I often mention how much I attend conferences, and often asked what makes a good conference.  I’ve been to many over the last five years, and not just Information Security, or even technology conferences, but for the sake of context I’ll use Security conferences as examples. I’ll mention some factors in how I define a good conference then a summary.

Content:
This should go without saying, because the talks are usually a reason people go to conferences, but when I mention the content, I also mean the audience the talks are geared toward. Most conferences have talks that are interesting for all parties, but there are conferences that for lack of better word do a better job catering to the upper management and C level folks vs the folks in the trenches.

Despite what a lot of people in the trenches believe, those folks that work on the more risk management side of things, the ones more focused on policies and information assurance are needed to help us justify the need for the more skilled folks on the ground.  The most effective Security Engineers out there that know how to do all the fun technical stuff need an advocate that can speak to the rest of the business particularly those C level folks that aren’t as familiar with buffer overflows, Incident Response, and memory forensics.
Location:
This is a tough one, and can sometimes make a conference more expensive with hotel costs, or make the conference much harder to manage from a logistics perspective. For example, with DEFCON can sometimes be a hard enough sell to managers that don’t already work in, have an interest in Security or have never been, but the fact that its in Las Vegas does not help. On the upside considering the location, it is not that far from the airport, and despite it being located on the strip, there are plenty of places to eat and entertainment on the strip. Keep in mind that despite all of those rather minor downsides, DEFCON is still my favorite, and my plans for it evolve every year. One of the best

Cost:
The cost is an obvious one, but if you factor in the location as well this can change significantly (specifically for DEFCON unless you live in or have family in Las Vegas).  Some conferences whether offer additional training, giving attendees a deeper dive with a more personal approach.  Lastly, depending on the volume of vendors (selling merchandise), your spending can go up significantly.  I have found some of the best books at either Blackhat or DEFCON, and then there’s the hardware you may also find.

Hands-on stuff (Village people):

Regardless of the size, I must say that the conferences without some sort of hands on component aren’t all that memorable.  If people just wanted to talk about security, then they could do that online without having to interact.  Ironically, the hands on stuff at conferences gives people a hands-on experience and encourages interaction with people.

If someone is at a conference from the outside looking into what makes this stuff so much fun, or where to start, this is a great start.  A CTF is a great way to determine if you’re going to have fun doing this kind of work and will definitely let you know what your strengths and weaknesses are.  Trust me, if you are doing a CTF for the first time, there is a lot you wont know how to do.  I get marginally less clueless each time.

This last one will vary from one venue to another and while its not a requirement, it does make things more interactive.  When I mentioned it depends on the venue, you may not be able to have a full size hardware hacking village, where you can find or even build things that involve soldering, 3d printing, etc.  A big conference like DEFCON will have villages for nearly every aspect of security and hacking and if it isnt there this year, it will be in the future.  A lot of conferences commonly have at least one CTF or some other competition going.  Vendors may even have live demos at their booths.  There’s something special about product bake-offs!

Not that every conference needs or can support multiple village, but something like a lockpicking village is fairly easy to set up.  a pile of locks, a couple extra picks, and something as simple as a post it letting people know its a lockpicking village.  If a venue cannot provide that, it may not be a conference you’re looking for.