Hello everyone! In this episode, I want to talk about VMconf 22. It was an experiment from the beginning. Is it possible to host a Vulnerability Management event with little effort and budget? Looks like no. So I would like to talk about why the original idea failed and the future of VMconf.

The initial idea was to create a website, announce the launch of the CFP in social networks and everything else will happen automatically. People will apply and all that remains is to choose the best talks and manage the stream of the event. Well, no, not really.

The hypothesis test cost me $5 for the vmconf.pw domain name. I used my main hosting, made a website myself in one evening, registered email addresses for the domain on a free service, and added a conference description to the wikicfp catalogue.

So the CFP time has passed and there have been no submissions. And after all my attempts to invite people directly, mainly on LinkedIn, the situation has not changed. There were exactly 0 submissions. But why? I think these were the main reasons:

1. There are not so few people who work in the field of Vulnerability Management. But we need an intersection of people who at the same time have something to say about, who want something to say and are ready to participate in this particular event. The number of such people is relatively small.
2. It is necessary to establish a connection with these people. It doesn’t happen automatically. It’s more like cold calling. To be effective, there must be a kind of sales funnel. This is a full-time job, quite stressful for an introvert.
3. It is natural for people to think that other people will react or behave in the same way as themselves. For example, I don’t remember turning down an offer to talk about Vulnerability Management at a thematic event. But most of the people I invited just ignored my messages, others refused. A minority said that they could participate, but did not submit anything. Anyway, I am very grateful to everyone who answered. And I understand those who did not.
4. Motivating speakers is a difficult topic. What can motivate a speaker? The prestigious status of the event, a huge audience, the opportunity to visit an interesting place for free, have fun, have a delicious meal, receive gifts or even some money. When there is none of this, but only ideas of community building, it is much more difficult to sell.
5. It is easier to find and negotiate with a security speaker (without specifying a specialty) than with a vulnerability management speaker. Because there are fewer of them. This is why it is easier to make a general security event than vulnerability management or other targeted event.
6. There are some places where you can find a lot of Vulnerability Management speakers. I am talking about VM vendors and their partners. These companies can even motivate the speakers to participate. It is much easier and more efficient to deal with such companies. But their main interest is, of course, marketing. And if you want to do a completely independent event, it can be difficult to find the right balance.
7. The second week of January is not the right time for events. This is just after the holiday season. December is a busy time because it is the end of the year. This year the situation with log4j also played a role.

So, I found myself in a situation where I did not have speakers for the upcoming event. What options did I have:

1. End the experiment and completely cancel the event.
2. Move the date somewhere in the middle of the year, restart the CFP, spend more resources on inviting people, order ads on social networks and seek help from friendly web-resources.
3. Delegate this organizational work to professionals and get help from one great VM vendor. Yes, that was an option, and I am very grateful for this offer. But there was a danger that over time it would become a classic one vendor event.
4. Convert VMconf to something completely different.

Well, after a little thought, I decided to choose the fourth path. I still want VMconf to happen, but I don’t want to spend much more resources on it and don’t want to give it away. That is why I decided that VMconf 22 would not be a one-day event, but a kind of “ongoing event” that will last until the end of the year. Anyone will be able to submit a YouTube video of the VM talk to cfp@vmconf.pw, and it will be added to the VMconf site and other resources. The only requirement is that at the beginning of the video it should be said that the video was made for VMconf 22.

Last year I made 34 videos for my blog. I’ll be recording them this year too, and some of these videos will be released for VMconf 22. This will be my contribution. If someone also takes part – it will be great! If not, then it will be my strange solo performance, but it’s okay. At the end of the year it will be more noticeable whether we have a community behind all of this and what the fate of VMconf 23 will be. So this is the new plan.