
Welcome to COSAC - Conferencing the way it should be!

For 26 years COSAC has delivered a trusted environment in which to deliver value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Monday 2nd December 2019

COSAC APAC 2019 Welcome Dinner

18:45 Drinks Reception
19:15 Dinner

Tuesday 3rd December 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 1A: Using SABSA to Architect Zero-Trust Networks Part 2 Speaker(s): Chris Blunt

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

At COSAC APAC 2017, I presented a session discussing how to apply SABSA to architect a zero-trust network. This session explored the basic concepts of zero trust networks and showed how SABSA was used to deliver an Enterprise Security Architecture (ESA), which included a Conceptual Architecture for a zero-trust network.

But what has happened since then? Is it practical for an organisation without the resources of Microsoft, Amazon Web Service and Google to adopt these concepts? This session seeks to shed some light on this by building on the original sanitised NZ organisation case study.

This session will provide a brief overview of the zero-trust concepts, together with the pertinent details from the ESA and the Conceptual Architecture before exploring how they were used to develop and implement a solution architecture using cloud services, discussing the real-world challenges and how they were overcome.

Finally, if time and the demo gods permit there will be a demonstration of how zero-trust networks can work in the real-world using a replica of the NZ organisation’s implementation.

09:30 1B: Digital Identity -The Core of Digital Transformation Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

Objective of the session is to illustrate how Digital Identity is a fundamental enabler for digital business strategies underpinned through customer Identity and Access Management capability. 

Session will cover aspects as they relate to emerging business drivers, customer user stories, a new security stack required for Digital Identity that satisfies business objectives, as well as an architecture model required to synergise the use of identity.

In addition, session will also provide insight into the future of identity leveraging emerging trends and technologies.

10:30 2A: SABSA in Mission Critical Systems Engineering Projects Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex is a Senior Security Architect within Thales Australia's Cyber Security team with 20+ years' experience in Information & Communication Technology in the defence (national security), critical infrastructure and financial services sectors. Alex's role is to provide specialist security advice, design decisions and engineering review to enable projects and Thales' customers to devise, develop, acquire and maintain reliable, secure, accreditable and economically viable technology solutions.

The discussion of architecture frameworks and mission critical systems often misses the ‘elephant in the room’ since it excludes the use of system engineering practices to deliver large complex solutions. This is counter-intuitive since architecture frameworks were originally conceived to deal with complexities in the delivery of systems and outcomes, and were often derived from system engineering principles.

Although the SABSA training content does highlight the system engineering pedigree of the SABSA framework and methodology, many SABSA trainees and practitioners are unfamiliar with the formal practice of system engineering. This often results in a great deal of misunderstanding when architects from an enterprise ICT background join an engineering organisation.

As a SABSA practitioner working in a System Engineering organisation and on large scale mission critical systems, I have developed a depth of experience and insights into the application of SABSA architectural practices and methods within the framework of system engineering and the challenges of integrating into a system engineering organisation. Often these challenges highlighted that non-technical considerations were just as important (if not more important) than purely technical considerations.

The presentation will familiarise SABSA practitioners with the practice of system engineering and its application to mission critical systems. It will provide guidance in applying SABSA methods in a system engineering context. This presentation is an example of how to apply SABSA security architecture practices even though the engineering / technical organisation has not ‘mandated’ the use of the SABSA framework.

10:30 2B: Understanding Trust for Digital Identity Speaker(s): Andrew Stephen

Andrew Stephen

All of Govt Enterprise Architect, Dept of Internal Affairs (New Zealand)

Over the past three decades Andrew has worked across many aspects of the information and technology industry, from deeply technical to security management and architecture. Today Andrew has a focus on improving security practice and the relationships between security functions and their organisations. His current work contributes to development of New Zealand government digital strategy and nationally significant digital service. 

In late 2018 New Zealand's government began an ambitious project to develop a trust framework to establish the future environment for the digital identities of New Zealanders. With a list of stakeholders that potentially includes every New Zealander and NZ organisation - as well as off-shore entities which transact with New Zealanders - the task of understanding the outcomes and attributes necessary for a successful and trusted digital identity ecosystem looked overwhelming. As the Enterprise Architect for this programme Andrew Stephen began by formulating an approach to shaping a trust framework that focussed on the diverse outcomes needed for the many stakeholders to confidently participate in the future ecosystem, and determining the dependencies needed to achieve them. In this talk Andrew will explain how he developed this approach and will also give an overview of the findings and how these are being reflected in the trust framework itself.

11:20 - 11:40 Morning Coffee

11:40 3A: The SABSA Minimum Viable Product Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney, Australia with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

One of the most common questions that befalls a newly minted SABSA architect is “Where do I start?” And it’s not just SABSA neophytes faced with this problem ‒ we have all struggled in some way with delivering effective value whilst justifying the lengthy time and breadth needed to develop (often nascent) enterprise security architecture, particularly when first joining a new organisation where the SABSA practitioner has to produce the goods to make it through their probation. So where do you start? And more importantly, where should you be spending your precious time and energy, particularly during those first crucial months in a new role when all eyes are watching you in silent judgement of your level of competency and effectiveness?

Taking inspiration from the much-heralded approach by the Australian Signals Directorate (ASD) in producing the Top 4 / Essential 8, this entertaining, thought-provoking and, no doubt, controversial presentation proposes a core set of architectural ‘products’, and the minimum criteria they must meet, that the Enterprise Security Architect needs to focus on in order for their efforts to be rightly deemed ‘security architecture’ in the eyes of your peers, as well as to allow the budding architect to pass probation and keep their job!

11:40 3B: NATO Resilience by Design Speaker(s): Perri Nejib, Edward Yakabovicz

Perri Nejib

Technical Fellow - Cyber Solutions Architect, Northrop Grumman (USA)

Ms Nejib has 33+ years of system engineering and program protection experience and 27+ years of technical leadership & DoD acquisition management experience. She is currently part of the Advanced Cyber Technology Center (ACTC) as one of its senior engineering consultants and is deployed to the Missile Defense & Protective Systems Division (MDPS) as Cyber Solutions Architect. In this role she supports key programs, serves as a stakeholder on MDPS IRADs and provides SSE subject matter expertise.

Edward Yakabovicz

Technical Fellow, Northrop Grumman (USA)

Edward Yakabovicz is an innovative technical leader at Northrop Grumman responsible for advanced technologies for enhancing cybersecurity, resilience, and security engineering throughout enterprise, SCADA, and the Internet of Things. He is a cybersecurity doctorate candidate researching the current human capital crisis and inability to staff cyber related jobs.

Cyber Resilience (as opposed to merely risk-based approaches) is an ever increasing topic of interest in literature and in practice, with many nations expressing it in their cyber strategies to apply newer practices in providing system protection from the rapidly changing cyber threat environment. This presentation addresses the engineering-driven actions necessary to develop more resilient systems by integrating Cyber Security / Systems Security Engineering (SSE) into the well-known Systems Engineering (SE) process. This concept, shown in Figure 1 (see attachment), infuses systems security engineering techniques, methods, and practices into systems and software engineering system development lifecycle activities, thus becoming part of the core solution/process rather than an isolated and expensive add-on, bolt-on, and separate task/process.

The presentation will be based on a position paper developed on this topic area (see attached); it is intended to be presented and discussed in a forum such as COSAC to allow for audience interaction and feedback on the concept of Cyber Resiliency in the NATO construct. Cyber Resiliency by Design is an important topic area across NATO and the COSAC/SABSA event will be a perfect forum to discuss and examine current standards and methods in this area and possible implementations. Our intention is for this event to be a catalyst of change for cyber resiliency across NATO.

12:40 4A: Security Architecture in 3 Steps Speaker(s): Ross MacKenzie

Ross MacKenzie

Head of Security Architecture & Design, Westpac (Australia)

Ross MacKenzie is the Head of Security Architecture & Design at Westpac Banking Group, and is responsible globally for the delivery of security architecture, design and security capabilities. Ross has over 15 years of experience in the information security field, and is based in Sydney, Australia. He is also SCF & SCP certified.

Security is considered by many to be a blocker, often with accompanying complaints that Security Architecture decisions take too long and don't often align to enterprise business strategies.

WBC decided to transform its security architecture practice by adopting Lean and Agile principles of breaking silos, measuring everything and providing quick and immediate feedback to learn and improve.

In order to improve our security architecture practice, we decided to take on the following ambitious goals:

• Enable faster and effective decision making by ensuring that all Security architecture decisions and deliverables be completed in 3 days
• Ensure that the work flows through our structured Security architecture pipeline without interruptions or blockers
• Enable continuous compliance and security by continually verifying, correcting and adapting

In this talk, we will go through the following 3 step process to build Agile Security Architecture capability in order to reduce process and lead time:

1. Establish Enterprise Security Architecture principles, guardrails, patterns and metrics to ensure alignment with enterprise strategy
2. Build a security architecture pipeline by adopting Lean & Agile principles:
  • Break silos by building cross-functional teams
  • Divide work into small manageable work-packages
  • Develop quality metrics
  • Improve visibility of work
  • Provide quick and effective feedback
  • Optimise flow of work and remove bottlenecks
  • Automate, monitor and optimise; enable business and technology to be autonomous
  • Enable reusability and standardisation through Security Patterns & Building Blocks and by externalising Security Services (e.g. EAM, KMS)
3. Build an effective Security Governance capability by incorporating continuous security and compliance

In the end, we will bring all the theory into practice by going over a sample case study.

12:40 4B: Measuring Cyber Resilience Speaker(s): Edward Yakabovicz

Edward Yakabovicz

Technical Fellow, Northrop Grumman (USA)

Edward Yakabovicz is an innovative technical leader at Northrop Grumman responsible for advanced technologies for enhancing cybersecurity, resilience, and security engineering throughout enterprise, SCADA, and the Internet of Things. He is a cybersecurity doctorate candidate researching the current human capital crisis and inability to staff cyber related jobs.

This session will discuss new 2019 data on the Igor Linkov cyber resiliency measurement concepts discussed at COSAC 2018. The Linkov concepts discuss the practical methods to measure cyber resiliency, both negative and positive. The discussion offers to address changes and new innovative data from the 2019 NATO conference and others. This unique and novel way of measuring cyber resiliency appears to be the only valid method discussed around the globe as a novel and practical measurement practice. The outcome of the discussions will be that attendees take away a better and more practical way to measure resiliency and apply it to their subject matter.

13:30 - 14:30 Lunch

14:30 5A: Architecting Design for Trustworthy Software (DfTS) Speaker(s): Malcolm Shore

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The SABSA methodology provides a framework for security design but as with other standards does not specify any specific process to use. This presentation looks at the Design for Trustworthy Software (DfTS) approach to product design, and aligns it to the SABSA Framework. DfTS incorporates the best practices and features from a number of earlier development methodologies to ensure customer-driven design, and provides a context for deploying software quality management schemes. We will conclude with some insights into translating secure design into secure code by using the relevant elements from the Correctness by Construction methodology.

14:30 5B: Cavalry vs Rifles - Evolving Tactics in Cyber Security Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security.

Pre-Napoleon, the primary modern weapon of infantry was the smoothbore musket, which was both short-range and highly inaccurate. A cavalry charge was an effective tactic against unmounted fighters all the way back to the days of Alexander the Great… but give those fighters accurate, long-range weapons, and the advantage shifts.

Today, our battlegrounds have changed and our timescales are compressed, but we're still tackling the same challenge: changes in the weapons we're facing. As information security threats evolve, we must recognize that some of our traditional tools are also becoming obsolete, and that our tactics must evolve to meet the demands of today's environment. The question is: which tactics? And how? We will discuss risk assessment, data-driven threat modeling, which of our current solutions to leverage - and which to discard, and whether any of the much-hyped new domains (AI, ML, blockchain - bingo!) are actually adding value today.

15:30 6A: Forensic Readiness: Buzzword? More a Set of Attributes Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

15:30 6B: Ethics in Social Engineering & Penetration Testing Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Healthmap Solutions (USA)

Kathleen Mullin CISSP, MLSE, CCSFP is an influential information security practitioner with more than 30 years of experience. She has been a CISO at various publicly traded, private, not-for-profit organizations, and governmental entities including HealthMap Solutions, WageWorks, Healthplan Services, Adventist Health, and Tampa Airport. She has a BSBA from St Joseph’s College Maine and an MBA from Florida Metropolitan University.

Ethics in social engineering is frequently left up to the individuals involved, sometimes with disastrous results; without ethical boundaries, people’s lives are sometimes destroyed.

This discussion covers best practices and the potential adverse impacts of unethical behaviour: why the Social Engineer should care about the target, and why the client should care about the Social Engineer’s ethical values and approach.

What is the difference between morals, ethics, and culture? Why do those distinctions matter? Let’s look at the equivalency of testing on human subjects.

Decision making of the client and how they make those decisions. Who should they hire?

Also, the importance of trust. Can or should you terminate an employee based on the information that is garnered during the Social Engineering exercise? If an employee is terminated, what is the impact on trust relationships?

Rules of engagement, setting expectations, and outlining ethical behavior. Decision making of the Social Engineer: What to do when OSINT finds sensitive information or when the engagement goes wrong and there is the temptation to cross the line.

What to do when it all goes wrong even with good intentions. What should the outcome of a Social Engineering engagement be after the report is issued?

16:20 - 16:40 Afternoon Coffee

16:40 7A: Using SABSA to Design a Cyber Security Strategy Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Executive Consultant, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs.

The SABSA architectural methodology has a number of tools, techniques and frameworks that can help IT Security professionals understand the challenges they face, and present and discuss them with their executive and stakeholders when building and progressing a Cyber Security Program.

Fundamentally, a strategy is a document that sets out how you plan to achieve a series of long-term objectives.

Within Cyber Security our objectives must be closely aligned with those of the ICT group and, just as importantly, with those of the business as a whole.

If our Cyber Security Strategy isn’t helping the Business or ICT meet their objectives, then we will struggle to articulate our relevance and we will find it difficult to get budget. On the other hand, when our strategy clearly aligns and strengthens the business we are viewed more as a partner.

This presentation will cover a few of the basics of SABSA, provide you with a framework for a Cyber Security Strategy and then demonstrate how understanding and applying some key techniques from the SABSA tool kit can assist you in developing and presenting a coherent and aligned Cyber Security Strategy that the business will understand.

16:40 7B: DevSecOps: Enterprise Automation - Challenges & Approaches Speaker(s): Rahul Lobo

Rahul Lobo

Director, Ernst & Young (Australia)

Rahul is an experienced Cyber Threat Management professional with 16 years of experience, including 6 years managing a high performance security team, involved in attack and penetration testing, application security, vulnerability assessment, risk management and mitigation, IT security remediation, security architecture and security consulting.

Digitally disruptive technologies are rapidly converging. These technologies are fundamentally shaping value propositions and operating models.

In order to compete in the digital economy, enterprises are increasingly competing on time-to-market. The pace of change observed in digital solutions necessitates that security be built in instead of bolted on.

New threat landscape

  • Technology disruption is making online services more open and accessible to customers and attackers alike.
  • The advent of the connected world, and the inherent interconnectivity of people, devices and organizations, opens up a whole new playing field of vulnerabilities.
  • Critical information assets of organizations are more exposed to targeted attacks than ever.

Quick iterative releases

  • Typical sprint cycle for technology deployment is less than 30 days compared to 6-12 months for Waterfall SDLC
  • Short, time-boxed development iterations of small functional stories
  • Traditional security activities such as manual penetration testing don’t fit short iterative sprints
  • Development teams are only focused on changes for that iteration

Automated tools challenge

  • Tools need to be configured and tuned to get adequate coverage of critical application functionality and different testing strategies need to be used
  • Too many different types of tools and approaches available
  • Too many false positives from traditional security tools for the developer to deal with

In response to the challenges facing the inclusion of security testing in DevOps pipelines, and the requirement to be able to perform automated security testing early in the development lifecycle, EY developed a platform that can infuse automated security testing into development pipelines. The team leveraged the SABSA framework to define the business problem as well as to drive the business case for development of the platform.

The solution overview will look at various approaches for automated testing as well as their benefits / weaknesses as well as stages where they are appropriate. The presentation will also share case studies of successful integration of these approaches in large enterprises as well as typical challenges and how we overcame them.

Plenary Session

17:40 8P: Moving Security to the Left - Putting the Sec in DevSecOps Speaker(s): Debi Ashenden

Debi Ashenden

Professor, Deakin University (Australia)

Debi is Professor of Cyber Security and Human Behaviour at Deakin University & a Director of Industry Research for Deakin’s Centre for Cyber Security Research and Innovation (CSRI). Debi is also a Professor of Cyber Security at the University of Portsmouth (UK) & a visiting Professor at Royal Holloway, University of London. She is Programme Director for Protective Security & Risk at CREST (the Centre for Research & Evidence for Security Threats.)

With the move to continuous integration/continuous delivery and agile software development, shorter cycle times have led to initiatives such as DevSecOps that aim to integrate security with software development. While there are now processes and frameworks to support this integration, motivating software developers to develop secure code is a cultural and behavioural problem as much as a process issue. To develop a successful DevSecOps team requires security practitioners to understand the cultural and behavioural aspects of software development in order to successfully ‘shift security to the left’.

This talk starts from an illustration of the problem in a real-world setting before presenting research carried out with software developers to understand software development as a social practice. We look at the barriers and incentives that can hinder or help the integration of security with software development, including code analysis, code reviews and the culture of open source development. The final part of the talk will be a facilitated discussion to outline interventions that are more likely to ensure the successful implementation of DevSecOps and secure software development.

Networking & Dinner

18:45 Drinks Reception
19:15 Dinner

Wednesday 4th December 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 9A: Architectural Arms in Anger Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney, Australia with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

“Politics! Politics! Politics! Politics! Politics!” – Mel Brooks, History of the World Part I

A wise, pelvic-thrusting sage who possessed the power to render others infirmus ad genua (weak at the knees) once uttered these famous words: “War, woo woo woo, what is it good for?” The same might not only be said for corporate politics, but one might also go on to observe that he/she that has a stomach for corporate politics is truly a sick, sick individual. Similarly, a somewhat well-known carpenter once said “where two or more gather in my name, I am there”; in the same way, it might also be said that “where two or more work in an organisation, the potential for corporate politics exists”. But! Hear me, O People of COSAC: I bring you a new euangelion of good news and glad tidings! Rejoice and be glad, for there is a way to emerge from the political quagmires of your corporate sin: that way is called Practical SABSA! In this session, a real-life case study is presented to the forum in detail to demonstrate the practical power of SABSA to defeat evil and win over the people to the cause of righteous bodacity.

09:30 9B: Customer Service, Disservice or Self-Service Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Information security professionals do not have it easy. Public or private sector, we must serve our internal and external customers well while providing appropriate security. But don’t even think of slowing down crucial business processes or services. And isn’t the customer always right? “Why are you security people so difficult to deal with? Jeez, It’s like an Asperger ward. Don’t you realize we’re trying to run a business … in a competitive environment? And why the heck do we need so many security people? Can’t we automate some of this stuff and let the users take care of their own security setups and changes?” Experienced security professionals (that’s us) have heard this and worse in their careers, and usually admit that there might even be a bit of truth in some of the complaints.

We’ll analyze the situation on both the service provider (that’s us again) and customer sides from a security perspective, emphasizing the need to understand the viewpoints of those we must deal with. We will also analyze complications and particular difficulties inherent in doing anything that provokes as many potential conflicts as information security. Customers want what they want, they want it now, and they don’t want to hear that what they want represents a significant risk to the organization. We have to remember the function of the organization, and we want to serve our customers well, but we also understand that our responsibilities as security professionals are to safeguard organizational assets. COSAC APAC veterans all know that sometimes that means protecting users from themselves. In this session we’ll provide specific recommendations for actions that will help Information Security fit customer service principles and resolve conflicts.

10:30 10A: The Evolving Security Architect Speaker(s): Nigel Hedges

Nigel Hedges

CISO, CPA (Australia)

Nigel Hedges has been in the local Australian/New Zealand IT Security industry for 20 years, having spent a lot of time in the information security vendor and customer sectors, across security consulting, analyst and management roles. Nigel is currently the Information Security Manager (CISO) for CPA Australia, but spent several recent years as the Enterprise Security Architect for a large national Australian & New Zealand retail organisation.

Security Architecture can have different objectives and functions within an Information Security and Risk practice. There are various factors that influence how security architecture is approached, including organisational size, industry sector and risk profile.

This session will begin with an opinion on the evolving security architect role in different parts of the world (taken from independent survey), and the typical activities we have come to expect from this function. A retail case study will detail a particular practical approach and perspective to strategy, security programs, frameworks and security service catalogues.

The session will also discuss some of the perceived challenges (from real-world experience), such as the disconnect between the CISO, Security Operations, the vendor ecosystem and the business, how that can manifest itself, and recommendations on how you might improve these relationships.

10:30 10B: Dealing with BS: Adversity and the Security Practitioner Speaker(s): William Schultz

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Let’s face it, things don’t always go the way we plan. Being a security practitioner is difficult enough with the constant evolution of threats and attackers, and an ever-changing IT landscape. It also doesn’t help that there are so many other ways that things can go wrong: budget cuts, personnel changes, organizational changes, competing agendas, simple miscommunications. Shit happens. We also deal with other challenges like figuring out where to start, getting organizational buy-in, training up teams, and working with others who are involved in or control other parts of the process. These are a few examples of the adversity that we face, and that as security professionals we must be prepared and able to deal with if we want to be successful. In this session we will discuss strategies for coping when things don’t go as planned. We will discuss several real scenarios, including what worked and what didn’t, and we will engage as a group to discuss other approaches and experiences.

11:20 - 11:40 Morning Coffee

11:40 11A: Business Service Modelling - A Basis for Strategic Security Investments? Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, NBN Co (Australia)

Andreas is an Enterprise Security Architect for Australia’s national broadband network (NBN Co). At nbn he is responsible for defining Security Strategy and Roadmap across the organisation. Prior to nbn, Andreas has worked for Deloitte and HSBC in the role of Enterprise Security Architect, developing Enterprise Security Architecture Frameworks and solutions. Andreas is currently the Research Director on the ISACA Melbourne Chapter board and an industry advisor to various organisations.

SABSA is a powerful methodology for problem solving and has been defined as a structured approach to security architecture development. While SABSA is extremely useful for security architects, it is not always accepted as a common basis across other disciplines, such as IT architecture. Given that security is an integral part of any business, as is IT these days, documenting and designing business change should use a common basis for driving strategic change, including security investments. Business Process Engineering (BPE) and Business Process Management (BPM) can provide such a basis, but usually emphasise processes. Security requires consideration of both processes and resources. Business service modelling might be useful here. This presentation will explore the question: how can we add business service modelling to our security architecture toolbox and use it for strategic security investment planning?

Within this presentation we will explore how we can define business service modelling within the security architecture context and why a business service model is a great way of documenting and driving security change in an organisation. We will also look at how it aligns various disciplines and therefore allows us to consolidate strategic business changes with other changes required to support the business as a whole, such as security investments. Mature business service modelling can contribute to the success of business process improvement initiatives, help in understanding resourcing dependencies, be used as a basis for outsourcing initiatives, and be utilised as a basis for strategic security investments. A well-defined business service model for an organisation can highlight the most valuable processes, roles and resources in an organisation. Identifying business-critical applications should become a breeze with a mature business service model, given that applications are just another resource of a business service. Protecting core assets should therefore not be hard either, regardless of whether these are processes, roles, or resources.

At the end of this session participants should be able to understand the value of business service modelling and how it can be utilised to transform an existing enterprise security architecture of an organisation through strategic security investments. This will hopefully provide attendees with another tool in their security architecture toolbox.

In the spirit of COSAC, this session is designed to be interactive and will allow participants to share their experiences concerning the topic or voice their concerns about this idea. Where appropriate, this session will provide attendees with examples of scenarios that might have benefited from a mature business service model.

11:40 11B: Rise of the Weird Machines Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security.

One of the key assumptions in programming is that computers execute code that performs the function intended by the programmer. However, as programs become more complex, so do their inputs - resulting in situations where specially-crafted data can trigger unexpected computations in targets ranging from executables to OS elements to embedded hardware. These "weird machines" give rise to exploits in targets ranging from ELF metadata to X86 page handling to embedded font handlers… We'll discuss how weird machines are born, take a tour of Sergey Bratus' weird machine zoo, and talk about some of the frameworks and tools being developed to counter the rise of the weird machines.

12:40 12A: Have You Ever Considered Modelling? Speaker(s): Chris Blunt, Hugh Walcott

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

Hugh Walcott

Director & CTO, StrataMap (New Zealand)

Hugh is co-founder and CTO of StrataMap, an online platform for enterprise architecture and system modelling used by the government, enterprises and cybersecurity service providers. Hugh started his career as an electronics engineer before moving to ICT via the start-up labs of Cambridge UK. Highlights include performing the first ever internet e-cash transaction in 1998 and lead architect on the world’s largest real-time system (mega-city adaptive traffic management system).

“All models are wrong; some models are useful.” — George Box

While George Box is correct, models are only useful if they are both accessible and are meaningful to the audience.

We all know that SABSA provides us with a plethora of approaches, methodologies and techniques to develop models that express and capture the business requirements for security. However, it can be challenging to capture all of the information created during the development of the Enterprise Security Architecture (ESA) in a meaningful and useful manner.

The purpose of architecture documentation is to capture decisions. However, the modelling languages that are typically used to express those decisions are not widely understood by the stakeholders that have to use them. Have you ever presented an ArchiMate model to a business owner and seen the blank look on their face? It’s because you’re not speaking their language (i.e. the ArchiMate models may mean something to you, but they don’t mean anything to them.)

Also, when SABSA models are captured in documents, it can be difficult to effectively maintain traceability and reuse them when delivering new services that conform with the ESA. This is because traceability for completeness and justification is usually captured in static diagrams and tables, without the ability to easily visualise the areas that relate to a specific context.

In this session, we will present a platform that enables SABSA practitioners to develop and capture various SABSA models quickly and easily within a web browser. It provides better accessibility of the ESA across the entire organisation, together with two-way traceability and the ability to rapidly filter models to present different security viewpoints by organisational context (e.g. business capability, information systems, etc.).

Finally, we will pray to the demo gods and provide a real-world example of how the platform can be used to capture, present and reuse various SABSA models.

12:40 12B: Can AI be used for Fraud Investigation to Reduce the Insider Threat? Speaker(s): Tanya Harris

Tanya Harris

Director, Harrman Cyber (Australia)

Tanya's experience centres on performance psychology and why people do what they do. She holds certificates in Cybersecurity, Mobility & International Cyber Conflict. She is currently working on a research program with Goldsmiths and Oxford University in London UK, testing how AI can rapidly expedite fraud investigation and identify the rising risk of insider threat in order to mitigate such incidents occurring. Tanya is Non-Executive Director of Universal Data Protection.

This presentation is not about detecting threats through network analytics; rather, it uses AI machine learning technologies associated with transaction analysis, natural language processing and breakout detection to detect threats through people’s behaviors. This technology was developed for fraud investigation at the Centre for Intelligent Data Analytics division of Goldsmith University as development partners of Harrman Cyber. On a small PC we processed 600,000 emails in 2 days, flagging communications of importance to investigators that go unnoticed by the human eye. We worked on patterns rather than sentiment, allowing the system to trigger breakouts of importance in multiple languages. This talk will discuss how this technology can be used to prevent insider threat.

At the end of the session participants will be able to:

  • Comprehend the environmental elements that impact insider threat
  • Apply organisational thinking to security
  • Consider the use of artificial intelligence machine learning as a preventative tool to reduce insider threat

13:30 - 14:30 Lunch

14:30 13A: SABSA for SABSA - Using SABSA to Write a Good SABSA Practitioner Exam Answer Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

Many SABSA Practitioner candidates look for examples and guides for paper submission, but because the nature of SABSA is to tailor solutions to business needs, it is far better to apply a SABSA study to your organisation than to try to answer questions from a purely academic perspective.

Rob will cover a SABSA inspired method to extract the critical components of SABSA questions into business attributes. These attributes then naturally lend themselves to quantification through control objectives, performance targets, SABSA assurance and SABSA risk management models to add vitality and verify the answer as you are developing it.

Rob was the winner of the 2018 Matt Whelan award for the best practitioner or master’s paper and in this session, Rob will present advice, tips and tricks from the field, helping you present your SABSA study in a way that will receive the greatest share of marks.

14:30 13B: Threat Intelligence & Threat Hunting Demystified Speaker(s): John Willis

John Willis

CEO, Turnaround Security (USA)

John M. Willis is a Chief Information Security Officer (CISO) for Zermount, currently supporting the United States DHS, and previously for Lockheed Martin supporting The United States Mint. He was also a Principal Information Security and Privacy Consultant for pINFOSEC, supporting U.S. government agencies and private sector companies. Prior to security, as Principal Configuration Management Consultant for Regulus Consulting, John supported numerous Fortune 500 companies for over 10 years.

Deciding which threat intelligence data to acquire, aggregating that data, prioritizing threats and vulnerabilities, then hunting for adversaries on your systems is a rather complex and fast-changing area to understand and keep up with. First, you must identify which types of threat actors present the greatest risk to your business. Then, you need to identify what the specific risks are to which systems. With this knowledge you can then know the questions you want answered by threat intelligence data. You must balance the need for strategic versus tactical data. Once you know what threats you are looking for you then want to begin looking for adversaries on your systems that are using techniques not identified in the threat intelligence data. Specifically, you want to incorporate MITRE ATT&CK technique data. There are other key considerations such as enriching the data, sharing data, utilizing machine learning, and automated remediation.

Threat intelligence data is now consumed in many different areas of the enterprise, by people, processes and technology. Key use cases include monitoring of the web, brand, social media, and threat actors; vulnerability prioritization; enrichment; phishing detection; investigations and response; and data sharing.

15:30 14A: Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.
15:30 14B: System Security Engineering - Whose Job is it Anyway? Speaker(s): Dawn Beyer, Perri Nejib

Dawn Beyer

Senior Fellow, Lockheed Martin (USA)

Dr. Dawn Beyer is a LM Senior Fellow for Lockheed Martin. She has 26+ years of experience covering security engineering, cybersecurity, systems engineering, military operations, risk assessments, strategy, and policy development and execution. She provides consultation to proposal, program, O&M, and project teams. Dr. Beyer is a cyber leader in LM and Industry. She Co-Chairs the National Defense Industry Association (NDIA) Cyber Division.

Perri Nejib

Technical Fellow - Cyber Solutions Architect, Northrop Grumman (USA)

Ms Nejib has 33+ years of system engineering and program protection experience and 27+ years of technical leadership & DoD acquisition management experience. Currently part of the Advanced Cyber Technology Center (ACTC) as one of its senior engineering consultants & is deployed to the Missile Defense & Protective Systems Division (MDPS) as Cyber Solutions Architect. In this role she supports key programs, serves as stakeholder on MDPS IRADs and provides SSE subject matter expertise.

A look at current and evolving policy, guidance, and standards surrounding security activities in the systems engineering life cycle. Emphasis is placed on Systems Security Engineering (SSE) and how application of systems engineering (SE) concepts and processes in an agile manner (agile systems engineering) throughout the life cycle is the way to deal with the dynamic and diverse world of cyber threats to a system (Dove 2014). This paper is a follow-on to “Response to Cybersecurity Demands for Agility” (Nejib-Beyer 2014), published in the International Council on Systems Engineering (INCOSE) Insight in 2014. The focus of that research was bringing attention to cybersecurity and the importance of other disciplines in contributing to secure systems. Since that time many of these domains have further developed their own standards, processes and guidance in the area of cybersecurity. What is needed now is a way to take these domain-focused concepts and integrate them into and across a systems life cycle. The best way to achieve this is as part of the SE function. Designing and building secure systems requires a seamless integration of security into SE processes, and agile methodologies adopted to constantly revisit, re-evaluate, and re-design as part of a risk management process. The framework that will be discussed in this paper will focus on taking currently evolving guidance in SE and breaking that down into products and tools for system engineers to easily determine the relationship and value between SSE and SE. In addition, quick reference guides will further enhance and enable successful development and integration of SSE artifacts into SE artifacts. One of the companion pieces needed in the existing SSE documentation is a mapping of work products/artifacts generated during the life cycle/technical processes to the responsible and contributing parties.
Critical to the success of the new guidance, such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-160, Systems Security Engineering, is a clear accountability and acceptance of all disciplines on their contributions and influence towards developing a secure system. An SSE roles and responsibilities framework concept will be presented and discussed for consideration. The framework is an implementation tool to be used along with existing guidance in the area of SSE and SE to clearly demonstrate that program protection is not the responsibility of any one person or discipline, it is the responsibility of an entire team of individuals planning, developing, deploying, operating & maintaining (O&M), and retiring a system. SSE is the “glue” that binds all of this together during the SE life cycle to enhance system security.

16:20 - 16:40 Afternoon Coffee

16:40 15A: A Reference Architecture for Implementing Governance Speaker(s): Malcolm Shore, Maurice Smit

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.
16:40 15B: Connections Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

In the late 1970s James Burke's ground-breaking TV series 'Connections' explored the various paths of how technological change happens and the social effects of these changes on Western society. To illustrate this he followed various timelines of how one innovation led to something totally unrelated in the future. The series had a profound effect on me, in particular how you can learn to think laterally and how that can drive technical innovation.

Tony Sale was an inspirational leader and lateral thinker; his legacy at The National Museum of Computing is not just the Colossus Rebuild Project but the Bletchley Park site as a whole. In this talk I shall follow some of the connections that led to the birth of the computer security industry and the challenges we face today.

Plenary Session

17:40 13P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.net

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4th December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner

Thursday 5th December 2019

09:30 - 10:00 Delegate Registration & Coffee

11:40 Morning Coffee
16:10 Afternoon Coffee

Workshop W1

10:00 2nd COSAC APAC Design-Off Speaker(s): William Schultz, Jason Kobes

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University.

After a successful session last year in Sydney we are taking the design-off to Melbourne! In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide an opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Workshop W2

10:00 3rd Annual APAC International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 3rd International Forum is a deep-end immersion in the COSAC APAC way. There'll be a room full of dedicated, savvy, scar-bearing security professionals analyzing hypothetical scenarios and actual events from widely different perspectives, based on widely different experiences and perceptions of success and failure learned in the trenches. These information security masters offer and rigorously defend their opinions, but are also ever-willing to help others and learn from each other. This leads to reality-based analysis of recent and probable future events and trends from perspectives illuminated by deep and broad information security knowledge and experience. And nobody charges consulting fees.

The moderator describes some actual recent event or prediction of the future or analysis of security-related issues, then comes up with a question or two about associated issues. He might then prod one or more attendees for their take on the issues in question, but more likely, he’ll try to avoid getting in the way, thus prompting participants to discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

It was true when we started the Forum back in Ireland 20+ years ago, and it’s true in Australia rapidly approaching 2020 - “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” Ransomware, cryptojacking, social network privacy and security issues, GDPR, nation-state offensive activity, IoT device proliferation and security, finding and keeping competent help … – the 2019 list of real and potential concerns will no doubt continue to grow and bleed into 2020. Even if we could address them all, we have to keep playing whack-a-mole on the classic security gems that never seem to get fully resolved - password discipline, cloud security, access control, end-point security, policy writing and implementation, awareness and training, … ad infinitum. One of the features that makes the Forum so valuable is learning from each other (as grizzled veterans) what we can do and what we can’t – where to focus our limited resources. Trying to do everything at once is a sure prescription for failure.

The discussions and analyses started here in the Forum almost always continue throughout COSAC APAC, and often beyond, leading to unique, realistic and workable solutions to seemingly intractable dilemmas. They also lead to building a network of intelligent, experienced, realistic people you can count on for trenchant analysis and real help. Come join us and help solve the information security problems of the world.

13:30 - 14:30 Lunch

Workshop W3

14:30 Ask us Anything - A Q&A with a SABSA Masters Panel Speaker(s): Chris Blunt, William Schultz, Malcolm Shore, Maurice Smit

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI standards.

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand, where he held positions with the RNZAF and the Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand and NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to "it depends", and most of the time that is true: the answer to your problem depends on the question you are actually trying to answer. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is usually in knowing which part of the methodology to use, and where to start from the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Input from attendees will essentially build the agenda for the conversation, and we will attempt to cover as many topics and questions as possible. Of course, in the COSAC way, there will be plenty of group debate and interaction, and no shortage of other experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:30 Security is Non-Trivial - Another Surprisingly Serious Approach... Speaker(s): Lisa Lorenzin, Peter Nikitser

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security.

Peter Nikitser

Director, ALC Cyber Security (Australia)

Peter Nikitser is in his 30th year of IT, most of which has been spent in information security. He is a co-founding member of both AusCERT and SL-CERT. When he is not travelling, teaching students or consulting, Peter spends time renovating his acreage, and can tell you all about lantana.

Over the last couple of years at COSAC, we have explored common issues in cybersecurity via an uncommon format. This year we're offering COSAC participants a new opportunity to test your mettle! With topics ranging from general information security to SABSA principles to history, this session will spark conversations, broaden our collective knowledge, and offer a light-hearted - but seriously informative - venue for sharing our experiences. We learn best from each other, and from the chance to go off-script and see how much we really know, individually and in groups.

Conference Close

18:00 COSAC Chairman's Closing Remarks Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.