This year’s annual Isaca Europe conference is entirely focused on AI, digital governance, and finding a balance between innovation and control.
While AI is being directly implemented and used by many companies, ISACA emphasizes the need for responsibility. “AI comes up in every conversation these days,” says CEO Eric Prush. “It’s the first form of technology that touches every layer of an organization, and that’s quite scary.”
From IT Audit to Digital Resilience
ISACA, active for 55 years and boasting 190,000 members worldwide, built its reputation around four pillars: IT audit, cybersecurity, risk, and governance. According to Prush, the mission has never been commercial: “We are not driven by profit, but by improving the competencies of professionals, and thus indirectly of the companies they work for.”
The organization is currently responding to the extreme growth of AI applications with two new certifications: AI Audit (AAIA) and AI Security Management (AAISM). These are designed to teach auditors and security managers how to assess algorithms for reliability and risk. “We were first to market,” says Prush. “Our exams are set according to the American National Standards (ANSI). Believe me, they are difficult. Many participants only realize during studying how much they still don’t know.”
European Complexity
ISACA’s Chief Global Strategy Officer Chris Dimiatriadis outlines another problem: Europe and its regulations. “It’s a large and diverse world in terms of legislation,” he states. Through more than 230 local chapters, ISACA tries to translate its global vision into national reality.
The organization is in the process of updating its well-known frameworks, such as COBIT and CMMI, to align them with new laws like DORA, Cyber Resilience Act, and AI Act. “We directly link our training and certifications to the needs of these regulations,” says Dimiatriadis. “But honestly: the regulations change faster than our update cycle of two to three years.”
Skill Gap Grows Significantly
Dimiatriadis warns of an impending shortage of specialized talent. “Almost sixty percent of European organizations say their cybersecurity teams are understaffed, and half struggle with retention issues.” This shortage slows down the adoption of security frameworks. “Everyone is talking about AI, but almost none of these companies have established an AI policy,” he says. “That’s a big risk for safe implementation.”
Aligning Perspectives
Belgian chairman Egide Nzabonimana sees the same pain points. “We have a shortage of talents and resources,” he said. “That makes IT governance more difficult: organizations want to create value, but lack the people to do so.” His chapter tries to address this through training and partnerships with, among others, the Cyber Security Coalition and the Data Protection Institute.
Yet he notices that many companies are still in the discovery phase. “They now know that AI exists… That’s something,” Nzabonimana laughs. “Much more needs to happen in terms of training and methodology. Some companies simply ban AI in the workplace out of fear, while others handle it better by training and guiding their people.”
read also
Belgium pioneer in NIS2 regulation: why?
Collaboration is crucial in this. “The parties don’t reinforce each other enough,” he explains. “Belgium already has numerous cybersecurity organizations, from the CCB to Vlaio and the new Cyber Security Center Flanders, but they often still work too isolated.” ISACA tries to build bridges. COBIT is again mentioned as a framework in this context. “COBIT is developed by global experts,” says Nzabonimana. “Companies don’t need to reinvent the wheel, but just knowing that these tools exist is already a step forward.”
Reducing the Knowledge Gap
A similar message is heard in the Netherlands, but with more pragmatism. “We are a knowledge association for IT audit, risk, and security professionals,” said Dwayne Valkenburg, chairman of ISACA Netherlands. His team organizes weekly networking events for hundreds of participants, but he also notices that compliance is lagging behind.
“When something new comes along, like a regulation, organizations first react with a wait-and-see attitude,” he says. “CIOs often aren’t eager to comply with regulations first, they have other priorities.” Especially SMEs find frameworks like COBIT too complex. “For large organizations, it remains a solid foundation,” Valkenburg admits, “but for small businesses, it’s often too much.”
ISACA Netherlands tries to address this feeling through collaborations with universities and by offering more affordable training. “We want to reduce the knowledge gap,” he clarifies. “That’s why we provide training with discounts and integrate our material into academic courses.”
AI: Productivity or Chaos?
Prush analyzes the rapid AI transition. “Everyone is talking about AI. Every opportunity, big or small, is seized for millions of dollars. That’s chaos.” However, his biggest concern is the loss of intellectual property. “If someone steals our content and puts it into a large language model, it’s lost forever,” he said. “We’ve invested millions in knowledge. How do we protect that in a world where everything is one button press away from slipping out of your hands?”
We need to talk to each other more often, because tomorrow everything will be different again
Eric Prusch, CEO at ISACA
ISACA wants to influence regulations but sees that governments are struggling to keep up. “Many countries are still at the beginning. We try to help them understand what risks are at play and what steps they need to take now.” The organization works with the British Cyber Security Council and the European Commission, but this too remains a long-term process.