The Value of "Security Conferences"

Something to think about ... had an interesting topic come up at the OWASP AppSec APAC here in Sydney this last week about the value of security conferences.  Now, I enjoy the talks, the comradery, and the community around security conferences as much as the next guy but I'm starting to believe that maybe we're doing it wrong.

 

I can't remember who on the panel brought it up, but the question was of the actual value of a pure security conference, like OWASP for example, to the broader business community.  While the value to ourselves isn't difficult to spot for all the reasons I've already mentioned, perhaps what's interesting is the question of business value.  Management sends employees to 'security conferences' to learn something and bring it back to the organization.  This is all well and good - but what value do the ever-increasing number of security conferences provide as stand-alone events?

 

The proposal, which I personally believe is a fantastic one, is to start to decrease the focus we put on stand-alone security conferences and start to run these types of events alongside other conferences that would otherwise have nothing to do with security.  So for example, if you're trying to spread the word of the OWASP software security community, perhaps there needs to be an OWASP track at a developer conference like JavaONE, or at a software quality conference like StarEAST or StarWEST or Quest Conference.

 

Think about that ... here's the rub - developers, QA professionals, and business folks don't show up at security conferences ... so they miss the message and we end up talking to ourselves a lot of the time.  As more and more security people "get it", we need to do a better job of spreading the word out there to the world - right?  After all, isn't that why we're employed?

 

Just something to think about for those of you who attend or organize security conferences, and even more important to those that organize business-oriented conferences where security would never show up ... why not have a 'security' track or leave room for security-related topics?

 

Something to think about as we try and raise the bar just a little bit...

Comments
JGO(anon) | ‎04-16-2012 10:26 PM

I think this is a fabulous idea. Just from what I have been learning and observing in the Utility/SCADA communities, Security means different things to different groups. This doesn't mean they aren't concerned about it, but rather the approach may be different, and results in one area are not effective in another. On top of that, each group is an expert in their own field. What developers know as common knowledge, security professionals may not be as accustomed to, and vice versa. As a result we end up with Silos of information, an 'Us' and 'Them' mentality, hoarse throats from ranting (or bruised fingertips if blogging) and redundant results. Both sides end up frustrated or confused by the other and nothing is accomplished. In some cases, a mere difference in terminology can create obstacles. In others, the environments dictate different needs. I do believe that we all want (optimistically perhaps) to improve security, and a proactive approach is a step in the right direction.

Andrew Waite(anon) | ‎04-17-2012 05:28 AM

I've given a couple of security-focused presentations at local generalist IT/Business events. Each time the audience always seems interested and asks intelligent information, clearly 'getting' the message. But after several years with the same group, I'm not sure the general level of protections has been increased by my presentations/attendance.

 

I agree that a broader interaction from the infosec field in general life will be beneficial, but I'm not sure a security track at general conferences would improve matters. I'd expect non-technical management to ignore the track as either, "that's for the security guys" or "we're fine, the external pentest said so".

Pete Hillier(anon) | ‎04-17-2012 06:10 AM

Raf, I believe we've talked about this before, but I've mentored many security professionals over the years, and I've always advocated the value in actively participating in conferences. By actively, I mean presenting! With that, I've always promoted injecting oneself into conferences that are not security centric, writing for periodicals that will resonate with the masses, not just your peers. Who else in IT reads IT Security mags? Why are we continuing to preach to the proverbial choir! You can achieve much of the same self-branding ROI if you were delivering content to a non-security event.

Todd H Manom(anon) | ‎04-19-2012 10:37 PM


This is a good point and a great idea, particularly for the software end of security where getting the ears of developers and pulling these thoughts into development are central to the goal. Network security folks aren't quite as dependent on admins to work with side by side quite as much, but there'd still be value in, say, patch implementers or GPO wizards understanding vuln scan teams and internal pen testers better obviously. Breakers can learn much from builders and vice versa.

But you have to be careful -- just as developers and QA folks don't go to security conferences, are hardcore net or app breakers going to be attracted to a blended event or will that be too mainstream and lose its hax0r shine?   Will mohawks be available on the conference floor for a donation to EFF? 

Neira Jones(anon) | ‎04-22-2012 10:49 PM

Hi Raf,

 

Yes, it's a balanced act and we all have a role in it... See my post on the topic

http://neirajones.blogspot.co.uk/2012/04/who-are-your-preaching-to-anyway.html

 

Thanks for a great post as usual! :)

 

Neira

The opinions expressed above are the personal opinions of the authors, not of HP.