Security conferences

30Apr09

Having dragged James into the debate about Pamela’s post, and having spent most of the week at a security conference, I thought I’d throw some of my own thoughts into the ring.

Let’s start with attendees, or ‘plankton’ as Pamela calls them, and the idea that attendees learn something by going to conferences. I think this is partially true – for people who are new to the field or to a given role; but it doesn’t actually apply to many attendees, as you quickly get the usual suspects showing up year after year. Some events have clearly now got to the stage where their only value to many attendees is meeting with the other usual suspects, and as Pamela points out you can do most of that without buying a ticket. I’m also less than convinced that there’s really much educational value in vendor presentations. Mileage varies (according to the quality of the event) between outright product pitches and ‘here’s one of our smartest people letting you know why we think this is a problem (that needs our solution)’, but it’s still SUV mpg that you get for your money. If you outsource your thinking to vendors, then don’t be surprised to get a bunch of dumb stuff for your money. This is why I’ve been leaning towards more academic conferences over the last few years. They have their own rough edges, but there’s no vendor spin, and you get a lot of new information for your money.

James asked me to report back on whether the shift from network security to application security was in evidence. I can’t give a completely straight answer to that, as I’ve spent all of my time this week meeting people and introducing them to my successor. I’m kind of glad that I wasn’t spending time looking for cool new stuff, as there doesn’t seem to be any. As for whether people are getting the need to move from the network to the application, that seems to depend on who you talk to. If this were politics then I’d say it was split along party lines; but it’s technology, so it’s split along vendor lines. If measured by floor space then I’d say that we’re mid-transition, as it was the host security guys that seemed to be trying the hardest (to differentiate commodity products by having larger and louder stands than the next guy).



4 Responses to “Security conferences”

  1. Hi Chris

    In my experience, security conferences vary wildly in their educational value. For applied learning, I favour eusecwest and then Black Hat (I hadn’t been in a long time and was pleasantly surprised by some of the talks just given at BH EU).

    There may be other solid conferences that I haven’t been to, but those keep on givin’.

    The more vendors present, the less likely the people I want to listen to will attend. I’m not anti-vendor (can be a lazy generalisation) but the larger the number, the lower the signal to noise ratio.

    Are you moving on or just changing roles?

    Enjoying your blog,

    Craig

  2. If you want to learn about security, I highly recommend attending local OWASP user groups. They are free, local and have a low signal to noise ratio…

  3. Steve

    Interesting question whether the focus is shifting from network to application security. My very biased slant on the answer is that it’s neither – the shift is that identity is becoming the fulcrum for enforcement decisions. Incorporating identity as a parameter allows for enforcement decisions to be made on the transactional context – which encompasses both application and network tiers. But when you consider the shift in criminal intent, from malice and disruption, to outright thievery, it would seem that application security should take higher priority. Cisco made an announcement about how they are using cloud computing’s economies of scale to improve the accuracy of IPS. I am not sure that really resolves the problem.

    As an analyst, I find the conversations and personal interactions useful at a general event like RSA. The sessions don’t provide much in the way of content.

  4. Ed

    Certainly I find that thanks to the internet and search a lot of what I tend to read comes from academic sources and I’m not the only one looking there either:
    http://zerodaydefense.blogspot.com/2009/04/why-hackers-love-academic-research.html

