The cybersecurity landscape is rapidly evolving, driven by the increasing complexity of technology and the emergence of new threats.
As the world tackles with these challenges, ISACA, a global association of IT and cybersecurity professionals, is at the forefront of addressing these issues. With over 180,000 members worldwide, ISACA plays a crucial role in shaping the future of the industry.
The group is entering its 55th year and has been under the leadership of CEO Erik Prusch since June 2024.
Just over a year into his role as CEO, Prusch sat down exclusively with Infosecurity to discuss some of the organization’s recent achievements and spoke on the challenges AI poses to training, the workforce shortage and budgetary pressures placed on cybersecurity professionals.
Infosecurity Magazine: In your first year as CEO what have been some of your biggest achievements with ISACA to date?
Erik Prusch: We've done a tremendous amount of work. We're at 228 chapters and 188 countries. Particularly, we now have a Mongolia chapter, a Georgia chapter, and we've got another one in the US state of Florida. What we've been doing is focusing on the areas of opportunity for ISACA and our members.
We've got a new strategy, which is all about our members. It's all about what we're delivering to help satisfy some of the gaps in the marketplace.
We have also been successful at launching products faster and in a more relevant way than I think we have in a while.
IM: You mentioned the launch of new products, especially around AI training and frameworks. What are some of those new products you've been putting the effort behind?
EP: We recently launched a couple of new initiatives, one is our digital trust framework.
We're bringing this into market after we committed capital to develop these capabilities. There aren't very many good frameworks out there, particularly for businesses of varying sizes. There's a lot more concentration on very large businesses. Frameworks are something that can also be adopted at smaller organizations.
We also came out with now seven new training modules relating to AI. This tries to not only satisfy demand for more training in this area but make certain that it's from a source you can rely on. We build quality products we make certain are very strong in terms of technical acumen. The way we train is based on 55 years of experience.
These new seven modules are important steps, and they range from AI essentials to governance and policy. They're allowing our members and outsiders to be able to become knowledgeable about the fundamentals of AI and then be able to expand that skill set into much more technical applications of it.
We're finding that when AI really came to light at the beginning of this year, there were lots of people adopting it, but not a lot of people knowing how to control it.
A lot of people were putting in the rigor, a lot of people having a policy but certainly there’s a disconnect between what people think they understand, and what they do understand and we're trying to narrow that.
This means we need to go to the fundamentals and make certain we're building up capability and giving it in bite-sized pieces to improve that understanding.
IM: What do you see as the biggest demand for knowledge and learning around AI?
EP: The knowledge that needs to be done around AI has to be from a reputable source, and it must be within the domains that you're trying to solve for. When we think about AI and cybersecurity, or policy and governance, those are things that have applicability into the enterprise.
If you don't understand the fundamentals of AI, there's no point in talking to you about governance. Anybody can put a policy in, anybody can copy a policy, but can you create a policy that's right for your organization and how you're deploying AI?
People can access AI through their phones, they can access it through their home computers.
You've got to build awareness; you've got to train everybody on what the fundamentals are. How does AI work? How do large language models work? Most organizations are trying to keep it within the confines, so they're putting instances behind their file wall.
I support that 100%, but let’s figure out where the vulnerabilities are. Let's figure out what we should be discouraging and trying to create mechanisms for that.
Let's make certain that we're addressing the root of the problem rather than just a symptom of it.
"There's a tremendous amount of money chasing AI and so there's a large money grab that's going on."
IM: You mentioned about making sure that people are getting information from a reputable source. Why is this important and is there a lot of information in the market that's incorrect?
EP: My view is that there's a tremendous amount of money chasing AI and so there's a large money grab that's going on. Anybody with a business that hangs off AI is going to try and make some money off it, whether they're a reputable source or not.
We put a lot of emphasis on making certain that we qualify the sources that provide content for us and that we bring in or have at our disposable experts in the field.
We don't take that casually because we know our model is widely leveraged. We go to 180,000 people just in our current ecosystem and then we extend past that when you think about the enterprises we support.
We take our reputation very seriously. So, we go through that effort. I can't say the same of all organizations, and there are some very good quality organizations out there that may be technically competent but don't know how to train it. There are good trainers that don't have a lot of technical expertise behind them and then there are a few that have both.
So, we want to be that advisor. We want to be that coach. We want to be that guide to handle this.
IM: ISACA released research earlier in 2024 that showed that 52% of cybersecurity professionals feel their budgets are underfunded. What is your view on budgets as they stand today?
EP: There is perpetual underfunding. I don't know that there's ever been a time that we were adequately funded.
Those pivot points or trajectory changes of funding always happen around an occurrence of a problem.
Then suddenly, it's ‘throw whatever money at it to go fix it’ right? As opposed to, let's make certain that we're well protected and that we understand what best practices are and try and work our way there as aggressively as possible.
The part that should have us all scared is that over 50% of cyber professionals who believe they are underfunded. Which is not insignificant.
It's not we're down to 10 or 15% or just around the edges. We're at 50% of the organizations that are saying that it's underfunded. So that implies even greater risk.
When you've got that many companies that may be underspending on cybersecurity you've got a serious problem.
IM: The workforce shortage and stress remains of major issue in cybersecurity. What more do we need to do to steer us away from this cycle of burnout and stress being a theme within cybersecurity?
EP: It starts with making certain that we've got an adequate workforce.
You can't have a workforce gap and a budgetary gap and expect that the people who are in the seats currently doing it are going to be relieved of that stress anytime soon.
There isn't something that's going to cure the existential crisis that we're in overnight. That crisis is big, it’s not understood. And new technologies are coming out very rapidly around it, which increases those needs and demands.
It starts with the workforce first and making certain that we're getting jobs filled. I think we've made modest progress in my time, 15 months, but at this pace, it's going to take many years to solve that.
Then it follows with making certain that there's adequate budgets, adequate technology and adequate training.
It's not just people, you can't just put people into the job and expect to fix it. They've got to be trained. They've got to be educated along the way.
We play a part in that and we're proud about that. We're kind of early in that cycle, which is we bring people in, encourage people to come into the professions and help train them and qualify them for those professions.
And that means we have an important role but we've got to figure out a way of attracting more people and maybe non-traditional people into the into the domains that we serve.