All About the GFIRST 2012 Conference

I'm at GFIRST 2012, the 8th Annual Cyber Security Conference hosted by the Department of Homeland Security. I spoke on Wednesday, August 22nd, with co-presenters David Roberts (General Dynamics) and Jonathan Quigg (Data Tactics), on the subject of "Social Networking: The Next Weapon Against Bad Actors."

The slides for the presentation will be online later. Meanwhile, I'd like to describe what the conference was like, explain how it differed from my expectations, and offer some thoughts about future directions for the conference.


At heart, I'm a techie. I'm used to technical conferences, i.e., events with hardcore technical content aimed at the professional practitioners of a given technology. An example is the Ruby programmers at the RubyNation Conference, where the audience is keenly interested in the content and most people are in sessions all day.

GFIRST was not like that. The conference itself was free and, because it was put on by the Department of Homeland Security, it attracted an extremely wide audience, including:

  • Software Developers
  • System/Network Administrators
  • Security Professionals
  • Management
  • Business Development
  • Marketing
  • Malware Analysts
  • Interested Lay-People

GFIRST expected about 1500 attendees (Editorial Note: It turned out to be about 1675 attendees.), spread across all of these attendee types. At any given time, there were at least 6 simultaneous tracks on a wide variety of subjects.

But many people were there for networking, job hunting, marketing, business development or even, on occasion, an organization-sponsored boondoggle. Add in a Vendor Area and a few other distractions, and I'd estimate that only 30 - 50% of the attendees were in any of the sessions at any given time.

Being used to technical conferences, this was an eye-opening experience for me.

Don't get me wrong, those other things are important, too, except for maybe the "boondoggle" factor that a small fraction of attendees represented. It just wasn't what I expected.


The venue was the Marriott Marquis in downtown Atlanta, GA. This was, quite frankly, the most amazing hotel I've ever seen.

The hotel was essentially hollow, with a 47-floor lobby that was open all the way to the covered skylight at the roof. All hotel rooms opened off open-air "corridors" that ran around the circumference of the interior.

Towards the back of this open lobby, there was a giant elevator "pillar" that ran to all 47 stories. Each circumference corridor had bridges that connected to the elevator stack. The elevators, of course, were enclosed in glass so everybody could get the full effect of the views.

Simply amazing.

For the conference itself, there were three levels underneath the main lobby floor, all accessible by escalators and/or elevators. There were one-and-a-half levels above the main lobby devoted to bars, restaurants, etc.

The setup for the conference was generally pretty good. The Vendor Area needed to be a little larger. Also, the primary sponsors of the event had their own Sponsor Area, which was tucked away and hard to find, so I don't think they were well-served by the layout.

Despite these quibbles, it was an amazing venue.

The Sessions

The sessions were a mixed bag for me. I'm a software developer and web expert, with an interest in social networking technologies. I'm not a malware analyst or a security professional.

Some sessions, such as those focused on system administration and deep-dive malware analysis, left me cold. Other topics were certainly of interest to me, and I managed to see a number of excellent sessions while I was there.

With such a diverse audience, this is to be expected. With so many tracks, though, there was almost always a talk that was worth seeing. If not, there was always the Vendor Area to check out.

As with any conference, the sessions ranged in quality. Most were at least competent and informative. A few were quite brilliant.

One was distinct by virtue of being the worst talk I've ever seen at any conference. Here's a guaranteed recipe for delivering an absolutely terrible talk:

  1. Have an interesting title to draw victims in.
  2. Just have 4 slides. There's no need to actually put any work into your presentation.
  3. Taunt the audience by putting so much content on your slides that they're unreadable.
  4. Highlight one graphic, so you can say: "Our system can produce visualizations similar to this one."
  5. Conclude with: "I can't tell you anything else unless you have a Top Secret clearance and have signed an NDA with my company."
  6. Don't feel obligated to fill more than 15 minutes of the hour-long block you signed up for.

Please note that this was a problem with the lack of professionalism of that single presenter, not with the GFIRST conference. A dud can sneak into any conference — GFIRST just needs to make sure she isn't invited back.

Overall, despite that one aberration, the sessions were thoughtful, well-organized and well-done.

The Parties

Ah, the parties. From the Cyblast party put on by General Dynamics on the Skyline level (the 10th floor, with floor-to-ceiling views of the city skyline created by excising all of the hotel rooms on that level) of the Marriott Marquis to the extravagant RSA "Biker" party, the parties at GFIRST rocked! Highly recommended.

This was Collective Soul, the nationally known rock band, live at the Hard Rock Cafe for the RSA Biker Party.

Thoughts for the Future

I run some small conferences, including RubyNation, DevIgnition and various Toastmasters-related events. I'm appalled that nobody pays for the conference, including both attendees and vendors.

There is a rationale for making the conference free for attendees, to further the goal of disseminating information to raise awareness about the general need for security measures.

At a minimum, though, the vendors should pay to have a booth in the Vendor Area. And Sponsors should pay for the privilege of being sponsors for the conference. They pay at most other events, including the smaller-scale events that I run.

Guess what? If you charge them something reasonable (and we're talking something reasonable for an enterprise, not for you or me), they will pay. Access to the kind of decision makers who attend GFIRST is valuable.

The Marriott Marquis is a world-class hotel. The conference took up 3 entire floors of this giant hotel. It had to be hugely expensive, even at favorable government rates, to host the conference.

That's OK. It was a high-quality event.

But let the vendors help subsidize it. The taxpayers don't have to foot the bill for everything.


I had a great time at GFIRST. I learned some valuable things at some of the sessions. I gave what was, I think, an eye-opening talk for some of the attendees. I did some networking and attended some awesome parties.

The best compliment I can give GFIRST is this: I'd be happy to attend again. I can assure you that I'll be submitting a proposal for their next Call for Papers.

