The 2024 edition of the Forum will not be generated by artificial intelligence. Instead, the actual intelligence and experiences of the attending delegates will be focused to analyze and solve (not just admire) current and emerging information security issues, many more political or organizational than technical. This is where the real-world experience (positive and negative) of battle-hardened COSAC delegates adds significant value to the session. Specific technical or vendor-focused solutions might work fine in one environment but fail or be disallowed in another. Historically, delegates have always been willing to listen to and learn from others who’ve encountered things they might not have, not shy about sharing strategies and techniques. In short, committed professionals.

An ancient security dinosaur will moderate as a roomful of you and your peers dig into current events, trends, and publications. We seek solutions or, at least, pathways to solutions. It’s a front window into the conference, a full-bodied immersion in the COSAC way. Divergent viewpoints are not just expected, but welcomed. Reality and professional experience trumps theory.

Come help us shine light on and solve the latest (and some of the oldest) issues.

Returning for a 8th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

For over a decade we have been undergoing digital transformation with rapidly evolving technology changing the way we live and work. That brings great opportunities for organisations but also bring new threats. This in turn brings challenges for budgeting and planning to manage the risk over multiple years. How do we predict investment to allow us to fully address the security challenges we may face to ensure that we are preparing for the future? Often the business or sales-people sit on 'happy island' when considering emerging technology landscapes whilst many security people sit in 'despondency dell'. This workshop will help us to develop the futures literacy needed to be able to plan for different emerging futures.

Workshop Part 1

This session will provide an overview of futures thinking techniques and approaches. It will cover some of the key theory of futures thinking, providing guidance on the creative process required to rigorously model emerging technologies, to navigate risk versus opportunity, and to manage the tendency to consider the future in binary terms as offering either utopia or dystopia.

These theories and approaches will include an introduction to:

• Futures literacy through narrative

• Futures and systems thinking

• Strategic foresight

Workshop Part 2

This session will look at some of the technical and threat modelling approaches most relevant to cyber security. We will explore how we can most usefully model the economic, societal, political, and cyber threats. This isn't about doom and gloom but about thinking about broad pressures on thinking. Items covered in this session will include:

• Scenario Planning

• PESTEL and VUCA analysis

• STRIDE threat modelling

• Bow Tie analysis

Workshop Part 3

This part of the workshop will put into practice some of the theory and in groups we will work through some scenarios and futures modelling.

Prizes will be given for the most innovative solutions and a special booby prize given for the weirdest.

Building on last year’s success the team decided to upgrade the “ From Hardware to Humans and Everything in Between” course. Resilience is widely considered the antidote to many of the problems that plague cybersecurity. The problem is that resilience definitions vary, and solutions typically fail to address all aspects of resilience, thereby resulting in a significant variety in security profiles of “resilient solutions”. This year we decided to upgrade the workshop by including a practical discussion based on a real living network.

This 4-part workshop opens with defining and discussing the challenges of how to identify, measure and improve resilience in existing environments. We set the overview for each day by introducing each of the areas covered to include hardware, operating systems, software, networks, data, users, and residual security gaps, using the framework of “as is”, “to be” and “reality”. The workshop will center around the Living Lab Network, a student real world laboratory housed at Purdue University Indianapolis.

Part 1: What’s new with 2.0? Like releases, this has not been tested. We open with a discussion of the exemplar network. We will examine the network from various viewpoints, noting where the 4 Rs of resilience are already present, and identifying residual gaps. We also will discuss the high level overview (OV-1), the goals of the institution and how the Living Lab Network supports those goals.

Part 2: Part 2 dives into the hardware, firmware, and IoT devices. Understanding fault rates, failure rates, supply chains, vendor data, and transparency goals will be explored. These values will be applied to the exemplar network within the “as is” followed by steps to get to the “to be” state, and finally concluding with the “reality state” where financial concerns are reconciled with risk tolerance..

Part 3: Software & Data Resilience – We will open with a discussion on software resilience (or lack thereof), and reliability. We will discuss secure coding, DevSecOps and other software security solutions along with their effectiveness. After discussing software we will move onto data resilience. Trust, privacy, and data fidelity have various points of potential vulnerability and exploit, which are not easily solved. Using the “as is” followed by “to be” and finally the “reality”state we examine how data can be both trustworthy and resilient. We will discuss the various complexities with this to explore different approaches to trust, privacy and data fidelity determining how we can achieve better transparency with regard to trust and privacy.

Part 4: Intelligence: Artificial (AI) and Human(HI) and Policy Resilience – AI continues to expand in cybersecurity. What are the strengths and limitations? Where do AI outperform HI and where does HI outperform AI? Training, education, decision-science using the “as is” followed but “to be” and finally the “reality”state. How do cognitive models work in the resilience framework? Should ethics be included in this analysis? How can different cognitive models be navigated in the HMI? What is possible through understanding the human mind, and how can this knowledge inform policies and procedures? What guardrails are in place to address various biases with the models? What are the requirements to remove flawed cognitive data?