What if you could organize your own Security Architecture conference?

Esther Schagen-van Luit
May 24, 2020

Then, let’s face it, it should be like COSAC. Period. What follows is an eye-witness account of the incredible value that COSAC brings. Why? Because I tell many of you to come and join me at COSAC and then you don’t show up! You make all kinds of excuses about partners and children (bring them!), holidays (in October?!), bosses (do you normally listen to them?) and the money (come and speak == conference is free). I think that some of you stayed away because nobody has been able to convey the true value of the COSAC Security Conference to you. They have tried here, here and here though! But now it’s my turn and I will do so in excruciating detail to ensure you fully get the picture. Thank me later.

As mentioned in an earlier article, me crossing paths with COSAC was mere coincidence. Maurice Smit contacted me on Twitter to come and speak and the rest was history. That was almost six years ago. I was young(er) and this was actually one of the first conferences I was speaking at on behalf of Deloitte. I did not know what to expect. I arrived at Dublin airport with the instructions to wait in front of the coffee kiosk for a shuttle bus driver. At some point I noticed various people eyeing each other in this vicinity. “Are you going to the same conference?” you could see them thinking. There are always some people that know one another. They get together, shake hands, laugh out loud and mention COSAC. This is a sign for the singular new people that this is indeed ‘the COSAC herd’. We all join in, shake hands, exchange names, and immediately forget names. As one does.

The drive to COSAC takes about an hour in a very comfortable shuttle bus. Does one strike up a conversation with someone you know? Do you read a book? I tried the latter in my first year — I failed. Socializing already starts in the bus, no matter how awkward that might be for introverts like me. But now I usually know some of the people, it’s much easier. At some point you drive up a grandiose lane and arrive at Killashee Hotel & Spa in Naas. I have been here for 5 years and I still haven’t seen every room in this venue. The reception hall comes straight out of Belle & the Beast, the garden is gorgeous and the ‘cemetery’ behind the garden is melancholic. The rooms are countryside stylish, beds are supersoft, conference rooms are well-equipped. I have only been able to go to the Spa once, but it was FA-BU-LOUS. There is the main bar where they serve fabulous alcohol-free cocktails, and there is a ‘secret’ Irish pub in the back. They also serve something called Guinness, but I tend to stay very far away from that. The meals are served in the various grand (ball)rooms of the hotel. Typical of COSAC you may find out that there is a hidden room next to that where you can play casino games. It is therefore also a great place to bring your family to — they can enjoy the countryside, good food and facilities. A highlight is Newbridge Silverware visitor center in the vicinity, where I have bought wonderful jewelry over the years.

I mention alcohol-free cocktails because I have learned about ‘pacing’ throughout the years. My first year I was astounded by all the food and drink COSAC had to offer. Food is one of my biggest passions, and COSAC never disappoints. And the drink. Can you imagine ‘international drinks evening’, with more than 25 national alcoholic beverages? Or opening your COSAC meal with a whiskey tasting? Right. And pleasant company makes for good conversations. So we’d stay up all through the night and then were expected to sit in (or even speak at) sessions the next day! Now, that makes for a very long four days of conferencing. Both my professionalism and my waistline were disappointed in me. In that order. But during that first COSAC I met some friends from all over the world that I am still in touch with over the years. We keep in touch through our Signal group and even have weekend conference calls during this lockdown. It’s funny how we’ve also ‘grown’ together over the years — many of us have become vegans and vegetarians and have (almost) stopped drinking. I don’t know whether this is a direct response to COSAC’s sumptuous plating, but #justsaying. So here’s the fine-tuned strategy. In the morning limit yourself to healthy yoghurt, fruits, eggs and #millennial avocado on toast. Do not, I repeat DO NOT go full English breakfast. For lunch there’s usually a buffet or 3 courses served. If it’s the buffet, go for a sampling strategy. Keep it minimalist. If it’s 3 courses, that’s fine — just don’t eat the dessert that somebody else chose not to eat ‘because it’s a waste’. That is a rookie mistake, my friend. For dinner, you’ll have anything from 3 to 6 courses. Eat the food, that’s fine. Don’t eat all the bread they keep replenishing even if your courses take a while (or you will risk doubling your calorie intake). The Killashee staff will kindly offer you a glass of wine with every course — this is where you must be strong and go for water instead.
Pro-tip is to put your wine glass upside down. Or have 1 glass for the entire dinner if you insist. Between meals there are scones, brownies, fruit cakes, hors d’oeuvres, alcoholic beverages in the bar (before and after dinner). Do you understand why I tell you to pace yourself? Oh, and forget about that plan where you bring your running gear to take a morning run in the garden to compensate for the food. Believe me, I tried that. But you have got to choose between going to sleep at a reasonable time and talking with your new best security friends until you can’t stay awake. Turns out even introverts choose the latter. So let’s move on before you think COSAC is only about the food. It is not. It is just a very important, memorable part of it. Many times I have sworn not to eat anything in the week after COSAC.

After you arrive in the hotel on Sunday there is an opening reception and dinner. Organiser David Lynas, one of the original founders of SABSA, addresses the crowd. This is both welcoming and disconcerting to newcomers. He always famously says: “There are no strangers here. Only friends you haven’t yet met.” This is true. He also tells you that if you put any form of sales content in your presentation, the audience will throw tomatoes at you. And that you may have made 40 slides, but you won’t make it past the 1st slide as a gigantic discussion ensues over just the title of your session. Having discussions is secretly what COSACians enjoy best.

Monday kicks off with a full-day Masterclass. COSAC in its entirety is split up into three tracks (which I would classify as Non-technical Security, Technical Security and SABSA). Participants are still fresh and eager to do whatever speakers tell them. A wonderful tradition is the SABSA Design-Off in the SABSA track. Its participants are asked to design a quick architecture for a real business case. Can’t be too enthusiastic about it, because I have my own Masterclass to host this year. Still need people to show up to my session instead of theirs. And this brings us to COSAC FOMO. At any point of the day you have to choose between three sessions that may be of equal interest to you. I know what you’re thinking “Nah, I’m fine at other conferences — I have specific preferences”. COSAC is not like this. To be accepted in the Call for Papers you need to bring something unique, innovative or quirky. Take it from a sixth-year speaker (having up to four talks accepted in a year). And this may also mean that you miss one or multiple of your best friends’ sessions, and this is sad.

Tuesday and Wednesday are filled with one-hour sessions on a variety of topics. People are reasonably awake at this point of the conference. You will however find that at some times during the day participation becomes lower or less active. For instance, people might still be at breakfast at 9:30am after a late night in the bar. The session after lunch is infamously called ‘the graveyard shift’ as everybody will be sleepy due to sugar crash. At 5pm you as a presenter are the only thing standing between the audience and their beer + canapes. In between you can expect participation in a session like you’ve never seen it. Some guidelines in case you are presenting:

  • First of all, sales content is prohibited, so the session is actually about something. I have not personally tried what happens if indeed you get tomatoes thrown at you for including sales content. In general, I go no further than including the Deloitte logo on my slides.
  • Secondly, as a presenter you are more there to ‘facilitate a discussion’ than to get through your slides. This means that as a presenter you can never fully predict where your session will go — except it won’t go the way you practiced it. This makes presenting at COSAC a great place to hone your presenting skills. Just make sure you bring the right mindset.
  • Also, don’t be sad if only 10 people show up. You might be up against ‘legends of COSAC’ in the other tracks. Or they might be having the greatest of security conversations over scones. It doesn’t say anything about the quality of your session or the value those 10 people will get from it.
  • Sessions may last longer than the intended time frame, if the great discussion taking place calls for it. Participants don’t mind, the next speaker won’t mind. Yes, there have been sessions that have overrun dramatically, eclipsing entire follow-up sessions. Don’t be surprised if it happens.

If you are not going to present, good for you. It means you get to sit back, relax and meet great people. I call the people from COSAC ‘my security family’ — really, I even said it on video, so it must be true.

From the newcomers you can almost immediately tell who’s COSAC-material and who’s not. If I’ve met you IRL and told you to come to COSAC, then I’ve deemed you COSAC-material. The following tips apply for newcomers:

  • Tip 1: Do not wear a suit. COSAC dress code is quite difficult to be fair. There is a ‘gala night’ but close to nobody shows up in gala. I blame the men — most of the women still try but it’s a bit embarrassing if all your friends show up in a T-shirt. I’ve tried business casual, I’ve tried casual and then there’s always the COSAC polo / T-shirt handed out every year. It’s complicated. But it’s definitely not a suit.
  • Tip 2: Do not hand out business cards. At least not without having talked to each other in the bar for at least an hour. You wouldn’t hand out business cards to your family, would you?
  • Tip 3: Do not talk about security all the time. To make a proper connection with the person standing in front of you is the most important thing to do. We are all seasoned security professionals and have likely discussed the intricacies of Zero Trust over and over. No need to spoil good Guinness over it.
  • Tip 4: Embrace the ‘Dutch Contingent’. We always show up with a surprisingly large number of Dutch people despite this being a global conference and us being a tiny country. This means there will be plenty of Dutch jokes and counter-Dutch jokes. You can make yourself seem like a regular by yelling “Blame the Dutch!” through the room during one of David’s speeches. Everyone will nod in agreement. The Dutch will loudly protest.
  • Tip 5: Participate in shenanigans and pranks to feel like a true COSACian. COSAC simply requires that shenanigans take place. You can join or imitate the regulars. Do I really need to tell you about a multi-year feud over the disappearance of forks or the misplacement of somebody’s favourite tea?
  • Tip 6: Do not try to attend all the sessions. A big part of the value of COSAC is to be found outside of the sessions, sitting and talking on the couch in the main hall. I know that’s weird to do for a conference you may have paid good money for, but trust me. And go and get some extra sleep if you need to. Since you were probably having a great discussion with somebody in the bar until very late the night before, there’s no shame in it!
  • Tip 7: Bring a prize for Quiz Night. Quiz Night is one of the most highly anticipated and dreaded COSAC evenings at the same time. Partly because dinner lasts well after midnight, partly because there is no way you’ll know any of the answers to the quiz. But you can try. Valiant souls that persist throughout the evening get a prize brought in by participants. This is typically something from their own country, such as cheese, chocolate, wine and strong booze. You’ll fit right in like a regular!

There are various special sessions at the end of Tuesday and Wednesday. One of them is the Plenary Session (about the highest scoring paper that year — I did one two years ago). Another is the rump session. This session is ‘a conference in an hour’. Throughout the week everybody gets to submit supershort abstracts that can be about any topic you’d like to talk about. Sometimes these are serious, sometimes they are about your personal hobby, and sometimes they are very silly. You get about three minutes on stage in front of all conference participants — and don’t you even think about going over time! Thursday is a day where participants are clearly tired from the week. If you have a session on Thursday, don’t plan anything too ambitious — participation is lower, some people will be flying out earlier and they are generally sleepy. I have a Thursday Masterclass this year and we’ll be designing a Security Architecture board game and having the participants play it after an introduction on the design process. This is about the level of complexity people can take on Thursday.

If the above did not convince you, I would like to share the conclusions of a rump session from my friend and fellow COSACian Valerie Lyons. She distinguishes four types of conferences:

  1. Those with many sponsors. The organisers of these conferences typically make their crust from vendors who pay a sponsorship package and in return get a half-hour slot on a stage — and they profit again from the ticket charge for attendees. Sponsors can pay in excess of €25,000 for a key half-hour on a stage. Some conferences can charge even more for a keynote slot.
  2. Those with one or two key sponsors. Typically, these sponsors cover the cost of a dinner or drinks reception and receive a slot in the agenda in return.
  3. Those who have a ‘call for papers’ and blind review the submitted papers. A committee typically selects the best papers and invites speakers based on their selection. These conferences profit from either annual membership charges, or tickets, or both. These types of conferences can also frequently have a key sponsor, who may sponsor a drinks reception or a key event.
  4. Those who do not have a call for papers and do not have a sponsorship programme. These conferences tend to be not-for-profit and are typically run by expert groups. Speakers will be invited by the chair of the group.

There is little to no quality control on sessions from sponsors. They therefore end up being quite high-level or simply a sales pitch. Those with a Call for Papers (like COSAC) tend to attract high-quality speakers, with practical and thought-provoking presentations. As both the COSAC conference and the networking take place in the same hotel, it creates a wonderful immersive experience. Read Valerie’s full blog on how to pick the best conference for yourself here. But it should be COSAC. Period.*

I have nothing to gain from writing this article that puts COSAC in a rather positive light. Well, apart from expanding my security family there with your attendance. I am in no way remunerated or reimbursed by the COSAC Security Conference team.

Read more about COSAC’s COVID-19 measures here. They include a provisional booking facility, social distancing preparation and contingency plans.

Originally published at https://www.linkedin.com.
