Independent infosec conference DerbyCon will shut down after this year’s show, and the unexpected development has sparked strong reactions from the infosec community.
DerbyCon, which was founded in 2011, will host its final conference Sept. 4 to 8 in Louisville, Ky. The infosec conference had grown from a small, grassroots gathering to one of the more popular and beloved events in the community.
But in a blog post announcing the closing of DerbyCon, co-founder Dave Kennedy wrote “a small, yet vocal group of people creating negativity, polarization, and disruption” had made it increasingly difficult to manage the conference. As a result, he said, the organizers felt the best option was to end the show after this year.
“What we have had to deal with on the back-end the past few years is more than just running a conference and sharing with friends,” Kennedy wrote. “The conference scene in general changed drastically and small pocket groups focus on outrage and disruption where there is no right answer (regardless of how you respond, it’s wrong), instead of coming together, or making the industry better.”
Kennedy, who is also founder of infosec consulting firm TrustedSec in Strongsville, Ohio, criticized the small but disruptive minority that, he claimed, was interested only in “self-promotion to advance a career, for personal gain, or for more social media followers.” As an example, he described one situation that occurred during last year’s conference where an attendee was “verbally and mentally abusive” to DerbyCon volunteer staff and security; organizers, however, declined to remove the individual from the conference for “fear of repercussion” and a concern that such action would “upset the masses.”
In a statement on Twitter, Kennedy clarified his blog post and emphasized the decision to close DerbyCon wasn’t based on one person’s behavior. “It was a culmination of things we’ve had to deal with over the years, not just one thing.”
SearchSecurity contacted Kennedy for additional comment. He declined to discuss further details about DerbyCon and the decision to end the conference, but in a conversation via Twitter direct message, he wrote he was concerned about “the current state of conferences” in the industry. “It’s not just us — quite a few looking at throwing the towel in,” Kennedy wrote, though he did not mention specific conferences.
Reactions from the community
DerbyCon’s announcement elicited a range of reactions from members of the infosec community. Many security professionals, such as Marcus Carey, CEO of Austin, Texas-based cybersecurity company Threatcare, lamented the end of DerbyCon and praised Kennedy and the organizers for their efforts over the years.
It’s a loss for the community that @DerbyCon is shutting down.
— Marcus J. Carey (@marcusjcarey)
January 14, 2019
Casey Ellis, founder and CTO of Bugcrowd, a crowdsourced security platform headquartered in San Francisco, commended Kennedy and the organizers and noted the positive effect DerbyCon has had on his career.
#derbycon 2013 was pivotal in my infosec career – first @bugcrowd sponsorship, @jcran joined the company, and the ~1M cyber > irl connections showed me that i was part of a much bigger & more awesome tribe than i’d realized before.
— caseyjohnellis (@caseyjohnellis)
January 14, 2019
Lesley Carhart, principal threat hunter at Dragos Inc., an industrial control system security provider based in Hanover, Md., praised DerbyCon for its focus on technology and industry networking over vendor-driven business.
What DerbyCon gave us that will leave a big void to fill: a medium-size, multitrack con which attracted a large swathe of OG and newer infosec folks, had a good lineup of speakers, but was not overrun by booth sales and marketing. It also encouraged chilling out and networking.
— Lesley Carhart (@hacks4pancakes)
January 14, 2019
Other members of the industry were critical of DerbyCon and its organizers. Johnathan Nightingale, author and former vice president of Firefox at Mozilla, took issue with Kennedy’s blog post.
Lot of security folks in my TL with love for Derbycon and sad that it’s going away. This post, though, oof. I dunno what happened last year, but if you had failed some marginalized attendees and wanted to shift blame, this is what it would sound like. https://t.co/bYiGCntjPb pic.twitter.com/LK1tYPQ8qK
— Johnathan Nightingale (@johnath)
January 14, 2019
Kennedy noted in his blog post that he wanted “DerbyCon to be a bright light in the darkness where regardless of race, gender, demographics, or worldviews, you could feel welcomed by a group that would accept you.” However, instead of people “coming to a conference to learn and share,” Kennedy said it became more “about how loud of a message a person can make about a specific topic, regardless of who they tear down or attempt to destroy.”
Despite this message of inclusivity and community, a large portion of those responding to Kennedy’s announcement on social media came from an angry contingent complaining about “social justice warrior” sentiment and attacking those who wanted DerbyCon to take complaints more seriously and provide a safer environment for attendees.
Cris Thomas, a noted cybersecurity researcher and global strategy lead for IBM’s X-Force Red, penned an extensive Twitter threat that criticized several aspects of how Kennedy and the organizers handled the overall situation.
</rant on> I am going to upset some people with this thread but I’ve been seething about this for days now and I need to say some stuff, about DerbyCon, publicly. TLDR; I am sad to see the con end but the entire situation has been handled very very poorly. /1
— Space Rogue (@spacerog)
January 17, 2019
In his blog post, Kennedy said DerbyCon’s organizers did explore several options to address the conference’s issues but felt that wasn’t the direction they wanted to go. “We looked at hiring third-party crisis management companies to deal with people directly, we looked at having entire companies run the conference where we would become more of the direction and vision, but at the end of the day, that is not why we started DerbyCon,” he wrote. “It’s taken a personal toll on our lives, our businesses, and our friends, and it has gotten to the point where we don’t want to manage it anymore.”
Editor’s note: Senior reporter Michael Heller contributed to this report.