This episode explores the themes, technologies, and community conversations shaping ISC2 Security Congress, with Jon France offering a forward-looking view of what matters most in cybersecurity today. Listeners gain a clear sense of why the event draws practitioners, leaders, and newcomers who want to strengthen their skills and stay ahead of industry change.
What Security Congress Reveals About the State of Cybersecurity
This discussion focuses on what ISC2 Security Congress represents for practitioners, leaders, and organizations navigating constant technological change. Jon France, Chief Information Security Officer at ISC2, shares how the event brings together thousands of cybersecurity practitioners, certification holders, chapter leaders, and future professionals to exchange ideas on the issues shaping the field today. 
Themes That Stand Out
AI remains a central point of attention. France notes that organizations are grappling not only with adoption but with the shift in speed it introduces. Sessions highlight how analysts are beginning to work alongside automated systems that sift through massive data sets and surface early indicators of compromise. Rather than replacing entry-level roles, AI changes how they operate and accelerates the decision-making path. Quantum computing receives a growing share of focus as well. Attendees hear about timelines, standards emerging from NIST, and what preparedness looks like as cryptographic models shift. 
Identity-based attacks and authorization failures also surface throughout the program. With machine-driven compromises becoming easier to scale, the community explores new defenses, stronger controls, and the practical realities of machine-to-machine trust. Operational technology, zero trust, and machine-speed threats create additional urgency around modernizing security operations centers and rethinking human-to-machine workflows. 
A Place for Every Stage of the Career
France describes Security Congress as a cross-section of the profession: entry-level newcomers, certification candidates, hands-on practitioners, and CISOs who attend for leadership development. Workshops explore communication, business alignment, and critical thinking skills that help professionals grow beyond technical execution and into more strategic responsibilities. 
Looking Ahead to the Next Congress
The next ISC2 Security Congress will be held in October in the Denver/Aurora area. France expects AI and quantum to remain key themes, along with contributions shaped by the call-for-papers process. What keeps the event relevant each year is the mix of education, networking, community stories, and real-world problem-solving that attendees bring with them.
The ISC2 Security Congress 2025 is a hybrid event taking place from October 28 to 30, 2025 Coverage provided by ITSPmagazine
GUEST:
Jon France, Chief Information Security Officer at ISC2 | On LinkedIn: https://www.linkedin.com/in/jonfrance/
HOST:
Sean Martin, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.seanmartin.com
Follow our ISC2 Security Congress coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/isc2-security-congress-2025
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
ISC2 Security Congress: https://www.isc2.org
NIST Post-Quantum Cryptography Standards: https://csrc.nist.gov/projects/post-quantum-cryptography
ISC2 Chapters: https://www.isc2.org/chapters
Want to share an Event Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.studioc60.com/performance#ideas
KEYWORDS: cybersecurity, ai security, isc2 congress, quantum computing, identity attacks, zero trust, soc automation, cyber jobs, cyber careers, cyber leadership, security operations, threat intelligence, machine speed, authentication, authorization, sean martin, jon france, identity, soc, certification, leadership, event coverage, on location, conference
[00:00:00]
[00:00:49] Sean Martin: Hello everybody. You're very welcome to a new episode of On Location with Sean and Marco. That is not Marco you're seeing. That's John France. And, [00:01:00] uh, I am Sean Marco's not with me. Um, but, uh, he's with me in spirit and, uh, we, we like to cover events that make us think. And, uh, I think the whole point of ISC squared is to.
Get people to think about, uh, security in the business and how to help businesses grow safely and securely and, uh, give them the tools to do that and demonstrate that they understand, uh, what's going on there. Not, not just security, but a lot of things, uh, ISC score is involved with. And, um, yeah, they held a conference, ISC squared Congress, and, uh, we're gonna catch up with John to hear all about it.
John, how are you?
[00:01:42] Jon France: I'm good. Thanks for having me on, Sean. Uh, appreciate the. It's time taken to you and your listeners to, uh, cover a little bit of what, uh, what I saw and what we saw. Um, security Congress this year.
[00:01:53] Sean Martin: Yeah, absolutely. Uh, before we get into that, two things. First, uh, a few words about [00:02:00] yourself and your, uh, your role at IC Squared.
[00:02:03] Jon France: Yeah, uh, well, as my name is on screen, it's John France. Um, I'm the chief. Chief Information Security Officer at IC two, um, being a veteran of the tech industry for coming up three decades so that the gray in Liberia be it, is, is age related, not just, uh, job related. Um, but I've been around technology for a long time, pure play security probably for about the last decade.
Um, and at RC two for, uh, four years now, um, as the inaugural cso. So, uh, really enjoying the role. Um, I, I do just, just to give you a little bit of, and your, and your listeners and, uh, potentially viewers, a little bit of background. Um, uh, I do the traditional role of the CISO protect the organization from threat, whether that be internal or external.
Um, I also do quite a lot of work on behalf of members, so I advocate for cyber leadership as well. So, um, as much as I do, uh, hands on the keys as much as any CISO does, I also [00:03:00] do hands on the industry. I suppose you could put.
[00:03:03] Sean Martin: And both are, uh, very intertwined. Uh, I think it's hard to do one without the other. Yeah.
[00:03:12] Jon France: I would
[00:03:13] Sean Martin: Yeah. Yeah. There you go. There you go. Well, well, perhaps, we'll, we'll have a chance to, uh, talk about some of your, your insights in, in the role. Um, if you wanna join me on my podcast, redefining Cybersecurity, but before, um, let's not, let's not distract at least myself there.
Uh, let's. Let's, uh, let's do this. Gimme the, the rundown of ISC two. I call it ISC squared. Maybe that's the old school way of me referring to it, but, um, give the elevator pitch for folks who I'm sure a lot of people are familiar with. Some of the certifications I hold, the C-I-S-S-P, for example. Uh, but give us an overview of the organization so folks know who it is.
[00:03:53] Jon France: no, no problem. Uh, ISC two, um, global organization representing, uh, cybersecurity [00:04:00] practitioners and professionals we're the largest, uh, membership body, uh, of those professionals. Um, totaling somewhere in the region of 275,000 certificated members globally. Um. Uh, and we, uh, we as an organization, uh, have the mission of a safe and secure cyber world.
Uh, and we do that through, um, education and certification. It's kind of the obvious ones that probably most people know us for. We do a lot of advocacy work as well, which is adv advocating for cyber leadership, cyber skills in the boardroom, um, as well as, um, uh, government and regulatory. Kind of advocacy as well, which is looking at obviously harmonized regulations as much as possible on a global footing.
Uh, and making sure that the, the rules and regs are, um, attacking the right things or defending against the right things, I really should say. Um, and something that the, um, industry, uh, can really get behind. So that's a little bit about us. Um, we've been around, oh, 30 plus years, uh, [00:05:00] as an org. So, um, probably one of the older.
Uh, professional bodies as well. Um, in fact, I think last year we, uh, uh, celebrated 30 years of the CISP certification, so that's been around a long time, but it's evolved over that time as well. Um, so, um, if you're not a member, um, come and have a look at us. If you're a member, um, uh, glad to have you board.
[00:05:20] Sean Martin: Yep, definitely. It's a good, uh. Good group and, uh, yeah, I'm happy to have, have, uh, cut my teeth early on with the, with the CER certification I have. And I, I keep that current. And they're also, uh, local, local events as well that, uh,
[00:05:37] Jon France: Yeah, so we're chapter led as well. So we've got a hundred and I'm gonna say around 150 chapters worldwide. So there's probably one close to you.
[00:05:46] Sean Martin: Yeah, absolutely. Kind of connecting back to the, uh, the community is important, so Congress, um, sadly I did not make it to Nashville. You, you made that journey from, uh, from, uh, England to, [00:06:00] uh, to Tennessee. And, uh, you're there for, uh, for the event. What, what, uh, what were some of the highlights for you, um, from, from that?
[00:06:10] Jon France: question. Well, security Congress is always a highlight for me because not only do I get to see how the sausage is made, I get to see how it's presented on stage. So, um, it was great to. Uh, great to meet members there. Um, uh, I think 4,000 attendees roughly. Um, about half on site and, and half virtual.
So mixed mode conference, um, tackling a whole bunch of topics, um, from the wonderful world of ai. 'cause you can't not have, uh, something to do with AI at a conference these days into my, my personal favorite, uh, a bit about quantum readiness and what quantum computes gonna do to our landscape, um, and what we should do about that.
All the way through to things like governance risk and compliance topics as well. Uh, we had, um, four great keynote, uh, through the three days. Um, and I just sort of [00:07:00] summarize them, uh, as best as I can. Um. Uh, so we had Mr. Venables, uh, of Google Fame. Uh, he used to be the CSO at Google until very recently, uh, he was talking about from artisanal to industrial, basically moving cybersecurity from a kind of an artisanal, um, kind of treatment to business, to more industrial and scaling and efficiency type things.
Uh, then we had Alyssa Knights, um, ex hacker, uh, reformed hacker now, um, consults, lots of companies and governments. Um, she was talking around, around, uh. Um, broken object level access controls and, um, how they can really hurt and showed us some demonstrations. And then sort of ended up on, um, AI versus AI and, um, basically threated machine speed, uh, and response to machine speed, which is, um, an eye opening.
Um, uh, talk. Uh, then we had ma Emison, uh, a female astronaut, um, uh, really talking about going into Stellar and about some of the problems that we may face doing that. So you think more. What relevance is that to [00:08:00] a cyber pro? Um, actually she walked it really back and saying a lot of the problems we face out there and going, instead we face on earth, um, uh, they're just problems and problem solving comes to the fore.
And a little bit about resilience and about creativity. Um, um, and then, uh, ended up with, um, Mr. Krebs, uh, sort of taking us through the wonderful world of cyber. What's going on? What's going on in the news? What sort of, um, hackers are doing, the state sponsored actors. Um, a little bit of insight from there.
So four great keynotes, and I said a whole bunch of sessions. Uh, Ida, I can't remember how many days worth of content there was there, um, across a number of tracks, but, um, highlights for me, um, definitely bits on ai, um, a lot on quantum because I, that's, uh, my, my favorite topic. And of course, pre-conference we ran some workshops on things like, um, uh, AI.
Strategy definition and cyber leadership. Um, so it was a full gamut of offerings there.
[00:08:56] Sean Martin: So talk to me about the, uh, well, I [00:09:00] guess first so many things there, right?
[00:09:02] Jon France: Too many
[00:09:03] Sean Martin: So, so many levels as well, which is great. Uh, you have the, you have the hacker, you have the, uh, the person looking at it from, from, uh. Outside in, right. The astronaut looking, uh, from astronaut, looking from outside in. Not necessarily thinking of it in terms of cyber, but thinking of it in terms of resilience.
And, and Marco, we've had conversations with, uh, several folks, uh, familiar with the space programs and we often hang our hat on or, or look at, look at it from the perspective of it's not just being able to go. Somewhere, but be able to come back. Right? So you have to, you have to plan for the full circle of, of, uh, the lifecycle of whatever the pro program or project is.
And the, and business is very much the same there. And, um, so touching on the community and you, you mentioned the, the, the workshops and the leadership part of this. Um. Leadership's hard to, hard to [00:10:00] teach. Right? So talk to me a little bit about people coming together and being able to share ideas and thoughts and best practices and,
[00:10:08] Jon France: So I, I, I think you've kind of hit the nail on the head. A lot of it is about coming together and, and, and sharing some stories. So whilst the workshops, um, focus on some of the more traditional concepts of, um, understanding the business and the traditional lever of business, things like finance and how to read a balance sheet and that kind stuff, which.
Cyber pros may not know how to do. So there is some practical elements, but there is also, um, a big wedge of um, just being able to talk to a group of peers around common challenges that we face and then really projecting that forward into things like getting outta the operational into the slightly more strategic, um, and, um.
The course leader was, um, was, uh, Brandon Dunlap, who, who was Al uh, also the mc on stage. Um, bit of a charismatic person. Um, he's been around the world of consultancy and, and the IC [00:11:00] for a long time. So he brings some sort of keen insights as well. Um, and really moving the needle away from, you know, the.
Almost the bits and bites of our technical world into, you know, how do you, how do you speak business? Because becoming a leader and managing people and managing into, um, non-traditional areas, IE um, communicating across the hallway as it were, um, is a, is a key skill. Some of it's, um, is learned. Some of this experienced and some of it can be taught.
So it's a mixture of all of those. Uh, but we're definitely seeing, um, a much bigger push, um, from what, 18 months, two years ago the SEC stopped just short of requiring cyber skills in the boardroom. Um, but they made sort of that push. Um, and, um, incident reporting is now, um, obviously I think it's the 10 K form, you've gotta, uh, uh, put something on in the us.
Um, so they put it more on a kind of regulatory, um, stance, which kind of invites [00:12:00] CISOs and senior leaders to lean in and, and really embrace that. Um. Open, open and start having those conversations. The quid pro quo is, um, we don't go and confuse people. We go and talk the language of business, the language of risk, um, and, um, one of my favorite adages is, you know, security is, it's not a treatment to business.
It's an inherent part of it. Um, so the wonderful world of cybersecurity, if you, you know, if you're just doing it at the end of a project and tick boxing it, you're doing it wrong. Um, life cycle business.
[00:12:34] Sean Martin: Yeah, absolutely. And it of course, um, well, not of course, uh, maybe when I, when I think of. Technical certification, like A-C-I-S-S-P? Um, I immediately think practitioner I was, when I got mine originally it was, uh, I, I was a product manager. I was building software and I just come out of the role of QA where I was doing AppSec before AppSec was a, [00:13:00] an official thing.
And so. Very, in my mind, very practitioner focused, but obviously leadership is more of a security leader and, and CSO oriented. Gimme a view of what some of the attendees are like. Are there a lot of practitioners, are there leaders? Are there students who, who's there and, and what are they, what are they going there for?
[00:13:25] Jon France: Uh, to, to Congress in general. We have all works, all walks, I should say, not works. Um, so right from the entry level, I'm just thinking about getting into cyber. My company's given me the opportunity to come along virtually or, or physically. Um, so a lot of offerings for sort of entry level, uh, bits and pieces.
Yet the core is definitely practitioner. Um, that's probably where we, uh, are best known, um, in the world, world, world of certification. So a lot of our, um, certifications are tech. Techn technical. Um, they're not technology based, so they're not, you know, vendor line, but, um, [00:14:00] uh, have obviously strong technical background in them, competency based as well.
So it's, it's the application of knowledge to situation. Um, and then all the way through to, um, yes, we have CISOs, we have business leaders, uh, that come along to Congress as well. Um, as lots of sessions pitched at either, um, either expert level or beginner level or leader level. Um, so, uh, we do offer the smorgasbord across.
Um, and whilst we're known for certification, um, a big part of what we do is professional development. Um, so it's not just about getting a certain, maintaining a cer, it's about, um, maintaining current practice, current knowledge. Um, and some of those disciplines are definitely business related. Um, so yeah, attendees, uh, all, all walks, um, uh, and all roles.
Uh, you, you're quite right, probably. Uh, the majority are practitioner, um, but um, definitely a bunch of leaders there. And I, you know, I'm very fortunate and privileged to.[00:15:00]
[00:15:03] Sean Martin: And so you, you touched on AI and Quantum. Um, I'm, I'm kind of, I'm, I'm loving using ai, but tired of talking about AI and, and very intrigued by Quantum. And um, so you mentioned those two that kind of stick out for you. Were there others? That you heard folks say, I'm glad we had a chance to learn more about this, uh, to talk about this together.
Um, perhaps those two still came up to the top of the list, but is there anything else that kind of swirled around the the congress.
[00:15:38] Jon France: Um, it's sort of general chit chat and sort of attack vectoring, um, uh, identity based attacks definitely were, uh, were a theme. Um, uh, so.
[00:15:50] Sean Martin: Because of the machine to machine stuff
[00:15:52] Jon France: little bit of machine to machine, but, um, you know, the, the, the cost of mounting and identity compromise is probably fairly cheap these days with [00:16:00] ai, with AI's help. Um, and, um, once you've compromised an identity.
Guess what? You look like a legitimate user within a system or a legitimate thing at least. Um, and the normal trip wires of many security postures don't go off because it's, hey, it's an authenticated account. Uh, Alyssa Knight was sort of getting into a little bit of that. It's not just about, um, um, authentication, it's about authorization as well, um, and sort of cutting off the bounds of what things can do.
So I enjoyed a lot of the discussions around sort of identity-based attacks. What's going on in the, in, in, in, in that world. Um, a little bit on operational technology, uh, type things and zero trust. That was interesting to me. Um, uh, again, based on identity, um, zero trust, sort of machine to machine type things and really the machine speed of things, um, starting to speed up and what that might do to things like security operation sensor, um, which traditionally have been sort of human heavy in terms of.
Crunching log files and looking for anomalies and [00:17:00] indicators of compromise and then making a decision, um, or, or escalation to a decision point, and that being sort of human in the loop. Um, and then sort of moving more to machine speed of, and I, to use the term Magen ai, but of on the, on the good side of, uh, how it's gonna help, uh, security operations, but how that, that's looking at the threat landscape and those threats that are coming in ai.
What we're tending to see and, and talk about is, um, the role of an analyst or a SARC analyst is changing. Um, uh, there was a little bit of fear that, um, a sarc analyst entry level position is gonna get a disintermediated. Um, but I don't think that's the case. I think they'll change what they do.
Absolutely. Um, but, um, AI and machine learning and deep learning. Are very good at sifting through lots of data and getting you to the right needle in the, in the, in the stack of needles, as it were. Um, and getting to a decision point much quicker and potentially taking some of those low hanging fruit [00:18:00] decisions, um, genetically.
So, uh, sort of. That was a, a key topic that I tuned into above and beyond just the kind of straight AI talk. Um, quantum, I, we saw a couple of different angles, you know, uh, briefings of sort of what is quantum, why is it going to be relevant? Um, a little bit on getting quantum ready. Uh, what are the new, um, standards that have come out, NIST and others.
What does preparedness look like? Um, uh, a lot of chat on when is Q day, um, you know, when, when, when are we gonna have to change by? And I think the answer ranged from anywhere between four years and, and, you know, 40 years, uh, no flippantly, sort of four years and, and 10. Um, but that window was shrunk, you know, I remember 18 months ago it was always a decade away.
Um, so yeah. Um, and I think the overall theme I got, um, is the rapidity of change. Uh, it's, you know, if, if we just pick on ai, I'm sorry to keep doing this, it really only [00:19:00] entered public consciousness probably two, two and a half years ago. And look at what it's done in that time. Um, it's, it's been one of the fastest adopted and changing technologies, uh, that I've seen in my career.
And I think Quantum is going to be the same again.
[00:19:16] Sean Martin: Yeah. Yeah. Super powerful. Um, a couple more things I wanna. As we wrap here, the, the first is obviously education and training and knowledge. Big part of, uh, what is C two is about, um, which we do that not just to feel good and be smart, but to actually apply our skills to the job that we have or want to get.
And so I'm wondering your, your view of. State of the job market and the role of education in, and certifications and training as part of that. What, what are, what are people talking about in that sense?
[00:19:55] Jon France: Wow. Big topic. Um,
[00:19:57] Sean Martin: It's, you have, you have 1 1, 1 sentence. Yeah. [00:20:00] We, we, maybe we should, but maybe just kind of an overview there on that.
[00:20:03] Jon France: Yeah, a couple, a couple of things we're seeing, um, the, the general macroeconomic, uh, condition of the world is pressured at the moment. As we know, lots of industries have seen, uh, layoffs. Um, I'm not saying specifically in security, it's just general job layoffs. So the job market is pressured. Um, we're still seeing, um, even though security budgets have come under pressure, and that sometimes translates through to, um, uh, lack of resources to undertake the job, um.
There are definitely jobs out there. Um, the nature of the jobs, um, are changing somewhat. Um, so a little bit of in the face of technology. Um, I think what we're also finding is, um, where we're having to do with more, with less, or at least the same with less. We, we look for efficiency gains and that's where tech can help us.
Um, in terms of sort of knowledge and skills, um, we've seen a slight shift away from some of the sort of core. I'm gonna call them technical skills into more things like critical and [00:21:00] logical thinking, being able to communicate. Um, uh, they're not quite business skills. Maybe they're more humanistic skills and they're really good indicators of, um, uh, sort of, uh, employability, which is if you can find someone that is a creative thinker, logical thinker, critical thinker, even, um, you can train in some empirical knowledge.
The quid pro quo is you will train it. Training isn't just formal, it's not just courses, it's experiential and on the job, um, kind of training as well. Um, so I think, yeah, uh, a change in the job market. Um, the macroeconomic, uh, conditions are not great for anyone. Uh, introducing a little uncertainty, but in times of uncertainty.
Um, if you've got one of those, um, skills that's in demand, leverage it, um, and teach it as well. Um, so, um.
[00:21:50] Sean Martin: And I'm glad.
[00:21:51] Jon France: is probably the way I would put it.
[00:21:52] Sean Martin: yeah, absolutely. I'm glad he didn't say his soft skills
[00:21:56] Jon France: Uh.
[00:21:59] Sean Martin: skills. [00:22:00] Much, much better. So the final question, you can obviously add something if, uh, if I failed to ask you, uh, something that was important, but um, kind of the. Next year is Congress. Um, and things leading up to that. What's the future of Via C Squared, if you will? Um, what's the, uh, what's the positive view of where things are headed and, and where can we, we missed those listening.
Either you were there and got to enjoy it and participate where you missed it. We wanna go to the next one. Gimme give us an update on where the next one and winter will
[00:22:35] Jon France: Yeah, sure. So, uh, next one is October. Again. Um, uh, we are moving from, uh, Nashville. Uh, so it was, it was, uh, the Gaylord in Nashville to the Gaylord in the Rockies. So, um, Denver is the core city. It's actually a little bit closer to Aurora, so up in, up in the Rockies, which would be nice. Um, I love the fall weather, so, um, sort of crisp sun over their eyes and I'm looking forward to that from the location [00:23:00] aspect.
In terms of content, what we're gonna see there. Well, who knows? Um, we, we start gathering, I mean, it's, we, we kind of do have some themes in, um, in thoughts and, and going out there. But we do for call, for papers if you wanna come speak on a topic, um, come onto our website, look out the call for papers. Um, but I'm sure in there we, we will look at the evolution of technology and where that's gone.
I'm sure AI is gonna be part of it. Quantum will be a bigger part of it, I'm sure, than it was this year. Um. Keynotes. We don't decide until much closer, but I'm, we always get stellar lineups on interesting subjects. Um, what I'm really looking forward to next year came meeting, seeing members, sharing war stories, really, uh, networking.
Um. Talking to some of the chapter leads, what's going on in their local geographies. So yeah, it sort of really is a little bit of a melting pot, great place to come, not only to have a good time to learn some things and really to share experiences. So, um, always an exciting [00:24:00] venue and lineup come and be a part of it.
[00:24:03] Sean Martin: Yep. I hope to, uh, hope to make that a reality. Uh, Denver is great. Aurora's great, actually. I've, uh, had a family friend that lived there for a long time. Uh, so looking forward to seeing you in October in Denver for the next Security Congress and, uh. Yeah, if you don't wanna wait till then find a, find a local chapter
[00:24:24] Jon France: Final local chapter.
[00:24:25] Sean Martin: connect with
[00:24:26] Jon France: There's a whole bunch of stuff coming on. We, we also do some sort of local events. Actually secure Londons next week. So if you're in the London area. Um, do look that up. I think registration still can still come along, but, uh, do, uh, around.
[00:24:41] Sean Martin: Yep. Perfect. And we'll have to, uh, figure out how to, how to be part of those as well and, and connect with those groups. John, it's fantastic to, uh, to meet you and, and chat with you, and I hope to do that in person, uh, next year, if not sooner. And, uh, congratulations on a successful security Congress [00:25:00] and thanks everybody for listening and watching this episode.
Uh, with. On location with Sean and Marco. Marco's actually in the background, so we're gonna let him in and, uh, have a chat with 'em after we're done recording here. Uh, but go to itsp magazine.com/on-location for all of our conference and event coverage, uh, including security conference and other stuff happening throughout the year.
And, uh, we'll see everybody soon, either virtually or in person. Take care.
[00:25:29] Jon France: Thanks, Sean.
​[00:26:00]