Quick Thoughts on ISC2 Security Congress 2012

I had the opportunity yesterday to visit and speak at the ISC2 Security Congress 2012 in Philadelphia, co-located with the ASIS International Conference. Since this was only the 2nd ISC2 Congress, and my first visit to it, I thought that I'd post a few quick notes.

If you've ever been to the US RSA conference and thought "wow, this is really big" - let me tell you, there's a whole other scale out there. The ASIS event was quite massive. It was held at the Pennsylvania Convention Center in downtown Philadelphia, which spans 3+ blocks. The expo floor was above ground about 30-40' and it was very impressive! Imagine standing inside a room that's about 2-3 blocks long with a multi-story-high ceiling. And then fill that room with physsec vendors. That was the ASIS event. I never knew there were so many vendors for video surveillance, gates, and physical access management (plus a few other random topics thrown in, such as training attack dogs, NBC detection gear, mobile command posts, etc.). Some of the biggest vendors there were Stanley, Honeywell, Samsung, and Sony. It was quite the sight to see.

That said, as a GRC vendor in the infosec space, I can't imagine ever exhibiting there. It would be literally placing oneself as the needle in the proverbial haystack. You'd have to put up a massive booth (and lay out a massive expenditure) to stand out in the crowd. And, even then, you're competing with robots and creepy automation and video surveillance. I just can't see it being a good investment.

Sadly, I think this theme extends further... I think ISC2 is greatly dwarfed by the ASIS event. There was a dedicated hallway for all the ISC2 talks, but this almost struck me as a bad decision in that it created considerable physical separation from the ASIS event and its attendees. I'm told ISC2 event registration was up 3-fold over the initial event last year, which is good. It seems to me, however, that ISC2 either needs to launch their own separate event, or they need to work more aggressively to get their talks and booths better placed and promoted.

A perfect case in point: ISC2 did have a vendor seminar area set up within the expo, but on the opposite end away from where the talks were. When I walked by, some vendor was giving a talk about mobile security, and almost all the seats were filled. ASIS attendees are clearly interested in the "cybersecurity" topic, and yet I'm not sure this year's layout got them exposed to those talks. Given how large the facility was, I can easily see ASIS people staying over near their tracks, and not ever venturing down to the ISC2 talks. About the only good thing going for ISC2 on location is that their talks were in the hallway that connected to the adjoining Marriott, and were next to the ASIS event book store.

Because of my limited time on-site for the event, there's not much more I can speak to. The venue was huge (and the layout was funky at times - for example, registration was located at one end, rather than in the middle, meaning I literally had to walk 2+ blocks down the length of the convention center just to get checked-in). I felt very much like ISC2 was a mini-David to ASIS' Goliath. As is my usual luck, my talk slot was the last of the conference, so attendance at my presentation was sparse. I do know that some other talks drew a much bigger crowd (including one offering to "demystify" pentests??).

Overall, I think ISC2 should branch out and hold their own conference. If they want to continue the partnership with ASIS, it should be simply as an integrated participant, with say 1-2 dedicated rooms amongst all the other talks, plus better vendor space management on the expo floor (e.g., a large, emblazoned "cybersecurity zone") so that the area will stand out and the sponsoring vendors might have a hope of realizing some sort of value from exhibiting (for instance, there's no reason GRC vendors shouldn't be there, since physsec is certainly in-scope for us, but I just can't see investing in a booth the way it was this week since the ability to attract interest would be severely limited). If cybersecurity is so important, and if ASIS members are really so very interested, then ASIS needs to throw ISC2 a bone and help truly highlight the participation of cybersecurity vendors and speakers. Oh, and they should actually take better care of their speakers, too.

Bottom line: With nothing against ISC2, I do not favor supporting this event until ISC2 either spins off separately or is shown more respect by ASIS.

About this Entry

This page contains a single entry by Ben Tomhave published on September 13, 2012 10:01 AM.
