On Schneier, the RSA Conference’s Swan Song and the Rise Of the Non-Con…
Bruce Schneier has artfully committed electrons to decay in an article he recently "penned" for Wired in which he has once again trumpeted the impending death of Information Security as we know it and illustrating the changing why’s, how’s, when’s and who’s that define the security industry singularity that is sure to occur.
While I thoroughly enjoyed Bruce’s opinion on the matter and will address it in a follow-on post dedicated to the meme, the real gem that sparkled for me in this article was his use of how the behemoth RSA Security conference is actually a bellweather for the security industry:
Last week was the RSA Conference, easily the largest information
security conference in the world. More than 17,000 people descended on
San Francisco’s Moscone Center to hear some of the more than 250 talks,
attend I-didn’t-try-to-count parties, and try to evade over 350
exhibitors vying to sell them stuff.
Talk to the exhibitors, though, and the most common complaint is that the attendees aren’t buying.
It’s not the quality of the wares. The show floor is filled with
new security products, new technologies, and new ideas. Many of these
are products that will make the attendees’ companies more secure in all
sorts of different ways. The problem is that most of the people
attending the RSA Conference can’t understand what the products do or
why they should buy them. So they don’t.…
The RSA Conference won’t die, of course. Security is too important for
that. There will still be new technologies, new products and new
startups. But it will become inward-facing, slowly turning into an
industry conference. It’ll be security companies selling to the
companies who sell to corporate and home users — and will no longer be
a 17,000-person user conference.
What attracted me to the last paragraph and a rather profound point draped in subtlety that I think Bruce missed was reinforced by my recent experiences in Boston and Munich which framed RSA, which quite honestly I could almost care less about attending ever again…
Specifically, I recently attended and spoke at both SourceBoston (in Boston) and Troopers08 (in Munich, Germany.) These are boutique security conferences with attendee counts in approximately the 200 person range. They are intimate gatherings of a blended and balanced selection of security practitioners, academics, technologists, researchers and end-users who get together and communicate.
These events offer a glimpse into the future of what security conferences can and should provide: collaborative, open, educational, enlightening and fun events without the pretentiousness or edge of confabs trying too hard to be either too "professional" or "alternative" in their appear and nature.
Further, these events lack the marketing circle-jerk and vendor-centric detritus that Bruce alluded to. What you get is a fantastic balance of high-level as well as in-the-weeds presentations on all manner of things security: politics, culture, technology, futurism, hacking, etc. It’s an amazing balance with a refreshing change of pace. People go to all the presentations because they know they are going to learn something.
These sorts of events have really been springing to life for years, yet we’ve seen them morph and become abstracted from the reason we attended them in the first place. Some of them like BlackHat, DefCon, and ShmooCon have all "grown up" and lost that intimacy, becoming just another excuse to get together and socialize in one place with people you haven’t seen in a while.
Some like HITB, CanSecWest, and ToorCon might appear too gritty or technical to attract a balanced crowd and the expectations for presenters is the one-upmanship associated with an overly-sensationalized exploit or the next move in the fanboy-fanned flaming game of vendor 0day whack-a-mole. Others are simply shows that are small or regional in nature that folks just don’t know about but remain spectacular in their lineups.
My challenge to you is to discover these shows — these "Non-Cons" as I call them. They offer fantastic networking, collaborative and learning opportunities and you’ll be absolutely blown away with some of the big names presenting at them.
Don’t turn up your nose simply because of locale and use the excuse that you’re saving your budget for RSA or InfoSec. When is the last time you actually *learned* anything at those shows? It costs thousands to attend RSA. Many of the Non-Cons cost a measly couple of hundred dollars.
Take a close look at where your favorite InfoSec folks are presenting. If five of them happen to be converging on, say, Ohio <wink, wink> for 2-3 days at a security conference you’ve never heard of, it’s probably not because of the beaches…
/Hoff
These events offer a glimpse into the future of what security conferences can and should provide: collaborative, open, educational, enlightening and fun events without the pretentiousness or edge of confabs trying too hard to be either too "professional" or "alternative" in their appear and nature.
The majority of individuals in any given field will never attend 'boutique' events. Ever. That is what makes them 'boutique'.
Remember Comdex? Neither do I. Its dead which is of no surprise to anyone. I've never attended an RSA conference and never will. RSA is InfoSec's Comdex.
Bruce's point remains very valid.
This is nothing new, Hoff. These boutique conferences have appeared and disappeared with regularity for the entirety of my 14-year career, and I'm sure they will continue to operate in this manner.
I think the error is in believing that the RSA Conference is anything more than a large social gathering. I definitely disagree with the Bruce's assertion that RSA is a "bellweather" – it's simply an annual aggregation event where we can get lots of vendors to pay for lots of partying, and we hopefully get to see a bunch of people in meat space who've until that point been words or images on a screen (nice eye-liner, btw;).
This was my first RSA Conference, and I went in with the view that it was a social networking event (meat-space style), not some place I'd go for in-depth technical learning. I went hoping to meet a bunch of security people, get a few books signed, hear a few speakers who I might not otherwise get to hear (e.g. Malcolm Gladwell, Al Gore). And then any time I stumbled onto really amazing talks, like the ones given by Jeff Hawkins and Paul Kocher, I felt I'd hit the bonus round.
As for the vendor expo… well, nobody should be surprised by that experience… I was a bit annoyed by all the vendor "keynotes" and their pointlessness… but I used the time to go wander the expo floor and see if there really was anything new out there (I found a couple interesting things, too).
The RSA Conference will live on, in the same way that Interop and the big tech vendor and car shows live on, but nobody should attend these expecting to attend workshops that will reveal the world. That's where the SOURCE, SchmooCon, etc., mini-cons of the world fill the gap. Unfortunately the mini-cons have to be nearby, because they lack the name support to convince many employers to fund the trip…
RSA has been for security management types for years, but cons such as DefCon, ShmooCon, etc continue to have good technical content. Both serve a purpose. Both will continue as long as companies need to keep sending their CISSPs for CPEs.
As for vendors making sales from RSA, did they ever make sales from RSA's con?
Having attended all types of conferences in the past I have to say I find the smaller conferences better, more educational and better bang for your buck. Top of my wish list every year is COSAC, http://www.cosac.net. The fact that it is based in Ireland which means I don't have to face airline security is an added bonus
Brian
I think Bruce's personality leads him to overlook the value in the social and networking aspects of RSA. It was my first RSA conference and I was surprised by the number of people who attend just for the connections.
It was a good event for me personally and for my corporate overlords, too. I met and reconnected with people, saw a few good presentations and even learned a few things. The overlords did some business, made some connections, and got a pile of leads.
For the vendors, both RSA and InterOp are pretty much "mandatory" events, and pretty expensive. If a bunch of vendors decide to really do the math on cost per lead, closing ratios, etc. and start comparing that to other marketing venues there could be a problem for the big shows. I think vendor revolt over the cost is as real a threat to RSA as anything else, and if it happened the results could be catastrophic- we might have to buy our own drinks!