Halfpoint - Fotolia

This year's DerbyCon conference will be the last

Citing an inability to manage 'negativity, polarization, and disruption' at the conference, DerbyCon organizers unexpectedly announced this year's show will be the last.

Independent infosec conference DerbyCon will shut down after this year's show, and the unexpected development has sparked strong reactions from the infosec community.

DerbyCon, which was founded in 2011, will host its final conference Sept. 4 to 8 in Louisville, Ky. The infosec conference had grown from a small, grassroots gathering to one of the more popular and beloved events in the community.

But in a blog post announcing the closing of DerbyCon, co-founder Dave Kennedy wrote "a small, yet vocal group of people creating negativity, polarization, and disruption" had made it increasingly difficult to manage the conference. As a result, he said, the organizers felt the best option was to end the show after this year.

"What we have had to deal with on the back-end the past few years is more than just running a conference and sharing with friends," Kennedy wrote. "The conference scene in general changed drastically and small pocket groups focus on outrage and disruption where there is no right answer (regardless of how you respond, it's wrong), instead of coming together, or making the industry better."

Kennedy, who is also founder of infosec consulting firm TrustedSec in Strongsville, Ohio, criticized the small but disruptive minority that, he claimed, was interested only in "self-promotion to advance a career, for personal gain, or for more social media followers." As an example, he described one situation that occurred during last year's conference where an attendee was "verbally and mentally abusive" to DerbyCon volunteer staff and security; organizers, however, declined to remove the individual from the conference for "fear of repercussion" and a concern that such action would "upset the masses."

In a statement on Twitter, Kennedy clarified his blog post and emphasized the decision to close DerbyCon wasn't based on one person's behavior. "It was a culmination of things we've had to deal with over the years, not just one thing."

SearchSecurity contacted Kennedy for additional comment. He declined to discuss further details about DerbyCon and the decision to end the conference, but in a conversation via Twitter direct message, he wrote he was concerned about "the current state of conferences" in the industry. "It's not just us -- quite a few looking at throwing the towel in," Kennedy wrote, though he did not mention specific conferences.

Reactions from the community

DerbyCon's announcement elicited a range of reactions from members of the infosec community. Many security professionals, such as Marcus Carey, CEO of Austin, Texas-based cybersecurity company Threatcare, lamented the end of DerbyCon and praised Kennedy and the organizers for their efforts over the years.

Casey Ellis, founder and CTO of Bugcrowd, a crowdsourced security platform headquartered in San Francisco, commended Kennedy and the organizers and noted the positive effect DerbyCon has had on his career.

Lesley Carhart, principal threat hunter at Dragos Inc., an industrial control system security provider based in Hanover, Md., praised DerbyCon for its focus on technology and industry networking over vendor-driven business.

Other members of the industry were critical of DerbyCon and its organizers. Johnathan Nightingale, author and former vice president of Firefox at Mozilla, took issue with Kennedy's blog post.

Kennedy noted in his blog post that he wanted "DerbyCon to be a bright light in the darkness where regardless of race, gender, demographics, or worldviews, you could feel welcomed by a group that would accept you." However, instead of people "coming to a conference to learn and share," Kennedy said it became more "about how loud of a message a person can make about a specific topic, regardless of who they tear down or attempt to destroy."

Despite this message of inclusivity and community, a large portion of those responding to Kennedy's announcement on social media came from an angry contingent complaining about "social justice warrior" sentiment and attacking those who wanted DerbyCon to take complaints more seriously and provide a safer environment for attendees.

Cris Thomas, a noted cybersecurity researcher and global strategy lead for IBM's X-Force Red, penned an extensive Twitter threat that criticized several aspects of how Kennedy and the organizers handled the overall situation.

In his blog post, Kennedy said DerbyCon's organizers did explore several options to address the conference's issues but felt that wasn't the direction they wanted to go. "We looked at hiring third-party crisis management companies to deal with people directly, we looked at having entire companies run the conference where we would become more of the direction and vision, but at the end of the day, that is not why we started DerbyCon," he wrote. "It's taken a personal toll on our lives, our businesses, and our friends, and it has gotten to the point where we don't want to manage it anymore."

Editor's note: Senior reporter Michael Heller contributed to this report.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing