Why Derbycon is so good for the security community

I had a chance to go to Derbycon for the first time this year.  I was amazed at how great it was and a lot of fun of course, but there was more to it than that. I’ve been to many regional conferences, as well as Defcon, Blackhat, RSA, and even Gartner security conferences, but Derbycon was altogether different and felt like there was a higher benefit that I couldn’t put my finger on. Then I saw an article by Jon Oltsik in CSO magazine recently titled “What’s Holding Back Enterprise Security Technology Transformation?”   His first point was that there is a cybersecurity culture clash.

In today’s market, there is a huge cultural gap between suppliers and customers.  Cybersecurity professionals are paid to look at every angle of technologies looking for vulnerabilities open for exploitation.  This makes them skeptics by nature.  Alternatively, new technologies are often pushed by startups marketing silver bullet solutions.  And let’s not forget about Sand Hill Road VCs.  Once they invest in a company, they turn marketing staffers loose to pump up portfolio companies with buzzword bingo claims.  These mixed agendas set up a situation where risk-averse CISOs looking to bolster the security of their business are met with rhetoric and hyperbole.  Little wonder why it takes so long for vendors to develop trust and bridge this cultural gap.

It led me to think that Derbycon is almost the anti-conference.   Of course there were vendors like and booths, but there was no divide between people.   Everyone was in it together.   You just don’t see this very often. Amit Serper wrote a fantastic piece that goes into great detail about the experience:

DerbyCon is not your typical security conference; It’s rather small, people are super friendly, there is a lot of emphasis on the “family” feel, you can even see that on Twitter when people are talking about the “DerbyCon Fam.”

#Trevorforget was pretty awesome too and demonstrates how people can come together for good at a security conference. There was even a news column from KSL about it: “Roach found in milk shake at Smashburger and hackers at #DerbyCon make a memorial for it. Trevor fan Jim Kennedy started a #TrevorForget memorial fund*, which has raised over $4,000.

“As you know, the Info Sec community lost a beloved member over the weekend. Trevor the Roach,” the GoFundMe campaign reads. “To make matters worse, his entire family is also caught up in the disaster in Puerto Rico. Funds contributed will go directly to 'Friends of Puerto Rico'. A long-standing and respected nonprofit working to better Puerto Rico.”

$4K (as of 10-10-2017) for a roach goof that helps people in dire straits…amazing! Of course, Derbycon had learning at the core, and that comprised the bulk of the activities.   However, there’s more to learning than just sponsored talks - You really see the interpersonal learning and bridging of the cultural gap all over the place – in the sessions, in the lobby, in the vendor areas, on the street, in the smoking area, everywhere. And that’s what makes it great. It’s hard to find people you can trust with the right motives.   Certainly, everyone needs to make money to live, thrive and survive, but the “pumping up of companies” is making it almost impossible for regular folks to cut through the noise.    And even though they are “skeptics by nature,” the community there sees how various people help each other out in many ways…and it’s these small examples (and a few big ones) that demonstrate how we’re going to bridge the security culture clash.  Not with hyperbole and no shortcuts for sure, but in time, the truth always comes out.   Derbycon is a place where Right Makes Might and not the other way around.