The cybersecurity landscape is evolving rapidly, driven by the increasing complexity of technologies and the emergence of new threats.
As the world addresses these challenges, ISACA, a global association of IT and cybersecurity professionals, is at the forefront of solving these problems. With more than 180,000 members worldwide, ISACA plays a crucial role in shaping the future of the industry.
The group enters its 55th year and has been under the leadership of CEO Erik Prusch since June 2023.
A little over a year after taking over as CEO, Prusch spoke exclusively with Infosecurity Magazine about some of the organization’s recent accomplishments and the challenges AI poses for training, workforce shortages, and budgetary pressures on cybersecurity professionals.
Infosecurity Magazine: In your first year as CEO, what have been some of your biggest accomplishments at ISACA to date?
Erik Prusch: We have accomplished a lot of work. We are at 228 chapters and 188 countries. In particular, we now have a chapter in Mongolia, a chapter in Georgia and another in the US state of Florida. What we have done is focus on areas of opportunity for ISACA and our members.
We have a new strategy, focused entirely on our members. It’s all about what we offer to help fill some of the gaps in the market.
We’ve also been able to launch products faster and more meaningfully than I’ve seen in some time.
IM: You mentioned the launch of new products, particularly around AI training and frameworks. What are some of these new products that you have put effort into?
EP: We recently launched a few new initiatives, one of them being our digital trust framework.
We are bringing this to market after committing capital to develop these capabilities. There aren’t many good frameworks out there, especially for businesses of different sizes. There is a lot more focus on very large companies. Frameworks can also be adopted in smaller organizations.
We have also now released seven new AI training modules. This attempts to not only satisfy the demand for additional training in this area, but also to ensure that it comes from a source you can rely on. We manufacture quality products which we ensure are very strong in terms of technical sense. Our way of training is based on 55 years of experience.
These seven new modules are important milestones and range from AI essentials to governance and policy. They allow our members and foreigners to learn about the fundamentals of AI and then be able to expand that skill set in much more technical applications.
We see that when AI really hit the scene earlier this year, many people adopted it, but few knew how to control it.
A lot of people had rigor, a lot of people had a policy, but there’s definitely a gap between what people think they understand and what they understand and we’re trying to reduce that.
That means we need to cut to the chase and make sure we build capacity and deliver it in bite-sized chunks to improve that understanding.
IM: What do you think is the biggest demand for knowledge and learning around AI?
EP: The knowledge needed around AI must come from a trusted source and must relate to the areas you are trying to solve. When we think about AI and cybersecurity, or policy and governance, these are things that can be applied to the enterprise.
If you don’t understand the fundamentals of AI, there’s no point in talking to you about governance. Anyone can insert a policy, anyone can copy a policy, but can you create a policy tailored to your organization and how do you deploy AI?
People can access AI through their phone, they can access it through their home computer.
You need to raise awareness; you have to train everyone on the fundamentals. How does AI work? How do major language models work? Most organizations try to keep this within limits, which is why they place the instances behind their firewall.
I support this 100%, but let’s see where the vulnerabilities are. Let’s see what we should discourage and try to create mechanisms for that.
Let’s make sure we address the root of the problem rather than just a symptom.
“There’s a huge amount of money chasing AI and so there’s a big money grab going on.”
IM: You mentioned the need to make sure people get information from a reliable source. Why is this important and is there a lot of incorrect information in the market?
EP: My view is that there is a huge amount of money chasing AI and therefore there is a big money grab going on. Anyone who owns a business that depends on AI is going to try to make some money from it, whether it’s from a reputable source or not.
We attach great importance to the qualification of the sources that provide us with content and to the fact that we use or have experts in the field.
We do not take this lightly, as we know our model is widely exploited. We reach 180,000 people just in our current ecosystem, and then we go beyond that when you think about the businesses we support.
We take our reputation very seriously. So we are making this effort. I can’t say the same for all organizations, and there are some very good organizations that may be technically competent but don’t know how to train them. There are good trainers who don’t have a lot of technical expertise behind them, and then there are a few who have both.
So we want to be that advisor. We want to be that coach. We want to be that guide to dealing with this.
IM: ISACA released a study earlier in 2024 that showed that 52% of cybersecurity professionals believe their budget is underfunded. What is your view on budgets as they are today?
EP: There is perpetual underfunding. I don’t know if there was a time when we received adequate funding.
These pivot points or changes in funding trajectory always occur around the onset of a problem.
And then all of a sudden it’s ‘throw any money at it to go fix it’, right? Rather, let’s make sure that we are well protected and that we understand what the best practices are and try to achieve that as aggressively as possible.
The part that should scare us all is that over 50% of cyber professionals consider themselves underfunded, which is not trivial.
It’s not that we’re down to 10 or 15% or just at the limit. We are at 50% of organizations that say they are underfunded. This therefore involves an even greater risk.
When you have so many companies not spending enough on cybersecurity, you have a serious problem.
IM: Labor shortages and stress remain a major problem when it comes to cybersecurity. What more do we need to do to move away from this cycle of burnout and stress that is a theme in cybersecurity?
EP: It starts with making sure we have adequate staffing.
You can’t have a labor gap and a budget deficit and we hope that the people currently occupying the seats that do so will soon be relieved of this stress.
There is nothing that can cure the existential crisis we find ourselves in overnight. This crisis is great, it is not understood. And new technologies appear very quickly, which increases these needs and demands.
It starts with the workforce and ensuring jobs are filled. I think we’ve made modest progress in 15 months, but at this rate it will take many years to resolve this problem.
Next is ensuring that there are adequate budgets, adequate technology and adequate training.
It’s not just about people, you can’t just assign them to a position and hope to fix it. They must be trained. They must be educated along the way.
We participate in it and we are proud of it. We’re kind of at the beginning of that cycle, where we’re bringing people in, encouraging them to go into professions and helping to train them and qualify them for those professions.
This means we have an important role to play, but we need to find a way to attract more people, and perhaps non-traditional people, into the areas we serve.