I recently attended the RSA 2009 Conference in San Francisco. Upon arriving back at work, one of the first tasks assigned (besides catching up) was to write a summary of the conference and what I learned /as it applied to the company/. Well, to say the least, this can be a daunting task. You can learn lots of interesting things at a major conference like RSA, but will much of it apply to your real world everyday job? With this in mind, I began to wonder "is there value in security conferences for companies?" and this, of course, has gotten me onto a little rabbit trail that must be followed.
Before I launch into some sort of boring analysis or commentary, let me first preface all of this by saying: Yes, you and/or your team should absolutely go to conferences and training programs. Get out of the office, meet other people, see what else is going on in the world. This is a philosophy that my original home school for Gracie Jiu-Jitsu subscribes to, and one that I would hope that everyone would appreciate. In technology - and particularly in information security - you cannot live in a vacuum. You absolutely positively must get out and see new things, new people, new ideas, new places, new techniques, etc. We don't all tackle problems in the same way, and that means that there are some really cool new things out there to learn, if only you go look for them.
Hopping back down from my soapbox, then, let's look at how you can make attending a security conference worthwhile. In my mind, there are three keys to having a good conference while demonstrating value to your employer (who's hopefully footing the bill). First, you need to go into the conference with a plan that includes learning objectives. Second, whether you're comfortable doing it or not, you need to get out and be social with vendors on the expo floor. Third, whether you're comfortable doing it or not, you need to get out and be social with your colleagues. Allow me to go into a bit more detail.
Plan + Learning Objectives
Any learning opportunity will only be maximized by the amount of effort you put into it. If you walk into a learning opportunity blindly, with no direction, and with no real inclination or interests, then you're quite likely going to walk away disappointed. On the other hand, if you enter with at least a moderate degree of curiosity - at least in specific areas related to the conference - then you will greatly increase the value of your experience.
This whole "make a plan" concept really applies more to large, multi-track conferences than it does to small, single-track conferences. Showing up for SOURCE in Boston will be a completely different experience from attending RSA or CSI where there are a wide variety of topics and tracks. So, in the case of these large conferences, find out ahead of time what's being offered, and develop a plan. Moreover, since you're employer will be looking at ways for you to incorporate the value proposition into the company, make sure your plan looks at what is important to your job beyond your basic interests (hopefully these align, but you never know). This is where learning objectives really come into play, because you can then go to a conference seeking specific knowledge or information and, hopefully, walk away having found some of it.
Socialize with Vendors
Yes, yes, I know. If you talk to a vendor, they'll probably get your contact info, and then they'll call you all the time, over and over and over again, whether or not you want them to do so. Don't panic. Talking to vendors is a good way to find out what they have to offer and, more importantly, what's coming down the pipe. Especially for security management, it's definitely worth your time to seek out, in particular, the younger, hungrier startup-ish vendors specifically to learn what is being seen as emerging trends. These companies frequently have millions of dollars invested in research, so you might as well make use of it as best as possible.
Now, for those in the audience who aren't big talkers, don't worry. Here are a couple tips from, well, a big talker:
* Don't feel obligated to give information away.
* Get the sales flack talking and maintain eye contact to prove you're listening.
* Resist the demo unless you're actually interested. If you're interested, /ask/ for a demo!
* If you're more technical, don't be afraid to ask to talk to the techie. (if no techie, flee!;)
* Try to toss out leading questions to help the sales flack along.
As with everything, you'll get out what you put in, and sometimes even more. At big conferences, many vendors have parties at night, and so spending some time showing the vendors love can help get you into the thick of things, which brings me to my third point.
Socialize with Colleagues
As smart as you are, there are other people who know things that you don't. Hopefully they're friendly! One of the best ways to find out is to go hang out with them. Hey, it's a conference, you're probably on the road, what's the big deal? Even if you are introverted and scared to death of crowds, you can meet some amazing people (hey, I met Dan Farmer at RSA this year - he's a huge reason I got into infosec!) and even learn a few things along the way.
Don't believe me? Well, that's fine, but consider this: last year I didn't know many people, and was known by even fewer. This year, having hung out with folks last year and then interacted with them over the course of the year (blog/twitter), I was now much better prepared to find folks, talk to folks, and so on. What did this get me? Well, for starters, I found out about MiniMetriCon 3.5, the Monday before RSA started, at which I got to hear some excellent presentations on security metrics, including one by Jeremiah Grossman of Whitehat Security and one by Wade Baker of Verizon Business. Both gentlemen went through real life data that was not only sobering, but also information and educational (e.g. PCI is apparently not a complete waste of time and money, despite how it feels).
If you get out and meet people and swap stories, you will quickly find that you're not the only person fighting the good fight, but that you in fact have commiserators in the grand scheme of things. It feels good knowing that I'm not the only one dealing with various issues - and hopefully you'll get to enjoy that sense of camaraderie, too.
Bonus: What Not to Say When You Return
Several times I've returned from a conference and been asked minutes after walking into the office "hey, how as it?" to which I've stupidly said "eh, it was ok, nothing great." D'OH! The last thing your boss wants to hear is that s/he just wasted a few thousand dollars to send you to a conference that wasn't worthwhile.
So, take a tip from me. Before you get back to work, start developing a storyline about how the conference was good and useful and educational. Pull out those learning objectives and developing talking points about how it met the company's needs. Pull out your notes from talking with vendors to demonstrate that there might be technology solutions for given problems. Put a positive spin on the conference as much as possible, and - assuming you actually want to go to another conference - don't make it sound like it wasn't worthwhile.