Thoughts on MM-ISAC's 2025 Annual Conference

Now that I've returned home from MM-ISAC's Annual conference and have caught up a bit, I wanted to share my thoughts on this year's conference.

First off, the event.  Thank you to all of you who took the time to present at this year's event.   The quality of the content was, as always, world-class.  Some of the key highlights for me from the event:

We started with training on the Incident Command System (ICS) and its application to mining industry incidents, particularly those affecting OT.  I want to thank those in the room and those online for serving as the beta test group for the new content and courseware.  Your participation really made the event.  We're all set to deliver the training next year in conjunction with our roundtables.  Right now, we're looking at Toronto, Vancouver, Denver, Perth and either Santiago or Lima as the locations - watch this space or our website for updates.

Now onto the main event.  We started with Brock Tenny discussing leadership.  It was fitting that he focused the talk on his origin story and how leadership is built on that.  I'm not sure he knew he was giving that talk right across the hall from where the ISAC was born, where we worked with Deb from the International Association of Certified ISAOs to take lessons from other ISACs and build the framework that MM-ISAC still uses today.   Brock's talk really helped focus me on that origin and the hard work that got us to where we are.

Following Brock, Mornay Walters joined Flavius Plesu from OutThink to discuss the success AngloGold Ashanti has had in building an engaging, effective awareness and education program. OutThink really embraces positive reinforcement and targeted training for those who need it most, optimizing not only for people's time but also for delivering engaging content in a way that supports the building of trust and relationships, rather than the traditional "gotcha" approach that research shows is not only ineffective but also destroys trust.

As we moved into the afternoon, Scott McEleny from Weir had an engaging session walking through the impacts of cyber incidents on not only the resilience of the technology, but of the company and the people within it.  We often think of cyber incidents as technology or business impacts, but forget that behind that technology, and working within the business, are people.  The stresses of a major incident can have lasting implications for people, and Scott did a great job walking through those stresses and the best practices to keep people engaged, healthy, and performing during an extended incident.

Rounding out the first day, Nicolas Davis from Komatsu reminded us that autonomous technology is not just about the tech, the features, or what it can do to save money for an operation. It's about the people, the culture, and the way it can change the way we work. With all autonomous or AI-based technology, digital ethics must be considered at all levels in ways it did not have to be when humans and our ethical filter are involved. It is incumbent on all of us who develop or implement autonomy or AI to consider the ethics of what we build and hold ourselves to a higher standard.

Day 2 of the event started with a bang, with our own Director of Intelligence Operations, Cherie Burgett, presenting her threat briefing, once again set to the lyrics of REM.  Cherie's presentation not only walked through this year's statistics, with the number of cyber attacks increasing from 30 last year to nearly 90 at conference time this year, but also dug into the challenges of AI-generated threat intelligence content.  That content, often produced without sufficient human review or input, risks causing more damage to organizations impacted by cyber incidents than the incident itself.  We must continue to push back against AI intelligence reporting, to ensure humans evaluate it for correctness, helpfulness and ethics before it is published. 

Following Cherie's talk, the conference turned to a future focus, with Debbie Taylor Moore from Quantum Crunch not only level-setting on what quantum is, and how it might impact the mining industry, but also providing a realistic view on what mining companies, as consumers of encryption technology, should be doing to prepare for the widespread availability of quantum computing.  Debbie did a great job cutting through the hype to provide actionable guidance that can be applied by all in the mining and metals industry.

The other highlight of the morning of Day 2 was Steve Shelton from Green Shoe Consulting, a performance psychologist now turning his attention to improving the performance of cyber responders.  Steve presented his research on CISO mental health, painting a picture of a segment in crisis.  He also showed how the results of the MM-ISAC mental health survey were well aligned.  This led to a call to action to work together to improve the mental health of those who work in our industry.  His practical advice is something we can all implement.

The afternoon of Day 2 continued the future-looking view, with Umang Handa from the EY mining centre of excellence presenting a view on what mining might look like ten years from now.  As security practitioners, we are often focused on the now and maybe the near future.  By understanding what the mine of the distant future might look like, we can begin to consider the security controls.  It was great to get an actual mining engineer who is thinking and advising our operational teams on the future to give us that insight.   The session ended with a fireside chat featuring Umang and MM-ISAC's chair, Kristi Cook from Peabody Energy, who dug into how security practitioners can best support this new innovation, working hand in hand with practitioners to reduce friction and speed this critical innovation to market.

The 2025 MM-ISAC conference was one of the best yet, not only because of the outstanding presenters, but because of the conversations, networking and relationships formed across our industry. It is for that engagement that I thank all who attended. If you feel like you missed out, please join us at the 2026 conference. Registration is open. For information, see the MM-ISAC website here: MM-ISAC 2026 Conference Information.

 
