
I’ve always loved the ISACA CACS conferences. Why? I guess because I love auditors. Not all auditors, mind you, but auditors who have a risk-based orientation, and who understand that the achievement of any goal (regardless of whether we’re talking about information security, operating effectiveness, or compliance goals) hinges on effective controls.

And IT auditors congregate at the fantastic ISACA conferences and chapter events. It’s one of the few conferences that have a good balance of IT risk and business risk. I don’t know of any other conference where you can not only learn about application and network security, but also bone up on how to audit and secure SAP and PeopleSoft systems!

I’m a fan of this conference. I usually like to make sure I attend the entire week. After all, it’s been years since I’ve actually touched an SAP instance, and knowing more about SAP makes me feel smarter.


Given the throngs of people at the Infosecurity Europe conference, I expected a similarly huge crowd at the ISACA North American CACS conference, held on April 27-May 1. Alas, this wasn’t the case.

The last NA-CACS conference I was at was probably three years ago, when it was in Las Vegas at some huge hotel. I’m guessing there were about 3500 people at that conference, which was one of the largest ISACA events I had been to. This was around the same time as the huge buildup/panic around SOX-404.

This year, I’m estimating that there were only around 1300 attendees. It was a fantastic program, with lots of senior practitioners spanning information security, IT audit, and IT governance, and even some chief audit executives speaking.

Given that this is probably one of the best put together curriculums, I think it’s unfortunate that it didn’t attract the numbers of Infosecurity Europe. Why? These are only my speculations:

  • IT audit training budgets are shrinking, unlike the bushels of money being thrown around in information security
  • ISACA is not effectively reaching the radar screens of information security practitioners

If true, this is too bad. Information security could use a good dose of learnin’ about risk-based application of IT controls.