Thousands of security professionals flock to cybersecurity conferences such as RSA Conference and Black Hat, but what is the value of conferences to CISOs? Are any cybersecurity conferences more valuable than others for hiring and security strategizing?
Cybersecurity conferences have become a lucrative business for the organizers, the venues and the vendors that seek face time they would not otherwise have with participants. Multi-track, multi-session conferences introduce new concepts and approaches, and can provide a refresher in a particular topic. They can also be a means to earn the continuing professional education credits required to maintain a certification. Conferences do not help security professionals develop proficiency in any particular topic, since the sessions are typically 50 to 90 minutes long. Even more technical seminars that include hands-on training for a certification do not replace actual on-the-job experience.
Thousands of people attend the RSA Conference, Black Hat, DEFCON and ISACA conferences. The majority of those who attend are professional cybersecurity practitioners, auditors, cybersecurity consultants, vendors and developers. But should the CISO attend or should she be satisfied with sending staff and focusing on those skills they deem necessary for their development?
CISOs are key targets for cybersecurity vendors. They will receive numerous calls and emails per day from vendors touting the best products and services in the market for their needs. Vendors will offer to pay for luncheons, free demos of their product, and even pay for a flight to their headquarters to try out their product and visit with key vendor staff and management. But, over time, the CISO will have most of her calls screened. Cybersecurity conferences are the perfect place for vendors to meet CISOs they would have otherwise had a difficult time meeting.
Most cybersecurity conferences will have CISO luncheons or special events for CISOs by invitation only. Free conference registration for CISOs is also likely. But are these of any value to the CISO? Of course they can and should be valuable. Cybersecurity conferences are a great opportunity for CISOs to become aware of new technologies and new cybersecurity protection and monitoring tools, and to network with other cybersecurity professionals and other CISOs.
CISOs need training just like anyone else. This training should not just cover how to be a better CISO, but should also include technical training to help better manage projects in the enterprise. However, the last thing a CISO wants is to get railroaded during vendor fairs by those whose calls she has purposely avoided -- which can be hundreds during a given month. The CISO can sometimes be a bit of a celebrity at these conferences. Vendors stumble over themselves to greet the CISO and grab whatever amount of time they can to introduce their product or service.
Another question is whether cybersecurity conferences are good venues to meet and identify potential candidates for hire. Unless the CISO happens to meet someone she likes, most cybersecurity conferences are geared toward providing education and vendor exhibits, not for hiring.
Regardless of the aim, CISOs should attend these conferences. They should go to keynote addresses, sessions of interest and the vendor fairs. CISOs can blend into the crowd of attendees if they do not want to be noticed, but they should attend the CISO luncheons to meet other CISOs and exchange business cards. Cybersecurity conferences are a good opportunity for CISOs to earn their continuing professional education credits. However, they should not feel obligated to have sponsoring vendors visit or have a proof of concept done unless there is a particular value.