Soon, in various publications, articles will appear with advice for folks attending Black Hat and DEF CON for the first time. Advice for newbies is important, and I’ve written my own survival guide for that over the years.
But for this post, I’m speaking to the battle-hardened veterans who have made the journey repeatedly over the years.
Having attended too many of these to count, I consider myself a veteran. Or, to put it another way, I consider myself among the jaded.
“Jaded” is a negative word. It’s typically used to describe someone who is burned out and no longer impressed with what’s going on in their industry. The hard truth is that when you spend enough time in the information security world, it’s easy to become jaded — especially when attending conferences like Black Hat and DEF CON, which is set to take place this year from Aug. 1-9 in Las Vegas.
After 10 or more trips to this so-called security summer camp, it becomes difficult to learn anything new. Attending talks is no longer the exciting activity it once was, so people spend more time at the bar wondering why they made the journey.
But here’s the thing: If we’re honest about these things, we can move forward and find new ways to benefit from the events.
To that end, four thoughts:
1. You’re not in your 20s anymore. Some of us have fond memories of all-night drinking sessions spent with infosec peers playing the myriad casino games. The memories are so fond it’s easy to want to relive the experience every year. But we don’t bounce back the next day like we used to. Is the answer to abstain from adult beverages? Hell, no! Drink if you wish to. But I dare suggest that you pace yourself more carefully. The more you beat on the liver, the more likely you are to develop what many of us have come to know as “con flu” — that cruddy feeling that keeps you off balance for a full week after you’ve returned from Vegas.
2. You don’t go to talks anymore. So What? I’ll admit it: I haven’t attended a Black Hat talk in a long time. It’s not that I think talks are worthless. They’re not. It’s just that when you deal with the same security challenges over and over again, the content of the talks starts to feel like an eternal showing of the Bill Murray movie “Groundhog Day.” The conferences are about so much more than talks, though. The most important thing to me is the networking done in the hallways, coffee shops and bars of the Vegas Strip. If speakers want you to attend their talks, it’s their responsibility to make it new and interesting. Make them tell you what you’re going to learn that you don’t already know. If you don’t see news value in the talk description, skip it without guilt. You’re only wasting your employer’s money if you stay in your room all week and weekend. Speaking of networking:
3. When you seek out old friends, you will still make new ones. Another lament I’ve heard over the years from fellow conference veterans is that we only spend time with old and trusted friends; and that doing so fosters the clique mentality. I still learn new things from old industry friends, so I’ll never apologize for gravitating back to them at each conference. But here’s the thing: When I find old friends, they’re usually accompanied by people I haven’t met before. And so new relationships are still born. When you can mix the old and new into your networking, a rich learning experience is likely.
4. It’s not what it used to be. Get over it. It’s easy for us veterans to pine for the good old days, when Black Hat was more of an underground event and DEF CON was held at Alexis Park Resort. It can be a bummer to see these events become so mainstream. I know people who get bummed out because Black Hat now features a vendor exhibit hall that rivals that of RSA Conference. Some people miss Caesars Palace, too (Black Hat got so big it had to switch venues to Mandalay Bay last year). Now DEF CON has outgrown the RIO and will be held at Paris and Ballys. I see things differently, and I know I’m not alone. Security as an industry is maturing, and so must its conferences. The past was awesome, but change is the law of life.
Embrace the change as an opportunity to freshen up the experience. That’s the best thing for a jaded soul, really.
As a InfoSec leader, it is really hard for me to endorse most of my staff attending these conferences anymore. For a large staff I may be asked to spend nearly 100K annually and the usual result is as in this article: “strengthened my network”.
For my money there are many better ways to gain access to information about current trends and to build and grow a network of peers. There are few better ways, of course, for an all expenses paid trip to Vegas.