Of the hundreds of security conferences, large and small, the vast majority are interchangeable in terms of content, speaker profiles, and outside events. However, some up-and-coming conferences are working to reduce what's become an "army of noise," providing better opportunities for attendees and novice presenters. In order to best do this, they need to consider the types of attendees that most conferences attract, which generally includes three types of personas:
- Speakers and teachers
- Sponsors and business builders
- (Well, and boondogglers, but this post isn't for them)
You can read claims about the "rapid growth of today's threat landscape" in every security conference press release. And while that phrase is overused in our industry, there is truth to it, and that growth has also spurred the creation of more security conferences. But how do any of the personas above know which, if any, are right for them?
Analyze the strength of the content.
Don't consider the size of the show, or the names of the speakers, or even the giant marquees of sponsors. As a marketer, I can say with 100 percent authority that the ones with the larger bling and pizzazz are not always the most effective for any of the above (well, except for the boondogglers, but I digress). And we all know how it easy it is to self-market and create a name for oneself in this industry.
But will you learn what is going to be education or career or goal-changing (and how can you demonstrate that to your manager)? Will there be a diverse audience that is truly going to listen to what you say, and be better for it? Finally, especially as startups grow their brands, community affinity is as important as lead generation, so is the audience and the theme of the conference aligned with your mission and will you learn as well as grow your business?'
Content is Conference King
The "right" content is the highest quality, most interesting and useful information, for the audience/attendees in question. But although "right" means "highest quality possible" wherever you go, what is most interesting and useful also varies by purpose of an event.
O'Reilly Security Conference is a good example of a young conference that is addressing the tough challenge of showcasing lesser-known talent while keeping larger names who draw. It also has a focused theme of defense, with a focused mission of serving practitioners. O'Reilly has also accomplished some conference firsts, including the debut of the interactive, multimedia hacker art exhibit háček at last year's event.
Allison Miller, product manager, security and privacy at Google, as well as program chair for O'Reilly Security Conference, has been on the board of many other conferences, and is a frequent speaker on both the business and technology side of security. She shared with me some of the observations the O'Reilly program committee has made, and how they work to strike an innovative new balance.
"Primarily, I see in the industry larger events are going through a process of differentiation. This makes sense: the security industry has broadened and hosts multiple specializations; different events are looking to draw new or targeted audiences, you see this in how they design the program," Miller said. "This is one place where O'Reilly's done pretty well: the focus on defense has led to an event that where we are looking to highlight the contribution of builders and defenders in addition to the traditional breakers, and the focus on 'what works' has led to drawing in practitioners, not just researchers."
Differentiating as a conference and differentiating on content are not easy tasks. If you recall, when Security BSides launched years ago, it was to give an opportunity for those lesser known with amazing topics to speak, versus being subjected to rejection from larger conferences who were looking for the marquee draw.
Chris Eng, vice president of research at Veracode, founding member of now SOURCE Conferences, and advisor to many other events, agrees that more national-level conferences should consider a dedicated track for new speakers. He says that Black Hat has done a better job in the last couple of years, but not at the expense of high profile speakers: "They just add more tracks." He does specifically name BSides Las Vegas as providing a good track for lesser known speakers to engage with the community and share their research.
"BSidesLV started this in 2012 with its "Proving Ground" track, and it's a fantastic idea that not only encourages newcomers but also provides a support structure by pairing them with an experienced speaker who will help them develop their content and mentor them through the process," Eng said. "I've been a mentor every year since they started the program, and it's not only personally rewarding but an excellent way to introduce some fresh faces."
According to Miller, O'Reilly conducted "blind reviews" as an experiment, which worked out very well for its inaugural event.
"We wanted to amplify promising new voices, and blind reviews was a great way to keep the focus on the ideas and quality of the proposal, rather than get distracted by the name or affiliation on the submission," she said.
However, this can only be done well with a strong program committee with varying skillsets, experiences, and philosophies around security. And that committee also needs to be committed to reducing the noise and increasing the value for its attendees.
"Reviewers tend to have richer feedback and more confidence reviewing proposals in their domain," Miller continued. "If you want a broad program, you need a committee that can dependably identify talent and interesting ideas across a wide spectrum of topics."
Although I don't love to throw my own people under the bus, marketers who largely own the conference sponsor dollars do not always make it easy for conferences of any size or cadence to maintain editorial control when, in the end, many of the national conferences also need to generate revenue, and at the very least be able to pay for their space, meals, lighting, insurance, speaker stipends, and even some travel.
"Every review committee that I've been on has been strictly "editorial" and thus not involved in the marketing machine," Miller said. "That said, even from a purely editorial perspective, I also want events I'm working on to appeal to a large audience: so speakers, practitioners, and attendees all get as much as possible from the event.
"In that respect editorial and marketing are aligned: we want the agenda to be interesting enough that it's worth the time and attention for decision makers and leaders, as well as earning tech cred from seasoned professionals, and drawing interest from newcomers."
Eng believes conferences should take it a step further and be willing to say no to the marketing team of a sponsor if they aren't aligned with the goals of a conference.
"This is an easy thing for me to say as somebody who doesn't have to balance the conference budget, but the more you give sponsors the ability to control or influence your program, the more you'll find it dilutive to your identity over the long term," he said.
Eng believes that there is a solid challenge to the premise that bigger names guarantee more lead generation.
"Put together a strong program year over year, and you'll fill the seats."
Unfortunately, according to Eng, some of the larger conferences will override their program committees to accept certain speakers employed by a major sponsor, even if the committee didn't feel the talk was strong enough on its own merits. He said this is something he's experienced personally, as well as heard from others on review boards.
Miller's main concern about some of the perceived imbalance around security conferences is that some tactics may scare away up-and-coming speakers who have a lot to say, and need the experience to build gravitas to eventually get to a bigger stage, and more importantly, do more in their day jobs to empower practitioners of defense.
As a matter of fact, that was recently a hot-button issue in the security community on social media after a member of the Black Hat U.S. review board suggested that submitters really think about if their submission is "blackhat quality" [stet]. This drew strong community reaction, however Katie Moussouris, founder and CTO of Luta Security said it best:
"If the question is: should I submit a proposal for a talk to event X? The answer is always yes," Miller said. "Don't psych yourself out."
In terms of choosing what to attend or submit to, Eng says he gives his team at Veracode a lot of leeway, since everyone is interested in different topics. His only rule is to consider the value.
"What I aim for, more broadly, is balance," he said. "By engaging with a diverse set of practitioners from different worlds, so to speak, it makes us well-rounded as a team."
Eng also suggests asking the conference organizers how they plan to increase diversity, and whether it is even important to them.
"The biggest for me, is not just the fact that we see the same speakers over and over, but on top of that, many of them aren't even practitioners," Eng said. "You have some people who speak very eloquently and invent clever sound bites, but haven't actually done the thing they're talking about in years (or ever!). It's fine to have a grand vision, but it's frustrating to listen to somebody who's disconnected from the real work being done."
In the end, both Miller and Eng agree that the hardest challenge of any conference, in terms of attracting both speakers and learners, is creating an identity. After creating that identity, the next hardest thing is determining the submissions that provide the most value, especially when many people submit the same topics.
"This is the one area you introduce a lot of uncertainty with a completely blind review process - you reduce bias (good!), but you also have no idea how capable or qualified the speaker is (scary!)," Eng said. "But that's a risk you have to take if one of your goals is to find great new speakers.
"We were all first-time speakers once."