For me, I attended because they had several sessions on cybersecurity. I was able to attend for free because I volunteered at the conference as a member of ISACA.
So who are the groups behind this event? The Institute of Internal Auditors (IIA) is the professional association for those doing internal audits (financial, usually, but also IT) within corporations. They offer several professional certifications. ISACA is a professional association for those involved in IT controls, risk, and governance. They are the group behind COBIT. And they have a set of professional certifications. In recent years they have been getting more into cybersecurity with a new set of certs.
Now, the conference has presentations in one of 4 tracks:
- Cyber: Risks, Controls and Probabilities
- IT Audit Core Principles
- Internal Audit – Personal Brand Enhancement Strategies
- Internal Audit Core Skills Refinement
Given the work I do, I was most interested in the Cyber track, and a bit in the IT Audit track. I do a lot of work with companies assessing and advising them on improving their overall security program, what is known as an ISMS (Information Security Management System).
There were several sessions that I looked forward to, but sadly, for me, many of them weren't at the level I was looking for. As someone who is more technical, thanks to several years of technical IT experience, I look for more technical presentations, the sort I find at the various infosec conferences I attend, like BSides, ISSA, etc. I find that too many people on the audit side, even in IT audit, don't have that level of knowledge and experience, so it is too often absent.
Not to digress, but this is part of my concern with ISACA getting into cybersecurity. Who is their target audience? IT audit folks trying to get into cybersecurity? Or the technical hacker types getting into infosec? One thing I see as a disconnect is the cost of these events. I found this conference VERY expensive compared to infosec conferences. Even ISACA's CSX conference, which is aimed at cybersecurity, is over a thousand, as compared to ISSA or DefCon at a few hundred and the various BSides conferences, which are either nominal or free. And if infosec people are going to drop a lot of money, it's more likely to be on SANS.
As I said, the sessions were good, but most were not at the level I was looking for. Ira Winkler's session on security awareness programs was great. I've long heard him criticize such programs, but didn't know what he felt was the right way to do things. Now I know. This will be useful in the work I do. The sessions on the NIST CSF were good, but I would have liked to learn more about assessments than about what the CSF is (I'm fully aware of that) and the CIS Critical Security Controls. From other sessions I got bits and pieces of interesting info. I thought it interesting that 2 sessions touched on the importance of corporate culture to IT auditing, as the culture will often affect how people follow policies and procedures, which is something I look for.
The exhibit hall had a good number of vendors and groups. I was surprised by the several other orgs exhibiting, such as IT Service Management Forum, The Risk Management Society, and Society of Corporate Compliance and Ethics, along with CMMI Institute and Center of Internet Security. The rest were mainly made up of GRC and ERM vendors and some of the national/international consulting firms. There were a few I would have expected to be exhibiting who weren't there, though they sponsored.
This is not a bad conference, just that I'm not quite the target audience for it.