Home / Blogs

The Missing Piece of the Security Conference Circuit

So far this year I think I’ve attended 20+ security conferences around the world—speaking at many of them. Along the way, I got to chat with hundreds of attendees and gather their thoughts on what they hoped to achieve or learn at each of these conferences.

In way too many cases I think the conference organizers have missed the mark.

I’d like to offer the following thoughts and feedback to the people organizing and facilitating these conferences (especially those catering to local security professionals):

  • Attendees have had enough of stunt hacking presentations. By all means, throw in one or two qualified speakers on some great stunt hack—but use them as sparingly as keynotes.
  • Highly specialized—border-line stunt hacking topics—disenfranchise many of the attendees. Sure, it’s fun to have a deep-dive hacking session on voting machines, smart cars, etc. but when every session is focused on (what is essentially an) “edge” security device that most attendees will never be charged with attacking or defending… it’s no longer overwhelming, it becomes noise that can’t be applied in “real-life” for the majority of attendees.
  • As an industry we’re desperately trying to engage those entering the job market and “sell” them on our security profession. Trinket displays of security (e.g. CTF, lock-picking) sound more interesting to people already in security… and much less so to those just entering the job market. Let’s face it, no matter how much they enjoy picking locks, it’s unlikely a qualification for first-line SOC analysts. Even for those that have been in the industry for a few years, these cliche trinket displays of security “skill” have become tired… and look like wannabe Def Cons.
  • Most attendees really want to LEARN something that they can APPLY to their job. They’re looking for nuggets of smartness that can be used tomorrow in the execution of their job.

Here are a few thoughts for security (/hacker) conference organizers:

  • Have a track (or two) specifically focused on attack techniques (or defense techniques) where each presented session can clearly say what new skill or technique the attendee will have acquired as they leave the hallowed chamber of security knowledge goodness. This may be as simple as escalating existing skills e.g. “if you’re a 5 on XSS today, by the end of the session you’ll have reached a 7 in XSS against SAP installations”, or “you’ll learn how to use Jupyter Notebooks for managing threat hunt collaboration”. The objective is simple: an attendee should be able to apply new skills and expertise tomorrow… at their day job.
  • Get more people presenting, and presenting for less time. Encourage a broader range of speakers to present on practical security topics. I think many attendees would love to see an “open mic” speaker track where security professionals (new and upcoming) can deep-dive present on interesting security topics and raise questions to attendees for help/guidance/answers. For example, the speaker has deep-dived into blocking spear-phishing emails using XYZ product but identified that certain types of email vectors evade it… they present proposals on improvement… and the attendees add their collective knowledge. It encourages interaction and (ideally) helps to solve real-world problems.
  • An iteration of the idea above, but focused on students, those job hunting for security roles, or on their first rung of the security ladder… a track where they can present on a vetted security topic where a panel of security veterans that evaluate the presentation—the content and the delivery—and provide rewards. In particular, I’d love to see (and ensure) that the presentation is recorded, and the presentation material is available for download (including maybe a backup whitepaper). Why? Because I’d encourage these speakers to reference and link to these resources (and conference awards) in their resumes/CV’s so they can differentiate themselves in the hiring market.
  • Finally, I’d encourage (and offer myself up for participation) a track for practicing and refining interview techniques. It’s daunting for all new starters in our industry to successfully navigate an interview with experienced and battle wary security professionals. It takes practice, guidance, and encouragement. In reality, starter interviewees have less than 15 minutes to establish their technical depth, learning capability, and group compatibility. On the flip-side, learning and practice sessions for technical security hiring managers on overcoming biases and encouraging diversity. We’re an industry full of introverts and know-it-all’s that genuinely want to help… but we all need a little help and coaching in this critical area.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix


Sponsored byVerisign