I’ve been the training chair for the Annual Computer Security Applications Conference since 1990. In my over 20 years in this position, I’ve seen what was a very popular training program decrease in attendance. Whereas in the past we regularly had attendance for courses in the 15-35 student range, of late the attendance has been in the single digits (of course, there are always a few exceptional courses). That’s true again this year, even with (what I believe to be) one of our strongest training programs in years (look at Monday and Tuesday). [I certainly encourage all of my readers to attend the conference, and to encourage your friends to attend and take training courses.]
I’ve been trying to figure out the reasons for the decline in the program, and what to do about it. This post is part of that effort: I’d love comments that might help me figure out how to move the program forward in the future. Here’s what I think are some of the problems:
- Publicity. As always, our publicity for the courses is poor. They tend to be subsumed into the technical program, and it is difficult to figure out what is a tutorial/training course and what is not. Part of this is due to how the Advance Program has changed: there used to be a separate section highlighting the training program and the courses, and it’s not there anymore. Part of this is due to a change in format: I’m of the strong belief that our move to electronic notification methods makes publicity in general less effective. People ignore email blasts and web pages except when they are seeking information. At least with mailed advance programs, if the target wasn’t interested, they could put it on a board or hand it to a colleague.
- Growth of the Field. When ACSAC started back in the late 1980s, it was one of three major computer security conferences: ACSAC, IEEE (Oakland), and the NCSC. Today? There are hundreds and hundreds of conferences, each providing their own aspect of training. There are also online webinars, courses at local universities, and such. People don’t need to go to ACSAC to get their training, especially in a short course format for which they pay $$$.
- Changing Budgets. Related to the last point is the change in budget. It is harder and harder for commercial contractors, defense contractors, and government to get funds to go to conferences. When they do, they need to be able to get something they can’t get elsewhere. That’s certainly true for the technical program–you only get the papers at the conference. That’s also true for workshops, where there is interaction with others in the field. Training courses? As noted above, those are increasingly available. With tighter budgets, it is harder to justify travel dollars for courses, even with CISSP requirements.
- Changing Audience. One problem the conference has had is a changing audience. We’re working to fix that, but right now, the conference has become more academic. Contractors and government need tutorials to keep abreast of a changing field (and to maintain their CISSPs). Academics? Much less so. As the conference has become more academic, I believe the interest of that side for tutorials has gone down.
So what should the conference do about the situation. I haven’t fully worked that out yet. We already have an effort underway to restore the mix of the conference. Hopefully, this will increase the participation of industry and government. Doing that should help out the training courses some. Beyond that, however, what should we do? Here are some ideas:
- Reduce Tutorial Days. If we reduce the number of paid tutorials, we can ensure that what we do present are the strongest and most attractive. I’m thinking right now of experimenting with only a single tutorial day (3 tracks), and using the second day for something training-related in a different way. Perhaps this might be more workshops related to the conference theme; perhaps this might be more interactive seminars.
- Integrate Tutorials Into The Conference. Right now, we have two training approaches. We have our formal tutorials, for which attendees pay separately, and our government track, which has training sessions during the conference and is included in the conference fee. We could eliminate the training as a separate gated event, and just have a training track across all the days of the conference. This would provide more space for technical papers and discussions, and may increase attendance at the training courses.
- Fix the Topics. I’ve begun to realize that general introductory topics are not good draws, even though they may be good courses. If I could get the material at a local university course, why have it at the conference? Our topics need to either be unique or something that clearly cannot be easily gotten elsewhere. Looking at our top draws this year, they are topics you are not seeing elsewhere. In past year, a regular strong draw was a tutorial on botnets. We need ACSAC-unique topics… and I need to find presenters to propose them.
Right now, I’m just at the musing stage on how to fix things. I’d welcome your ideas.