For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. For the first time, COSAC is going virtual with COSAC Connect going live in September 2020.
View the schedule for our 2-day event or check out our panel of world class speakers ready to bring the COSAC ethos of collaboration and information security wisdom online. Registration is free of charge with sessions spread across world time zones to ensure COSAC continues to deliver value, wherever in the world you are located.
Welcome & Introduction
Chairman, COSAC (Northern Ireland)
David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
Speaking Security Innovation Fluently: Taking Enterprise Security Architecture from Boardrooms to Lego Rooms
Managing Director, CyberWayFinder (Belgium)
Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars for corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan, she now identifies as German and Belgian.
Mentor / Director, CyberWayFinder (Belgium)
Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now a naturalized Belgian, he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas), specializing in security, compliance and innovation under the rubric of ‘Cybrepreneurship’, which he defines as including opportunistic...
Global and local enterprises are all pushing ‘innovation’ mantras, from Agile-IT to Netflix-HR. The rush towards decentralized-small-squad-self-governed-code-fast-publish-now-fail-early-apologize-later-if-needed (Agile, DevOps, etc.) poses known and growing challenges to ESA. Design Think (Stanford [ref1], Hasso-Plattner [ref2]; radical-collaboration, bias-toward-action, mindful-of-process, beginners-mindset, show-don’t-tell, embrace-experimentation, prototype-to-discover) is one of the latest widely adopted methodological approaches to innovation, often placed upstream of Agile. Applying the SABSA framework to Design Think in an enterprise can embed ESA concepts early into corporate strategies (boardrooms) and product lifecycles (lego rooms). By embedding ourselves at the earliest stages of decision-making processes we carry ESA to the boardrooms, differently.
What? Business decisions from fintech acquisition and business partnerships through to strategic bet-the-company pivots are being made via this process. We propose an introduction, workshop and exercise to get in front of enterprise strategy and set enterprise security architecture priorities by reverse engineering design think orthodoxy and credos in the enterprise. It includes a 3-hour learning-by-doing exercise on how to identify design opportunities, generate diverse ideas, and create and test prototypes using the principles and mindsets of design thinking. This business-focused exercise concentrates on the Business and the Contextual and Conceptual layers. Our presenters are practitioners who can speak to using this throughout all layers in the Financial sector (e.g. SWIFT, Euroclear and BNPPF) and governments (e.g. EU).
Why? While we may speak the language of risk, business and enterprise, we must be fully conversant with the buzzwords, concepts and methodologies to be fluent in the language of innovation. Ideas are always in abundance; how do we turn them into concrete and desirable products, processes or campaigns? In security we strive to create a positive impact and bring value to our teams and relationships. We are faced with complex situations or challenges with known or unknown conditions and uncertainty. These challenges often require creative solutions that actually work, feel right and meet core needs. Ongoing use of communications frameworks is key to success. Co-creating solutions is just the beginning.
How? While this can be used as design think for security (and we have indications of success in enterprise security teams), we will focus on the business context of embedding ESA concepts and securing the design think and innovation eco-system process. By making ourselves conversant in and demonstrably using the design thinking process, and by bringing into action the mindsets of creative confidence, tactical empathy, iteration, learning from failure, radical collaboration and embracing ambiguity, we increase the likelihood of gaining real insight into the real and often hidden needs of our audience, users or stakeholders. We look at the mental barriers to security adoption, differently. There are design opportunities for which we could create prototypes and iterate to drive organic adoption (pull, not push) of ESA. (Warning: if special dispensation is granted, there may be commercial product placement of Lego’s™ [ref3]; the presenters have no direct or indirect commercial involvement, and choking hazards are assumed an acceptable risk.)
SA B[S]Akery: The Story of ESA Architects Turned Bakers
Esther Schagen-van Luit
Specialist Security Architecture, Deloitte (Netherlands)
Esther is a Specialist in Security Architecture at Deloitte Cyber Risk Services. Her ambition is to be a Leading Lady in Cyber who is the best in her craft (security architecture) and makes a societal impact as a role model by making girls and women feel they (could) belong in the world of cybersecurity. For her work on getting more women into Cyber, Esther has received prizes and nominations such as the Cybersecurity Award, Techionista Award, VIVA400 and Change in Business Award.
Creating security architecture for a real-life organization can be a daunting task. As we model all aspects of the business, our diagrams grow more complex and we need longer to move through the architectural layers. It could help budding architects to first apply SABSA to a very simple situation before moving into real-life territory. Enter SA B[S]Akery.
SA B[S]Akery is your typical bakery on the corner. SA B[S]Akery was started by four friends who met at a local security architecture conference: David, John, Zika and Matt. Their goal is to be the go-to bakery for the inhabitants of Killashee. But the road of baking bread is not for the faint-hearted. Fortunately, you can take the architect out of SABSA (and put them in a bakery), but not SABSA out of the architect. They still know how to apply the SABSA Risk Management Process (RMP). Join them on their journey to understand the risks of running a bakery and how to guard their livelihood. On the way they may have to deal with hungry raccoons, rambunctious children at a birthday party and, of course, ransomware.
The goal of this session is to show how part of the SABSA methodology can be applied to a simplified case study, and thereby provide greater clarity on how to approach complex environments. Secondly, it aims to show the usefulness of SABSA in a variety of situations beyond the information security of large corporations to which it is often applied. This case study serves as the basis for my SABSA exam papers and the ESA board game to be presented at COSAC in February 2021.
Rise of the Weird Machines
Director, Transformation Strategy, Zscaler (USA)
Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...
One of the key assumptions in programming is that computers execute code that performs the function intended by the programmer. However, as programs become more complex, so do their inputs, giving rise to situations where specially crafted data can trigger unexpected computations in targets ranging from executables to OS components to embedded hardware. These "weird machines" in turn give rise to exploits in targets ranging from ELF metadata to x86 page handling to embedded font handlers.
We'll discuss how weird machines are born, take a tour of the weird machine zoo, and talk about some of the frameworks, tools, and techniques available to counter the rise of the weird machines...