Cons, they are the ultimate thrill ride for many in the Information Security business. A chance to get away from work for a week, to drink heavily and listen to talks, to try and get an eyeful of your favorite InfoSec Rockstar as they hang out with other rockstars in the hotel lobby.
As many industries have learned over the past decade, conferences are big business, and a life cycle in and of itself in the industry. Speakers get paid to talk at conferences, sharing new ideas while also advertising for their employers. The masses flock to hear what a speaker says, using a company's allotted training budget. Conference attendance helps build an employee's experience and provides for Continuing Professional Education (CPE) points that apply to contract-mandated certifications. Knowing that such masses are gathered in one spot, large organizations shell out tens of thousands of dollars to sponsor and add their own pieces of flair to a designated conference under their advertising budget.
It's a win-win-win for everyone, and works at every financial scale of the industry. Grassroots conferences work at extremely limited budgets, while hundreds of thousands of dollars flow around Black Hat events where registration and training at Black Hat Las Vegas could set your company back $5,000.
And then... there's you. Fighting the crushing blow of continuous work cycles, not enough resources to even get an hour off for dental work, and no training budget to speak of. Working in the trenches, how do you get to experience this lifestyle and still make your numbers work?
Conference Proposal:
Your primary solution to attend conferences is to provide the perfect pitch, in the form of a conference proposal. This is done either to your immediate management, your client, or to your significant other. Treat this as a Risk Analysis report, where your company and/or team may suffer from an immediate computer-related risk due to you not being able to attend. As with all Risk Analysis reports, you will have to keep a fine balance between costs and the return on investment.
Attendance will likely mean some sort of sacrifice on your part. Don't expect a full ride at first; be prepared to float most of the costs. Since we're likely working on a personal budget, as well as a miserly corporate one, we'll need to source budget-friendly methods of attending.
Step One: Pick Your Conference
When asked about a prominent security conference, the top responses are usually Black Hat Vegas, RSA, DEFCON, or one of the SANS conferences.
What people fail to realize is that there are literally hundreds of security conferences, occurring year-round across the globe. It's often said that you can't go a single week without seeing news of a con, an issue that has been highly lampooned by others. But, there's no doubt that there is a conference that's ripe for educational pillaging in your neck of the woods.
Working in Ghetto Forensics, we need to focus first on our cheaper conferences so that we can build up the ammunition required for justification to the big ones. How do you find these conferences? Sites such as SECore (the SECurity Organizer and Reporter Exchange) track the various types of conferences, grouping them by industry, region, and cost.
Security BSides
A casual perusal of SECore's immense database will show you a large number of "BSides" events. Security BSides started as a grassroots movement to empower up-starts to produce their own professional information security conference with little risk. Recognizing the potential for information sharing by providing a low-cost conference alternative to the big names, BSides events have popped up across the globe, some selling out within hours. Volunteer-run and managed, BSides conferences are often more relaxed and informal than professional conferences, in intimate environments that allow you to easily buy a beer for your favorite speaker and ask questions on how to apply their ideas to your environment. And, most important of all, BSides events are free to attend.
Conference costs:
After finding a conference within your region, evaluate the sticker shock of the conference and logistics. A conference registration under $250 will likely require little negotiating for approval. A free conference will probably require none at all. This will vary per environment: if you typically have to fight to get valid licenses for just Windows and Word, you may want to stick to the free conferences. Remember your Risk Analysis; you will want to provide a number that won't immediately cause a refusal by management.
It is entirely possible to reduce, or skip, registration costs altogether. Many conferences have early bird specials where registration is reduced greatly months in advance. Others provide promotional codes to local companies or user groups to garner local attention. When a conference is in your town, being a member of a local security group, or Linux User Group, could pay dividends.
One can always generically search for promotional codes, a standard tactic for savvy web shoppers for years. Using sites like RetailMeNot, it's amazing what you may find...
For cons that are just completely out of your price range, or are already sold out, a possible way to attend could be to volunteer. This is especially useful at BSides events, where most functions are managed by volunteers. For professional conferences, however, you'll find that all of these tasks are managed by an event management company. It doesn't hurt to ask.
SANS conferences have a fair compromise for many attendees by offering a Work Study program. You can attend their training at a reduced rate of $900, but you will also be working 12+ hour days as a classroom helper and putting in a lot of effort to help make the class run.
"Time Off":
Time is one of the most critical items to your employer. Most will balk at paying an employee to spend three days away, so expect to use personal time (PTO) to cover your time at first. Don't worry, the goal is to eventually get your time paid for while in attendance, but it takes effort to get there. Many conferences are weekend-based, or at least Friday/Saturday, so there are often few hours to make up on client-site to be able to attend.
If using PTO is out of the question, inquire about front-loading your hours (working 4-10's) or making time up on another day.
Travel Costs:
Oftentimes, the most expensive portion of a conference is in the logistics to attend it, such as airline and hotel lodging. These expenses are easily forgotten during conference planning and can cause issues, especially as airline costs rise as the conference date approaches. It's important to plan early and monitor prices constantly.
Tracking airline costs has become easier in recent years. Kayak.com allows you to search for a flight across multiple airlines, and also continually performs that search weekly to provide you updates as the costs increase or decrease.
Both Kayak and Bing Travel provide Cost Confidence metrics, providing insight on whether it's best to buy now or wait for a lower price.
Old adages of travel still apply: Never book flights near the weekends. Always wait until Tuesday or Wednesday to do your searches, the days when fares are cheapest. However, for your Conference Proposal you'll want to build in price slack. Quote a Friday price and buy on Tuesday.
Remember: Even if your company is paying, you will profit by putting in the elbow grease to ensure the cheapest costs.
Lodging Costs:
Hotels are often the most expensive item for many conferences, but the costs are usually offset by a block-discount rate for attendees at the conference. While this group rate is definitely cheaper than the "on-site booking" price, it may not be the cheapest rate. Gather the rates, then search for all other rates available, which would include AAA and government rates.
Those on government travel often find the greatest deals with the per diem rate found at hotels. With travel orders or a government CAC (Common Access Card), one can register under the per diem rate. However, at times this may be more expensive than all other rates, especially in areas where there is a large military presence. Hotels know that govvy travel bookers automatically choose per diem rates, even when their standard hotel rate is cheaper.
Twice have I been asked to supply government ID (CAC) for receiving the government rate, in dozens of stays, so keep your ID on you just in case.
Alternatively, you may choose to stay off-site at another hotel. This approach has its benefits and drawbacks. You may find a slightly lower-class hotel a block down the road for half the price, a great savings in exchange for a short walk.
The Hotel Next Door
For example, with DEFCON currently being held at the Rio in Las Vegas, attendees face a room rate of between $104-118 per night. However, just one block away is the Gold Coast where a standard night is between $34-60 for a room just as nice. Having stayed at the Gold Coast in 2012, I found zero lines for breakfast and lunch, a much quieter atmosphere, and a six-night stay cheaper than three days at the Rio.
Using services like Priceline.com or Hotwire.com, I'd often received $45 rooms a few blocks away compared to the $150 conference rate. When staying for three nights, that's basically receiving two nights free. The major downside to this is that the chosen hotel may be too far away. At this past year's Shmoocon, Priceline put me at L'enfant Plaza while the conference was held near Union Station. While only a 1.5 mile difference, the DC metro stops and walking mandated a 30 minute commute each way. Being offsite also limits your baggage, forcing you to leave the laptop behind or check it with a concierge.
Don't just blindly search for hotels, especially when using sites like Priceline. Resources such as BetterBidding.com can provide detailed hotel listings (at each star level). For example, RVASec is approaching with the preferred hotel being the Crowne Plaza Richmond Downtown at $112/night. Not a bad deal, but let's dig deeper; we may be able to get into the same hotel for a fraction of the price. A search on BetterBidding's hotel list for Richmond Downtown shows eight hotels downtown, that the preferred venue is a 3.5* hotel, and that there are two other hotels with the same rating.
We then take the addresses for these hotels and plot them in comparison to the venue and the conference hotel:
As the conference is off-site from the hotel, there is already driving involved. The conference is at the top-left marker and the con hotel is at the bottom-most marker. The rest are within the same area and a reasonable walk to the con hotel (for meeting with other attendees), with the exception of the one hotel off West Franklin (the Doubletree Hotel). However, as the Doubletree has the same star rating as our con hotel, there is a risk that we'll end up there. At a 12-block (0.8 mile) distance, the risk may be too high for some, who would then want to limit their bids to a lower star rating.
You may also want to scour other nearby Priceline regions. If the venue or con hotel is on the edge of your first region, it may be closer to hotels from a neighboring region.
Begin a Priceline bid and choose the selected region and highest star level that matches the con hotel. Find the "offensive" price by trying sequential low-ball prices in the dialog window ("Tab" out, but don't submit) until you find the lowest value that doesn't provide the bright red window below:
Our lowest non-offensive price is $30 for this star level and region for that time period. This price varies per date, so always check ahead of time. Anything within $10-15 above that value is likely to get rejected, so I attempt for $46. When faced with a rejected bid, you may have to reduce your star level or look to other regions. Each neighboring region has moved our distance from less than a mile to about 8 miles away. I choose Richmond West, which has lower-end hotels. This eventually netted me a stay at a well-reviewed 2.5* hotel for $47/night.
Star Levels:
There are many pros and cons to various hotel star levels. As a personal rule, I tend to stay within the 2.5 to 3 star level range. Dropping to 2-star hotels often puts you into undesirable locations or very old and uncomfortable buildings. Anything higher than 3-star and you're being nickel-and-dimed for each and every expense. You don't want to blow your savings on $15/day Internet charges just to have the experience of a doorman.
The Priceline Upgrade:
Oftentimes, the hotel you get may be an upgrade. While attending Derbycon 2012, I chose the Priceline route and was booked at the Galt House. While it was a four-block walk, there were indoor walkways connecting the hotels, and I had a great room that overlooked the Ohio River for $48/night.
Presenting Your Case:
The most important part is to provide your findings for approval. As many have found, simply asking to go to a conference will be met with quick rejection. As mentioned earlier, this needs to be pitched as a Risk Analysis. That requires that you build up a case for attending, and a case for not attending.
First off, find the schedule for the conference and note talks critical to your business infrastructure. Highlight these topics, taking special note of brand new topics or unique opportunities. Don't just show the topics, but put together an itinerary of which talks you will be attending for the entire stay, ensuring that there are no gaps. What you do when you arrive may vary, but you'll be presenting a solid case for a full work-day of training.
Leverage your certifications, such as the CISSP, which require continuing education "points". If your employer requires you to maintain a certification for contract bids or client work, then conference training should be presented as a way to ensure you maintain it.
Present a full budget for the trip, including hotel and transportation. Steer clear of requests for food, taxis, or car rentals; stick to the primary items. If you plan it well, you may not have to pay for those items once you arrive.
If you're finding little traction, be sure to emphasize the sacrifices that you're willing to make to attend. These could include using PTO, eating on your dime, or even paying for one night of hotel out of pocket.
Leverage your training budget, if you have one within your organization. There may be limitations on what this budget will cover, such as only the registration costs, but that does help lower the overall sticker-shock price of the trip.
And, overall, start small. Conference attendance is an exercise in trust between you and your employer. They want to see a return on their investment, but don't want to risk a large amount of money on that. By starting with small and inexpensive conferences, and continually showing your gained education and experience back to your organization, you'll pave a road for a greater budget.
Have additional ideas for saving money or convincing management to let you travel? Post them as a comment!
Coming Soon in Part Two:
How exactly do you show off your learned experience on your return to guarantee funding for your next trip? How do you make a conference-friendly working environment to allow your coworkers to attend as well? How do you manage the day-to-day expenses while at the con? We'll cover those in Part Two of this post, coming soon.
Disclaimer: While these tricks can be used to travel as cheaply as possible, they should not be construed as indication of lack of training or expense reimbursement from my employer. I do have a training and conference budget, but my company is also an ESOP, so I go out of my way to ensure that I don't squander my training budget on unnecessary frills, allowing me to squeeze more conferences into the same budget.