I had the good fortune over the pass week to attend two excellent regional conferences, as well as to speak for the OWASP MSP chapter. Overall, the trip was very positive (despite my allergies triggering a cold) and it was a good reminder that you do not need to attend the "major" conferences to hear good speakers.
OWASP MSP (5/9/11)
I offered to speak at an OWASP MSP chapter meeting the first night I was in St. Paul, that is, if they were having a meeting. Chapter president Adam Baso quickly organized a meeting, forcing me to make good on my offer. ;) Since I don't generally like hearing my own voice, I reached out to Christophe Veltsos (aka @drinfosec) to help me out (which he did).
Rather than spend a lot of time on a boring lecture, I instead opted to give my new "Talk Pretty" firetalk, which spends 10 minutes covering 7 quick recommendations on how to give better presentations. After that, Christophe and I then adopted a "fireside chat" format where we led discussion on a wide range of topics based on audience selection and participation. All told, it was a fun evening. Several other Secure360 speakers and attendees joined us throughout the night, which culminated in a social gathering. It was great!
This was my first time attending Secure360, despite its being in my home state of MN. The conference has been around for a few years now and has been growing nicely. I first took notice last year when several well-known speakers converged on the event. Overall, this was a good conference, though one with room for some small improvements. They had very good vendor support, which I always find encouraging. There were many good talks; in fact, quite possible too many.
The good: well-run, good speaker selections, an ever-growing history of success, and growing respect in the local market. St. Paul was easy to get to, the venue was very nice, and people in the area are quite enthusiastic. This was definitely a successful event.
The less-than-good: there wasn't much to complain about, but I'll give it a try nonetheless. ;) There were a couple key challenges that should be considered in the future. First, there were way too many sessions. I understand the desire to create space for more speakers, and to accommodate sponsors with speaking slots, but 10-12 tracks is simply too much for a regional conference. Three suggestions I have:
1) Create an actual "vendor" track, which will host all non-keynote vendor talks. Along with this, because space is limited, make the sponsor-talk slots more expensive. Not all vendors need, or should, give talks. This method may help keep things in check.
2) Reduce the number of tracks to no more than 6 (excluding special tracks, like the CISO forum). This is a regional conference, not RSA. I know, it's hard picking talks, but having too many options cheapens the experience for the speakers if their rooms are mostly empty.
3) Switch from the "featured speaker" hour to a track. Having 6-8 high caliber speakers scheduled at the same time was frustrating for attendees and speakers, who often miss good talks as it is. People shouldn't have to make so many trade-off decisions for featured speakers.
The only other negative from the event was the closing panel. Honestly, I felt bad for the panelists. First, the topic was fairly dry, especially for the end when people are already tired. Second, the format was boring. It was less a panel and more a bunch of short talks (in a dark room!). Third, there seemed to be little incentive for people to stay, especially since the awards had been given out earlier.
My suggestions are:
1) Give people a reason to stay. That can be done in a number of ways. Give away awards. Bring in a paid keynote. Or, pick a topic about which people are reasonably passionate.
2) If doing a panel, then it had better be fun. In general, I don't think a panel is the way to go, even if it's highly entertaining. However, there are ways to spice one up. Energetic moderation is key. Having an enthusiastic moderator will help hook the audience. Still, you have to get the audience n the room in the first place.
3) Save the best for last, or just don't have a closing session. Large conferences will often bring in a "hired gun" for the closing keynote (RSA is known for this). However, there's nothing that says you even need a formal closing session. While it may be nice for organizers to get closure, is it adding value? On the flip side, as a speaker, I appreciate strong closing talks that hold attendees. Something to balance out the day.
Again, as noted, this was a very good conference, and one that I highly recommend - especially to people in the region. No conference ever goes perfectly, which is also to say that there's always room for improvement. I'm looking forward to future Secure360 events!
I love smaller events done well, and the Rocky Mountain InfoSec Conference certainly was done well. It was a great 1-day event (actually, they had a half day for workshops before the conference) comprised of about 4 tracks, and underwritten by a good slate of sponsors. One of the biggest challenges for smaller events is getting a good slate of speakers, but Denver has a good base to draw from, which was supplemented effectively by a handful of other speakers (like me).
As often happens, my choices of talks suffer from confirmation bias. I greatly enjoyed hearing my friends Mark Kadrich and Chris Nickerson speak. I was sorry to have missed David Navetta's talk. Additional, I sat in (for a while) on Ira Winkler's opening keynote (what a joke) and a GRC panel, which highlighted once again the fundamental disconnect between the auditors of ISACA, ITGI, and OCEG, and the rest of the world. (I could rand hard on the GRC panel, but will spare you at this point - suffice to say, you should not be taking GRC or biz advice from freaking auditors).
Overall, I felt this was a good, well-run event. If you're in the Denver area, or relatively close proximity, then it's well worthwhile!
And, that's about it on my week... as usual, it was great to see everybody!