The Hacking Economy

How to tap the braintrust on cybersecurity

It turns out that one of the keys to hosting a successful conference on a complicated, technical and contentious topic like cybersecurity is great food and booze.

Jeff Moss said he learned that lesson early on in his days as the hacker community's best-known security impresario. "I know this sounds really petty," Moss said, "but I fed people really well." Open bar was key, too, he said: "The other conferences had all these drink tickets. I just wanted people to enjoy themselves at the event."

Isaac Brekken | AP

It worked out. Moss founded the underground hacker convention Defcon in 1992, starting with a group of about 100 of his hacker friends and whatever cybersecurity experts he could track down. "I put the conference in Las Vegas—I did that because I needed a place where the hackers wouldn't burn down the hotel at night," he said. "It gets really crazy."

Read MoreInside a cybersecurity start-up

By 1997, Moss said he felt a need for a more professional conference to go alongside the raucous Defcon underground event. "The announcements for Defcon were kind of over the top, like for a rock concert," he said. "People started asking me for more professional announcements. They said, 'My boss will never let me go to an event that looks like that.'"

Moss founded the more corporate Black Hat cybersecurity conference that year, which quickly attracted attention: By 2012 there were more than 6,500 attendees at the annual event, and last year there were more than 9,000.

Moss's hacker empire is one of the most visible in the exploding array of cybersecurity conferences around the world. The growth of that conference circuit mirrors the rapid expansion of the industry as a whole: Moss estimates that there are more than 350 annual conventions today around the world. Among them are events with names like NullCon, IoT Devcon, SchmooCon, and even a Kentucky-based security event called DerbyCon.

The granddaddy of them all may just be the global RSA Conference, which is sponsored by the cybersecurity company RSA. It's grown from a 50-person event in 1991 to an event with more than 28,500 attendees, 405 exhibitors and 550 speakers.

But Moss, who goes by the alias The Dark Tangent on Twitter, said there was more to the popularity of his early Defcon events than just food and drink—especially their open and inclusive vibe, which went against the grain in a typically secretive cybersecurity industry. And, he said, because he owned the event himself, he could invite any speaker on any topic and not have to answer to a corporate master. It was so inclusive that Moss invited federal security agencies to come to his early sessions, reasoning that they'd show up undercover anyway.

Read MoreMeet the NSA's hacker recruiter

And he said he tried to keep his events from being about selling products to focusing on sharing tools every participant could have access to. "This crowd is really applied," he said. "They want to invent something, fix something, do something."

Another advantage in separating Black Hat from Defcon was that Moss could accept lucrative corporate sponsorships for Black Hat and keep Defcon to its more independent roots. That event still does not take sponsorships.

A turning point came in 2005, Moss said, when Cisco sued a speaker for revealing flaws in Cisco routers. For Moss that confrontation was enormously stressful. "There I am at this event trying to entertain, and then I'm getting sued, and it's on the front page of the Wall Street Journal," he said. But the suit also brought widespread publicity and a realization of just how valuable the cybersecurity conferences had become. In late 2005, Moss sold Black Hat to CMP Media for what he said worked out to be a $14 million payday for Moss and his early employees. "One person got a house," he said.

There have been other touchy legal issues. In 2008, PCWorld magazine reported that a U.S. District Court judge ordered the cancellation of a Defcon talk by three MIT students who planned to reveal design flaws in the Massachusetts Bay Transportation Authority's electronic ticketing system. That year, the Electronic Frontier Foundation began a drop-in service to give legal advice to Defcon presenters.

Read MoreHack attacks on hospitals jump 600% this year: CEO

Today the conference industry is fragmenting, with specific events launched to focus more and more on narrow sub-specialties within cybersecurity. Moss said there are events focused on everything from reverse engineering malware to financial cryptography.

Nevertheless, he said he still enjoys going to the eventsparticularly the ones he isn't hosting. "I like to go and hang out with friends," he said. "And not be in work mode."