Bruce Schneier has artfully committed electrons to decay in an article he recently "penned" for Wired in which he has once again trumpeted the impending death of Information Security as we know it and illustrated the changing why's, how's, when's and who's that define the security industry singularity that is sure to occur.
While I thoroughly enjoyed Bruce's opinion on the matter and will address it in a follow-on post dedicated to the meme, the real gem that sparkled for me in this article was his use of the behemoth RSA Security conference as a bellwether for the security industry:
Last week was the RSA Conference, easily the largest information security conference in the world. More than 17,000 people descended on San Francisco's Moscone Center to hear some of the more than 250 talks, attend I-didn't-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff.
Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.
It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.
...
The RSA Conference won't die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It'll be security companies selling to the companies who sell to corporate and home users -- and will no longer be a 17,000-person user conference.
What attracted me to the last paragraph was a rather profound point draped in subtlety that I think Bruce missed. It was reinforced by my recent experiences in Boston and Munich, which framed RSA, a show that quite honestly I could almost care less about attending ever again...
Specifically, I recently attended and spoke at both SourceBoston (in Boston) and Troopers08 (in Munich, Germany). These are boutique security conferences with attendee counts in approximately the 200-person range. They are intimate gatherings of a blended and balanced selection of security practitioners, academics, technologists, researchers and end-users who get together and communicate.
These events offer a glimpse into the future of what security conferences can and should provide: collaborative, open, educational, enlightening and fun events without the pretentiousness or edge of confabs trying too hard to be either too "professional" or too "alternative" in their appearance and nature.
Further, these events lack the marketing circle-jerk and vendor-centric detritus that Bruce alluded to. What you get is a fantastic balance of high-level as well as in-the-weeds presentations on all manner of things security: politics, culture, technology, futurism, hacking, etc. It's an amazing balance with a refreshing change of pace. People go to all the presentations because they know they are going to learn something.
These sorts of events have really been springing to life for years, yet we've seen them morph and become abstracted from the reason we attended them in the first place. Some of them like BlackHat, DefCon, and ShmooCon have all "grown up" and lost that intimacy, becoming just another excuse to get together and socialize in one place with people you haven't seen in a while.
Some, like HITB, CanSecWest, and ToorCon, might appear too gritty or technical to attract a balanced crowd, and the expectation for presenters is the one-upmanship associated with an overly-sensationalized exploit or the next move in the fanboy-fanned flaming game of vendor 0day whack-a-mole. Others are simply shows that are small or regional in nature that folks just don't know about but remain spectacular in their lineups.
My challenge to you is to discover these shows -- these "Non-Cons" as I call them. They offer fantastic networking, collaboration and learning opportunities, and you'll be absolutely blown away by some of the big names presenting at them.
Don't turn up your nose simply because of locale and use the excuse that you're saving your budget for RSA or InfoSec. When is the last time you actually *learned* anything at those shows? It costs thousands to attend RSA. Many of the Non-Cons cost a measly couple of hundred dollars.
Take a close look at where your favorite InfoSec folks are presenting. If five of them happen to be converging on, say, Ohio <wink, wink> for 2-3 days at a security conference you've never heard of, it's probably not because of the beaches...
/Hoff