Not every information security professional can make it to the Black Hat or RSA cybersecurity conferences. Fewer still look forward to the tribulations of travel, lodging and standing in long lines with tens of thousands of other infosec pros jammed into evermore bulging venues.
This year, as the corporate pitches flooded in to solicit meetings at the Black Hat conference in Las Vegas, SearchSecurity queried back with an informal poll, asking "Which cybersecurity conferences -- outside of RSA and Black Hat -- are worth going to?" Dozens of executives responded by email, sharing their favorite cybersecurity conferences held outside of Las Vegas and San Francisco.
"I go to RSA and Black Hat because I have to," said John Bambenek, threat research manager at Fidelis Cybersecurity. However, he added, "if I were using my travel budget, in terms of professional development [and] things that are interesting to me, those two would never be on my dance card."
"The trouble with Black Hat and RSA is that they have become so expensive to execute; especially from the vantage point of a startup," said Jason Thomas, marketing director at BluVector. "Smaller shows allow for the least amount of travel; a smaller, more engaging atmosphere; and a referral/camaraderie potential that is [a] harder experience [to get] at a larger show."
While no smaller conference has the overpowering attraction of the Black Hat or RSA cybersecurity conferences, there are smaller events aplenty to choose from. And while most are more modest in scope, many of them still draw national, and even global participation.
Jim Ivers, vice president of marketing for the Synopsys Software Integrity Group, told SearchSecurity, "Security conferences tend to cater to a specific audience. The marquee security events, like Black Hat and RSA, attract senior-level security delegates on the business side of security, whereas other grassroots events, like [Security] BSides, and educational events, like the ones hosted by SANS Institute and (ISC)2 [International Information Systems Security Certification Consortium] draw practitioners and security professionals in the trenches."
Troy Gill, manager of security research at AppRiver, said that choosing the most important cybersecurity conferences to attend "may hinge on the time of year and any recent security discoveries that most line up with the systems you are trying to secure."
According to Gill, "many of the larger conferences afford you the opportunity to make both professional contacts, as well as developing relationships with new vendors, while some of the smaller ones may give you a better chance to get some hands-on experience, if that is what you are after. If training is your top priority, then SANS Institute events would be hard to beat."
The best alternative cybersecurity conferences
DerbyCon was the number one choice of the experts SearchSecurity polled for an alternative to RSA and Black Hat, followed closely by Security BSides, ShmooCon and CanSecWest -- all of which were often mentioned together.
Held once a year in Louisville, Ky., DerbyCon, scheduled for Sept. 20-24, 2017, is heading into its seventh year -- but getting tickets can be difficult, as quantities are limited, and they usually sell out well in advance of the event. Tickets sometimes become available from ticket buyers whose plans have changed; the DerbyCon organizers frown on ticket resales for more than the original ticket price, and they reserve the right to ban predatory sellers from future events.
According to its organizers, "the idea of DerbyCon started in a pizza shop in Louisville, after a few of us thought how awesome it would be to create a conference in Louisville, Kentucky."
Brian Klenke, vice president of incident response at Morphick, called DerbyCon "the most underrated security conference in the U.S.," and added that "year after year, our team rates it as the single best event to learn from their peers and network."
Sam Elliott, director of security product management at Bomgar, told SearchSecurity that DerbyCon is not just another cybersecurity conference.
"It's a community where security professionals can come together to share ideas and concepts," Elliott said. "Whether you know Linux, how to program, are established in security or [are] a hobbyist, the ideal of DerbyCon is to promote learning and strengthen the security community."
Joey Peloquin, director for cloud security operations at Citrix, called DerbyCon the most important cybersecurity conference of the year.
"It is a small conference with above-average content that is well attended, and [it] enables birds of a feather easier access to one another than other, much larger cons."
First conceived in 2009, the Security BSides event series was named for the flip side of a record.
"The B side of a record was always our favorite. They were the artist's edgy, artistic and passionate songs. The songs that may not appeal to the masses or been [in] vogue, but truly showed the artist in their natural light. The A side was for record producers and mass media, but the B side was where the real band lived. That is exactly how we feel about Security BSides conferences," wrote the founders, Mike Dahn, Jack Daniel and Chris Nickerson, in 2011.
As noted on the Security BSides website, the event functions as a "do-ocracy; in other words, if you want it, then you do it or make it happen. We do not have members, but rather participants. You are the 'we' and we can only be successful if you make that happen for yourself."
As a result, Security BSides conferences can have a very different flavor from other cybersecurity conferences. As community-oriented events that rely more on local interest and volunteers, Security BSides events are intended to foster connection, collaboration and conversations among information security professionals within their local communities.
In addition to Security BSides Las Vegas, which is usually scheduled around the Black Hat and Defcon events, Security BSides events are held throughout the year in cities and towns across the U.S. and the world.
"BSides is a purely crowd-sourced set of conferences that started as an alternative -- the B side -- alongside a bigger conference," Dwayne Melancon, vice president of product at Iovation, told SearchSecurity by email. "Since then, it has evolved to a global security event collection that brings together thought leaders from around the world, using a model where the crowd votes for what gets presented -- very democratic! Don't miss the Lockpick Village."
Security BSides cybersecurity conferences are a good alternative for those looking for local contacts.
John Seymour, senior data scientist at ZeroFox, said, "local BSides conferences are great for meeting local security folks. Typically, they're also very cheap, meaning they have almost zero cost. However, they tend to still have comprehensive talks, high-tier vendors, lock picking, and CTFs [capture the flags], all of much higher quality than one would expect. Finally, they're small enough to find the people you want to see again without outrageous amounts of planning and communication."
Seymour added that if he had to choose just one conference to go to each year, "I'd choose my local BSides. The people I've met there are amazing, and because they're close by, we keep in touch throughout the year. And, odds are, they would have attended all the conferences I've missed, and could catch me up."
Chris Eng, vice president of research at Veracode, said the quality of some of the Security BSides events may be surprising.
"Being smaller regional events -- outside of SF [San Francisco] and Vegas, again -- they can be hit or miss, with less experienced speakers," he said. "But sometimes you'll get some very interesting talks."
Upcoming Security BSides include events in Amsterdam; St. Louis; Zurich, Switzerland; Southington, Conn.; Augusta, Ga.; Delhi, India; and many others.
Held in Washington D.C. and usually scheduled in January or February, ShmooCon describes itself as, "an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues."
The organizers limit the number of tickets, and do their best to keep the cost low. In 2017, the tickets were priced at $150 each.
Like DerbyCon, ShmooCon tickets are limited -- and they sell out early. In 2017, all of the 1,460 tickets were sold out -- in three rounds -- in under 10 seconds. But don't let that stop you from attending: Ryan Kovar, staff security strategist at Splunk, said if he could only attend one event, it would be ShmooCon.
"Hands down. Even if you can't get tickets ... show up," he said. "The LobbyCon is almost better than the conference itself, and you can usually find tickets once you are there."
Kovar was only one of several experts polled who felt ShmooCon was the one event they would choose if they could attend only one of the year's cybersecurity conferences. Stephen Coty, chief security evangelist at Alert Logic, agreed.
"It focuses on hacks that affect people and businesses on a daily basis -- what we call the nonemerging threats," he said. "People tend to get caught up with the most sophisticated and duplicitous exploits that capture headlines in the media, but oftentimes, it's the age-old hacks, exploits and bugs that continue to wreak havoc in enterprises, like failing to patch an old Windows exploit, a vulnerable WordPress plug-in or the tried-and-true phishing scam. ShmooCon is less commercialized or focused on a specific industry."
Gary Hayslip, CISO at Webroot, found ShmooCon to be surprisingly enjoyable.
"I got talked into attending one and had no idea what I was in for. What I found was a security/hacker conference that was laid-back, but intense," he said. "There were some seriously smart people there who I hung out with, and their level of knowledge on hacking and just plain breaking things was sobering, but it was cool."
Billing itself as, "the world's most advanced conference focusing on applied digital security," CanSecWest does indeed focus on applied information security, and it includes the Pwn2Own hacking competition. Held annually in Vancouver, B.C., the next CanSecWest is scheduled for March 2018.
"Personally, my interests don't focus on the exploit or hardware side of information security," Kovar said. "Because of that, CanSecWest has been the most surprising conference I've attended. I was interested to see so much phenomenal content dedicated to the subject. It definitely made me realize how important CanSecWest is to the security community."
Jeannie Warner, security strategist at WhiteHat Security, told SearchSecurity that CanSecWest is always a positive experience.
"When I have attended CanSecWest, I always walked away with new knowledge about attack vectors, ideas and methods being discussed -- often with new RFCs and amazing networking opportunities."
The opportunities can come at any time, as Warner related: "[I] even had a midnight call to my hotel room -- 'Jeannie, we're down in the lobby. Do you know any DNS [domain name system] programming experts from anywhere attending? We need someone for our attack team.'"
Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team, also spoke highly of the event, even though it's been almost ten years since he last attended.
"My best conference experience was definitely CanSecWest," he said. "It was a highly technical, single-track conference where I met a number of amazing people.
"It also had one of the best conference parties I've attended. Buses took attendees to the mountains, where we rode gondolas to a lodge. While the content was interesting, the party was one of the most unique conference parties I've seen."
Choosing the right ones
Ultimately, the decision of which cybersecurity conferences to attend will depend on which ones best meet the needs of the individual.
"It kind of depends on what you want to get out of it," Bambenek said. "As a professional, Black Hat and RSA are marketing sales events. Most of our industry is there, so it's a chance to meet with a bunch of people that are in the same city at once, and that has value. But I can't think of a Black Hat talk that says, 'I need to go see that talk.'"