
Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value. For 31 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2024 Delegate Registration is open with Early-Bird rates available until 30 June 2024.

Tuesday 1st October 2024

09:00 - 09:30 Registration & Coffee

09:30 1A: Where Do We Test From Here? Building An Evergreen Protected Security Ecosystem Speaker(s): Siân John MBE

Siân John MBE

Chief Technology Officer, NCC Group (UK)

Siân John MBE is Chief Technology Officer at NCC Group responsible for intelligence, insight and innovation within the company. Siân has worked in Cybersecurity for 25 years across strategy, business risk, privacy, and technology. She is a Fellow of the UK Chartered Institute of Information Security, Chair of the techUK Cybersecurity committee, and a council member for the Engineering and Physical Sciences Council (EPSRC). Siân was awarded an MBE in the Queen’s 2018 New Year’s Honours List for...

Technical assurance and vulnerability management have been parallel but complementary functions in organisations for a number of years. Technical assurance has included: testing the security of a system including penetration testing, hardware assurance, and cryptographic testing; compliance driven testing including web application testing and PCI/DSS; and now regulatory testing required by schemes such as CBEST, TIBER, and DORA including full threat led red team testing. In parallel the vulnerability management world has grown from vulnerability scanning, to vulnerability management, then proactive testing as part of the DevOps process with DAST and SAST, and now into continuous controls monitoring.

We’ve also seen the growth in expectation around the use of automation and machine learning in testing with automated stress testing with low setup cost high agility approaches popularised by Netflix and Google becoming more popular as vendors offer tooling to enable this.

This is creating pressures on traditional testing and assurance services and merging the capabilities with continuous controls monitoring to build success. This session will consider this journey, the move towards continuous controls management and looking to automate remediation as well as testing.

It will address some key questions including:

• How we should be looking to build an evergreen and secure ecosystem

• When automation is useful and when it is not, and

• whether we can achieve that aim of proactive cyber defence considering how we combine technology with human expertise, context and insights to ensure an organisation is as resilient as possible.

09:30 1B: Today’s CISO: Behind Closed Doors or Behind Bars Speaker(s): Todd Fitzgerald

Todd Fitzgerald

VP Cybersecurity Strategy, Cybersecurity Collaborative, CISO SPOTLIGHT, LLC (USA)

Todd Fitzgerald promotes CISO/CPO leadership via the SCMedia CISO STORIES weekly podcast, advisory board participation, and international speaking engagements. Todd serves as VP, Cybersecurity Strategy, Cybersecurity Collaborative. Todd authored 5 books, including #1 New Release (2024) Privacy Leader Compass: A Comprehensive Roadmap for Building and Leading Practical Privacy Programs, and #1 Best-selling (2019-2023) and 2020 CANON Cybersecurity Hall of Fame book, CISO COMPASS: Navigating...

CISOs have been in the hot seat lately, as evidenced by charges levied by the U.S. Securities and Exchange Commission in October 2023 against SolarWinds and CISO Tim Brown for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities”, in that he overstated the cybersecurity practices and understated or failed to disclose known risks.

In May 2023, Joe Sullivan, former CISO of Uber, was sentenced to three years’ probation and ordered to pay a fine of $50,000 USD, after being found guilty of two felonies, one for obstructing justice by not revealing the breach to the FTC and another for misprision (concealing a felony from authorities).

This session will discuss the current state of the CISO, these cases and their implications, the approaches the CISO should take to avoid prosecution, and the insights from the CISOs. The presenter has had one-on-one interviews with both the CISO from SolarWinds and the former CISO from Uber (after the conviction) and can share these perspectives. The session will be interactive as we discuss these cases, as well as the security program itself, and where else the CISO may become liable in the future.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation - to create a memorable, entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker and ISACA top-rated speaker.

09:30 1S: Help! Business Requirements During the Energy Transition Speaker(s): Raymond van Dijk, Rob Epskamp

Raymond van Dijk

Security Architect, Alliander (Netherlands)

Raymond is an Enterprise Security Architect at Alliander. He believes that in today's complex (cloud, agile and (partly) outsourced) environments it is imperative that security is built-in and strives for business enablement. He is using the digital transformation to improve the usability of security and push for security innovation.
Rob Epskamp

Security Architect, Alliander (Netherlands)

Rob believes that security architecture should be designed to support business goals and objectives. Making new solutions and technologies possible with a risk-based approach. With a reliance on digital technologies, and an evolving landscape, there is a need for a more strategic integration. Flexibility and adaptability are necessary to quickly adjust security measures in response to emerging threats. Agility is essential to respond to new challenges. Close collaboration with security teams and...

Just a normal day for the security architects at a DSO (Distribution System Operator) being in the midst of the Energy Transition Race.

Time for an Enterprise Security Architecture upgrade.

The journey starts on the contextual layer of the Business, right?

The Business context.

Right?

Cool. “Dear business, can I see your documents, your requirements?”.

“Oh, you’ve just released OGSMs containing loads of items and performance targets on KPIs?”. Thanks, we will analyze those.

But wait... these don’t really align to what’s been described as business targets and some of it conflicts with the Strategy we’ve seen in the presentations.

“Can we have a quick chat about this?” –silence–

We better team up with the EA team, as it turns out they are ahead, and we can piggyback on their relationships with the business.

And then when you’ve just established an opening with the business, they re-organize. The person you had on your side is now focusing on a different area.

What next?

In this highly interactive session we would like to present our challenging journey, discuss our observations, our challenges and learn from the participants how we can do better, what should be our next steps.

10:25 2A: Turtles All The Way Down Speaker(s): Rob Hale

Rob Hale

Fellow, Information Operations, Lockheed Martin (USA)

I have been teaching Governance and Compliance at Boise State since 2022 and have been working in the Cyber Security and Information Operations career field for over 35 years. I have been a Fellow at Lockheed Martin since 2008, where I lead cyber security architecture and integration efforts for the 5G.MIL(TM) program. I have also led a number of certification and accreditation efforts for customers in the law enforcement and intelligence communities.

System hardening plays a pivotal role in bolstering cybersecurity defenses, and the adoption of immutable operating systems coupled with containerization technologies offers a promising approach for organizations requiring flexible solutions, which can scale with the enterprise. This presentation delves into the benefits and challenges associated with utilizing an immutable operating system with multiple independent containers, while also examining the distinctions between various containerization technologies including separation kernel technologies, virtual machines, Docker containers, and Kubernetes containers.

Immutable operating systems, characterized by their unmodifiable nature once deployed, provide inherent security advantages by reducing the attack surface and minimizing vulnerabilities associated with system modifications. When combined with containerization, which encapsulates applications and their dependencies in isolated environments, organizations can achieve enhanced security, scalability, and resource efficiency.

However, the choice of containerization technology influences the efficacy and suitability of the overall architecture. Separation kernel technologies offer strong isolation between containers at the kernel level, ensuring robust security but often at the expense of flexibility and performance overhead. Virtual machines provide greater isolation through hardware emulation, but their heavier footprint may impact scalability and resource utilization.

In contrast, Docker containers offer lightweight virtualization with efficient resource utilization, enabling rapid deployment and scalability. Kubernetes containers provide orchestration capabilities for managing containerized applications at scale, offering features such as auto-scaling and self-healing.

In discussing these options, a notional architecture that combines the strengths of immutable operating systems with flexible container and orchestration options will be proposed. This architecture leverages the security benefits of immutability while harnessing the flexibility and scalability afforded by containerization and orchestration. A list of candidate applications and operating environments/systems will also be provided as a starting point for further study.

By adopting such an architecture, organizations can establish a robust cybersecurity posture characterized by enhanced resilience, agility, and scalability, while mitigating potential risks associated with system hardening and containerization technologies.

10:25 2B: A Clockwork CISO Speaker(s): Steven Kintakas

Steven Kintakas

Director, Deloitte (Australia)

Steven is a cyber security professional with a career spanning over twenty years of experience across a range of industries including finance, energy & utilities, resources, transport, manufacturing, government, health, education, technology, media & telecommunications. As a Director at Deloitte, and a leader within the firm’s Cyber practice, Steven is a senior security architect by trade and has also held various leadership and technical positions at Computer Associates, CGI, Fujitsu...

In January of 2015 a qualified academic was appointed as the Finance Minister of Greece with a mandate to renegotiate a disastrous programme that had sent the deficit of Greece further into the red. Upon his second meeting with the “troika” (decision group) he was told by one of the powerbrokers of the Eurozone “Elections cannot be allowed to change an economic programme of a member state!”.

Many times, per month, quarter, or even per year, qualified information security professionals are appointed as Chief Information Security Officers the world over. They are armed with a mandate to negotiate, steer, traverse (choose your verb) organisations to uplift their cyber security programs and capabilities, to hopefully manage cyber risk and enable opportunity. Upon starting they are often told by their stakeholders (typically C-suite, sometimes the board) that they have no budget, save for whatever may have been allocated to the role for years, but they are expected to materially turn around the security posture and culture of the organisation within 12 to 24 months, if they’re lucky.

To quote that Finance Minister: “It’s lunacy”.

This session will look at the challenges faced by the role of a CISO, through the lens of Europe’s post-GFC crisis, and the absurdity that is commonly faced by leaders in information security who are tasked with an immense, complex challenge with both arms tied behind their back.

The aim is to have a discussion with the audience and posit pragmatic ideas on how a CISO may manage such futility so as not to find their mission over before it even begins.

In other words, unlike the radical, ‘game theory’-loving Finance Minister, can the CISO find a way to avoid further “austerity” and make a positive impact on the organisation’s cyber security?

10:25 2S: Building Cloud Architectures Top-Down: Aligning with Business Motivations Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architecture, PA Consulting (UK)

Rob Campbell is a seasoned Enterprise Architect specialising in the security field, boasting over 30 years of professional experience, including a dedicated 27 years in Information Security. His expertise is anchored in security consultancy and architecture methodologies, primarily focusing on the EA domain. Recently, Rob has been actively engaged in many industries and organisations enhancing their information security frameworks, products, and services. Passionate about innovation and sharing...

While major cloud providers offer comprehensive reference architectures for implementing functional technical structures such as landing zones, these models often lack direct alignment with core business motivations. This misalignment frequently results in architectures developed from the bottom up, focusing on technical specifications rather than strategic business outcomes. Such an approach can meet technical requirements precisely yet fail to deliver on security and operational efficiency due to poorly defined service management and the absence of an effective operating model.

This session proposes a different approach using a top-down, business-driven approach to cloud architecture. It will outline a method for using business motivations and objectives to drive cloud strategy and design, ensuring that the technical deployment of cloud environments inherently supports and enhances business goals.

Participants will learn how to:

• Consider cloud architecture design from a business perspective, ensuring that every technical decision is made with strategic objectives in mind.

• Implement frameworks and methodologies that bridge the gap between business leaders and technical teams, fostering a shared understanding and vision.

• Develop effective service management practices and operating models that are tailored to the business, enhancing security, efficiency, and adaptability in cloud environments.

Through real-world examples, this session will demonstrate how a business-driven approach not only mitigates the risk of misaligned cloud implementations but also creates an architecture which spans all 6 of the SABSA layers rather than just the Component and Physical layers which the cloud vendors would lead you to believe is enough. Attendees will leave with practical strategies for delivering cloud architectures that are operationally secure not just technically.

11:15 - 11:35 Morning Coffee

11:35 3A: Laying The Groundwork for Quantum Resilience Speaker(s): Anton Tkachov

Anton Tkachov

Chief Security Architect, PwC (UK)

Anton is a Director of Security Architecture and Transformation and has been with PwC for 8 years. Prior to that, he delivered security transformations as a consultant, and ran a security architecture team as part of his industry role at a blue chip financial services organisation. Anton is an active member of leading architecture forums. His passion, experience and interest lies with the ‘enterprise’ architecture which allows him to solve security problems by looking at those from...

Quantum Computing is going to be the next disruptor that has the potential to turn security upside-down. I like to draw a parallel with AI and ML, that were discussed and researched for many years, until a sudden breakthrough that has rapidly accelerated the adoption and resulted in the disruption we see today. The same will happen with Quantum Computing, but there is an important difference - while the use of AI introduces new attack surfaces, the advancement of QC disrupts and invalidates current defences, which is much harder to tackle after the fact.

In this session we will gain a common understanding of quantum computing and challenges it brings. We will then look at specific threats to the way we use and rely on traditional encryption to protect long term secrets. Using SABSA, we will identify a number of practical things organisations could do in order to achieve ‘crypto-agile’ architecture that will enable them to manage the risk of current defences becoming obsolete.

NOTE: This is not a lecture in physics or mathematics, the session is practical in nature and examples I will be sharing are from real-world implementations.

11:35 3B: The New KPI On the Block: Outcome-Driven Metrics Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages a global information security team for FedEx. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

If you’ve been keeping up, the latest buzz in the IT and cybersecurity world is the adoption of Outcome-Driven Metrics (ODMs). These metrics aim to measure the effectiveness of specific investments in a way that bridges the communication gap with the boardroom. Their purpose is to enable stakeholders to directly link cybersecurity investments to the levels of protection delivered. Importantly, ODMs are designed to be easily explainable to non-IT executives, using clear and simple language.

While this all sounds promising, it’s natural to wonder if it’s too good to be true. That’s why I’ve decided to use them. In this interactive session, I’ll share my experiences and views on ODMs, and in good COSAC fashion, we’ll examine them and address the following questions.

1. How do they work?

2. How do you implement them?

3. In what scenarios are they likely to work?

4. In which scenarios will they fail?

5. Can they track return on investment?

6. Can they track effectiveness?

7. Are they likely to be biased?

8. Are they just old wine in new bottles?

Are you curious? Let’s dive in.

11:35 3S: The Information Security Program Framework – What You Didn’t Know You Needed Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

Glen Bruce is focused on Security Frameworks, Strategies, Architectures, PKI and Governance, supporting business and governments in their approach to managing information and cybersecurity risk. He has over 50 years of in-depth experience in IT and security consulting, systems management and technical implementations. He has led many information/cyber security engagements, where he has helped clients establish effective frameworks, strategies, governance, architectures, policies, PKIs...

Now that your SABSA security architecture is effectively managing and governing the risks to your organization and enhancing the business value, what does it actually look like? Is it something that anyone can easily recognize and understand their responsibilities in relation to what has been implemented, or is it operating “under the covers” and assumed to be mostly technology? Your SABSA security architecture is now operating as your Information Security Program, and you need something to “glue” all the various artifacts, processes and responsibilities together into a framework that you can see and easily manage.

An Information Security Program Framework is a reference point for the collection of artifacts, processes and responsibilities that support the ongoing operation and management of information security governance, architectures, vulnerabilities, threats and risks, resilience, remediation and reporting processes, as well as adapting to the shifting business requirements. The Framework is used as an anchor point for discussion and decision, as the reference for managing the collection of RACI charts to illustrate everyone’s role in the security program, and to illustrate how a business decision becomes a requirement to be incorporated or accommodated into the information security program. The Framework becomes the anchor point for the security services from your services catalog, if you have one.

This session will outline the need, value and use of an Information Security Program Framework and how you can define one and put it to work for your organization. We will identify the attributes of an effective Framework and the various framework components and connections to consider. There are various frameworks and standards available but the one-framework-for-all seems to be elusive. We will look at several sources and references to draw from and discuss the considerations for defining and using an effective Framework that is right for your organization. An Information Security Program Framework should represent the operation of your SABSA Security Architecture. Do you already have one or more frameworks in your own organization and have some insights to share? Maybe together we can put frameworks to better use.

12:30 4A: The Path from Offsite Backups to Real Resilience (via COSAC) Speaker(s): Gordon Jenkins

Gordon Jenkins

Head of Security Architecture, Admiral (UK)

Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 25+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 14 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

“Do you have offsite backups?”

I’d answered this due diligence question many times before, always with the same answer – encrypted backups, on tape, stored offsite, in a dedicated third-party storage facility. But when I saw it last year, I realised this answer and even the question were out of date. These days almost everything we do is offsite with a major cloud provider. We take advantage of their high availability, distributed data storage solutions. Is that equivalent to the old offsite backup control, or is it better? I wasn’t sure we could explain that to ourselves yet.

Over the next couple of months, I started digging around the topics of backups and recovery. So, when I attended COSAC 2023, I was keen to join the Masterclass session on Resilience: From Hardware to Humans and Everything in Between. By the end of that day, I had a new view of what resilience means, and I realised I wasn’t asking all the right questions. Spoiler alert – it’s not all about backup and recovery!

In this talk I will describe an initiative to clarify what resilience means in our organisation and what it should look like. I’ll describe how we got started down this path, the questions it is raising, how we’re responding, what we’re learning, and where I think the path takes us next. This is a real-world example of responding to an idea sparked by a day at COSAC and the impact that might have.

12:30 4B: Annual Reports: Security by Obscurity on Steroids Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

Principal, Information Security Forum (Netherlands)

Esther Schagen-van Luit is a Principal at the Information Security Forum, the not-for-profit member-driven cyber security research institute. There she is responsible for helping members make the most of their membership with ISF through their research, tools, events and services. Previously she served as the Chief Information Security Officer (CISO) of Deloitte Netherlands, Dutch Caribbean, Belgium and Deloitte Legal, after having had a career in cybersecurity strategy consulting. Esther is an...

According to the Dutch Corporate Governance Code, Supervisory Boards should take care to consider the impact of new technologies and cybersecurity on their long-term value creation strategy, and include cybersecurity, supply chain dependencies and data protection in their risk management.

This aligns with new European regulation like NIS2 and DORA, which puts forward much more stringent requirements on board members to have knowledge about, and be accountable for, cybersecurity, or they risk being held personally liable. These new requirements come at a time when only 13% of the Top 100 Dutch Board Members have had any dealings with IT in their career, and only 1% has indirect experience with cybersecurity.

This is reflected in the way most of them talk about cybersecurity in their annual reports - a section that is often missing or minimized. “Cybersecurity is a top priority for us” and “we have done many things to improve cybersecurity in the last year” are about as much food for thought as the average annual report gives its reader. Although presenting information about the state of cybersecurity potentially puts a target on the back of a company, security by obscurity should never be the answer.

Investors and citizens have a right to know how well-guarded their information and the continuity of the organisation is from a cybersecurity perspective. Many organisations, even critical infrastructure, seem to conveniently neglect the systemic risk to society of them being unable to operate for multiple days like with a ransomware attack. We need to understand the likelihood of that happening, how the organisation is addressing those risks and whether there’s a plan B.

This session contains the following segments with the aim of providing attendees with the ammunition to challenge cyber security public reporting in their organisation:

• A passionate plea for why not sharing the state of cyber maturity and resilience is harmful to society and ought to be delivered through a standardized reporting mechanism.

• A round-up of cybersecurity reporting requirements of major corporate governance codes around the world.

• A deep dive into the state of cybersecurity reporting in the annual reports of major Dutch companies, with some best-in-class examples.

• A proposal for and discussion with the audience on which cybersecurity elements should be reported on and disclosed, without causing harm to the company.

• Guidance and a call for action to the audience who can play a leading role as subject matter experts in moving their organisations to enhance cybersecurity reporting.

12:30 4S: The Impact of Cyber Trends on Security Architecture into 2025 Speaker(s): Jon Cassam, Sophia Mexi-Jones

Jon Cassam

Cyber Security Senior Manager, PwC (UK)

Jonathan is a Senior Manager in the PwC Cyber Security practice with diverse experience across both public and private sectors helping organisations tackle some of their most complex security challenges. He also leads our Secure-By-Design proposition and works with a number of clients to securely deliver solutions. Jonathan has proven delivery capability, offering real value to businesses with experience that covers a broad range of areas including strategy, architecture, policy and...

Sophia Mexi-Jones

Security Architect, PwC (UK)

Sophia is a Senior Associate at the Cyber Security Practice at PwC UK with a keen focus in architecture and engineering. Her main experiences and interests lie in cloud security, working with a range of different cloud-specific technologies such as Kubernetes. Her work spans different industries such as the private sector, public sector and governmental bodies. Sophia has a strong technical background with an MSc in Cyber Security. Her focus within architecture lies with threat modelling where...

In the fast-paced world CxOs are generally seeing their cyber security position improving in their organisations, but continue to face considerable challenges. A number do not see increasing the security technology footprint in their business as the answer, and staff attrition and rapid adoption of the cloud continue to cause great concern and uncertainty.

Furthermore, the cyber landscape itself is changing. Regulations such as NIS 2, the Telecommunications Security Act (TSA) and the Digital Operational Resilience Act (DORA) have emerged, making cyber much more directly financially impacting. New technologies and innovative ways of working (e.g. AI) are creating more and different risks to be responded to, and the industry of ‘threat’ continues unabated.

But how does enterprise security architecture respond to these, and if it does, how might it have to think differently or apply itself differently to best support the enterprise?

This 40 min presentation explores these trends, the application of SABSA and Q&A covering:

a. Cyber trends and emerging technologies.

b. How these trends impact our thinking as ESAs.

c. Where SABSA supports overcoming these trends for stakeholders, and where our focus in SABSA needs to shift.

13:20 - 14:00 Lunch

14:00 5A: From Compliance Management Towards Risk Management Speaker(s): Edwin Vos

Edwin Vos

Principal Consultant, Nivo (Netherlands)

Edwin is a principal consultant at Nivo and has worked in IT for more than 35 years. His main focus is architecture and IT security. As a consultant he has worked for many large companies within the Netherlands, in recent years focusing mainly on the Dutch Government. His interests lie in the unknown.

A case study of the Dutch Government

The legislation and regulations for the use of Cloud applications by the Dutch Government have changed significantly in recent years. While in the past it was not the practice to store or process data in the cloud, the current policy allows the Cloud for certain confidential data, as long as it is done in a secure manner. One of the conditions set is that a targeted risk assessment takes place and the correct measures are taken to protect the data.

The content of the presentation is about a case at the central government in the Netherlands of how a targeted risk analysis was carried out, what lessons were learned and what steps are being taken to streamline this process.

The case will mainly focus on which elements are used in the risk analysis, how risks are constructed, which positive or negative effects a risk entails and how security control frameworks, GDPR, Cloud Acts and other legislation are dealt with. In addition, selecting and adapting a risk analysis methodology is an important part of the case. SABSA can help us in selecting the important elements within risk assessments.

Lessons learned:

• Risk analysis methods and the risk management process

• Risks when using the Cloud

• Legislation for processing data in the Cloud and information security aspects

14:00 5B: Cyber Misfits and the SABSA Founders Bursary Speaker(s): Ghariba Bourhidane, Clara Grillet

Ghariba Bourhidane

CyberSecurity Transformation Consultant, Freelance - TreeBridgeMosaic srl (Belgium)

Ghariba is a dreamer, sensitive and unconditional coffee lover. She is currently working as Cybersecurity Transformation Consultant providing services in CyberSecurity Culture and giving deeper experiences advice in Security Awareness, two main topics which drive her passion for the field. Previously, she worked as Deputy CISO of an insurance group by managing the Third-Party Security, IT project security, responsible for IT-Security communication and becoming a security awareness specialist....

Clara Grillet

Cyber Threat Intelligence Analyst, Centre for Cybersecurity Belgium (Belgium)

Clara Grillet holds political science and law degrees but quickly found herself drawn to cybersecurity for its intersection of IT, economics, strategy and (geo)politics. As a cyber threat intelligence analyst, she enjoys delving into complex and dynamic situations. Clara is a keen public speaker on matters related to cyber threat intelligence and ransomware. She is also a teacher with Cyberwayfinder, a Benelux-based cybersecurity school for adults looking to transition professionally into...

Recipients of the Bursary award share their personal experiences embarking into their cyber journey and how the Bursary helped shape their career transition and welcome them into a global community.

Sharing the love. In 2020, Ghariba Bourhidane and Clara Grillet started their career transition into cybersecurity by following courses. In 2022, their cyber careers went deeper and were boosted by receiving the first ever SABSA Founders Bursary award. Two years later, they want to share feedback on how the award was seminal in making their career transition successful:

- Certifications like SABSA are a major plus for job-seekers

- COSAC values out-of-the-box problem-solving where non-traditional profiles feel welcome

- Exposure to professionals with diverse life paths builds self-confidence and gives value to non-technical skills

- Profound sense of belonging from joining a well-established community

- Receiving an award alleviates impostor syndrome and self-deprecation

Being part of the SABSA community gave them additional tools to facilitate and secure their sense of belonging to the cyber community.

Highlighting value. Non-traditional profiles bring new approaches and innovative thinking. They draw on diverse soft skills that can lift hurdles in interpersonal relationships and team projects. Hiring managers, coworkers, company culture and HR staff can all play a role to attract, welcome and keep atypical practitioners.

Thinking back and paying it forward. In this session, we share personal stories that show the immense value of the SABSA Founders Bursary for newcomers to cybersecurity. We will interact with the audience to encourage them to share their own experiences either being a newcomer themselves or working with newcomers. We will interrogate how each team can support inclusion so non-traditional colleagues in the broadest sense (nationality, gender, academic background, past experiences,…) thrive.

14:00 5S: Reimagining A Robust Supply Chain Security Architecture Leveraging SABSA Speaker(s): Pradeep Sekar

Pradeep Sekar

Managing Director, Optiv Security Inc. (India)

Pradeep Sekar is a seasoned cyber security leader who has worked closely with and guided Fortune 100 and Fortune 500 Chief Information Security Officers (CISO), Chief Information Officers (CIO) and their teams across various industries on developing and sustaining a secure, adaptive and robust cyber security program. His unique expertise includes the delivery of innovative cyber strategy solutions and benchmarking insights for global organizations as they look to transform their cyber programs.

Global supply chains are undergoing massive strains in 2024 due to geopolitical conflicts, rapid technological evolution and regulatory changes that pose challenges to organizations irrespective of the industries they operate in. The extended supply chain for hardware suppliers and service providers spans several countries and continents, while the sprawl of software components and open-source projects further increases the sophistication of supply chain attacks. Another internal challenge for organizations is the governance and ownership of supply chain security, which is usually shared amongst security, procurement and legal teams. Securing the supply chain and ensuring uninterrupted business operations have become top of mind for business and security leaders in their day-to-day job responsibilities.

In this interactive session, we will discuss a real-life case study of a Canadian multinational financial services company where the challenge was to securely manage the organization’s supply chain across the 36 countries it was operating in. For this organization, we leveraged and applied SABSA principles to build in traceability from the key business objectives of the executive stakeholders to the specific security services, mechanisms, and components that the security and procurement teams needed to incorporate to secure their supply chain. These security components were used to build a supply chain architecture that wove in governance for the security and procurement teams involved. The result is an adaptable security architecture that serves security teams as well as the business objectives that matter to the CEO and Board.

14:55 6A: Empowering Colleagues, Securing Success Speaker(s): James Chinn

James Chinn

Enterprise Cloud Security Architect, Admiral (UK)

As the Enterprise Cloud Security Architect for Admiral Insurance in the UK, I bring more than 10 years of cloud computing expertise to the table. In the last 6 years, I have worked with Fintech companies of all sizes, from start-ups to FTSE 100 Giants. I shape the vision and strategy for cloud security at Admiral, and I have shared my insights and hosted events in the industry as a Security Architect.

Admiral Group Plc is a UK-based insurance group that provides a range of insurance products and financial services to over 9 million customers worldwide. In 2018, Admiral embarked on its cloud journey to achieve its strategic vision of becoming a data-driven organisation and leveraging its customer base and data for a competitive advantage. In this talk, I will share how we built, secured, and scaled our capabilities, and discuss the challenges we faced, the lessons we learned, and how that led us to rip up the rule book on Security Engagement and develop a de-centralised and democratic approach to securing our investments in cloud by making it everyone's responsibility, and the cultural changes this forced.

We will cover three main topics: what led us to decide to move to Cloud; how we initially approached securing our cloud environment, how we realised that this approach was wrong, and the steps we took to create a de-centralised security model; and finally what this looks like today and how we would approach it if we were going to do this again.

The key takeaways for the audience will be how to approach this type of model, what benefits this model can have for an organisation, and what the pitfalls of doing it are.

14:55 6B: How to Nurture Effective Security Teams While Tapping into Diverse Talent Pipelines Speaker(s): Rosanna Kurrer

Rosanna Kurrer

Educator, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design thinking, corporate innovation and coding seminars for corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.

This presentation aims to demonstrate the benefits of onboarding diverse profiles to security teams. It is part of a continuous effort to formulate a framework which helps security teams perform better while optimising diverse skill sets already present in the organisation. This presentation will provide proof-of-concept on how an internal talent pipeline has given professional growth opportunities to staff with the relevant transferable skills while also making the security teams more effective.

Complexity is in the nature of the problem (securing an organisation and building cyber resilience), as well as in the complex tasks needed to address them (high-dimensionality and high-interdependencies).

The number of tools and the combination of tools being used in the industry, and the introduction of new technologies - all these change at an incredible pace. Teams need to be agile, flexible and adaptive, and need both a broad, as well as deep knowledge of various domains in order to work with diverse stakeholders. How do we face complex challenges with a limited team budget for human resources and the seemingly small talent pool?

“In complex adaptive systems, diversity makes fundamental contributions to system performance.” - Scott E. Page

Building diverse teams with the necessary skill sets to meet these challenges and adapt to the changing tech and threat landscape is necessary - but also not an easy task. The question is how.

Through the lens of the PPT framework:

The success of organisations is tied to talented people and effective teams - and to how well they can adapt to a complex business environment by managing the dynamic nature and interdependencies of these three components:

• People (human weaknesses, strengths – identifying potentials, highlighting current skills and understanding competencies needed, optimising the skill set of a team),

• Processes (business landscape is changing with demographics and innovations, risks in the supply chain are increasing), and

• Technology (disrupting industries, way of working and living).

How can we enable our teams to manage challenges involving the above three components?

Through the lens of “Quality of Hire” indicators:

Organisations must learn to work with uncertainty, and manage talent and resources when the long-term nature of the present skills shortage is considered a major security threat. Success depends on hiring, managing and retaining talent and resources within security teams – while also learning how to make these teams highly effective.

For this, hiring managers need to have an understanding of how to measure the effectiveness of teams, in order to create a strategy for improvement and optimisation.

The use of “Quality of Hire” indicators may provide a way to determine an effective talent recruitment and retention strategy, while creating a reliable pipeline for atypical profiles with relevant transferable skills into the different security teams.

This presentation will focus on three indicators (Performance, Tenure and Engagement) as a guide to creating a clear picture of how well a team works and adapts to a highly dynamic environment.

Promoting Reskilling: Could promoting cognitive diversity - reskilling diverse profiles with transferable skills - be a sustainable answer to the skills shortage in the industry, while also providing a way to address the complexity of the challenges described above?

14:55 6S: Modelling Uncertainty and Building Cyber Resilience Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

CEO, Qiomos (UK)

Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future proof information security strategies and helping organisations implement...

The ever increasing reliance on technology has drastically shifted how organisations function. The interconnectedness and convergence of the digital solutions, together with the business opportunities they bring, increase the number of critical failure points. The latter explains why regulators, across the globe, have been particularly active in this topic and consequently resilience has become the latest global hot topic in many sectors.

A key premise of building cyber resilience is to develop an in-depth understanding of ‘what is materially important’ for the business. Analysing the important business services into the processes, technology and people defines the quantitative and qualitative characteristics of those assets which need to be preserved even during a successful cyber attack.

This presentation will demonstrate how the SABSA methodology can be leveraged to capture the business context, and how the business context in turn becomes a strong foundation on which to build robust cyber resilience. Instead of addressing the challenge from a theoretical point of view, real-life use-cases will be presented from the financial services and energy sectors. Emphasis will be given to the operationalisation of the SABSA methodology to capture the idiosyncrasy of the organisation, demonstrate the relevance of the security services, model the security posture and become the conduit that brings together the risk management framework, threat scenarios, control library and operational controls.

15:45 - 16:05 Afternoon Tea

16:05 7A: True Threat Intelligence – What You REALLY Want To know Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is a lawyer and computer security and privacy expert based in Bethesda, Maryland, and is the General Counsel of the Threat Intelligence firm Unit 221B. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where...

In the complex field of cybersecurity, the term "threat intelligence" often becomes a catch-all, encompassing everything from basic incident reports to in-depth vulnerability analyses. My presentation, "True Threat Intelligence - What You REALLY Want to Know," aims to clarify this ambiguity by distinguishing the various layers of what is generally classified under threat intelligence. More critically, it zeroes in on the essence of what constitutes "true threat intelligence"—a nuanced, actionable insight that goes far beyond the surface-level accumulation of data.

True threat intelligence is an art form that demands a deep, covert infiltration into the underbelly of hacker organizations. It's about gaining trust within these groups, understanding their dynamics, and extracting valuable information that can be used to preempt and neutralize potential cyber threats before they strike. This session will delve into the intricate, resource-intensive process of gathering genuine threat intelligence, highlighting the essential elements of patience, substantial resources, and keen judgment required to navigate the shadowy corridors of cyber threat actors.

A focal point of my talk will be the innovative role of "evil chatbots" in the realm of cyber espionage. As we venture deeper into the age of AI, these chatbots emerge as a critical tool for engaging with and understanding hacker communities. They serve a dual purpose: as instruments for gathering intelligence and as subjects of ethical debate, reflecting the complex moral landscape of cyber intelligence operations.

This presentation will demystify the concept of true threat intelligence, drawing a clear line between generic cybersecurity reporting and the strategic, high-stakes operation of acquiring actionable insights. Attendees will gain a comprehensive understanding of the challenges and intricacies involved in true threat intelligence gathering, as well as the pivotal role this intelligence plays in enhancing cybersecurity defenses against increasingly sophisticated digital threats.

Prepare to embark on a journey into the heart of cyber espionage, where the pursuit of true threat intelligence reshapes our approach to cybersecurity strategy and operations. Join me for an in-depth exploration of what it truly takes to uncover the actionable intelligence you REALLY want to know.

16:05 7B: The Cybersecurity Alchemist Speaker(s): Ghariba Bourhidane

Ghariba Bourhidane

CyberSecurity Transformation Consultant, Freelance - TreeBridgeMosaic srl (Belgium)

Ghariba is a dreamer, sensitive and unconditional coffee lover. She is currently working as Cybersecurity Transformation Consultant providing services in CyberSecurity Culture and giving deeper experiences advice in Security Awareness, two main topics which drive her passion for the field. Previously, she worked as Deputy CISO of an insurance group by managing the Third-Party Security, IT project security, responsible for IT-Security communication and becoming a security awareness specialist....

Alchemy: the art of purifying the impure by imitating and accelerating the operations of nature in order to perfect matter. How do alchemists transform base metals into gold? The metaphorical aim of the alchemist is the purification of the soul, the progressive metamorphosis of the spirit. The alchemist's journey in Paulo Coelho's book is transmutation: elevating the imperfect to perfection. The main character of the book travels and lives according to the different cultures and traditions of each country he visits. He eventually returns to his starting point completely changed: grown up, conscious and strong. A real human firewall!

How does the combination of European and African values help find solutions in Cybersecurity? What impact does the factor "ethnic cultural values" have on the development of a stronger cybersecurity program? What if the evolution of an organization's cybersecurity maturity also depends on the cultural diversity of the individuals in the organization?

Coming from a cultural duality: African and European, I am often categorized in one or the other culture and rarely in both at the same time. Yet, I am what I call "a cultural bridge".

My power: Using my two cultures in the development of solutions. Beyond easy and generic classifications, I see cultures as a spectrum and an endless combination.

African values vary widely from one country to another due to the diversity of their folklore, cultures, traditions, and religions.

Values common to African countries can be identified as - Communalism - Respect for elders – Hospitality – Spirituality - The importance of family and community ties.

These values often emphasize interconnectedness, harmony with nature, and a strong sense of identity and belonging.

My European values also differ depending on the country in which we live, but we can still identify some common ones. In Europe, the common values are - Democracy and Rule of Law - Human Rights and Privacy - Freedom of Expression and Information - Individualism and Critical Thinking - Equality and Inclusivity.

Based on these, what are the existing or future bridges that allow you to build a robust cybersecurity program? What added value does each of these cultures bring to its robustness?

By sharing my personal experiences and research, I would like to give the participants food for thought on how to think about cybersecurity differently, and share some tools that they can use and apply to their own challenges.

16:05 7S: You Can Fix Stupid: Automating to Reduce Risk Speaker(s): Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SABSA SCF is a Cognitive Solutions Developer at City of Hope. She is a neuroscientist and biomedical engineer with experience in speech and gait research. She spent 5 years running neurorehabilitation engineering studies with human participants and conducting data analysis to investigate sensorimotor systems. She co-authored 5 papers and presented at conferences in Toronto and Boston, USA, COSAC APAC 2023 & 2024, and COSAC 28, 29 & 30.

In a world where cyber threats are evolving at an alarming rate, organizations are expected to do more with less, employees are given ever increasing workloads, and human error remains a significant contributor to data errors and security breaches, automation emerges as a crucial solution.

Businesses are increasingly looking toward automation to streamline processes, improve productivity, and “enhance operational efficiency”. A naïve security team might be afraid of the risk that automation poses. But, using a SABSA perspective, we can see that risk from a different angle and recognize it as an opportunity: both to focus on what is important to the business and to reduce the exposure of systems to the human factor.

Through real-world examples, we will illustrate how automation can enhance security posture and minimize the impact of human errors on an organization. We’ll also explore the various ways automation can support security risk assessment, such as enhancing anomaly detection and fortifying defense mechanisms. Facilitated by a member of your friendly neighborhood automation team, participants can expect to discuss the best ways to communicate and partner with groups modifying their processes so that security can take advantage of a rare chance to course-correct across their organization.

17:00 8A: Revolutionising Threat Modelling with Emerging Technologies Speaker(s): Jon Cassam, Sophia Mexi-Jones

Jon Cassam

Cyber Security Senior Manager, PwC (UK)

Jonathan is a Senior Manager in the PwC Cyber Security practice with diverse experience across both public and private sectors helping organisations tackle some of their most complex security challenges. He also leads our Secure-By-Design proposition and works with a number of clients to securely deliver solutions. Jonathan has proven delivery capability and offers real value to businesses with experience that covers a broad range of areas including strategy, architecture, policy and...

Sophia Mexi-Jones

Security Architect, PwC (UK)

Sophia is a Senior Associate at the Cyber Security Practice at PwC UK with a keen focus in architecture and engineering. Her main experiences and interests lie in cloud security, working with a range of different cloud specific technologies such as Kubernetes. Her work spans different industries such as the private sector, public sector and governmental bodies. Sophia has a strong technical background with an MSc in Cyber Security. Her focus within architecture lies with threat modelling where...

In the traditional landscape, threat modelling has been a predominantly manual and meticulous process, demanding substantial expertise and time. However, the advent of cutting-edge technologies is set to transform this scenario radically.

Our presentation delves into how an amalgamation of sophisticated technologies across the tech stack can automate and enhance the threat modelling process, making it more efficient and accessible. At the heart of this transformation is the integration of Generative Artificial Intelligence (GenAI) tools, such as GPT-4, which is significantly lowering the skill barriers traditionally associated with creating threat models.

During our presentation we will:

● Explore the unique contributions of technologies like Security Copilot, Gemini, and other elements of the technology stack that, when chained together, offer a robust methodology for automated threat modelling.

● Glimpse at a 'Promptbook on ChatGPT,' aimed at simplifying the entry into technical security architecture work.

● Discuss the possibility of generating dynamic architecture documents, analysing the security estate comprehensively, and employing chained GPT models for a holistic threat analysis.

The intersection of AI and traditional security tooling is paving the way for a new era in threat modelling - one where automation, efficiency, and inclusivity are at the forefront, transforming the landscape of cybersecurity architecture.

17:00 8B: It Takes A Village: Raising Cybersecurity Capability Across the Enterprise Speaker(s): Paul Dorey

Paul Dorey

Visiting Professor, Royal Holloway University of London (UK)

Paul Dorey has over 35 years management experience in cyber security and enterprise risk management including information security, digital security of IT and OT systems, resilience, privacy and information management. His leadership roles have included Global CISO at BP and Barclays and other roles with global leadership of strategy, information security and risk management functions in financial services, technology and pharmaceuticals. He currently advises security leaders, business...

The shortage of cyber security skills is well known and this is only getting worse. So what can we do about it? When we step back from the problem we can see that many organisations are not efficient in their security engagement. Security teams perform triage and process work which does not require advanced security skills, and often we still see late engagement of security in projects and business decisions, introducing delays and requiring re-work.

Things can be different if cyber security activity is embedded in the day-to-day work of other professionals and functions. Security requirements can be specified by procurement professionals, security configurations and patching owned by IT functions, and security objectives specified by business executives.

In this talk, Paul will share experiences across a range of different sectors showing practical examples of how security and business goals were aligned and the security workforce expanded by placing cyber capability into other jobs.

17:00 8S: Achieving Life Goals Without Joining A Cult or Losing Friends Speaker(s): Clara Grillet

Clara Grillet

Cyber Threat Intelligence Analyst, Centre for Cybersecurity Belgium (Belgium)

Clara Grillet holds political science and law degrees but quickly found herself drawn to cybersecurity for its intersection of IT, economics, strategy and (geo)politics. As a cyber threat intelligence analyst, she enjoys delving into complex and dynamic situations. Clara is a keen public speaker on matters related to cyber threat intelligence and ransomware. She is also a teacher with Cyberwayfinder, a Benelux-based cybersecurity school for adults looking to transition professionally into...

How security architecture can help you keep your new year’s resolutions and other lifestyle objectives.

Everyone dreams, but few turn their dreams into reality. Making it happen does not need to exact a taxing price on social life and comfort. Using my own personal challenge, I draw on my experience as a relative newcomer to SABSA and to cybersecurity in general to show how the SABSA problem-solving approach can be used to tackle private goals. In my case, it enabled me to overcome health limitations in order to fulfill my parents’ last wishes.

Frustration begets frustration. Most adults have at least once in their lifetime promised themselves they would change their behavior. Few ever succeeded, let alone maintained that new good habit beyond a few weeks. What was supposed to make them feel better about themselves ended up feeding a sense of failure. This creates a vicious circle: you are less likely to dream big and experience stress when you have been repeatedly confronted with failure. When frustration is imposed (e.g. poor health diagnosis), its limitative power increases tenfold. What a waste of human energy!

Applying SABSA to tackle human challenges. Who said security architecture was limited to complex IT questions? Thinking of a life goal as a project just like any other work project, whose vision and success can be articulated, as well as broken down to the smallest step increases the likelihood that you can track your progress and therefore keep up with your promises. SABSA doesn’t impose a direction, rather you are more likely to commit to a plan that you’ve come up with yourself and which follows your own logic. The SABSA framework can be used to boost self-satisfaction and virtually eradicate a sense of failure or dissatisfaction with yourself.

Powering through life. Life goals might seem insurmountable, even more when you attempt to tackle different goals at the same time. Security architecture forces you to identify possible links between goals, thus multiplying the impact of each step. Using diverse and creative trackers, you can monitor progress every week. Even when you don’t achieve 100% of your stated goal, your achievements are visible. This has tangible macro effects: when you feel better, others around you benefit from your positive energy (family, friends, coworkers, everyday interaction with strangers,…). This creates a virtuous circle where by helping yourself, you are more likely to feel generous with others and create a positive environment.

Using personal examples, I bring the SABSA mindset to the private realm. I wish to give participants the tools to apply it to their own challenges.

17:50 - 18:10 Refreshments

Plenary Session

18:10 9P: The Smart Practitioner’s Guide To Getting Stuff Done Speaker(s): Anne Leslie

Anne Leslie

Cloud Risk & Controls Leader, IBM (France)

Anne Leslie is Cloud Risk and Controls Leader at IBM Cloud. She has over 15 years of experience in international roles in banking and related technology businesses, spanning the intersection of financial services, regulatory policy, cybersecurity, AI, and cloud. Since joining IBM, her focus has been on accompanying financial institutions in securing their journey to public cloud and transforming their operational models to adapt to the accelerating pace of business, regulatory, and technology...

DOING WHAT YOU CAN WITH WHAT YOU’VE GOT WHERE YOU ARE

This paper proposes an unconventional yet highly effective approach to helping information security teams deliver better security outcomes by blending the organisational, technical, and process reality that surrounds them with human-centric methodologies, including design thinking and negotiation techniques drawn from the practice of conflict resolution.

Leaning on inspiration from a real-world project I have led in public sector healthcare, my idea is to illustrate with pragmatic and reusable examples how security practitioners can achieve useful consensus about what their teams and wider organisations should focus on. In so doing, they can build buy-in for their strategic and operational security initiatives, making a real difference for their organisations and feeling for themselves that their contribution matters.

THE IDEA

Traditional approaches to information security tend to be technology-heavy and often overlook the human element, where teams operate under an oppressive feeling of constraint and with a scarcity mindset. This can impede good critical thinking and lead to sub-optimal decisions and operational practices, which ultimately leads to gaps in defences.

By embracing a human-centric approach rooted in design thinking and leveraging integrative negotiation techniques, security teams can foster outcome-oriented collaboration and innovation in tackling cybersecurity challenges, making the most of the available time and resources.

This talk explores the intersection of information security, design thinking, and negotiation in a real-world context where human life is what is at stake (public sector healthcare) and where the application of an unconventional approach yielded unconventionally positive results.

• Design Thinking to Uncover What Really Matters

In the public sector healthcare project, design thinking principles guided the development of a strategic roadmap that prioritised patient outcomes. By empathising with healthcare professionals and patients, the security team identified unique security needs and co-created solutions that seamlessly integrated with existing workflows.

The iterative nature of design thinking allowed for continuous improvement and adaptation to evolving threats, resulting in a robust security framework tailored to the needs of the healthcare environment.

• Negotiation Techniques to Address Intractable Disputes

Negotiation techniques played a pivotal role in garnering buy-in from stakeholders across diverse departments. By framing security concerns within the context of patient outcomes, the team facilitated productive discussions that aligned competing interests and neutralised inter-team and interpersonal conflict toward a shared goal that everybody committed to. This was a game-changer.

Through principled negotiation and active listening, we managed to reach a consensus on the priority initiatives that the security team needed to focus on, balancing risk mitigation with operational efficiency, paving the way for a successful implementation of the new 3-year strategic initiative and garnering the goodwill and active commitment of all contributors.

• Facilitated Discussions to Make Sure Every Voice is Heard

Facilitated discussions served as a cornerstone of the approach, providing a structured forum for stakeholders to voice their concerns and contribute to the decision-making process. Skilled facilitators adeptly managed group dynamics, ensuring that all perspectives were heard and respected, particularly those of neuro-diverse team members who had previously struggled to communicate their ideas and who, it turned out, had an incredibly impactful role to play.

Conclusion

By embracing human-centric methodologies like design thinking and best practices from other professional domains such as conflict resolution, this talk will show how security practitioners can unlock untapped potential from existing human talent in their organizations, orchestrating this energy into better security outcomes.

The real-world examples from public sector healthcare demonstrate the tangible benefits of design thinking, negotiation techniques, and facilitated discussions in establishing focus, achieving consensus and buy-in, and keeping teams on track to achieve superior security outcomes.

Let’s embark on an unconventional journey together, where we’ll learn to leverage the power of human ingenuity to build even better defence in depth in our organizations and safeguard what matters most.

COSAC 2024 Gala Dinner & Race Night

19:15 Drinks Reception
19:45 COSAC 2024 Gala Dinner & Race Night