


At the recent 2025 GRC Conference from ISACA and The IIA held in New York City, professionals in governance, risk, and compliance and other domains convened to learn, discuss and share best practices around GRC—and how rapidly their careers are evolving along with the dynamic technology landscape.
Managing Evolving Risk
Christina Cruz, director, cybersecurity, at Advance, and past board member of the ISACA New York Metropolitan Chapter, noted that the conference session “Avoiding the Urgency Trap of Modern Cybersecurity” especially hit home for her.
“It called out a challenge many of us face: the constant pull into daily fires and headline-driven distractions,” she shares. “What stood out was the reminder that our real value as cyber leaders lies in helping the business see beyond the noise. We need to be advising on risks that may not be urgent today but could materially impact the company down the line. That shift—from reactive to strategic—isn’t just a mindset change, it’s a leadership imperative.”
She adds, “Another point that resonated was the emerging ‘man-in-the-middle’ threat model involving companies, third parties, and customers. It’s a real and growing risk area that demands more attention. The session made a compelling case for rethinking how we outsource—especially in functional areas that aren’t core to the business. There’s a balance to strike between buy vs. build, and it’s not just about cost or speed. It’s about owning the right capabilities and managing risk with intention.”
Addressing Misconceptions Around Quantum Computing
Shelly Palmer’s closing keynote, “AI and Quantum Computing: Governing the Next Great Digital Transformation,” made an impact on Mary Carmichael, director, risk advisory, and BISO at Momentum Technology, and member of the ISACA Emerging Trends Working Group.
“I’ll admit, I used to think quantum computers might replace classical machines. Headlines declaring ‘the end of classical computing’ make it sound inevitable,” says Carmichael. “But those headlines oversimplify the truth. As Shelly reminded us in his closing keynote, that’s one of the biggest myths in tech and one worth debunking. Quantum isn’t a ‘supercharged laptop;’ it’s a completely different way of solving problems.”
She continues, “Classical computers remain the foundation of our digital world, and they’re not going anywhere. Instead, quantum will sit alongside them, handling the kinds of challenges classical systems can’t touch. Hearing that directly from an expert made me stop and ask: how many of our assumptions about emerging tech are built more on headlines than hard facts?”
In ISACA’s Quantum Computing Pulse Poll 2025, 62% of respondents are worried quantum computing will break today’s internet encryption and 57% think quantum computing will create new business risks.
“Quantum’s role isn’t replacement, it’s expansion,” Carmichael adds. “Not about doing everything faster, but about doing things that were impossible before: optimization challenges, molecular simulations, cryptography. For those of us in governance, risk, and assurance, the key question isn’t ‘When will quantum take over?’ but ‘How will quantum and classical work together, and what new risks and opportunities will that create?’”
Sizing Up the Impact of Emerging Technologies
Artificial intelligence infused much of the conference, including sessions on AI in risk, AI-driven decision making, and how quantum computing and AI intersect.
“The conference highlighted how rapidly emerging technologies like AI, cloud, and quantum computing are reshaping risk and governance,” says Michael Ratemo, principal security consultant, Cyber Security Simplified, whose conference session, “Mastering Cloud Security: Strategies to Prevent Costly Misconfigurations,” shared actionable steps to mitigate one of the most common sources of cloud risk.
“A key theme was the urgent need for organizations to embed these capabilities into their frameworks while balancing both technical and human factors.”
Whether that means starting to create an acceptable use policy for AI, as recommended during the “Leading Through Risk: Insights from the Chiefs” session, or having a process in place to report AI incidents to the board and understanding how these systems are performing, as highlighted in the “Navigating AI Integration: Managing Risks and Governance in Third-Party AI Models” session, the advice from the speakers in the “AI in Risk and Risk in AI” session applies: professionals need to “Start small. Start simple. But start now.”
And as Palmer noted in his closing keynote, “We have no idea what this evolves to. We don’t know the future.” But he emphasized what professionals need to do to thrive: “Create a culture of continuous adaptability. Be as agile as you can. All of this is going to change.”
Preparing for What’s Next
Following the conference, Cruz notes she is now even more interested in hearing how other ISACA and IIA members are approaching long-term risk strategy and vendor decisions, and looks forward to keeping the conversation going.
Carmichael says, “This is why ISACA conferences matter: they cut through the hype, sharpen our questions, and prepare us for what’s next.”
Stay connected on these topics through ISACA’s Engage Communities at https://engage.isaca.org/home. Learn more about ISACA’s upcoming conferences at https://www.isaca.org/training-and-events/conferences.