How do you evaluate the risks of third-party AI solutions—and what does quantum readiness really look like? In this episode, ISACA leaders Mary Carmichael and Dooshima Dabo’Adzuana share practical guidance, global perspectives, and a vision for building a stronger cybersecurity community through education, conversation, and connection.
As anticipation builds for the RSAC Conference 2025, ISACA leaders Mary Carmichael and Dooshima Dabo’Adzuana join Sean Martin and Marco Ciappelli to preview what the global technology and cybersecurity association has in store for attendees this year. With a focus on expanding community, AI governance, and professional development, their conversation reveals how ISACA is showing up with both timely insights and tangible resources.
Mary Carmichael, President of ISACA’s Vancouver Chapter and a CPA focused on cybersecurity risk and governance, highlights the session she’s co-presenting with Dooshima Dabo’Adzuana: Third-Party AI: What Are You Really Buying? Their talk will explore the increasing complexity of evaluating AI solutions procured from vendors—especially those embedding large language models. Topics include due diligence during procurement, monitoring post-deployment, and assessing whether vendor practices align with internal risk and privacy requirements.
Dooshima Dabo’Adzuana, a researcher at Boise State University and leader from ISACA’s Abuja Chapter, shares how ISACA members across regions are grappling with similar questions: What does AI mean for my organization? What risks do third-party integrations introduce? She emphasizes the importance of frameworks and educational tools—resources that ISACA is making readily available at their booth (South Expo #2268) and through new certification tracks in AI audit and security.
Alongside the AI focus, visitors to the booth can explore results from ISACA’s Quantum Pulse Poll and access guidance on encryption readiness for a post-quantum future. The booth will also feature a selfie station and serve as a meeting point for the diverse ISACA community, with members from over 220 chapters worldwide.
The conversation rounds out with a critical discussion on cybersecurity career development. Both Mary and Dooshima share personal stories of transitioning into the field—Mary from accounting, Dooshima from insurance—and call for broader recognition of transferable skills. They point to global tools, such as career pathway frameworks supported by ISACA and the UK Cyber Security Council, as essential for addressing the persistent workforce gap.
This episode offers a preview of how ISACA is connecting global conversations on AI, quantum, and professional development—making RSAC Conference 2025 not just a tech showcase, but a community gathering rooted in learning and action.
Stop by booth 2268 in the South Expo to explore how ISACA are equipping professionals with practical tools for AI governance, quantum readiness, and cybersecurity career growth—and how your organization can benefit from a stronger, more connected community.
Learn more about ISACA: https://itspm.ag/isaca-96808
Guests:
Mary Carmichael, President of ISACA’s Vancouver Chapter | https://www.linkedin.com/in/carmichaelmary/
Dooshima Dabo’Adzuana, a researcher at Boise State University and leader from ISACA’s Abuja Chapter | https://www.linkedin.com/in/dooshima-dabo-adzuana/
Resources
Mary and Dooshima's session at RSA Conference: https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1737642290064001tqyq
Learn more about ISACA's AI resources: https://www.isaca.org/resources/artificial-intelligence
Learn more about ISACA's credentials: https://www.isaca.org/credentialing
Learn more and catch more stories from ISACA: https://www.itspmagazine.com/directory/isaca
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
______________________
Keywords: ai, quantum, cybersecurity, risk, governance, audit, certification, encryption, rsa, rsac, third-party, compliance, career, skills, education, community, brand story, brand marketing, marketing podcast, brand story podcast
______________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
[00:00:00] Sean Martin: Marco
[00:00:02] Marco Ciappelli: Sean,
[00:00:02] Sean Martin: room. Room.
[00:00:04] Marco Ciappelli: it's about time. I'm already run out of gas once. I'm already halfway, halfway there.
[00:00:09] Sean Martin: run outta gas or battery?
[00:00:12] Marco Ciappelli: No, I don't think the battery's enough. Uh, we'll, we'll go gas. Unfortunately, we're, we're not there yet. I wish, but we're not there
[00:00:20] Sean Martin: All right, well, we'll, we'll manage, uh, the risk. We don't wanna run outta gas on the way we wanna arrive safe and sound so we can see all our friends and have some good chats. Uh, and speaking of which, we have our, our good friends from I, so on with us, uh, Mary Carmichael and Dima. How, how are you both
[00:00:39] Mary Carmichael: Oh.
[00:00:40] Dooshima Dabo'Adzuana: We are doing great. It's a pleasure to be on podcast today. Thanks for having us.
[00:00:46] Marco Ciappelli: Of course, we're here to share some excitement and to learn what, uh, Isaka is. Uh, he's planning on, uh, on location. I mean, as a
[00:00:57] Sean Martin: we haven't even said where we're heading, Marco. We just said we're driving. [00:01:00] We're on our way
[00:01:00] Marco Ciappelli: know, I think, I think at this point people already know, but you know what, if somebody just jump in and, uh, it's the first one that they hear from us. So yes, we're going to RSAC conference for our what, 11, 12.
20th time for you? Probably. Um, you know, uh, it's always as exciting as the first time for me though, so that, that's why I don't even think about making the proper introduction. I wanna just get down to the point,
[00:01:26] Sean Martin: Get done to business.
[00:01:28] Marco Ciappelli: to business.
[00:01:29] Sean Martin: Well, this year I, I have to say there's a lot of, a lot of excitement. Around the, around the conference. Um, which it's hard to say that there isn't every year, but there seems to be a little extra something going on this year and, and certainly around the community as well. uh, and the, the venues expanded and I think there'll be many more people joining us this year.
Um. Uh, Mary and, uh, Dima, maybe before we get into what Isaka will be doing, where your booth [00:02:00] is, what you'll be talking about, who you hope to meet, all that stuff. Maybe just a quick few words about your role, uh, with the organization and what you're up to. And maybe we'll start with you.
[00:02:11] Mary Carmichael: Oh, hi. Hi. Greetings from Vancouver, Canada. So my role with the Saka, I am, uh, well Mary Carmichael, but I'm the president of the Saka Vancouver Canada chapter. So I'm excited to, uh, head down to RSA and represent our Vancouver community, but also represent the Saka and the great work we're doing, especially when it comes to our AI resources, whether it's.
Risk assessments, governance, or even audit, but also, uh, hearing the results of the quantum pulse poll as well. And I think another thing that excites me about RSA is it's my first time, so I'm a newbie, so I hear Sean, Marco, you've been there 20 times. I did get some tips, uh, from you in terms of what's the must do.
And also coming from Canada, I'm looking forward to the weather. So I'm assuming there's me sunshine. Can you help me? Can you promise me sunshine and some
[00:02:55] Marco Ciappelli: I cannot promise you sun
[00:02:56] Sean Martin: Come on, Marco.
[00:02:57] Marco Ciappelli: It's San Francisco. I have to say that [00:03:00] lately, the last few events has been really sunny and warm, so hopefully we'll stick with that.
[00:03:07] Mary Carmichael: Sounds good.
[00:03:08] Sean Martin: Let off. I'll check the weather as, uh. Ashima tells us a little bit about herself.
[00:03:13] Dooshima Dabo'Adzuana: Right. We've gotta know what to pack as we pack up the microphones and all the, um, I've been a soccer member for. A little over six years now. Um, I'm a chapter leader, um, just like Mary from the Abuja chapter. Um, but right now I am a researcher in Boise, Idaho, at Boise State University. So, um, like Mary, I've been, um, involved with Isaka, um, for as long as I've been a member, um, on various.
Um, boards and advisory groups, and it's just a, a great community. So the theme for RSA this year really resonates with both of us, many voices, one community, and we're just looking forward to gathering in San [00:04:00] Francisco.
[00:04:01] Mary Carmichael: I, I do wanna highlight the one community, 'cause actually my background is I'm a CPA, so with the CPAI just, uh, I've been getting more involved in cybersecurity assessments, the budgeting, the. Reporting. So it shows that the cybersecurity committee has grown, especially the past few years, to include, uh, a county professionals risk audit.
So it's great to see that trend, to show that cybersecurity is broadening in terms of its roles and also its function like expense, especially the business risk aspects of it.
[00:04:30] Marco Ciappelli: Well, it's expanding and also it's, it's getting even more complex. Like if it wasn't already right. I mean, Mary, you, you started your introduction with AI and Quantum, which is already a mouthful, but I'm expecting to
[00:04:46] Sean Martin: mix those together too.
[00:04:48] Marco Ciappelli: Exactly. We could actually mix the two together and then it get really scary. But I, I'm expecting actually those to be two very, very relevant topics this year.
Not that AI already [00:05:00] wasn't, but I think we're to a different level. I mean, one year in ai, uh, it's, it's a long, it's a long way to go and to get in into all. Into people's mind and awfully into strategy for cybersecurity. So, uh, you, you actually are presenting, um, at RSAC conference as well. So what, what we'll be talking about.
[00:05:25] Mary Carmichael: Oh yes, we're gonna be talking about ai. So third party ai. And I think what triggered this session was a number of companies are choosing to procure AI solutions. So when you procure, part of that is what's your security and privacy requirements, what's the, what's the vendor's background in terms of its own AI lifecycle development?
And also the LLM, like how is. The data being stored is our data being used to train that model. So I just found the past two years, especially with chat GBT and the expansion of lms, now this capability's now being embedded into these third party solutions that companies wanna buy. But part of that [00:06:00] is you have to do the due diligence.
So the question is, so with that process is like, what questions do we ask to support companies in procuring these solutions? And also making sure there's due diligence afterwards. Even when you deploy the solutions in monitoring its performance.
[00:06:16] Sean Martin: And Ashima what, um, in connection to the, the. Presentation that you're, you're giving together. What, what are some of the things on top of mind for Osaka members, um, around AI and, and more specifically, the third party risk that comes with it. Um, what, what drives them to come together as a community and what, what answers are they seeking from you that you hope to, uh, to share with them during your session?
[00:06:42] Dooshima Dabo'Adzuana: Well, our session is going to cover, um, a lot of the questions that ISCA members have had over the last year as AI sort of takes over the conversation in our space. Um, most importantly, for Isaka, we have a lot of tools and resources that we're gonna be [00:07:00] talking about. We're also gonna be sharing. With the community at our booth.
Um, we've got some upcoming certifications that touch on ai, audit, ai, security management. Um, we've got some polls, you know, we've, um, sent out some questions in our community and got some interesting feedback. So we're gonna have some results from those polls being released as well.
[00:07:23] Marco Ciappelli: And this has been. Inserted, let's say into your certification programs. And I, I, so when I think about AI, that there is more questions than answers in my head. And I think in a lot of people had, not only for the third party, but in general, uh, you know, how is received and how easy it is to, you know, train on something that is so still up in the air, right?
So, I don't know if it doesn't make sense as a question, Mary.
[00:07:54] Mary Carmichael: Oh, it makes sense. I think part of that is the Saka has its fundamentals courses, so just even what is AI [00:08:00] 1 0 1 and AI is really a broad set of technologies. So like na, natural language processing, predictive analytics, uh, robotics, even a genetic ai. Just so starting with the fundamentals, like what is ai?
What are the different types of technologies? What's the applications in terms of the business case? And then when you're looking at deploying those technologies, kind of goes back to a framework. And Asaka provides a nice framework, like what is your business strategy? What do you hope to achieve? And then what's the governance model to make sure that the use case and the technology you pick is actually delivering the results.
And I think within the SCA community, there's lots of discussion. Is AI overhyped. So are we in a hype cycle? So part of that is this providing our members with education. So when they are going through these AI lifecycle steps, they're able to ask the right questions to confirm that the technology is sound and that the business is in track to achieve its objectives with its use cases.
[00:08:58] Sean Martin: So clearly, [00:09:00] uh, the, the members and, and the, the member community are what IAC was all about, right? So bringing people together and giving them tools and, and resources and education and, and the ability to leverage all of those things, uh, to enhance and improve their careers. Um. You have your, you have your chapter meetings.
RSA comes together. It's a chance to bring multiple chapters and multiple community members together to have conversations that you might hear different things from different, different parts of the country, different countries, Canada, us, wherever else, uh, the teams are coming from. Um. What do you expect the, the vibe to be like at the, at the booth, which happens to be S 2, 2, 6, 8.
So south 2, 2, 6, 8, the iau booth. What, what do you hope to hear and feel and say and, and communicate with the members, uh, in the booth?
[00:09:59] Dooshima Dabo'Adzuana: So [00:10:00] I think definitely there's going to be the isaka energy, um, which is fun, which is vibrant. Um, I heard we are gonna have a selfie station, so we're gonna be able to take, you know, lots of pictures and capture memories. Um, but I think. The biggest part of the Isaka community is the conversations, as you mentioned, we have people not coming only from the US and Canada.
Isaka has over 220 chapters spread across all the continents. Um, so it's just a melting pot of different voices. Um, leading back to the RSA theme, many voices, one community. Um, so there'll be diversity, there'll be conversations and there'll be selfies.
[00:10:43] Mary Carmichael: And this kind of relates to how EM and I first met. So we met at a Nasca conference last year, uh, in Phoenix, the North American conference, my first time meeting Dima, and we both were speaking about RSA and we both had an interest in attending. And then here we are, a year later, I. Attending RSA for the first [00:11:00] time together and presenting, so it kind of shows the power of the community.
So like, uh, Sima, she writes several of my articles on risk management on the Saka blog and then she spoke to me at the conference. So I do find a Saka is great in terms of spreading ideas. They have the Engage platform for blogging. You also have a SCA now in the Journal. So it's a great platform in terms of sharing your viewpoints and people do reach out to you and wanna have conversations, hear more of your thoughts on topics.
[00:11:28] Marco Ciappelli: That's really cool and I have to agree. I mean, going, going to San Francisco at RSA. See conferences really like going into some kind of different dimension where, where you do run into so many people from different part of the world. So it's really, really cool compared with other conference that are really a little bit more localized.
But I think that's, that's the beauty of it. So do you feel, uh, oshima that. When you talk to different people, um, from other part of the [00:12:00] world, different people from different part of the world, are they worried about AI in some kind of a different way than maybe in other part of the world or is very unified?
The feeling about AI and cybersecurity? Okay.
[00:12:15] Dooshima Dabo'Adzuana: Oh, I think it's very diversified depending on where you're having, you know, the conversation. Um, definitely in North America it's, um, based around governance, um, and creation of ai. Um, I think in the global south it's um, sort of based around use their competing priorities. You know, businesses have competing financial priorities.
So investing in ai, certain AI tools is not practical, but I think, um, at the baseline, what is consistent in all the conversations is educated. So whether you live in North America, whether you live in Nigeria, whether you live in Japan, we all need to have more education about ai. Understand the risk.
Which Mary [00:13:00] and I are gonna be covering in our session. Um, and those gaps in terms of education, um, that's the great thing about ISACA's resources. Depending on your situation where you are in the conversation, there's a tool or there's a resource that can support you and meet your needs there. So.
[00:13:17] Marco Ciappelli: Very cool. What about the booth? Tell me a little bit more about what people can expect when they come there. Selfies, we know that hugs and you know that, that the vibe, the Isaac vibe, but what else? Do you have demos going on? Do you have anything that, that they can look into?
[00:13:35] Mary Carmichael: I think kind of talking about the quantum pulse poll as well. 'cause uh, I think this is an area where there needs to be more education. So last year the Sac of Vancouver chapter hosted an event on quantum. So part of that is what is Q Day? Do people know what Q Day is? And that's the day where monitor encryption will be broken and that may come sooner.
Than expect, especially like 2030 or 2031. So I think part of that is discussing the pulse poll and just sharing the [00:14:00] results and then providing resources. In terms of readiness. Have you done a risk assessment on your encryption systems? What's your plan for migration? So I think with the booth it's there to share information, especially about emerging tech, the AI resources or certification courses on securing AI as well as auditing, but then also quantum, that's the next big threat.
So. What does the Pulse poll say and how can we support our chapter members in providing guidance to the organizations they work for? And next steps in terms of how to avoid a QA.
[00:14:31] Marco Ciappelli: And Dima, anything you want to add to that? 'cause I also have a question 'cause we're gonna go longer than 20 minutes here 'cause I have another
[00:14:38] Dooshima Dabo'Adzuana: Well, what I'll add is that you've gotta come see us at RSA to get the rest of the answer. I'm, I'm gonna give our whole session and all the goodies we're gonna have at our booth. So, um, if you wanna know more, you've gotta come see us
[00:14:51] Marco Ciappelli: Yep. Yeah. And the, and the thing, and then I'm gonna let Sean have the last question 'cause he loves that. But, uh, first of all, in a, a special [00:15:00] announcement, I just checked the weather and apparently you're in luck. It gives sun every single day of the conference. So Mary, you're good.
[00:15:09] Sean Martin: No, just, just shy of 70 Fahrenheit.
[00:15:12] Marco Ciappelli: sunny and beautiful.
So that's the good news now. My quick question is, I know that of course you do so much for people professional, not only that are already in the, in the community, in the, in the cybersecurity professional community, but also the one that wants to get into the community and is, as long as I've been going to RSA, I've been in this industry that I hear about, you know, the skill gap.
Um, where are we standing with that?
[00:15:44] Mary Carmichael: Oh, I was asked this question last week, so it's like the weekly question. I'm actually going to another event tonight. We're having a sac, a Women in Tech event, so that's usually the number on questions like, I'm interested in cybersecurity, how do I. Break into cybersecurity, but also what's the skills gap?
And I do have an [00:16:00] opinion about this. I do feel there's a lot of unconscious bias in terms of recognizing people's skills and other jobs and making, and how transferable those skills are. Even me as A-A-C-P-A, I never started off as a cybersecurity. I just fall into this career. I think just until recently.
Universities or colleges are now launching cybersecurity courses. So I think part of that is recognizing people's backgrounds. Like even with accountants, we do auditing, we do testing. Those skills are transferable to cybersecurity. So part of that is, I'm not sure if it's this, having people be open about experience.
And also within Canada, even like with immigrants, part of that is the immigrants with a cybersecurity background are having a difficult time finding work, and part of that is recognizing their overseas experience. So I do think as a part of a larger conversation, so in terms of being open to people's backgrounds, recognizing the value, transferrable skills, and providing a path to support people as they move into this field.
And even with C Cybersecurity, um, I do wanna highlight the work the [00:17:00] European Union has done. So the European Union has. Mapped 12 different career routes for C cybersecurity. So if you're interested in this field, here's 12 different pathways, whether it's auditing risk, soc pen testing, so on. Here's the skills you need and here's the credentials to help support that journey.
So I think we need to have more toolkits like that, talking about what a cybersecurity career looks like, and helping people identify what is their area of interest and supporting their, um, journey through that, that, uh, that, that, uh, career progression.
[00:17:30] Dooshima Dabo'Adzuana: Yeah, the skills gap is probably a whole other. Episode of the podcast. Um, but the resource that Mary mentioned, um, they actually do have a lot of frameworks, um, in the European Union that help Isaka actually worked on another one with, um, the UK Cybersecurity Council. And it has, um, like an interactive quiz where, you know, based on your interests, it's sort of.
Sets out the playing field for you. If you're interested in this, these are the skills that you [00:18:00] need. This is how to build them up. These are the certifications that map. Um, so to not get overwhelmed, definitely if anyone has any questions or they're wondering, which way do I go? Start from there. Assess your.
Skills with one of these, um, tools or quizzes and then build from there. It's a marathon journey. You know, like Mary said, she came from a CPA background. I started out in insurance. Um, if you try to learn everything in one day, it's impossible. So it's a marathon mindset and you build as you grow in your career and as the technologies change.
[00:18:35] Marco Ciappelli: Yep.
[00:18:35] Mary Carmichael: I do wanna say that cybersecurity has changed a lot. When I look at cybersecurity careers. Before the pandemic, it was more network based. Not many people were talking about zero trust. Now it's whole now. It's a, a changing landscape, especially the increased business focus and reporting to the board. So I think we need to have a broader.
Definition what a cybersecurity career is versus thinking back to a network-based, uh, pen testing from like five to 10 years ago.[00:19:00]
[00:19:00] Marco Ciappelli: I, I like the mindset. It's a, it is a culture. Either you, you're prone to it, like to think securely, and then from wherever you come, you can, you can, you can apply that mindset. Of course, then you need certain skills, but it's not the other way around. So I, I, I feel strongly about, uh, strongly about that.
Sean, you can go with your last
[00:19:23] Sean Martin: well, probably not a question. I think the, a few statements, um. So I think the first thing, and everything you said resonates so well with me in terms of understanding what technologies are being used within organizations. We have new technologies coming. With that comes new exposures and new risks.
So understanding all of that is important. Uh, AI and quantum we're speaking to specifically there. And then broad, more broadly speaking, understanding the role of cybersecurity in the business and the different. Roles and skill sets required for different parts of [00:20:00] cybersecurity within the program. Um, and knowing that all of that is.
Fluid. Right. So, and depending on where you are in your journey, you might have different needs for, uh, training and skills, new skill sets and certifications to help you move along or, or perhaps even just enter if you're looking to enter the space. So I'm. I'm excited for all that Isaka does and, and the community that you pull together in different parts of the world and the opportunity to have many of those folks come together at our CR six conference here and to visit you, your booth, S 2 2, 6, 8.
And that's the other thing I wanna note as we wrap here is this isn't the last conversation. I get to have a, a chat with, uh, Jamie Norton on location, uh, next week. And, uh, perhaps we'll talk skills. Perhaps we'll talk CCOA. Um, we're gonna determine what their, that conversation's gonna look like. I think if, if folks listening to this have questions they want me to ask, let me know, uh, [00:21:00] which, uh, via direct message, and now I'll pose those to Jamie, uh, during the conversation.
And then the last thing I'll note is. A very good friend of mine who I've known for many, many, many years, uh, Mr. Rob Clyde, he, and I'll have a chat, send Marco too as well, uh, post event to kind of get a recap of what you heard, what you saw, the things, where things are headed and where I saw a can help, uh, continue to prepare, prepare us for the future of.
Cybersecurity roles and, and programs. So that's all I have to say. No questions. I, I'm grateful that, that the two of you spent this time with us and, uh, gave us an insights into what you're talking about, what the booth will have and, uh, what the community can expect from their fellow I Soca members.
[00:21:50] Dooshima Dabo'Adzuana: Thank you for having us, um, and we look forward to seeing you in San Francisco, seeing you at our booth, and hopefully seeing you at our presentation. Right? We we're speaking [00:22:00] on Thursday the first at 8:00 AM Um, but I don't think we have a room number yet, but once we do, we will share, um, and let you know.
So follow us on LinkedIn and everywhere. IAC is on every platform, so.
[00:22:13] Marco Ciappelli: Stay tuned because Isaka has a page on now on ITSP magazine, so we'll keep it updated and, uh, yeah, excited to see you there. Excited to have many more conversations on location and for those that can't make it to San Francisco and like us, they can, uh, follow us. With, uh, with all the other recording that we will publish from there.
And like Sean said, after the event, so subscribe, come with us to San Francisco. Even if you're not gonna be there in person virtually, you can drive in the car with us. I don't think we'll get a ticket if there is few thousands people in the car virtually.
[00:22:52] Mary Carmichael: Oh, it does. San Francisco still have the robotic taxis.
[00:22:56] Sean Martin: They do.
[00:22:58] Mary Carmichael: Okay,
[00:22:59] Marco Ciappelli: yeah.[00:23:00]
[00:23:00] Mary Carmichael: let's do the robotic taxi.
[00:23:02] Dooshima Dabo'Adzuana: we.
[00:23:04] Marco Ciappelli: Get, get the app. Get the app, and uh, and there'll be probably a lot of competition there because everybody wants to try it. But if you're lucky, you'll get one of those as well. So that's it. We'll see you there very soon.
[00:23:21] Sean Martin: Thank you both. Thanks everybody for listening and watching.
[00:23:24] Mary Carmichael: Thank you.
[00:23:25] Marco Ciappelli: Bye-bye. Thank you.