
Welcome to COSAC Connect!

For 27 years COSAC has provided a trusted environment in which to deliver information security value from shared experience.

COSAC Connect brings the COSAC Information Security Conference format online for the first time in 2020. Participation and interaction will be encouraged and facilitated by the COSAC team. View our agenda to get a taste of what to expect from our panel of expert information security speakers.

Tuesday 29th September 2020

09:00 BST Introduction & Welcome Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

09:30 BST Securing the Digital Transformed World Speaker(s): Siân John MBE

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

As organisations go through digital transformation Cybersecurity practices need to evolve to keep up. This half day session will explore some of the challenges and approaches to evolving security risk management to unlock the opportunity of digital transformation by managing and mitigating some of the threats. Topics will include:

- Changing control and risk frameworks – and reporting on risk to support digital transformation
- Identity as a perimeter and Zero Trust Networks
- Forensics and threat hunting in the hybrid cloud world
- Incident response, triage and remediation
- Securing the intelligent cloud and the intelligent edge – IoT, machine learning and hybrid cloud solutions

10:30 BST Using SABSA to Architect Zero Trust Networks Speaker(s): Chris Blunt

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.

In 2014, Google threw away its traditional approach to securing its services and reimagined what security should look like to be truly effective in today's world of distributed teams, systems, and applications.

But is it practical for an organisation without the resources of Microsoft, Amazon Web Services and Google to adopt these concepts?

This session will provide a brief overview of the zero-trust concepts before exploring how SABSA can be used to architect zero-trust networks. Finally, we will discuss the real-world applications of zero-trust, together with some of the challenges and how they might be overcome.

11:30 BST Dependency Modelling in SABSA - Dynamically Visualising Risk Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Dependency modelling is a way of analysing risks to an enterprise. It uses a variety of approaches to describe and predict how different system components interact and depend on one another. Typically it provides graphical representations of these relationships that help systems engineers design and implement resilient systems.

A dependency model is based on goals and objectives and the prerequisites needed to satisfy those goals. It is a positivist, top-down approach that contrasts with other models that focus on faults, disasters and failures.

I first learned of Dependency modelling many years ago having been introduced to the subject by Professor John Gordon.  He had developed a toolset specifically designed to help systems engineers, among other things, model risks to critical infrastructure. I was particularly interested in how his techniques were based on 'good' things - goals that he called 'paragons' and the Bayesian engine he developed that enabled you to build a dependency model and then 'drive it in reverse' to infer the most likely elements to cause compromise of each paragon.  It occurred to me at the time that there were great similarities between paragons and SABSA Business Attributes and that, when I had time, I would explore that further.

In this presentation I shall outline John Gordon's excellent work and use some examples to highlight how it can be applied to SABSA Business Attribute-based Dependency Modelling.  I hope it will be of interest to both delegates who are expert in the field and others to whom it is new - my goal is to produce a catalyst for some of us to work together to use Dependency Modelling within SABSA to make the design of resilient business systems easier.
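As an added illustration (not part of the session abstract and not Professor Gordon's toolset or the SABSA Institute's material), the following Python sketch shows the two mechanics the abstract describes: a goal, standing in for a paragon or SABSA Business Attribute, is decomposed into prerequisites joined by AND/OR relationships, the model is run forward to estimate how likely the goal is to hold, and then "in reverse" to rank which prerequisite is the most likely cause if the goal is observed to have failed. The model, its node names and the prior probabilities are constructed for the example; leaf prerequisites are assumed independent, and the reverse step is exact Bayesian conditioning by enumerating every combination of leaf states, which is fine for small models.

```python
"""Toy goal/prerequisite dependency model with forward and reverse inference.

Added example, not the page's or any project's code.  The structure,
names and probabilities below are constructed for illustration only.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple, Union


@dataclass
class Leaf:
    """A prerequisite whose state we have a prior belief about."""
    name: str
    p_ok: float  # prior probability that this prerequisite is satisfied


@dataclass
class Node:
    """A goal or sub-goal derived from its children: AND (all needed) or OR (any suffices)."""
    name: str
    op: str
    children: List[Union["Node", Leaf]]


Element = Union[Node, Leaf]


def leaves(e: Element) -> List[Leaf]:
    """All leaf prerequisites under an element, in depth-first order."""
    if isinstance(e, Leaf):
        return [e]
    out: List[Leaf] = []
    for child in e.children:
        out.extend(leaves(child))
    return out


def holds(e: Element, state: Dict[str, bool]) -> bool:
    """Evaluate whether an element is satisfied given the state of every leaf."""
    if isinstance(e, Leaf):
        return state[e.name]
    vals = [holds(c, state) for c in e.children]
    return all(vals) if e.op == "AND" else any(vals)


def analyse(goal: Node) -> Tuple[float, List[Tuple[str, float]]]:
    """Forward: P(goal holds).  Reverse: P(leaf failed | goal failed), ranked.

    Leaves are assumed independent and must have unique names.  Enumerates all
    2^n leaf states, so the model is capped at 16 leaves.
    """
    ls = leaves(goal)
    if len(ls) > 16:
        raise ValueError("model too large for exhaustive enumeration")
    if len({leaf.name for leaf in ls}) != len(ls):
        raise ValueError("leaf names must be unique")

    p_goal_ok = 0.0
    p_goal_fail = 0.0
    joint_fail = {leaf.name: 0.0 for leaf in ls}  # P(leaf failed AND goal failed)
    for bits in product((True, False), repeat=len(ls)):
        weight = 1.0
        state: Dict[str, bool] = {}
        for leaf, ok in zip(ls, bits):
            state[leaf.name] = ok
            weight *= leaf.p_ok if ok else 1.0 - leaf.p_ok
        if holds(goal, state):
            p_goal_ok += weight
        else:
            p_goal_fail += weight
            for leaf, ok in zip(ls, bits):
                if not ok:
                    joint_fail[leaf.name] += weight

    # Bayes: P(leaf failed | goal failed) = P(leaf failed AND goal failed) / P(goal failed)
    posterior = {n: (m / p_goal_fail if p_goal_fail else 0.0) for n, m in joint_fail.items()}
    ranked = sorted(posterior.items(), key=lambda kv: kv[1], reverse=True)
    return p_goal_ok, ranked


# Constructed sample model: a business attribute decomposed into prerequisites.
MODEL = Node("Orders fulfilled on time", "AND", [
    Node("Order system available", "AND", [
        Node("Power to data centre", "OR", [
            Leaf("Mains supply", 0.98),
            Leaf("Backup generator", 0.90),
        ]),
        Leaf("Order database healthy", 0.97),
    ]),
    Leaf("Warehouse staff on shift", 0.95),
    Leaf("Courier contract in force", 0.99),
])


if __name__ == "__main__":
    p_ok, ranked = analyse(MODEL)
    print(f"P({MODEL.name!r} holds) = {p_ok:.4f}")
    print("If the goal fails, most likely failed prerequisites:")
    for name, p in ranked:
        print(f"  {p:.3f}  {name}")
```

Running it shows why the reverse view is useful for prioritising resilience work: the prerequisites on a pure AND path to the goal (staff on shift, database health) dominate the ranking, while either power source alone ranks low because the OR relationship means its failure rarely brings the goal down by itself.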

12:30 BST Digital Ethics : A BluePrint For The Future Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Digital ethics, together with privacy, was one of Gartner’s top ten strategic technology trends. In the world of Cybersecurity, we are acutely aware of what privacy means but are we so clear about digital ethics? The current discourse on digital ethics focusses either on the intended ethical breaches resulting in damage to consumer trust – in other words ‘not doing right’ – or on the potential misuse of big data and artificial intelligence. However digital ethics reaches far beyond this. With digital ethics comes the added variable of the ethical implications of things which may not yet exist, or things which may have impacts we cannot predict. Organisations continue to struggle to recognize and anticipate the unintended ethical issues associated with digital technologies. For instance, who twenty years ago would have anticipated the ethical issues now associated with current digital technologies such as reduced social skills, addiction, bullying and loss of self-determination – or in a broader digital context – the emerging erosion of democracy and the socio-political divisiveness of national security surveillance? The biggest challenge right now is in thinking we can regulate digital ethics with compliance-type checklists. This is because digital technologies are not neutral; they enshrine a vision and reflect a worldview which cannot be checklisted. What if, instead of checklists, we could construct a navigational tool which guides our teams to focus, and refocus, on key areas more likely to be vulnerable to ethical compromise? Drawing on nascent research from the Omidyar Network and Institute for the Future, an overview of the 'Ethical OS' toolkit is presented, including an overview of the process of undertaking a digital ethics review and the 8 key risk areas that organisational teams need to focus on. This toolkit doesn’t make an organisation ‘ethical’ but it does provide the organisation with an essential guide for its digital endeavours now and into an unknown future.

Wednesday 30th September 2020

17:00 BST Welcome & Introduction Speaker(s): David Lynas

17:15 BST Speaking Security Innovation Fluently: Taking Enterprise Security Architecture from Boardrooms to Lego Rooms Speaker(s): Rosanna Kurrer, Patrick Wheeler

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now as a naturalized Belgian he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas) specializing in security, compliance and innovation with rubric of ‘Cybrepreneurship’ which he defines as including opportunistic...

Global and local enterprises are all pushing ‘innovation’ mantras, from Agile-IT to Netflix-HR. The rush towards decentralized-small-squad-self-governed-code-fast-publish-now-fail-early-apologize-later-if-needed (Agile, DevOps, etc.) places known and growing challenges on ESA. Design Think (Stanford [ref1], Hasso-Plattner [ref2]; radical-collaboration, bias-toward-action, mindful-of-process, beginners-mindset, show-don’t-tell, embrace-experimentation, prototype-to-discover) is one of the latest widely adopted methodological approaches to innovation, often placed upstream of Agile. Applying the SABSA framework to Design Think in an enterprise can embed ESA concepts early into corporate strategies (boardrooms) and product lifecycles (lego rooms). By embedding ourselves at the earliest stages in decision-making processes we carry ESA to the boardrooms, differently.

What? Business decisions from fintech acquisition and business partnerships through to strategic bet-the-company pivots are being made via this process. We propose an introduction, workshop and exercise to get in front of enterprise strategy and set enterprise security architecture priorities by reverse engineering design think orthodoxy and credos in the enterprise. It includes a 3-hour learning-by-doing exercise on how to identify design opportunities, generate diverse ideas, and create and test prototypes using the principles and mindsets of design thinking. This business-focused exercise concentrates on the Business view and the Contextual and Conceptual layers. Our presenters are practitioners who can speak to using this throughout all layers in the Financial sector (e.g. SWIFT, Euroclear and BNPPF) and governments (e.g. EU).

Why? While we may speak the language of risk, business and enterprise, we must be fully conversant with the buzzwords, concepts and methodologies to be fluent in the language of innovation. Ideas are always in abundance; how do we turn them into concrete and desirable products, processes or campaigns? In security we strive to create a positive impact and bring value to our teams and relationships. We are faced with complex situations or challenges with known or unknown conditions and uncertainty. These challenges often require creative solutions that actually work, feel right and meet core needs. Using ongoing communications frameworks is key to success. Co-creating solutions is just the beginning.

How? While this can be used as design think for security (and we have indications of success in enterprise security teams), we will focus on the business context of embedding ESA concepts and securing the design think and innovation eco-system process. By making ourselves conversant in, and demonstrably using, the design thinking process, and by bringing into action the mindsets of creative confidence, tactical empathy, iteration, learning from failure, radical collaboration and embracing ambiguity, we increase the likelihood of gaining real insight into the real and often hidden needs of our audience, users or stakeholders. We look at the mental barriers to security adoption, differently. There are design opportunities for which we could create prototypes and iterate to drive organic adoption (pull, not push) of ESA. (Warning: if special dispensation is granted, there may be commercial product placement of Lego’s™ [ref3]; the presenters have no direct or indirect commercial involvement, and choking hazards are assumed an acceptable risk.)

18:15 BST SA B[S]Akery: The Story of ESA Architects Turned Bakers Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

Specialist Security Architecture, Deloitte (Netherlands)

Esther is a Specialist in Security Architecture at Deloitte Cyber Risk Services. Her ambition is to be a Leading Lady In Cyber, who is the best in her craft (security architecture) and makes societal impact as a role model by making girls & women feel they (could) belong in the world of cybersecurity. For her work on getting more women into Cyber, Esther has been awarded prizes and nominations such as the Cybersecurity Award, Techionista Award, VIVA400 and Change in Business Award.

Creating security architecture for a real-life organization can be a daunting task. As we model all aspects of the business, our diagrams grow more complex and we need longer to move through the architectural layers. It could help budding architects to first apply SABSA to a very simple situation before moving into real-life territory. Enter SA B[S]Akery.

SA B[S]Akery is your typical bakery on the corner. SA B[S]Akery was started by four friends that met at a local security architecture conference: David, John, Zika and Matt. Their goal is to be the go-to bakery for the inhabitants of Killashee. But the road of baking bread is not for the faint-hearted. Fortunately you can take the architect out of SABSA (and put them in a bakery), but not SABSA out of the architect. They still know how to apply the SABSA Risk Management Process (RMP). Join them on their journey to understand the risks of running a bakery and how to guard their livelihood. On the way they may have to deal with hungry raccoons, rambunctious children on a birthday party and of course, ransomware.

The goal of this session is to show how part of the SABSA methodology can be applied to a simplified case study, and thereby provide greater clarity on how to approach complex environments. Secondly, it aims to show the usefulness of SABSA in a variety of situations beyond the information security of large corporations to which it is often applied. This case study serves as the basis for my SABSA exam papers and the ESA board game to be presented at COSAC in February 2021.

19:15 BST Rise of the Weird Machines Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...

One of the key assumptions in programming is that computers execute code that performs the function intended by the programmer. However, as programs become more complex, so do their inputs, giving rise to situations where specially crafted data can trigger unexpected computations in targets ranging from executables to OS elements to embedded hardware. These "weird machines" give rise, in turn, to exploits in targets ranging from ELF metadata to x86 page handling to embedded font handlers.

We'll discuss how weird machines are born, take a tour of the weird machine zoo, and talk about some of the frameworks, tools, and techniques available to counter the rise of the weird machines...