DerbyCon Values, Safety, and Code of Conduct

This discussion spans much more than just DerbyCon as a conference; it concerns conferences in general and how to handle situations that arise.

DerbyCon since its inception has been an inclusive con for everyone (regardless of gender, race, or geographic location) in the INFOSEC community to work together to drive the industry forward, where barriers of cliques and statuses are removed and everyone can share their awesome life experiences, research, and work together. Also, since its inception, DerbyCon has always touted family values, which is apparent from some of our conference themes, as well as what we post on our website (all in the family, etc.). This year, we experienced a higher than average amount of diversity – people traveling from all over the world, a larger population of women, and a larger population of children.

We don’t have direct numbers to substantiate this, as this isn’t something we track, but it felt much different this year as far as the mixture of gender, race, geographic locations, and new attendees. Con attendees also told us on several occasions that this year was by far the best year ever for representation of diverse cultures and genders at the conference.

This year was, by far, one of the best years we’ve ever had as organizers. The feedback from conference attendees was that this year was the most prolific and hands-down best (and safe) DerbyCon, whether A. among those they’ve ever attended, B. as their first time attending, or C. as the best conference they have attended. Opinions vary for sure, but the consensus was that we hit this year out of the park with a safe and amazing conference.

We want this trend to continue, and it’s an amazing experience to see.

This is what makes DerbyCon: the ability for everyone from anywhere to come and experience an amazing conference and feel comfortable and safe.

It is truly an amazing experience to hear children in the rooms laughing and learning how to lockpick or program, as well as to witness a community that struggles with social environments actually sharing, meeting new people, being introduced, and being welcoming. This is what DerbyCon is all about and has been since its inception.

This year, statements were made, predominantly by outside individuals not attending the conference, about perceptions of DerbyCon and concerns about the safety of con attendees, centered most specifically on a code of conduct and its enforcement. We wanted to clarify and expand on how we handle situations and ensure safety at the conference.

About Our Code of Conduct

1. A code of conduct (albeit not directly called that, but it will be) has been printed in the handouts of each and every DerbyCon, stating what we expect as far as behavior and our values as a conference. This is and has always been enforced. When issues are identified they are handled, and the security team has done an amazing job each and every year.

2. We made improvements by posting a code of conduct on our site this year. This was done before the conference started, enforced (which it has been every year), placed in our handouts, and communicated during opening ceremonies.

From the site:

“DerbyCon is a conference where everyone and anyone is welcome. We are here as friends to share ideas, to learn, and to have an awesome time. Diversity makes us strong, and having a place where folks can be open and inclusive is our goal at DerbyCon. This means having equal respect and treating con attendees, staff, security, speakers, hotel staff, and anyone else attending DerbyCon with the same level of kindness and friendliness which align with our core values at DerbyCon. During your time at the conference, you can expect a safe, welcoming, and friendly environment. DerbyCon is a private event, and if there is unacceptable behavior, you may be asked to leave the con with no refund. If you are subjected to behavior that is unacceptable or unsafe, please report it to a staff or security member (designated in red). You can be assured that issues are taken seriously, and dealt with accordingly on a per case basis.

Our goal at DerbyCon is to have a safe and resonating impact on the security industry and at the conference. Thank you to all who make DerbyCon a success and for the continued awesomeness of the community.”

According to many, this isn’t a sufficient statement for most, and we recognize that we can get better and spell out in more detail what acceptable behavior is and how best to report incidents. We will get better. More info on this later in the post.

3. Our guidelines for a private event are enforced when someone fails to abide by them.

A good example of enforcement this year is that we had an issue with an individual causing altercations with con attendees. This individual was quickly removed from the conference lobby area by security, police were notified and responded (within 4 minutes), and the individual was asked not to return. Additionally, we received accurate updates during this incident until the individual was in his room (and passed out 30 minutes later). In turn, the attendees impacted by this individual responded with compliments, both publicly and privately, saying that the situation couldn’t have been handled any better.

In addition, after the conference was over, a review was launched into what occurred and how we could handle incidents better (lessons learned). In this case we decided that the individual didn’t meet the expectations of the conference as spelled out in our code of conduct, and he was notified that he was no longer able to attend DerbyCon in the future based on the number of issues experienced. We also followed up privately with the impacted conference attendees to let them know of our actions and how the issue was dealt with.

This is how we handle incidents; we do this every year, and it is not new. DerbyCon has always been and always will be a safe and welcoming conference. We also communicate expected behavior and its enforcement in our handouts as well as in opening ceremonies, which includes removal from the conference for not meeting appropriate and expected behavior.

Most security issues are handled and dealt with privately, as they are private matters and don’t involve the entire conference as a whole. As incidents are reported they are dealt with according to our guidelines as a conference, and we improve and learn each time something new and unique happens.

4. Handling situations that happen outside of a conference is a difficult and delicate matter.

When issues occur outside of the conference (such as domestic disputes), it’s a fine balance between prior events that have occurred outside of a conference and how to appropriately put protections in place to ensure nothing happens at a conference when there are allegations. Issues that occur outside of the conference technically do not violate a code of conduct, as the behavior did not occur at the conference.

This doesn’t mean that actions can’t be taken in order to ensure safety or prevent issues from happening. For example, if there is historical evidence of a con attendee being problematic at other conferences and we can investigate those incidents, there are direct actions we can take to ensure that they do not occur at our conference. This could be contacting or removing the individual based on severity, placing additional security around the individual, and communicating with security staff. In the past, when allegations about individuals have been brought up, we have properly and formally launched investigations to identify whether the individual(s) would be an issue for conference safety. This included contacting other conference organizers, evaluating legal options, reviewing submitted information, and putting additional security measures in place to ensure safety.

In addition, DerbyCon is run by a volunteer staff that makes the conference work. This means that there are times when personnel, both staff and security, make statements that are not on behalf of the conference. If any staff or security do not follow the same values, they will no longer be welcome on staff or security.

An example of actionable measures is that an individual spoke on behalf of the conference with inappropriate comments – clearly inappropriate, hostile, and not within the values of DerbyCon. In addition, they mentioned they were on staff for DerbyCon. We want to be clear, they were inappropriate and do not represent DerbyCon values or principles. This individual was (within minutes) removed as staff and did not attend the conference.

What Precautions Are Taken

1. We overstaff on security and make our security presence known at all times. This includes after hours and outside of the conference area (in the lobby, and through the bar locations). Security is in multiple areas of the conference, and well represented. The security staff is friendly and approachable, and goes through escalation-handling training prior to the conference in order to escalate appropriately based on severity.

2. We work very closely with local law enforcement outside of the conference event during parties to ensure that, if there is an incident that can’t be contained within the conference event, it can be turned over to law enforcement seamlessly. Fortunately, this year was the only year we’ve had to involve law enforcement due to a problematic attendee and we had an extremely low incident volume as a conference.

3. We investigate any issues reported to us immediately. They are handled in accordance with our security staff training, as well as escalation criteria to all of the DerbyCon staff.

What We Can Do Better

1. Outlining a more refined code of conduct – we have already embarked on this by asking a number of conference organizers about how they handle codes of conduct, as well as soliciting feedback on this topic from a number of prominent individuals within the community, and it is well underway. This was a commitment we publicly stated, and the discussion and work started the day after DerbyCon. Expect more from us soon on this front.

2. Contact information – the ability to report incidents that occur in the event that you can’t locate or identify a red shirt. This is important to us, and it also gives attendees a level of comfort to know that in the event that something occurs, they have someone they can immediately reach out to. That is why we have such a high security presence at DerbyCon, for availability. Having contact information in the form of a monitored email address or other methods is something we will incorporate in the future (and well before the conference starts).

3. Actions speak louder than words – continue to show our commitment to the attendees, and to the conference, its mission, and its safety. We do this every year, and will continue to improve and learn as new experiences and challenges are presented to us.

4. Having a larger presence of security personnel in the bar location area in order to address issues before they happen (hopefully) or to respond more quickly to issues that arise.

Wrapping things up

If there are staff and security that do not reflect the conference values and code of conduct, they also will no longer be staff or security. We want to be clear, free speech is free speech, but there is a line that gets crossed when an individual claims to represent our conference and is speaking on behalf of it. That is not appropriate and will be dealt with accordingly.

This year we enjoyed a substantially lower volume of incidents than any other year we’ve had in the past. That’s a testament to the security staff, but also to the amazing conference attendees. We always look to get better, and will continue to do so. We also recognize that how we handle situations isn’t always public, and could be perceived as not handling situations.

We recognize that some may think we may not go “far enough” in how we handle incidents. We want to ensure that every incident is reviewed and investigated based on the information and evidence we are provided. Actions are taken based on the investigation and reviewed to see how they can be improved upon in the future. Our first priority is the safety of every single attendee. That’s a fact. The actions that we take, and have taken in the past, speak to that, and we will always ensure a safe conference. We are always open to discussion on how we can handle situations better, and if there are ways for us to improve.

We also understand that you have many other conferences to choose from and that DerbyCon may not be for you. We want to assure you that we have an amazing and safe conference, and it’s something that is built into the core of our values as a conference, and what we demonstrate each year.

We also recognize that, based on our event and our inclusiveness for all and for the INFOSEC community, DerbyCon is held to a much higher standard and light than other conferences. You can be assured we will always look and strive to get better as a conference. Harassment will not be tolerated under any circumstances towards any attendees.

We would like to thank everyone who is speaking up and discussing, positively, ways for conferences to improve and be safer. If you haven’t attended DerbyCon, we would encourage you to ask former attendees about their experiences and the welcoming community we have at DerbyCon. It’s amazing to see individuals bring their children, their families, and attend every year and meet and collaborate on new ideas as one community. DerbyCon is a warm, safe, welcoming, and amazing place for everyone and we aim to stay that way.

We started with an idea of DerbyCon in a pizza shop with a few friends. Never once had any of us run conferences before. We learn as we go, and we look to get better, and we always will. It’s clear actions speak louder than words, and we will continue to improve on how we communicate and handle situations.

Thank you all for making this year at DerbyCon wonderful, and we look forward to seeing EVERYONE next year.