On the Value of Security Conferences

Thursday, April 19, 2012

Rafal Los


Something to think about... had an interesting topic come up at the OWASP AppSec APAC in Sydney recently about the value of security conferences.  

Now, I enjoy the talks, the comradery, and the community around security conferences as much as the next guy but I'm starting to believe that maybe we're doing it wrong.

I can't remember who on the panel brought it up, but the question was of the actual value of a pure security conference, like OWASP for example, to the broader business community.  

While the value to ourselves isn't difficult to spot for all the reasons I've already mentioned, perhaps what's interesting is the question of business value.  

Management sends employees to 'security conferences' to learn something and bring it back to the organization.  This is all well and good - but what value do the ever-increasing number of security conferences provide as stand-alone events?

The proposal, which I personally believe is a fantastic one, is to start to decrease the focus we put on stand-alone security conferences and start to run these types of events alongside other conferences that would otherwise have nothing to do with security.  

So for example, if you're trying to spread the word of the OWASP software security community, perhaps there needs to be an OWASP track at a developer conference like JavaONE, or at a software quality conference like StarEAST or StarWEST or Quest Conference.

Think about that... here's the rub - developers, QA professionals, and business folks don't show up at security conferences... so they miss the message and we end up talking to ourselves a lot of the time.  

As more and more security people "get it", we need to do a better job of spreading the word out there to the world - right?  After all, isn't that why we're employed?

Just something to think about for those of you who attend or organize security conferences, and even more important to those that organize business-oriented conferences where security would never show up... why not have a 'security' track or leave room for security-related topics?

Something to think about as we try and raise the bar just a little bit...

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Security Training
Information Security
OWASP Enterprise Security Training ROI Information Security Infosec Professional Conferences Value
Post Rating I Like this!
Krypt3ia Raf, yes, this has been something I have been referring to as the "deadhead" effect. People just going from con to con and for what really?

I actually wrote about it last summer.

Meh. It's an insular crowd we travel in so what is the real value other than to perhaps sell a service or to promote one?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.