Third, and pivoting somewhat from the ‘less technical’ complaint, concerns a perspective that RSAC is for ‘management’ – and BlackHat increasingly so as well. This may be a valid complaint if you really want to swap stories on assembly adventures and exploit development (in which case, you should just limit your calendar to events such as RECon and Infiltrate), but for most security practitioners I strongly believe the predominance of ‘non-technical’ decision-makers is an opportunity. This belief stems from the reality of security operations: organizations never exist solely to run a secure network (another entire blog post). Rather, organizations exist to provide some service, capability, or other benefit to their customers, users, or stakeholders. Information security may form a vital part of ensuring this mission is achieved, but never really stands as an ‘end in itself’. Thus the ability to communicate with (and potentially influence) those who have influence and control over operations as they apply within the broader organization presents an extremely valuable platform for security specialists to make their case. Yes, your potential audience might be composed of CISOs, ISSOs, line managers, and other non-technical types, but informing this group is a vital step toward ensuring the adoption of and buy-in toward best security practices.
So as not to come off as completely apologetic toward big events, one major criticism I have not mentioned thus far is cost – and this I feel is one of the main drawbacks of ‘big’ events such as RSAC and BlackHat. The cost of attendance plus the cost of lodging simply places these ‘big tent’ meetings out of reach for many of the organizations that need exposure to new and valuable concepts the most. For this reason, I really like to stress local, lower-cost events – from the plethora of BSides meetings to inexpensive gatherings that attract good talks, such as Infosec Southwest or especially Art Into Science. Investing in these events by submitting top-notch papers and talks ensures that messages reach the widest possible audiences, especially those that cannot afford ‘prestige’ events.