Postcard from the 2023 ISACA Pittsburgh Information Security Awareness Day

Since our dedicated IT Risk Advisory and Cybersecurity professionals are so heavily involved with ISACA, I jumped at the opportunity to attend the annual ISACA Pittsburgh Information Security Awareness Day to learn more about their world.

Though I came to the conference as an infosec newbie, 2023 happened to be a great year to get my feet wet. There are several reasons this is a fascinating time to be paying attention to the world of information security.

“Era of Transparency”

The day kicked off with a keynote address from Facebook whistleblower Frances Haugen. She talked us through some recent legislation and litigation and explained how they are transforming the expectations of transparency from organizations moving forward.


Both the European Union (EU) and United Kingdom (UK) have recently passed standard-setting legislation. For Haugen, the silver bullet of both the EU’s Digital Services Act and the UK’s Online Safety Act, is that they alter the incentive structure for social media companies. By requiring regular disclosures, both pieces of legislation effectively build transparency and accountability into an organization’s governance structure, which gives companies the freedom to take the short-term loss of, say, a teenager’s social media click, for the more long-term gain of maintaining compliance.


Haugen also cited the recent suits 41 states brought against Meta for knowingly endangering children and teenagers, as well as the recent ouster of Sam Altman from OpenAI, as the beginning of a new “era of transparency.” Expectations of companies are changing and, according to Haugen, we can expect more whistleblowers and regulations going forward as the “black box” mentality becomes less and less acceptable.

My main takeaway from her talk was that organizations must proactively develop stronger audit processes and internal controls to prepare for the world Haugen envisions—where “lies are liabilities.”

Opportunities for Women

Another exciting development in the information security world is the increasing number of women seizing opportunities to get involved. Later in the program, the conference audience heard a panel of women from One in Tech, an ISACA foundation whose mission is to increase awareness of barriers and foster opportunities for underrepresented groups to join the tech world.

The panel discussed how mentorship, sponsorship and allyship—from both men and women—were critical to shaping and enabling their impressive careers. They explained how, since more women have entered the field, there are more opportunities for female mentorship. And, in the wake of COVID and as conversations are changing around DEI, there is more opportunity to find flexible and supportive leaders who prioritize keeping their top talent.

Threat Actors are Adapting

Schneider Downs’ own Stephen Bish gave a talk on the current state of the cyber world and shared some insights into the tactics he’s seeing threat actors gravitate towards in 2023. A takeaway I found particularly surprising is that cyber criminals are responding to the increasing sophistication of cyber defenses by becoming…less sophisticated.

Stephen explained that he’s beginning to see threat actors dipping into more manual hacking tactics and relying less on automated approaches that are more likely to be detected and prevented as companies become more aware of cyber risk.

In the same vein, Stephen noted that while “switching off” defenses may have been a go-to tactic for the threat actors of the past, this is more often a technique of last resort for today’s cyber criminals, who know that it would likely blow their cover in a more cyber-savvy world.

Innovative Approaches to Best Practices

As Stephen emphasized in his talk, every organization, of any size and within any industry, is a potential target for cybercrime. To help organizations shore up their defenses therefore, several speakers at the conference focused on some best practices.


Since an organization’s people or “wetware” (a term I had never heard before) are its greatest vulnerability, several speakers justifiably spent a lot of time talking about training.

  • Dr. Bob Hausman, of ProofPoint, explained how to harness neurological insights into learning, motivation and retention to structure internal information security programs.
  • Gregory Toulhill, current lecturer at Carnegie Mellon University and former first Federal CISO for the U.S. Government, emphasized the importance of investing in hardening the workforce over hardening tech, and he described a creative twist on phishing simulations he used in the military.

As several lectures stressed, good information security policy starts at the top. Some speakers, like Frances Haugen, highlighted the importance of building transparency into governance. Others, like Gregory Toulhill, underlined the necessity of frequent and regular communications between technical teams and leadership. And Jon Zeolla of Seiso, outlined some innovative strategies for how to write good policy and avoid some of the common policy pitfalls that might lead a company to fail an audit.

Artificial Intelligence

Best practices surrounding artificial intelligence (AI) were, of course, on everyone’s mind at the conference. The One In Tech panel detailed some safety considerations organizations must keep in mind when deciding to adopt or prohibit the use of AI. And, on the topic of AI safety, Sanjay Chopra, of Cognistx talked about the limitations of LLM’s like Open AI’s Chat GPT and Google’s Bard and explained how truly safe organizational AI tools can be transformative, but subject to a slow implementation.

It seems that true deployment of AI tools will march to a beat much slower than the one I’ve come to expect after the rapid explosion of interest following the release of Chat GPT.

I feel incredibly fortunate to have attended the ISACA Pittsburgh Information Security Awareness Day. Though I certainly was no help to my team in “InfoSec Jeopardy,” at the end of the conference, I do think I learned quite a bit about the exciting and changing world of information security. I can’t wait to learn more.  

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Get the Low Down Before You Download: Exploring the Temu App’s Security Risks
Understanding SOC Report Opinions
Six-Figure Ransomware Attack Hits Washington County, PA
SOC 2 - What is ACTUALLY required?
Romance Scams: Guarding Your Heart and Wallet
Update on GLBA for Higher Ed
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.