DerbyCon's Dave Kennedy: The conference 'got too big'

DerbyCon co-founder Dave Kennedy discusses his decision to close down the conference and what he would have done differently.

DerbyCon has been one of the more popular smaller infosec conferences, but last week, its co-founder, Dave Kennedy, announced this year would be the final event.

Kennedy, who is founder of TrustedSec LLC and co-founder of Binary Defense Systems, said in a blog post that DerbyCon had gotten to the point where he and his team didn't "want to manage it anymore."

He cited repeated problems, such as handling incidents between volunteer security staff and attendees, and an overall "toxic environment" in which organizers saw "a small, yet vocal group of people creating negativity, polarization, and disruption, with the primary intent of self-promotion to advance a career, for personal gain, or for more social media followers."

Kennedy asserted that, in general, the issues DerbyCon faced were present at other conferences, and they were "getting worse each year."

We spoke with Kennedy via Twitter direct messages. He declined to discuss specific incidents that led to the decision to shut down the conference, but he shared his thoughts on the challenges facing industry conferences and what he would have done differently with DerbyCon.

Editor's note: This interview has been edited for clarity.

What are issues you would suggest smaller conference organizers look out for and maybe learn from your experience?

Dave Kennedy: Not really sure what advice I can issue to other conferences; it's more of what the current state of conferences are today. It's not just us -- quite a few [are] looking at throwing the towel in.

I would just say, in general, keep conferences in smaller sizes and don't grow large. Large groups of people become difficult to manage.

You did say in the blog that DerbyCon grew much faster than you expected. If you had to do it again, would you have tried to limit that growth more?

Kennedy: Without question. Our goal with growth was really made out of feeling bad because we sold out so quick, and [we had] no good way to get folks that wanted to come to the conference. Looking back, I think that was a mistake. Staying around 1,000 [attendees] would have been a more manageable number.

Why couldn't outside services help with the growing needs? How difficult is that for smaller conferences?

Kennedy: Extra security usually isn't a problem, even for smaller conferences. We have off-duty police officers at our events, and [that] has worked well.

Charities can be tough, because you are looking at the attendees to help with it and usually the more, the better, but [that's] not always the case. We raised more than DEF CON year after year for [Hackers For Charity] with much smaller numbers.

How did DerbyCon vet potential security staff, and what training or policies were implemented?

Kennedy: DerbyCon is largely a volunteer staff based on recommendations or individuals that are in the security industry that come highly regarded or referred. As [are] most conferences, such as ShmooCon, DEF CON, BSides and more. We rely heavily on off-duty law enforcement at the events, which are present, and the security team to address any conference issues. There is formal training before the conference, established escalation criteria, and incident reporting through the conference. After the conference, we have an after-action debrief, and go over each incident and identify any areas for improvement.

There have been some complaints about DerbyCon in recent years, and it seems like there's been too much smoke not to suspect fire.

Kennedy: We ran almost a decade -- no fire, but everything was made out to be one. It consumed our time. We just burned out. People aren't civil anymore, and it became more than we wanted to handle. It wasn't always like this. The first few years were amazing. Then, we got too big. We will hold one more as a last hurrah and celebrate the awesome times we've had.

I really do wish we just laid everything out on the table. But, honestly, it wouldn't help the situation anymore. And, honestly, it's not appropriate to single anyone out or to go after people. It's over with, and there's no reason to rehash. What I'll say is that while it broke my heart to do it, I know it was the right decision. What I see on the [Twitter] timelines is so far removed from actual events that it's just not worth it. It was time, and I always said when I'm not having fun anymore, it's time to stop. We all as organizers got to that point.
