Come for the Sun.
Stay for the Bright Ideas.

In a digital transformation context, this article scrutinizes the critical need to align cybersecurity strategies with business objectives. It points out the gaps in cyber risk communication and the imperative for a cohesive strategic approach. Using the three lines of defense model, the role of the second line is underscored as central in steering strategic decisions and aligning cybersecurity goals with the business objectives and key results. The piece also addresses the necessity of ongoing assessment and extensive training to bolster a comprehensive enterprise risk culture, thus ensuring the resilience and growth of organizations in the digital era.

Cybersecurity is now a board conversation. So is digital trust and the safety and security of Artificial Intelligence (AI). All are technology-driven challenges without a solution. Technologists can handle on their own. It requires collaboration up and down the organizational chart and globally. CISOs are charged with the safety and security of information in all forms. To succeed, CISOs need the active engagement of other parts of the business and often the engagement by external third parties. Who does the CISO engage? How? What do we ask of them? We will begin by discussing why these are suddenly important business topics. We will also talk through the historical trends of technology adoption still present today. That historical perspective will help us frame what works and does not. We will talk about what Digital Trust means, what it is, why it is important, what the studies show, and what resources are available. When it comes to AI, we will talk through the fundamental drivers underlying AI and how it differs from anything we have seen before. We will discuss AI's major concerns, what to do about it, and relevant global efforts. We will talk through the major threats of AI. Special consideration will be given to misinformation/ disinformation including Deep Fakes and the potential impacts to national security like the upcoming Presidential election.

Unlike many programs, we will be looking past technical controls. We will talk about the organizational structures that work the best, who in the organization needs to be engaged, and how to handle third parties. A survey of national and international efforts promoting the safety and security of AI will be included.

After completing this session, the participant will be able to:  

• Define what digital trust is and its relationship to AI. 
• Articulate the major issues and challenges of achieving safety and security of AI.
• Articulate the most significant national and global AI efforts.
• Articulate five things you can do to ensure the safety & security of AI in your organization.

Intelligence quotient (IQ) is useful in academia, but what about in our work environments? Is there something missing that IQ doesn’t address? Emotional Intelligence (EI) allows us to identify, assess, and manage our own emotions and understand those of others. This presentation will help you recognize and understand emotions while guiding your actions. EI is vital for effective leadership in today's complex and dynamic work environments. This session explores the key principles of leading with EI and provides practical insights and strategies for enhancing EI in leadership roles. Participants will gain a deep understanding of EI, its components and its significance in leadership, enabling them to apply these principles to drive better team dynamics, communication and organizational success.

By the end of this session, participants will be well-prepared to lead with EI, resulting in stronger relationships, improved team dynamics and more effective leadership in their respective organizations. The content will be delivered through presentations, discussions and practical tools to ensure a comprehensive and engaging learning experience.

After completing this session, the participant will be able to: 

• Understand EI and its usefulness in the workplace.

On Wednesday afternoon our SheLeadsTech Advisory Council is going to be taking over the ISACA Booth! Stop by for a Happy Half Hour and grab a beverage and some swag while supporting future and current women leaders in the global tech economy.

Are you struggling to evaluate risk in a timely fashion? Traditional risk analysis struggles to keep pace, making swift yet accurate assessments a pressing need. This session explores the transformative potential of Artificial Intelligence (AI) in expediting risk evaluations without sacrificing depth or security. This talk will delve into AI's capacity to rapidly detect patterns and vulnerabilities, emphasizing the importance of diverse training datasets to prevent biases. The presenter will address the balance between AI's computational strength and the irreplaceable intuition of human analysts, advocating for a collaborative approach. He'll highlight real-world successes, potential pitfalls, and provide a roadmap for integrating AI responsibly into risk assessment processes. Attendees will leave with a clear vision of AI's role in future-proofing risk analysis. In addition, attendees will learn immediate, actionable activities to immediately begin assessing risk rapidly with AI.

After completing this session, the participant will be able to:  

• Use the AI prompts discussed to evaluate contractual as well as regulatory compliance based risks.
• Learn the pitfalls of trusting AI too much and how to check it's work.
• Discover blended approaches to their current risk management processes that will help catch up on their backlogs.
• Understand appropriate use of AI based on the data that will be analyzed.

What are the key technology risk areas that companies are now facing on a day-to-day basis? Where is IA focusing its efforts from a digital/technology perspective to create the highest impact and deliver the most business value to the organization? IT IA should be focused on the greatest technology risks to the organization in a way that enables the company’s business strategies and elevates IA’s value, impact, and trusted advisor status to its stakeholders.

As part of the presentation, we will discuss the evolving technology risk landscape and the risks it introduces and accelerates throughout the business environment and our organizations. We’ll introduce an IT risk framework that can be used to drive IA’s own IT risk assessment process for enhanced results – with the goal being to identify the greatest digital technology risks to the organization and what the optimal IA responses should be. We will dive into a top ten of IT IA high-impact focus areas for all IA functions to consider. Using real-life examples, for each topic area we’ll talk through the key risks involved, the questions IA groups should be asking, and suggested IA focus and response options to drive collaborative group discussion during the session.

After completing this session, the participant will be able to:  

• Learn what key digital and technology risks are most impacting companies today.
• Understand leading practices for when conducting an IT IA risk assessment.
• Identify leading areas of IT IA focus for consideration in their own IA plans.
• Take away real-life examples and lessons learned from past high-impact IT IA audits performed.

Imagine you're a superhero. You protect the people who rely on and exist within and around your organization from the ever-changing and ever-growing cyber threats across the globe. You need the right tools and the right strategies to fight against these digital threat actors. And what's the first gadget in your toolbelt? A clear understanding of the threat landscape to build a comprehensive threat assessment program.

For this program to succeed, you need four main components: your asset landscape, threat landscape, processes/controls and partners. While connecting these seemingly disjointed pieces sounds daunting, the industry offers several publications, mapped mainly through the Center for Thread Informed Defense, that act as a handy-dandy sidekick when brought together: MITRE ATT&CK®, Vocabulary for Event Recording and Incident Sharing (VERIS), NIST 800-30 Guide for Conducting Risk Assessments, and NIST 800-53 Security and Privacy Controls for Information Systems and Organizations. As for the partners' piece of this program, observe the people around you and find the other superheroes to join your team. 

Finally, like any good superhero team, a Nick Fury exists – the executives. The magic lies within translating technical data-driven approaches and results into actionable tasks that support the business strategy. This translation, combined with your threat assessment program, will set you up to take on emerging threats as the world changes. 

Join us as the "Cyber Threat Assessment Avengers" assemble!

After completing this session, the participant will be able to:

IT security, cybersecurity and privacy protection are vital for companies and organizations today. The ISO/IEC 27000 family of standards are designed to assist organizations in developing comprehensive information security and data privacy programs to avoid threats from evolving cybercrimes, lack of employee awareness and training and violations of laws and regulations and the costly fines and reputational damages that could result should a breach or other incident occur. ISO/IEC 27001 is the perhaps one of the world’s best-known standards for information security management; however, additional best practices in data protection and cyber resilience are covered by several other standards in the ISO/IEC 27000 family. Together, these standards enable organizations of all industries and sizes to manage the security and privacy of their information assets and those entrusted to them by third parties. We’ll also discuss where these standards stand now that ISO/IEC 27001:2022 has been published as of late 2022.

Specific standards that we will cover in our presentation will include:

• ISO/IEC 27001 (ISMS)–the foundational element

• ISO/IEC 27017 (cloud services security)

• ISO/IEC 27018 (protection of PII in public clouds for PII processors)

• ISO/IEC 27701 (PIMS) and complementary GDPR certification frameworks such as Europrivacy Seal and the overlap with the EU Cloud Code of Conduct

After completing this session, the participant will be able to: 

• Understand the application and intent of the main additional standards in the ISO/IEC 27000 family of standards outside of the most well-known in ISO/IEC 27001.
• Understand why organizations would look to align their ISO/IEC 27001 certification with additional sector-specific standards in the ISO/IEC 27000 family and the associated benefits.
• Understand how their data privacy programs can be enhanced through the adoption of either ISO/IEC 27018 or ISO/IEC 27701 (or both) and know which is most beneficial for their organization.
• Understand how obtaining the Europrivacy Seal GDPR certification can be facilitated by already having an ISO/IEC 27701 certification and the overlap with the EU Cloud Code of Conduct.

Multi-agent systems are the future of AI. Rather than building monolithic AI models, multi-agent systems distribute capabilities across specialized modules—for example, separate agents for computer vision, language, planning, API automation, etc. By combining multiple AI models, data sources and technologies, multi-agent systems execute complex goals without requiring general artificial intelligence. To build and run multi-agent systems at scale, organizations need an intelligent operating system. This OS should provide a visual workflow builder for non-experts to develop agents, scalable runtimes for deploying agents, data pipelines for sharing information, monitoring tools for governance, and APIs for external integrations.

With the right OS, enterprises can transform operations by embedding AI agents into processes. Use cases span supply chain, IT, customer service, finance, manufacturing, healthcare and more. The modular approach allows starting small and expanding. Multi-agent systems do require thoughtful change management. New levels of automation can disrupt people and processes. Recommended practices include starting with narrowly defined pilots, involving stakeholders early, setting appropriate expectations, and proactive communication. By distributing capabilities across specialized agents, multi-agent systems represent the most effective and ethical approach to implementing AI. With an enterprise-grade OS, any organization can build the AI workforce of the future, one intelligent agent at a time. This pragmatic approach captures tremendous value without requiring human-level artificial general intelligence.

After completing this session, the participant will be able to:

This session delves into the pivotal role played by the SEC cyber disclosure rule in corporate governance of cyber risk. It commences with an exploration of established methods for ascertaining financial materiality and examining their inherent limitations. Subsequently, the presentation delves into the intricacies of computing cyber materiality thresholds, informed by the presenter's original research in this domain. Drawing on comprehensive industry insights, the presenters scrutinize prominent cybersecurity breaches and retroactively benchmark them against conventional financial materiality standards. The results underscore the necessity of a shallow threshold, as low as one basis point, for a comprehensive evaluation of cyber materiality. This finding is the bedrock for the presenter's proposition of introducing a quantitative dimension to complement traditional qualitative materiality approaches. Moreover, attendees gain insights into the Cyber Materiality Heuristic process, offering a practical exemplar for organizations embarking on the development of their materiality frameworks. 

The session takes an expansive approach by illustrating how materiality thresholds can be seamlessly integrated into a firm's Enterprise Risk Management (ERM) governance processes. Furthermore, the presentation scrutinizes recent 8-K and 10-K/20-F SEC filings from organizations affected by the new regulatory landscape, evaluating their transparency and the adequacy of their disclosures from a quantitative perspective. Finally, the session underscores how these newfound tools can be harnessed to make informed strategic decisions regarding risk transference and mitigation. As a takeaway, attendees depart equipped with tangible tools and methodologies for computing materiality, thereby enhancing their ability to govern their cyber.

After completing this session, the participant will be able to:

In the current Artificial Intelligence (AI) transformation era, professionals must grasp the fundamentals of AI and its associated risks to foster digital trust. In this talk, we will journey through the AI landscape, exploring the basics, identifying key risks, and learning how to establish trust in AI systems. We will also delve into emerging regulatory frameworks, practical control mechanisms, and the potential of AI to enhance digital trust. Starting with an AI introduction, attendees will gain a shared high-level understanding, exploring core concepts and terminology. The discussion delves into key AI risks using real-world examples, highlighting issues like bias, privacy, security, and ethics that require diligent mitigation.

The session then explores essential responsible AI principles, emphasizing fairness, transparency, accountability, and ethics for building trustworthy AI systems. By analyzing AI regulations, the session illustrates frameworks like the European AI Act, showcasing their impact on developers and users and promoting responsible AI adoption. Practical insights are provided into embedding control measures throughout the AI lifecycle to mitigate risks, ensuring secure, ethical, and regulatory-compliant AI systems. Lastly, the session considers AI's role in enhancing digital trust, showcasing applications like anomaly detection, natural language processing, and behavioral analysis in strengthening security and privacy.

After completing this session, the participant will be able to:

As a series of tsunamis continue to crash into the tech labor force, what does this mean for professionals forging careers in cybersecurity, audit, risk, governance and privacy? 

One colossal wave is the proliferation of fast-moving, high-momentum technologies that rapidly and radically redefine competitiveness and alter the securing of new business models. Mounting pressures on employers to restructure their workforces are creating brand new job and career opportunities in security and substantially change what it takes to be a tech professional. Another massive wave is the so-called Great Workforce Reshuffling that took root during the COVID-19 pandemic (changing how, when, where, and with whom we work) and is now becoming normalized. This trend has significantly altered how tech professionals are managed and paid, how their performance is evaluated, and how security is being strategized and operationalized. It’s also altered the demand balance between hard and soft skills and reordered the composition of work teams.

This session will draw from Foote Partners’ unique research base (4,300 employers) to challenge conventional thinking about how the unfolding Future of Work will play out in the security workforce in the next 5-10 years. Valuable insights will be provided about new job and career prospects driven by the powerful integration of emerging technologies and workforce transitions. AI Revolution(Applied AI, ML, Generative AI); Compute/Connectivity(Cloud/Edge, IR); Digital Future-Building(Next-Gen SW development, Trust Architecture/Digital Identity); Cutting-Edge Engineering(Mobility, Bioengineering, SpaceTech); and Sustainability(Electrification/Renewables, ClimateTech).

After completing this session, the participant will be able to:

Even champions need a break sometimes. Whether you have some downtime between sessions or need a few minutes of peace and quiet to catch up on your work, if you are an ISACA Platinum and Gold Member, our Loyalty Lounge offers the perfect respite to help you stay refreshed and focused.

This presentation will discuss the latest NIST CSF v2.0, which was updated to deal with increasing threats to critical infrastructure and organizations of all types and sizes. This government-authored cybersecurity framework is the gold standard for cybersecurity defense, and everyone who upholds digital trust can benefit from understanding and implementing it. Ironically, it is only as ironclad as the level of understanding of relevant stakeholders within the enterprise, most of whom are probably ISACA members or hold ISACA certifications. Hence, this session will also talk about how key enterprise stakeholders can adopt and integrate this cyber security framework into their governance, risk and compliance practices, boost enterprise-wide digital trust and ultimately elevate the value of IT audit, risk and compliance professionals within the organization. 

The recent cyber security incidents and ransomware attacks that hit the US hospitality and medical care industries are consequential for anyone who works to uphold the level of digital trust in this country. That and the advent of tools that can give malicious actors an edge, such as generative AI, is among the reasons behind the recently updated NIST CSF v4.0. NIST or the US National Institute of Science and Technology updated their Cyber Security Framework. The new framework contains several cyber security requirements that can scale to mitigate these threats and boost digital trust. For instance, it added the Governance function to the other five, as well as expanded its scope to provide cybersecurity for all organizations beyond critical infrastructure.

After completing this session, the participant will be able to:

For every organization, there is a delicate balance to strike between innovation and risk — one that informs every interaction between your employees, customers, key stakeholders, and the supply chain. We’d be hard-pressed to name a more seismic innovation than the explosion of artificial intelligence (AI), particularly generative AI (GAI) with its ability to generate highly realistic and contextually accurate outputs dynamically. Scaling alongside this innovation are the risks, whether they are preexisting risks such as the proliferation of disinformation or emerging risks such as AI “hallucinations,” the leakage of sensitive information or inference attacks.

Obviously, there’s no going back to the days before large language models (LLMs), such as OpenAI’s GPT-4, broke into mainstream public consciousness. The AI genie is out of the bottle. The question we now face is, how do we move forward responsibly? The best answer: proactively building into your organization’s AI ethics model a focus on governance, risk mitigation, and compliance.

In this talk, we will discuss considerations while establishing an AI Governance Framework that balances.

After completing this session, the participant will be able to:

With the lines between traditional IT and industrial control systems blurring, the addition of Internet of Things technology means IT auditors need to focus on SCADA and related technologies in the light of greater connectivity. This presentation will start by briefly explaining the different technologies involved, such as Manufacturing Execution systems [MES], SCADA, Human Machine interfaces [HMI] and Programmable Logic Controllers (PLCs) and then describe the different implications of these technologies from a controls perspective. 

This session will cover the implications of the Internet of Things to SCADA, a hugely increasing area of exposure for factories and plants, as vendors move to remotely maintained and managed systems. This also ties in with further testing programs we have deployed in networking and the tools we have written and deployed to analyze network weaknesses at plants and factories.

In addition, the presenter will show how important it is to have control over PLCs, and accurate asset management, spares, stock control and records—this is now a vital area for security, patching and cost control. We will also show how these audits affect ESG auditing and the value an IT auditor can add.

Finally, this session covers related systems often integrated into plant networks, such as entry systems and CCTV and the security issues these systems are exposed to. This will all be based on practical experience over many years in the field, plus recent in-depth reviews of current ICS's utilized in manufacturing. An up-to-date and practical session with plenty of case studies from real systems.

After completing this session, the participant will be able to:

More Information Coming Soon!

Do you ever feel like the answer is right in front of you? With Word to the Wise, ISACA’s quiz game, the answers will be on the tip of your tongue — just don’t shout them out! Contestants will compete on stage to solve humorous digital trust-themed word games and trivia questions. Audience members can play along, and lucky audience members will even win prizes right from their seats!

• Test your knowledge
• Solve puzzles
• Select the correct answer
• Have fun and maybe win some prizes!

As AI advancements revolutionize business decision-making, understanding how to evaluate and mitigate AI-associated risk is top of mind for all companies. In this session, participants will learn practical ways to scope and prioritize where to start when including AI risk in their wider risk assessment methodology. Participants will learn to evaluate if AI risk is present critically, assess the potential impact and navigate the potential risks of AI-powered companies. 

We will focus on the following five domains of risk:

Security: Understand key questions to assess potential security implications of how an AI solution is developed, where it is hosted and how it is accessed.

Privacy: If personal information will be used in the scope of an AI initiative, what are the additional considerations? The domain explores these considerations and how to critically evaluate any given AI system to ensure responsible AI deployment, data security, and compliance.

Availability: Some AI functionality is a bolt-on to established workflows; however, it will be the whole product for other use cases. We’ll discuss ways to identify what availability and business continuity concerns could arise if AI technology is relied on for extended periods.

Intellectual Property: When it comes to generative AI, there are several aspects to be mindful of, including whether the AI was trained on data to which legal rights were obtained and who owns the content outputted by the model. By carefully addressing IP concerns, companies can better assess and manage the potential risks of integrating AI into their business operations while safeguarding their intellectual property rights.

Quality: Employees often undergo rigorous hiring exercises and evaluations to determine if they can perform the role. They also have managers and performance expectations. Therefore, how this same paradigm plays out for artificial intelligence needs to be determined. It is critical to know if what is getting generated will work. We'll explore techniques to understand how quality in AI can be assessed and monitored.

Once we lay the groundwork for top AI risks, we’ll discuss common mitigation strategies. This will be a combination of controls you should assess for within the technology itself, in addition to activities you can implement within the business processes when AI is relied upon to avoid these top risks. In closing, we will dispel some common misconceptions about Generative AI and LLMs, reinforcing the need for informed and thoughtful use of AI. Participants will better grasp the difference between perceived risks and genuine threats to their company and leave empowered to navigate AI implementation and vendor relationships with greater resilience and efficacy. This session is ideal for risk, security, and privacy professionals, but decision-makers at firms leveraging AI will also benefit. The ultimate goal of this session is to ensure that participants comprehend the potential nuances of AI usage, enabling them to make informed decisions around AI and steer clear of the pitfalls often associated with its incorporation into business activities.

After completing this session, the participant will be able to:

• Prioritize where to focus risk assessment efforts as it relates to AI use at your organization.
• Assess the potential impact of AI to a given process or business objective.
• Understand potential mitigations for elevated AI risk (with real world examples!).
• Avoid common misconceptions and be aware of top risks related specifically to Generative AI/LLMs.

Applied Data Management for Privacy, Security and Digital Trust provides information to enable privacy and governance professionals to position enterprise data management programs to support privacy and security programs. This book describes the components and practices to develop an effective data management program, addresses the challenges enterprises face when incorporating data management into privacy and security, and includes an example use case scenario. The primary audience of Applied Data Management for Privacy, Security and Digital Trust has privacy professionals and data governance professionals intending to support privacy efforts.

Technology permeates today's enterprise ecosystem, and the basic customer concerns of data availability and data quality must be addressed to ensure that the enterprise concerns of privacy, security, regulatory compliance and profit are met. Cybersecurity, privacy, data integrity, data governance and regulatory compliance are among the top 10 risk concerns identified by IT audit teams. A lack of security creates vulnerability risk. Not addressing privacy creates noncompliance risk and privacy harms to individuals, increasing the probability of loss of revenue, reputation, and trust.

The purpose of executing data management well is to support privacy and security, ultimately supporting digital trust. Digital trust is the confidence in the integrity of the relationships, interactions, and transactions among providers and consumers within an associated digital ecosystem. This includes the ability of people, organizations, processes, information and technology to create and maintain a trustworthy digital world. Digital trust requires strong privacy and security programs that are supported by effective data management practices.

After completing this session, the participant will be able to:

The auditing world stands at the cusp of a transformative era, with the emergence of Large Language Models (LLMs) like ChatGPT. This session comprehensively explores LLMs, from their history to their multifaceted functionalities. We begin with a LLM primer, covering their evolution, working mechanisms, and notable variations like Bard, Llama2, and Co-pilot. The session emphasizes the versatility of LLMs, highlighting that they aren't confined to mere text interactions but hold immense potential in data analysis. Building on this foundational understanding, participants will be introduced to the diverse prompt formats available, ranging from zero-shot prompting to complex data analysis. Real-time exercises with ChatGPT ensure that participants gain theoretical insights and practical, hands-on experience.

The heart of the session lies in the exploration of the audit lifecycle. We investigate how LLMs can seamlessly integrate into various audit stages, from planning and execution to reporting and continuous improvement. Participants will witness practical examples, like using LLMs for scoping, testing, work program documentation, and even simulating interview analysis. However, as with any powerful tool, LLMs come with challenges. The session concludes with a critical examination of the risks posed by LLMs, including data privacy concerns, hallucination, and prompt hacking. To ensure responsible and secure usage, we also discuss potential controls and safeguards. This session is a holistic exploration of the intersection of AI and auditing.

After completing this session, the participant will be able to:

Do you have a plan for your Digital Trust career? Not long ago, the choices were limited, falling into two major buckets: security and audit. Today, Digital Trust careers are staggering in their variety. Advances such as generative AI and ambient computing promise to open even more avenues for professional exploration. But how do you choose, and how do you get where you want to go?

This discussion will help participants plot a course to develop the Digital Trust career of their dreams. From picturing your success as you receive your future award for contributions to the profession, we will work backward to the steps you can take in the short and medium term to help you achieve success. What experiences do you need to have? What do you need to learn? What certifications should you work toward? Each participant's answers will differ, but this session will help them start the process.

After completing this session, the participant will be able to:

To address the concerns and the growing demand for internationally accepted guardrails and safeguards around the use and development of AI, ISO and IEC have created the ISO/IEC 42001 (ISO 42001) standard, which provides a certifiable AI management system (AIMS) framework which specifies the requirements for establishing, implementing, maintaining and continually improving an AIMS for organizations who are looking to implement AI in a safe and transparent manner. The AIMS will utilize a risk based approach with controls and guidance to implement organizational and technical measures to mitigate risk, including system level controls. Legislators and ISO have both never been great at keeping pace with the developments in technology, but the game-changing nature and widespread / exponential growth in the use of AI has prompted a lot of attention in the areas of regulation, governance and compliance. Many people are suspicious of AI and the objective of ISO 42001 is that the critical issues that AI faces in the areas of trust, ethics and social concerns are addressed as the technology continues to progress and spread its influence. AI must be reliable, fair and transparent–all promoting overall trustworthiness. ISO 42001 will provide a model for accountability and governance, rooted in how organizations approach risk management and responsible use of AI with the objective that AI system should be trustworthy along multiple dimensions including fairness, accountability, transparency, reliability, robustness, safety, privacy, security and accessibility.

After completing this session, the participant will be able to: 

• Understand the main AI risks and concerns that ISO/IEC 42001 addresses in the areas of security, privacy, safety, fairness, unwanted bias, and transparency.
• Understand the ISO/IEC 42001 standard structure necessary to implementation of the AIMS, including clause requirements and controls and guidance.
• Understand how the AIMS can be integrated with existing, prominent management system processes such as ISO 9001 QMS or ISO 27001 ISMS.

In an era where Generative AI is pushing the boundaries, the need for robust governance has never been more critical. As IT leaders and management professionals, understanding how to manage Generative AI systems effectively is paramount.

This presentation delves into the intricate Generative AI ecosystem and explores the essential elements of a comprehensive governance framework tailored to this transformative technology. We will explore:

• Challenges of Generative AI: Uncover the unique challenges and risks associated with Generative AI, including bias, accountability, and transparency.
• Foundations of Governance: Discover the foundational principles that underpin effective governance for Generative AI, including ethical, legal, compliance, and security protocols.
• Risk Mitigation Strategies: Learn practical strategies and best practices for mitigating the risks of Generative AI.
• Compliance and Regulatory Landscape: Navigate the evolving regulatory landscape surrounding AI and Generative AI technologies and understand how to maintain compliance.
• Use Cases and Industry Insights: Gain insights into real-world use cases and examples from the Singapore AI Governance Framework at the forefront of Generative AI adoption, demonstrating the impact of effective governance. 
• Building a Governance Framework: Receive actionable guidance on building and implementing a governance framework tailored to your organization's unique needs, ensuring alignment with business objectives.

Join us to explore how a well-structured Governance Framework can empower your organization to harness the potential of AI while maintaining ethics, transparency, and compliance. Together, we'll journey to navigate the challenges and opportunities that Generative AI presents to IT governance professionals.

After completing this session, the participant will be able to:

Ransomware groups invest a lot of time, money, data, and technology in their business. They are no longer lone wolves, traditional threat actors working in dark, dingy basements. They collaborate with other threat actors, develop in-house solutions, and create customer success teams. Defenders are cyber-crime startups building billion-dollar empires.

After completing this session, the participant will be able to:

As organizations increasingly rely on vendors that have access to sensitive data, effective vendor risk management is more important now than ever. Navigating this dynamic risk environment requires organizations to re-imagine their approach to vendor risk management. The adoption of attack surface monitoring coupled with AI-driven risk assessments is transforming how organizations address vendor risk. The shift towards immediate result verification and continuous threat intelligence is key to safeguarding critical data, while maintaining cost efficiency.

After completing this session, the participant will be able to:   

• Understand challenges organizations face in addressing vendor risk.
• Understand how AI and attack surface monitoring are transforming the vendor risk management process.
• Understand the importance of having a fully-integrated vendor risk management platform.

Don’t miss out on our booth takeover by the ISACA Foundation, formerly known as OneInTech. Grab some swag and snacks and ask how you can get involved with the ISACA Foundation.

Organizations must examine risk through the lens of our dire talent retention issues. Organizations have control over retaining talent, and yet the statistics are horrifying. Cybersecurity professionals are not happy with their current employment and move jobs regularly. Talent retention controls seem greatly necessary, being that organizations are not following best practices for retaining and or hiring cybersecurity professionals. This negligence puts an organization in a higher risk bracket, and therefore compliance control is needed greatly.  

After completing this session, the participant will be able to: 

• Utilize CyberSN's proprietary data and industry insights to uncover the exact causes of why cyber pros are leaving their jobs, enabling a comprehensive grasp of the challenges faced by both organizations and supply chains due to frequent job changes.
• Reveal successful strategies employed by organizations to retain cybersecurity professionals.
• Stress the critical necessity for all organizations to adopt and uphold strong retention policies and practices.
• Provide practical steps and methodologies to create tangible impact on cybersecurity retention.

The concept of privacy online feels like a joke right now - users have become the product. GenAI can make this problem much worse if not used responsibly. For example, imagine a model that can get to know the most intimate details of your private life - your insecurities, personality type, and attachment style. A model could be trained to take all of this and give the perfect persuasion pitch to convince you to buy something. GenAI could become what a casino is to a gambling addict, what cigarettes are to a smoker, and what Black Friday sales are to a shopping addict if not handled correctly. 

There's good news, though. This doesn't have to be our path. We can learn from the past and restore trust and privacy online. The Internet wasn't intended to be a place to have our privacy invaded; it became that way. That being said, a new generation of search tools puts ethics and trust front and center, pledging not to take ads or share data. GenAI has the potential to have a transformative, positive impact on the way we learn, how we communicate, how much time we have, and what we get to work on. In this session, we'll explore what it will take to leverage GenAI for good and ensure it doesn't exacerbate existing privacy issues.

After completing this session, the participant will be able to:

In a SOC 2 examination that addresses the confidentiality criteria, the system boundaries would cover, at a minimum, all system components as they relate to the confidential information life cycle: the collection, retention, use, disclosure, and disposal or anonymization of information by well-defined processes and informal ad hoc procedures. In SOC 2, "confidentiality” applies to various types of sensitive information which varies from organization to organization, but often includes nonpublic information such as the following: regulatory compliance information; financial information used for both internal and external reporting purposes; confidential sales information, including customer lists; confidential wholesale pricing information and order information; confidential product information including product specifications, new design ideas, and branding strategies; and proprietary information provided by business partners, including manufacturing data, sales and pricing information, and licensed designs. Sensitive information also includes personal information. Personal information is nonpublic information about or related to an identifiable individual, such as personal health information or personally identifiable information (such as personnel records, payment card information, and online retail customer profile information).

In this session, we will discuss ways a service auditor might approach a SOC 2 examination that addresses the Confidentiality Trust Services Criteria, including best practices for evaluating the confidential information life cycle and defining the boundaries of the System.

After completing this session, the participant will be able to:

When asked, most organizations still need a complete list of their vendors. They need to be made aware if those vendors are maintaining the same level of security and privacy controls required of the organization to meet legal, regulatory, and contractual obligations. There needs to be consideration or desire to know what data elements are shared, where it is shared, or if there is legal justification to share the data. 

Most existing privacy laws only require organizations to disclose categories of data; however, it is important to know the data elements too and always received pushback. Often, for the rational being, it is hard enough to manage categories of data and compliance obligations; it is impossible to manage to the data element layer. While that may be true, the fact is, laws require it and most are unaware of this requirement. Colorado Student Privacy Law requires all third parties to disclose the data elements obtained, whether it was provided to the third party or added to the record by the vendor, and this information must be publicly available to parents and caregivers. Suppose an organization with student data, such as a school, does not perform adequate security and privacy due diligence of the third party before engaging into a contract. In that case, the third party may lose the ability to do business in the entire state. That is huge and could significantly impact organizational growth and revenue. This level of detail is needed to meet other privacy requirements such as records of processing activities, data flows, inventories, privacy notices and much more.

Inadequate third-party risk management leads to increased breaches, data loss, more laws, and executive orders. This session will present a third-party risk management program driven by compliance, privacy, and security that organizations can use entirely or use components to strengthen their existing program.

After completing this session, the participant will be able to:

Celebrate those who exemplify the best of the IS/IT industry by attending the ISACA Awards. Mingle with winners and network with industry leaders, all in a friendly atmosphere. 

All registrations come with an Awards and Social Event ticket, to purchase a guest ticket, please visit here

As artificial intelligence algorithms keep improving, we see their use increasing in many fields, including use in bionic limbs. For example, PSYONIC’s Ability Hand is the fastest bionic hand on the market, the first to provide users with touch feedback, is robust to impacts, and covered by Medicare in the US. These technological advances use AI in several ways:

1. Pattern Recognition: AI algorithms can analyze signals from residual muscles or nerve endings in the user's residual limb to recognize patterns associated with different movements. This allows users to control their bionic hands intuitively, with gestures and muscle movements translating into corresponding actions of the prosthetic hand.
2. Machine Learning: Bionic hands can employ machine learning algorithms to adapt and personalize their behavior according to the user's preferences and habits. For example, the prosthetic hand can learn the user's preferred grip patterns for different objects and adjust its response accordingly over time.
3. Sensory Feedback Integration: Advanced bionic hands equipped with sensors can provide sensory feedback to the user, such as pressure sensations when grasping objects. AI algorithms can interpret these sensory inputs and adjust the grip strength or hand posture in real-time to provide a more natural and intuitive user experience.
4. Predictive Control: AI algorithms can anticipate the user's intended movements based on their previous actions and environmental cues. This predictive control allows the bionic hand to respond more quickly and accurately to the user's commands, enhancing dexterity and reducing the cognitive effort required for controlling the prosthesis.

However, along with these advances come risks associated with using AI, including the following:

1. Reliability and Safety Concerns: AI algorithms may not always perform as intended, leading to unexpected behavior or malfunctions in the bionic hand. This could pose safety risks for the user, especially in situations where precise control is critical, such as handling fragile objects or operating machinery.
2. Privacy and Security Risks: Bionic hands equipped with AI capabilities may collect sensitive user data, such as muscle signals or sensory feedback patterns. There is a risk of this data being intercepted or exploited by malicious actors, potentially compromising the user's privacy and security.
3. Ethical Considerations: AI algorithms used in bionic hands may raise ethical concerns related to autonomy, consent, and decision-making. For example, who holds responsibility if the AI-driven prosthesis makes a decision that leads to harm or injury? Ensuring transparent and ethical design principles is essential to address these issues.
4. Dependency and Overreliance: Users of AI-powered bionic hands may become overly dependent on the technology, potentially reducing their ability to adapt to situations where the prosthesis is unavailable or malfunctioning. It's crucial to provide users with appropriate training and support to maintain their independence and resilience.

In this talk, you will learn about the advances made in bionic limbs using AI, especially as we these human-machine interfaces become more seamless. You will also learn about the risks associated with this technology and how we might be able to mitigate them.

Artificial Intelligence and Machine Learning, Digital Trust, and Smarter Devices are just a few of the technology trends. As we continue to move along the Digital Transformation spectrum, join us for a panel discussion with the Chiefs: a Chief Risk Officer (CRO), Chief Audit Executive (CAE) and two Chief Executive Officers (CEOs). These four experts will discuss some of the most prevalent emerging technologies, their impact on the business community, and best practices on how to assess and manage them. 

Even champions need a break sometimes. Whether you have some downtime between sessions or need a few minutes of peace and quiet to catch up on your work, if you are an ISACA Platinum and Gold Member, our Loyalty Lounge offers the perfect respite to help you stay refreshed and focused.

Risk became a 4-letter word during the pandemic, but as ambitious professionals and organizations hungry to meet our potential, we need to take risks at work.  

Risk-taking sounds good in theory, but most of us need help moving from wishful thinking to execution. Why? Because when we have a chance to take a risk in the moment, we feel awkward—and that awkwardness bumps up against our deep desire for others to approve of us and what we do. As it turns out, what we improve in the face of taking risks—often despite others’ judgment—leads to the greatest growth. After all, the fastest path to major improvement comes from strengthening what’s weak rather than what’s strong.  

Join 2x TEDx Speaker, Executive Coach, and Workplace Performance Expert Henna Pryor and learn why conditioning for awkwardness is your secret weapon for strengthening your risk-taking muscle—and how to do it right.  

After completing this session, the participant will be able to: 

• Pinpoint the exact reason it’s been difficult to take risks at an individual or organizational level - and how to move past it.
• Learn how to use the concepts of deliberate discomfort and strategic microstressors to strengthen mental muscle.
• Formulate a personalized game plan to be risk-ready whenever the chance arises.