Planning for an InfoSec Conference

February 17, 2017  |  Javvad Malik

I wasted many an early year going to InfoSec conferences and security events only to find them useless. Well, they weren't totally useless, I'd often come back with a bag full of goodies that more often than not included stress balls, USB drives, and some stickers.

My colleagues and I would often bemoan how rubbish conferences were. There was literally nothing of value in them other than a day or two out of the office. Which, when you're doing IT security incident response, is the equivalent of a five-star holiday on a beach.

Some years ago I was complaining to a mentor about how conferences were a waste of time, when he turned the question on its head and asked what my objectives were for attending a conference.

To be honest, I really hadn’t given it much thought up until then. My colleagues used to go, so I used to tag along too. There wasn’t a plan as such. You’d just go along and hope for the best.

But a conference is what you make out of it, and having an objective has helped me immensely over the years in getting the most I can out of the experience.

Personally, I break down my conference attendance into three core components: work, education, and networking. These are not mutually exclusive, and many activities overlap with others.


Primarily, I’m looking at whether I have any official ‘work’ business to tend to whilst at a conference. Unless I’m attending a conference on my own time and money, there needs to be some benefit for my employer in it. This can manifest itself in many ways depending on the nature of your work. If you sell a service or product, then perhaps generating leads is needed, or working out what trends are emerging.

Perhaps you want to raise awareness of some of the research your company has undertaken, and weave it into an educational presentation.

Enterprise users can catch up on what trends are prevalent in their particular industry, connect with peers, or attend relevant talks and take back the knowledge gained to the office and share with colleagues.


Conferences are an absolute goldmine for knowledge. Education can be in the more formal environment of attending talks or workshops. But it can also come from informal avenues such as "hallway con" whereby there is no shortage of people discussing and sharing ideas. Oftentimes these can be even more informative than formal presentations as more intimate details can be shared privately.

The pitfall to look out for is that there can be almost too much free education. Which is why it is important to understand your objective prior to attending. For example, say you're looking to understand more about incident response processes. Try to identify in advance the talks, products, and the individuals that you can connect with at a conference on this topic to help further your cause.

For large conferences, this preparation can begin weeks, and sometimes months in advance. Reach out to people and try to get some time to chat with them in advance of the event.

Don't forget vendors can be a particularly good source of information. It can be a good idea to contact them on social media and ask if they'll have someone available to show a demo, or help answer a few questions for you. You may be surprised at how often you can get face time with some extremely knowledgeable individuals.


Networking means different things to different people. Some will classify going to as many after-parties as possible that stretch into the early hours as 'networking'. There may be some truth to this, but it's not the only way.

I try to maintain a healthy mix of catching up with old friends and colleagues and meeting new people. I'm not much of a party person, so I tend to book breakfast, lunch, dinners, and coffee breaks to be my networking time.

If you have planned things well, you will have a reason to meet up with people - be it to maintain ties, discuss employment opportunities, share ideas around research, etc.

I don’t measure networking by the number of cards I collect or the number of new LinkedIn connections. But rather by the quality of conversation, and whether or not there was a meaningful exchange that can form the basis of an ongoing relationship.

Post conference roundup

Without measuring the effectiveness of actions, it isn’t possible to accurately determine whether or not it has been a useful activity. So I find it valuable, usually on the flight home from a conference, to quickly write down a list of things that went well, and a few things that I could have done better or approached differently.

I’ve personally found even spending 15 minutes on this to be invaluable. It helps align thoughts as to what was achieved, and plan out my objectives for the next conference. This has allowed me to benefit far more from conferences than in the past. In some cases, it has even allowed me to decide which conferences I attend fully, partially, or skip altogether.

Knowing your objectives and having a post-conference roundup shifts the balance from expecting a conference to provide what you desire, and puts you in control of the outcomes. A conference can only create the environment – attendees need to take advantage of the opportunity. I advocate not being how I used to be, simply whining about it being a poor event. Taking a more proactive approach will allow you to get more out of the InfoSec conferences you attend.
