It’s that time of year when my email in-box starts filling up with invitations to events surrounding the RSA conference in San Francisco. Whether from vendors, current friends, former colleagues or other security pros who just want to connect, the new offers seem to get more creative every year. There are huge parties, forums, get-togethers, breakfasts and even totally separate conferences (or one-day workshops) running at the same time or before the event.
Of course, the assumption – no, the strong expectation – is that you’ll be in San Fran that week. If you write back that you’re not going this year, the surprised response is always some rendition of “Is everything ok?” Some of you are probably wondering that about me now – no, I'm not going in 2012 and yes, everything is fine.
Now, before I go on, I need to say that this is not a promo for RSA. Yes, I’ve been, and it’s an excellent conference with an unparalleled number of industry exhibitors, training seminars, exciting keynotes, new announcements of products, award ceremonies, etc. More than that, it is almost like “reunion time” where you can get together with friends from around the world from the Department of Homeland Security (DHS) to leading companies in Europe. Speaking at RSA is a huge honor. If you’ve never been – it’s worth going at least once, if at all possible.
Which is where I’m heading with this piece - it’s not possible for the vast majority of state and local government employees to attend RSA or other large conferences like Black Hat.
Most state and local government cyber pros are forbidden from traveling out of state on business, unless given a “special exception.” In the majority of government cases, training conferences don’t qualify for this exception – unless you are presenting and the conference is paying the travel expenses. Of course, government employees cannot accept gifts or trips from vendors, which means that many of the best security conferences are out-of-reach for many government security staff who could often benefit from the training.
(Side note: this same training problem exists for other government professionals in many different fields when the economy is bad and revenues are down.) Every state is different, and there are many variations on this theme. Nevertheless, online training, web conferences and local training are now the norm.
What’s to be done locally?
There’s an age-old phrase that I learned way back when I started my career at NSA in the mid-80s. It starts with the question: Who’s the expert?
Answer: The guy from out of town.
Since perception is often reality, there’s an element of truth to that popular statement. But what about cybersecurity conferences? Are all of the good security conferences out of town (or out-of-state)? I think not.
So what’s the solution? If you can’t bring the people to the conferences … bring the conferences to the people. This is what’s being done all over the nation. Here are a few examples:
SecureWorld Expo Events: These 2-day security conferences have been going on in major US cities for almost a decade. I always look forward to the Detroit event (which is close to Lansing). We’ve been able to get 50+ state employees to that event each year, and we can often get discounted (or free) tickets for government employees. I know the great professional team running these events, and I’ve had the opportunity to speak at SecureWorld events around the USA. I highly recommend attending and encourage active participation in your part of the country.
Government Technology Magazine Events: These events are run by the Center for Digital Government (CDG), and they are very well done – often with a local flavor and great nationally-known keynote speakers. In Michigan, we’ve been holding an annual Michigan Government Summit for years, in partnership with GovTech. What sets these events apart is the state-local collaboration that occurs before, during and after the annual events. The process of building the agenda with state/local IT leaders is almost as helpful as the event itself at fostering cooperation.
Many of these events have a track or even an entire day on cybersecurity. In 2009, we held a one-off cyber summit in partnership with CDG. And the second afternoon of the GovTech conference focused on cybersecurity in 2010.
Which leads to my last idea on this conference topic: starting home-grown technology events. If there is nothing going on in your area, build it yourself. Last year, we launched Cyber Security Awareness Month for the nation at the Michigan Cyber Summit. Each year, our Michigan State Police partners hold a great event in Grand Rapids called the Great Lakes Homeland Security Conference.
My point is that there are plenty of excellent opportunities to learn and be trained right where you are. Look around. Google it.
Sure, RSA is fun and unique. If you really want to go, brush up on your Toastmasters skills and try to become a speaker at a breakout session (but submit a proposal early - it's tough to get accepted). It is always fun to travel, and I’ve been blessed to speak at events around the world. Nevertheless, some of my best experiences have been at security and technology conferences near home. Best of all, you get to sleep in your own bed and stay near family.
I'd love to hear about your experiences or ideas for cyber or technology training. Feel free to leave a comment.