
Welcome to COSAC - Conferencing the way it should be! View the COSAC APAC 2023 agenda below.


Tuesday 28th February 2023

08:30 - 09:00 Delegate Registration & Coffee

09:00 1P: COSAC APAC 2023 Chairman's Welcome Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
09:30 2A: Raiders of the Lost Attributes Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

SABSA measures the impact of risk on attribute performance targets within a domain, and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle, with the whereabouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute, or are we searching for the missing link in this view?

In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition.

09:30 2B: Autonomous Intelligent Cyber-defense Agents: Next-Generation Cyber Resilience Speaker(s): Phil Bridgham

Phil Bridgham

Cyber Architect, Northrop Grumman (USA)

Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including: Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.

Achieving cyber resilience for our critical systems using traditional, human-intensive methods is becoming more difficult as adversarial tactics, techniques and technologies outpace our current cyber defenses. New and disruptive techniques are needed not just to catch up with the increased risk of cyber threat vectors, but to surpass the threat and attain cyber resilience.

This presentation provides an introduction to how we can collaboratively develop and acquire Autonomous Intelligent Cyber-defense Agents (AICAs) for next-generation cyber resilience.

This presentation explores and discusses the future of autonomous cyber defense and resilience techniques from the human perspective, as well as how this new paradigm for autonomous intelligent cyber-defense agents may be integrated with our human cyber protection team with transparency and explainability. It introduces the AICA International Working Group’s ongoing efforts to develop a new reference architecture for implementing autonomous intelligent cyber-defense agents and to transition the science from concept to reality for battlefield applications.

We will discuss the definition for intelligent cyber-defense agents, and the requirements and challenges associated with this approach, including: Infrastructure, architecture and engineering; Individual and collective decision-making; Stealth and resilience; Societal considerations.

We then examine and discuss modernizing for tomorrow through the application of cyber-defense agents by exploring the need and requirements for human-machine teaming. This portion of the presentation will present novel techniques for aligning human and machine mental models and user interface techniques for gaining transparency and explainability for artificial intelligence (AI) and cognitive solutions.

10:30 3A: Space Systems, Cyber Security and SABSA Attributes Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

The space sector is undergoing a new surge in activity as major advances in technologies create opportunities for existing space systems owners (e.g. governments, SATCOM telcos) and new players to design, build, launch and operate new space systems and services. At the same time, there is increased use of and reliance on space services within the general economy.

All space systems and services are complex technology-based platforms that have specific cybersecurity concerns and attributes. This session will discuss these issues around the application of cybersecurity to space systems, current developments in security in the sector and review the applicability of specific SABSA attributes to the security architecture of space systems.

10:30 3B: Cyber Resilience – Converting Crisis into Opportunity Speaker(s): Gokul Srinivasan

Gokul Srinivasan

CEO, ARInnovate (Australia)

Gokul is a cyber security expert specialising in cyber incident response, business continuity planning, security operations, secure software development and cyber security strategy. With more than 18 years of cyber security experience, Gokul is now the Founder and CEO of ARInnovate, a cyber security consulting firm based in Australia. Through ARInnovate, Gokul serves organisations in Australia, Singapore and India.

A cyber-attack is inevitable, and all organisations need to be prepared for it. Time and again we have seen cyber resilient organisations convert a crisis into opportunity and are praised for their effective management of catastrophic cyber security incidents.

When an organisation manages an incident efficiently, it restores trust in the brand and shows customers, in a positive light, what the organisation truly stands for.

Cyber resilience directly increases customer loyalty and eventually increases revenue for organisations.

We have developed the ICBR framework that organisations can use to become cyber resilient. ICBR stands for Incident Response, Crisis Management, Business Continuity and Recovery Planning.

In the session, we will discuss the following:

  • Defining cyber resilience
  • Why is critical resilience critical?
  • Key differences between cyber security and cyber resilience
  • Introduce the various components and sub-components of the ICBR framework
  • Practical actions that organisations can undertake to achieve cyber resilience.

11:20 - 11:40 Morning Coffee

11:40 4A: Just Give Me a Number! Speaker(s): Martin Hopkins

Martin Hopkins

Consultant, Attributive Security (UK)

Martin is an independent information security consultant with a current focus on security advisory to small businesses in the UK. He has over 25 years’ experience in technology, primarily in security related fields. A regular speaker on cyber security topics, he is a strong advocate of business driven security, security architecture and secure software development practices.

Despite the investment in cyber security over decades, many security teams are still wedded to qualitative methods. When the business comes asking for our evaluation of something, it all comes down to this: will the answer be high, medium or low this time? We categorise into one of 3, 4 or maybe even 5 ordered categories. Based on these ordinal scales we turn out the same charts to communicate security to the business. We still hear the argument that senior leadership’s brains would explode if we tried to explain it. But they think we’re just fudging it and say, “what do you expect us to do with this?”. They want a number. Numbers can be added, multiplied and averaged. They can be compared to other people’s numbers; they can be plugged into models. This is the 21st century; quantitative methods are what is needed.

So now we get asked for a number? Once delivered, that number will be the expert opinion, quoted as gospel and combined with other such numbers in ways we cannot begin to comprehend, and cannot control. It’s true, there are fewer places to hide: we’re now being asked to be certain of our uncertainties. So, what to do? We do what everyone would do: we pad the numbers, and we do it early. When combined, the padding grows and the numbers lose even more accuracy. But they also gain the illusion of precision, which merely serves to make them more trustworthy to the masses. Oh, and the numbers are often just as subjective as the qualitative methods that came before.

Do we even consider the risks relating to our risk management frameworks and methods themselves? If we misrepresent risks to the business, it may not be those risks that derail us, but the decisions made based on the bad data. SABSA does not magically resolve this issue: it is commonplace to see single numbers for risk (and its constituent elements), performance targets and risk appetite.

This session will discuss some pitfalls of quantification as well as questions such as:

  • How can we express our uncertainty so that it survives the calculations that will follow?
  • How can we improve our objectivity and deliver numbers that we’re confident are accurate and are sufficiently precise?
  • How do we enable aggregation with numbers we didn’t produce?
  • Do we need expensive specialised tools to get started?

11:40 4B: Improving Healthcare Cybersecurity During a Pandemic Speaker(s): William Schultz

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

In this session we will discuss the growth of a cybersecurity risk management program at a Healthcare organization during the COVID-19 pandemic. In addition to the pandemic, we were also experiencing an unprecedented increase in targeted cybersecurity attacks, as well as maintaining consistent organizational growth. We will discuss the significant executive leadership support that enabled and drove the cybersecurity improvement efforts even while they were dealing with the significant impacts of COVID-19, and setting up the organization as a leader both regionally and nationally. The key topics will include discussion of our efforts around the enterprise cybersecurity risk management program and IT vendor risk management program, as well as the significant collaborations with IT and clinical colleagues that have proven to be essential to our success. We will discuss successes, lessons learned, and next steps as our journey continues.

12:40 5A: Shifting Left: Security Risk Intelligence introduced the SABSA® Way Speaker(s): Paul Blowers

Paul Blowers

Head of Assurance, SEQA (New Zealand)

Paul Blowers has more than 35 years’ experience in security. He is a certified SABSA® practitioner and advocate, and an APMG practiced Business Change expert. He has extensive experience supporting Law Enforcement, Defence, Intelligence and Border Security environments and with a wide range of private sector organisations. He has spent the last 18 years in New Zealand and has also worked in the USA, the UK, and mainland Europe. His roles include CISO for NZ Police, managed his own consultancy...

My presentation will introduce the concept of security integrated business assurance built on a foundation of risk intelligence that supports the hypothesis of adaptable security.

Using anonymised case studies experienced during the pandemic years, my presentation will highlight how three organisations have embraced the ‘Shift Left’ concept. ‘Shift Left’ addresses the challenges of point-in-time security solutioneering by moving to a place of complete business immersion. No longer the business outcast, but a true business outcome enabler.

12:40 5B: Ransomware and Wiperware in Healthcare Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds and manufacturers still sell systems with obsolete operating systems.

Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware.

The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals.

The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives.

13:30 - 14:30 Lunch

14:30 6A: Deep Behind Enemy Lines with SABSA Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.
“They are in front of us, behind us, and we are flanked on both sides. They can’t get away from us now!”
Lt.Gen. Lewis “Chesty” Puller, USMC

The environment is a mess. The architects are proselytizing. The engineers want you to go away. The project managers are flogging dead horses everywhere while shutting out distractions from you. The auditors are sticking the knife into you. Management is screaming at everyone for updates. The business hates the whole damn lot of you.

And there you are, right in the centre of the storm, being handed your rifle, pointed at the direction of the enemy and told to start running!

All too often, we are faced with the unenviable circumstance of being dropped into a swirling maelstrom of conflicting goals, priorities, challenges, ideas and personalities, and are expected to start pulling rabbits and unicorns out of the proverbial hat – and all while being watched and ruthlessly judged by your peers, your management and the Board!

If all that sounds like it’s enough to make you curl up into a foetal position wrapped in a Dettol-soaked blanket mumbling random prose in haiku*, then this presentation is for you!

In Deep Behind Enemy Lines with SABSA, 20 years of practical experience is brought to bear to provide you with the joie-de-guerre to face an enormously complex and challenging environment, win allies and set yourself up to succeed with SABSA. Before you know it, you will dive headlong where angels fear to tread, with a smile on your face, into the fray of a real corporate environment and revel in a resounding victory!

* based on actual events

14:30 6B: Let's get Cyber Physical: Aligning SABSA and the ISA/IEC 62443 Standard Series Speaker(s): Bruce Large

Bruce Large

OT Cyber Security Team Leader, Powerlink (Australia)

Bruce Large has 15 years experience working with IT and OT in network, telecommunications and system engineering roles. Bruce has worked in Electricity Generation & Transmission, Railway, Aviation, Emergency Services and Consulting industries. Bruce considers himself a security architecture enthusiast as well as an infrastructure tourist. He is a Foundation Chartered SABSA Architect (SCF), is (still..) working on his A3 SCP paper, holds the GIAC Response and Industrial Defense (GRID)...

This session will present a framework integration of SABSA and the ISA/IEC 62443 Standard Series, which addresses Cyber Security for Industrial Automation and Control Systems. With the increased public awareness of cyber security incidents affecting Industrial Control Systems (ICS) and the industry drivers to converge Information Technology and Operational Technology, we need a true enterprise security framework that works for both IT and OT. The session will draw upon the presenter’s practical experience as a security architect working in Operational Technology environments.

This session will educate and inform the audience about the nuance of Operational Technology (OT) cyber security through the application of ISA/IEC 62443. This application will enable critical infrastructure operators to manage their risks and opportunities for cyber physical systems in a truly holistic and whole-of-enterprise manner. The debate over convergence has passed; now it is about making risk-informed integration decisions.

The session will make it real by using a worked example of the fictitious State Power Corporation Enterprise Security Architecture. The session will also encourage audience participation in working through common assumptions for the state of OT cyber security and challenge the audience to consider the differences of IT and OT.

15:30 7A: I Shot the (Sheriff) Architect but I Didn't Shoot the Deputy Speaker(s): Pete Wolski

Pete Wolski

Head of Information & Cyber Security, MYOB (Australia)

Peter is an experienced security professional, currently Head of Information and Cyber Security at business management platform MYOB. With 18 years’ experience in various roles and industries, Peter has supported a variety of public, commercial, regional and global clients. In his most recent roles Peter has focused on engaging with business and technology management, enhancing risk awareness and mitigation through planning, strategy and technology architecture. He is focused on discovering...

Does a scale-up software engineering company need a security architect to have a successful security program? Is strong technical leadership and a strongly business aligned security engineering community of practice enough? This session will interrogate the trade-offs and pitfalls of choosing to do away with the security architect role.

At MYOB, we set out to engender strong security practices as opposed to creating a security architecture. Our guiding principle is that the business aligned security team can build the solution with engineering teams in addition to guiding and influencing. We also asked what could be borrowed from architecture frameworks and applied to a digital products organisation. In a world where objectives and key results drive business outcomes can the SABSA attributes model be augmented to deliver the same security outcomes?

Are these concepts sustainable in the long term? How does a security program stay aligned to strategic outcomes with engineers, not architects?

15:30 7B: Digital Safety and Protecting our Cyber-Physical World Speaker(s): Andy Prow

Andy Prow

Founder and Tech Entrepreneur, RedShield Security (New Zealand)

Andy is a cyber-security veteran with 28 years of IT experience, over half of which has been in cyber security. From being a software developer for global giants such as IBM, Ericsson & Vodafone, to pen testing and vulnerability research, to more recently as a tech entrepreneur founding 5 firms, including Aura InfoSec (purchased by Kordia in 2015) and RedShield Security which now protects thousands of web apps and critical systems across globe. Andy is a previous winner of the EY NZ...

More human interaction now occurs in the digital realm than in the physical realm. The internet is where our kids grow up. Software is running our physical world. Yet we have more vulnerabilities and more exploits than ever.

The cyber-security sector has historically been defined as the “protection of computers and networks”, and yet our roles are fast becoming way more than this...

This presentation covers "Digital Safety" and what that means, not only to us as practitioners, but particularly to the people who want to feel and be safe both online and in the physical world.

I’ll be challenging current thinking in areas such as:

  • What happens when exploits to our digital realm impact the physical realm?
  • Are we equipped to cope? Are our current “IT risk management and security protocols” sufficient to protect the physical world?
  • Should boards be legally liable for physical injury caused by software breaches?
  • Who would be willing to guarantee and warranty their systems against breaches?

In short, security weaknesses in our digital realm are already impacting our physical realm. What insights and learnings can we take from building a world of “Physical Safety” into how we provide “Digital Safety”?

16:20 - 16:40 Afternoon Coffee

16:40 8A: Gaining Business Value from Security Architecture Speaker(s): Andreas Dannert

Andreas Dannert

Principal Enterprise Security Architect, Standard Chartered (Singapore)

Andreas is Principal Enterprise Security Architect at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), a government-owned enterprise providing critical infrastructure services to millions of Australians.

This session will focus on the challenges of maximising the business value organizations can gain from their Security Architecture function in middle to large sized, compliance driven organizations, like finance and banking for example.

The session will be based on personal experiences in the Telecommunications and Financial industry. It will cover how combining enterprise architecture governance, information management approaches and other architecture models, frameworks and concepts will be essential for gaining value from an organization’s security architecture function.

While SABSA might be a good starting point for aspiring security architects to plan for security changes, it does not go into the detail of integrating change and operations to deliver business value. For this it is important to understand business service models, business capability maps, organizational taxonomies and more. Enterprise architecture maturity and governance can have a huge impact on the value security architecture can contribute to a business. The presenter will share his experiences and views on these and other aspects, providing an insight into which factors outside of the Security Architecture function will be equally important when an organization wants to establish a more mature security architecture capability and get value beyond ticking a compliance box.

At the end of this session participants should be able to understand the challenges that need to be addressed when being asked to set up or mature Security Architecture capabilities in an organization. This presentation should assist CISOs, senior executives, and senior security architects in gaining a broader understanding of the interplay between security architecture, enterprise architecture and other business aspects, like corporate culture and organizational structure, when it comes to delivering business value through security architecture.

In the spirit of COSAC, this session will hopefully provoke lots of questions, discussions and sharing of experiences that will assist in building and maturing Security Architecture in organizations that not only want to tick the business compliance box when establishing a security architecture function, but also want to see some tangible returns, like increased customer trust and business agility for example.

16:40 8B: Misinformation for Fun and Profit Speaker(s): Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...

This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive.

The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements. The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not.

This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape.

Plenary Session

17:40 9P: De-biasing the Security Architect Speaker(s): Patrick Dunstan

Patrick Dunstan

Head of Cyber Security, Seqwater (Australia)

Patrick (Pat) Dunstan leads the Cyber Security Team for Southeast Queensland’s Bulk Water Authority and has over 15 years’ experience leading cyber teams and delivering security outcomes for some of Australia’s largest companies. Pat has a broad and deep background in cyber security and has experience working across multiple verticals, including security operations, penetration testing, cyber consulting, security architecture and management. Pat is an engaged student on the subject of risk...

Good decisions are at the heart of every successful security architecture. A security architect must constantly make good decisions and sound judgements to protect business assets from harm and keep an enterprise safe. But what if these decisions weren’t always sound? What if these judgements were just plain wrong? The truth is that making good decisions is hard. Decades’ worth of behavioural science research has consistently shown that humans aren’t naturally wired to make good decisions. Our mental makeup is subject to many biases that impair our decision-making. In the context of SABSA security architectures, these biases can adversely influence how security architects make risk decisions and protect business assets. Poor decision-making in this respect can be costly and jeopardise the overall value proposition of a security architecture. This presentation will focus on some of the more common biases that arise when designing security architectures and what can be done to overcome them.

Networking & Dinner

18:45 Drinks Reception
19:15 Dinner

Wednesday 1st March 2023

09:00 - 09:30 Delegate Registration & Coffee

09:30 10A: A SABSA-based Model for Critical Infrastructure Zero Trust Speaker(s): Marina Liu, Malcolm Shore

Marina Liu

PhD Candidate, Deakin University (Australia)

Marina Liu is a PhD candidate at Deakin University. She is a recipient of the Deakin University Postgraduate Research Scholarship. Prior to that, she received her master’s degree in cyber security from Deakin University in 2021. Her research interests include zero trust cybersecurity, blockchain and risk management. Her research has been published in the Journal of Computer Information Systems. Her PhD topic focuses on zero trust maturity, and includes the development of a SABSA attribute-based...

Malcolm Shore

PhD Supervisor, Deakin University CSRI (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Zero Trust Cybersecurity (ZTC) is emerging as the preferred security model for business and government and is now a critical national infrastructure mandate for US Government Agencies. ZTC differs significantly from the trust-model of traditional perimeter-focused security, requiring instead real time validation of access based on policy which dynamically adjusts to the cyber environment. The implementation of ZTC is a complex undertaking involving situational awareness of the cybersecurity state relating to identity, device, application, infrastructure, network, and data. This goes beyond the traditional triad of confidentiality, integrity and availability into attributes such as timeliness of authentication, assurance of device health as well as microdomain zoning and dynamic policy.

As organisations begin to implement zero trust in their infrastructure, there is a need to be able to measure the effectiveness of the infrastructure from a zero trust perspective. This requires measurements of both control performance and process maturity in order to effectively manage risk. In this presentation, we describe a model for measuring the performance of a critical infrastructure zero trust implementation using SABSA, developed as part of a post-graduate research initiative on Zero Trust maturity.
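The abstract above names attributes that a zero trust policy decision must weigh beyond confidentiality, integrity and availability: timeliness of authentication, assurance of device health, and policy that adjusts to the threat environment. The following is an added illustration, not the presenters' model or code, of how such attributes turn into a per-request decision. Every name in it (the Request fields, the Policy thresholds, the sample subject and device identifiers) is assumed for the example, and the sample requests are constructed.

```python
"""Toy zero-trust policy decision point (PDP).

Added illustration only. Field names, thresholds and sample data are
assumptions for the example, not taken from any real product or policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Request:
    subject: str
    device_id: str
    resource: str
    sensitivity: str               # "low" or "high" (assumed classification scheme)
    auth_time: datetime            # when the subject last authenticated
    mfa: bool                      # whether that authentication used a second factor
    device_compliant: bool         # posture verdict from an assumed MDM/EDR signal
    device_attested_at: datetime   # when the posture verdict was last produced
    threat_level: str = "normal"   # "normal" or "elevated", from an assumed SOC feed


@dataclass
class Policy:
    # maximum age of the last authentication, per data sensitivity
    max_auth_age: dict = field(default_factory=lambda: {
        "low": timedelta(hours=8), "high": timedelta(minutes=15)})
    # device posture older than this is treated as unknown, not as healthy
    max_attest_age: timedelta = timedelta(minutes=30)
    require_mfa_for: frozenset = frozenset({"high"})

    def auth_age_limit(self, sensitivity: str, threat_level: str) -> timedelta:
        """Dynamic policy: halve the tolerated authentication age under elevated threat."""
        limit = self.max_auth_age[sensitivity]
        return limit / 2 if threat_level == "elevated" else limit


def decide(req: Request, policy: Policy, now: datetime) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    Device health is evaluated first: a non-compliant or stale-attested device
    is denied outright rather than offered step-up authentication, because a
    fresh login on an unhealthy device does not reduce the risk.
    """
    reasons: list[str] = []
    if not req.device_compliant:
        reasons.append("device_non_compliant")
    if now - req.device_attested_at > policy.max_attest_age:
        reasons.append("device_attestation_stale")
    if reasons:
        return "deny", reasons

    # timeliness of authentication and factor strength, both re-evaluated per request
    if now - req.auth_time > policy.auth_age_limit(req.sensitivity, req.threat_level):
        reasons.append("auth_too_old")
    if req.sensitivity in policy.require_mfa_for and not req.mfa:
        reasons.append("mfa_required")
    if reasons:
        return "step_up", reasons
    return "allow", ["policy_satisfied"]


def run_samples() -> dict:
    """Evaluate constructed requests against the default policy."""
    now = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)
    policy = Policy()
    base = dict(subject="alice", device_id="lap-01", resource="payroll-db",
                sensitivity="high", auth_time=now - timedelta(minutes=5),
                mfa=True, device_compliant=True,
                device_attested_at=now - timedelta(minutes=10))
    samples = {
        "fresh_high": Request(**base),
        "stale_auth_high": Request(**{**base, "auth_time": now - timedelta(minutes=40)}),
        "no_mfa_high": Request(**{**base, "mfa": False}),
        "low_under_threat": Request(**{**base, "sensitivity": "low",
                                       "auth_time": now - timedelta(hours=5),
                                       "threat_level": "elevated"}),
        "low_normal": Request(**{**base, "sensitivity": "low",
                                 "auth_time": now - timedelta(hours=5)}),
        "stale_device": Request(**{**base, "device_attested_at": now - timedelta(hours=2)}),
        "noncompliant": Request(**{**base, "device_compliant": False}),
    }
    return {name: decide(req, policy, now) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:18s} {decision:8s} {', '.join(reasons)}")
```

The point of the ordering in `decide` is that device assurance and authentication timeliness are independent attributes with different failure responses: a stale or failed posture signal cannot be cured by re-authenticating, so it denies, while an aged session can be repaired by step-up. Counting decisions per reason over real traffic is one concrete input to the kind of control-performance measurement the abstract calls for.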

09:30 10B: Lost and Found - Good Information Security Governance Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cybersecurity (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...
 

One of the pillars of a well-functioning information security program is effective governance. Good governance tends to go unnoticed. Bad or ineffective governance, however, becomes very apparent when “things go wrong”. What is good governance? How do you know if you have it or not? What is the value of having good governance and the penalty for not having it? These tend not to be the burning questions within the organization until bad things happen, and the inevitable question gets asked: how could this happen? I thought we had a policy for that. More difficult questions could follow from the Board. Governance is one of the main drivers and foundations in many, if not most, security architectures or frameworks. What is it and how do you get it? How do you know if it is good or not? Having defined security policies is not enough.

We will define what information security governance is and how it applies to all levels, from overall corporate governance and oversight through to the security program that is implemented and operationalized. We will define the “value of effective governance” and the evidence of ineffective or non-existent governance. We will have a look at what the standards such as ISO, NIST, the ISF, CIS CSC and several others have to say about the need for effective risk management and governance.

How do we build an effective information security governance model and get the right people making the right decisions, with the right accountability, at the right time to continually manage risk to the acceptable level, even when “things go wrong”? We will outline the top 10 things to consider and the critical success factors that will show you governance is working. Good governance provides effective management of business risk and is much, much more than just having good technology and policies.

10:30 11A: Arrival at the Promised Land, or a Deal with the Devil? Speaker(s): Shane Tully

Shane Tully

Global CISO, A24 (Australia)

Shane is the Global CISO of A24 and previously was an enterprise security architect with experience in Australian state government agencies, transport and financial services industries. His interest is in the security of international businesses. Shane was the founder of the oneworld® airline alliance IT Security Forum; a founding member of the board of management of the global security thought leadership group, The Jericho Forum; an invited attendee at the APEC 2007 data privacy seminars; and...
 

My proposed topic is at this stage loosely looking at the application of the SABSA Architecture for Cryptographic Key Management for Cloud, Cloud-adjacent & On-prem alternatives – supported by some case studies.

It will also discuss ways to align to new Cryptographic protocols coming out of NIST to position companies for the quantum computing algorithms.

The value proposition for this topic will be that it covers 3 scenarios that could apply from large enterprises, to smaller enterprises – whether they are still utilising on-premise compute, or Cloud, or Cloud-adjacent models.

The uniqueness of this presentation is that hopefully the Cloud-adjacent model has not been previously presented at COSAC – so this would be a point of differentiation for the audience.

In terms of timeliness, with ever increasing demands for data protection, and businesses considering alternatives to the big Cloud providers, hopefully this will give the audience timely and relevant information for other cryptographic capabilities.

In terms of approach, the presentation content and style will be tailored to the expectations of the COSAC audience, as per previous presentations in 2017 (in Melbourne) & 2018 (in Sydney).

10:30 11B: Chaos Monkey Comes to Threat Modeling Speaker(s): Jason Kobes

Jason Kobes

Architect, Research Scientist, Professor, Northrop Grumman (USA)

Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...
 

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.

What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?

Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?

Do our countermeasures create opportunities?

Can we truly understand how the adversaries’ objectives may be different from our perspective?

How do we adapt to rapid changes in our understanding due to observed or experienced events?

The session will start by exploring what was accomplished in the Threat Modeling session at COSAC 2022. We will then address what we know and what processes exist to help us unfold this difficult topic. We will then move into a group discussion where we will explore how we can leverage each other’s perspectives and ideas.

11:20 - 11:40 Morning Coffee

11:40 12A: Creating Effective Security Proposals for Major Bid Activities Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.
 

As SABSA architects we often focus on how to successfully engage with enterprise/organisation leadership about security programs to address enterprise/organisational challenges and the successful delivery of security solutions/programs to meet those challenges.

These situations are focused more on the internal operation of the enterprise; but what about the situation where a security solution needs to be proposed and delivered into another organisation as part of a larger business activity or capability delivery program?

Requesting Manager to You: “You are the security proposal lead for this major tender. The security part of the proposal is a big factor in us winning (or losing) this business!”

You, the Security Architect Lead (thinking): “OK, so what do I need to do now?!”

The production of an effective security proposal that is an integrated part of a larger business proposal / tender response is a difficult activity that involves more than just formulating a proposed technical solution. It must meet many conflicting needs (effective, bounded, compelling, minimum cost, etc.). At the same time, the proposal will be the starting point for defining the potential future security program, if the tender is successful. Good choices made early make all the difference.

This session will discuss the challenges, experiences and lessons learnt from supporting the security contribution to major business proposals or tender response activities.

11:40 12B: Applying Fault & Accident Management Principles to Cyber Risk Management Speaker(s): Mattia Rossi

Mattia Rossi

Enterprise Security Architect, Ignitize (Australia)

Mattia Rossi is a freelance consultant currently active in the Cybersecurity space. What you would call an Enterprise Security Architect, he is providing businesses with expertise in not just security analysis and solution security work, but most of all driving the implementation and application of security frameworks. He recognises that while there is a high number of frameworks available, and very good documentation on how frameworks and processes SHOULD be applied, most enterprises lack the...
 

Accident and fault management has been a topic of high importance for many years. Understanding when even small parts of a system are malfunctioning, and what major or even catastrophic faults or accidents they might cause, is of enormous importance in safety-relevant systems. Modelling techniques like STPA/STAMP or Bow-ties allow a system to be exploded into its smaller parts and hierarchies of controls to be constructed, which can then be tested for their operating effectiveness, which in turn informs the causation or non-causation of a main event. This then allows for either improvement of controls (moving towards risk avoidance) or at least understanding of the implications and the risk (or residual risk).

This talk explores how these modelling techniques should be applied to cyber risk, allowing the creation of more meaningful Key Risk Indicators and Cyber Risk Reports than are generally used in the industry, and how to allow dynamic adjustment and re-calculation of the risk position based on exposures found throughout daily security analysis work. It also explores how to codify such exposure hierarchies and speed up the provisioning of meaningful risk reports.
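The abstract above describes codifying a bow-tie style hierarchy of controls so that operating-effectiveness findings from daily analysis re-calculate the risk position and feed a Key Risk Indicator. The following is an added illustration of one way to do that, not the presenter's method or tooling. The top event, threats, barrier names, frequencies, effectiveness figures and loss values are all constructed for the example.

```python
"""Bow-tie control hierarchy codified for cyber risk re-calculation.

Added illustration only. The scenario and every number in it are
constructed; the barrier effectiveness model (design effectiveness scaled
by observed operating effectiveness) is an assumption for the example.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Barrier:
    name: str
    design_effectiveness: float            # probability the barrier stops an event, as designed
    operating_effectiveness: float = 1.0   # fraction of design effectiveness observed in testing

    def p_stop(self) -> float:
        return self.design_effectiveness * self.operating_effectiveness


@dataclass
class Threat:
    name: str
    frequency: float                               # initiating events per year
    barriers: list = field(default_factory=list)   # preventive barriers (left side of the bow-tie)

    def escalation_frequency(self) -> float:
        """Events per year that pass every preventive barrier and reach the top event."""
        return self.frequency * prod(1 - b.p_stop() for b in self.barriers)


@dataclass
class Consequence:
    name: str
    impact: float                                  # loss if the consequence is realised
    barriers: list = field(default_factory=list)   # mitigative barriers (right side)

    def p_realised(self) -> float:
        return prod(1 - b.p_stop() for b in self.barriers)


@dataclass
class BowTie:
    top_event: str
    threats: list
    consequences: list

    def top_event_frequency(self) -> float:
        return sum(t.escalation_frequency() for t in self.threats)

    def annualised_loss(self) -> float:
        f = self.top_event_frequency()
        return sum(f * c.p_realised() * c.impact for c in self.consequences)

    def barriers(self):
        for holder in self.threats + self.consequences:
            yield from holder.barriers

    def record_exposure(self, barrier_name: str, operating_effectiveness: float) -> None:
        """Feed a finding from daily security analysis back into the model."""
        for b in self.barriers():
            if b.name == barrier_name:
                b.operating_effectiveness = operating_effectiveness

    def key_risk_indicator(self, tolerated_loss: float) -> float:
        """Modelled annual loss as a ratio of appetite; above 1.0 means outside tolerance."""
        return self.annualised_loss() / tolerated_loss


def build_sample() -> BowTie:
    """Constructed bow-tie for an unauthorised database access top event."""
    mfa = Barrier("mfa_enforced", 0.9)
    mail_filter = Barrier("mail_filtering", 0.7)
    patching = Barrier("30_day_patching", 0.8)
    waf = Barrier("waf", 0.5)
    dlp = Barrier("dlp", 0.6)
    egress = Barrier("egress_monitoring", 0.5)
    return BowTie(
        top_event="unauthorised access to customer database",
        threats=[Threat("credential_phishing", 20.0, [mail_filter, mfa]),
                 Threat("exposed_service_vuln", 4.0, [patching, waf])],
        consequences=[Consequence("bulk_exfiltration", 2_000_000.0, [dlp, egress])],
    )


def run_sample() -> dict:
    """Risk position before and after one exposure finding is recorded."""
    bt = build_sample()
    appetite = 500_000.0
    snapshot = lambda: {"freq": bt.top_event_frequency(),
                        "loss": bt.annualised_loss(),
                        "kri": bt.key_risk_indicator(appetite)}
    before = snapshot()
    # analysis finds only half the in-scope accounts actually enrolled in MFA
    bt.record_exposure("mfa_enforced", 0.5)
    after = snapshot()
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, values in run_sample().items():
        print(stage, {k: round(v, 3) for k, v in values.items()})
```

With the constructed figures the top event runs at about one escalation per year and the indicator sits inside appetite; a single operating-effectiveness finding against the MFA barrier moves it to 3.7 per year and pushes the indicator well past 1.0. That is the dynamic re-calculation the abstract describes: the exposure is recorded against a named control in the hierarchy, and the KRI follows from the structure rather than from a separately maintained spreadsheet.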

12:40 13A: Security Modelling Case Studies Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT. He has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities and also lends his support to local cyber-security initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation & modelling, leading to the foundation in 2021 of a niche consultancy in this...

Bonnie Demeyer

Security Consultant, Cyber Enterprise Modelling (Belgium)

Bonnie is a freelance Security Analyst and Information Security Manager who has been working in, and advocating for, a model-driven approach to security since 2016. She returns for her third COSAC as the co-founder of Cyber Enterprise Modelling: a niche consultancy specialising in the application and advancement of model-driven security. Bonnie holds certifications in security, information risk management, privacy and ArchiMate.
 

Since a means of expressing the security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema and the approach has been made accessible through webinars, presentations and this year, as a SABSA Training course with basic tool support.

While COSAC 2018-21 have traced the emergence of security modelling as a technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small scale, proof of concept ‘laboratory models’.

This year for the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking and where the technique might be headed in light of this experience.

At the time of CfP, the contracts for this work are just being signed with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint.

The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.

12:40 13B: Conquer the Architect's Eternal Dilemma: How to Turn Strategy into Reality Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute CEO of David Lynas Consulting.
 

It is a fundamental dilemma faced by all strategists: how to turn strategy into reality?

Enterprise Architecture takes a long time to define and rarely starts from a green field site. Ordering I.T. to postpone all initiatives until the strategy is fully developed is a seriously career-limiting, if not life-threatening, move. Business innovation cannot stop, developments and improvements cannot be shelved or hang around waiting on Architects in their perceived ivory tower to complete their idealist thinking.

The Architecture may be brilliant work but what if we have an incident tomorrow, are we any safer while the Architect is doing their ‘thing’, can we demonstrate any value from a strategic initiative that isn’t yet deployed?

In practice, the Architect’s scope is rarely all of Enterprise in a single bite, but if we can’t start at the all-of-Enterprise end, where is the beginning? We must deliver something before we deliver everything. How do we scope an Architectural project or an RFP in practical reality?

By definition any starting point below all of Enterprise is not Enterprise, it is only one particular viewpoint or aspect of Enterprise: being Business-driven and looking downward we see multiple dependencies and relationships, many contributing “means to an end”, but looking upward from any non-Enterprise viewpoint we see an exclusive relationship – a single “means to an end”. This creates a tunnel vision that risks the creation of the very isolated silos we set out to remove. So, even if we can identify a starting point, how do we ensure that it is Architecturally consistent, holistic, and integrated with all the other aspects and viewpoints of our complex Enterprise that are currently out of scope?

Join us in this session to explore SABSA Architecture realisation techniques to help us overcome our eternal dilemmas.

13:30 - 14:30 Lunch

14:30 14A: Predictive Risk Intelligence – Is it the Next Big Thing? Speaker(s): Paul Blowers

Paul Blowers

Head of Assurance, SEQA (New Zealand)

Paul Blowers has more than 35 years experience in security. He is a certified SABSA® practitioner and advocate, and an APMG practiced Business Change expert. He has extensive experience supporting Law Enforcement, Defence, Intelligence and Border Security environments and with a wide range of private sector organisations. He has spent the last 18 years in New Zealand, he has also worked in the USA, the UK, and mainland Europe. His roles include CISO for NZ Police, managed his own consultancy...
 

My presentation charts the emergence of a new Crown entity from conceptual design to full operational capability designed completely in the Cloud in less than 18 months. No legacy infrastructure or outdated business applications, this was a once in a career green-field opportunity, that couldn’t be missed.

There were many unique challenges:

- Systems must observe the principles set out in the New Zealand government security policy standard
- Statutory obligations must be met – the entity's legislative rights policy had not been passed by Cabinet, meaning the core regulatory platform's purpose was ever changing
- Stakeholder numbers rose from an original estimate of 1000 to an unanticipated 100,000
- Delivery pressures: design and build a regulatory platform and key business services within 6 months (using cloud-only services)
- Data sovereignty rights were the potential showstopper

As one of only two technologists we designed the system with three key principles front and centre of all our decisions:

- The system must be secure.
- It must be resilient.
- Useability is non-negotiable.

14:30 14B: Artificial (un)Intelligence: Risks and Opportunities of AI Speaker(s): Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...
 

This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function.

This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use.

The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics.

The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.

15:30 15A: Trust Relation Framework and Threat Modelling to Enrich Risk Assessments Speaker(s): Marten Gerssen

Marten Gerssen

Security Project Manager, unConceptual (Netherlands)

After graduating in Control Engineering, Marten started his professional career in Telecom Network Management at Alcatel in 1996, holding various pre-sales and marketing positions. In 2010, Marten founded unConceptual as an independent consulting company, growing from IT project management into IT Security. Customers include energy, telecom, government and banking sector. In those 10 years, the focus evolved to Identity and Access Management with projects in IAM overhaul, Privileged Access...
 

In 2020, my then CISO tasked me with charting “the” Identity and Access Management Risk for the organisation.

That triggered me to not only list the standard risks, such as credential theft, but also the risks when dealing with 3rd parties: Sales agents downstream, and suppliers upstream, regulators, authorities…

Result: Sales Agent and Vendor Risk Management Assessments with (less) obvious risk. For example: if you have a shared account (SABSA Trust Relation) with a printing company for your posters, how easy is it to get a picture of the CISO in a vampire suit onto a billboard in the street?

You can use SABSA to map those trust relations with the outside world, and then use threat modelling to list scenarios once the authentication has taken place, and classify risks as reputational, financial, or availability risks. We present an easy to use table.

Further attention is given to IAM-related issues such as key management on non-owned IAM systems, and managing non-federated IAM with associated organisations.

This matters to Security Architecture, because these Trust Relations with vendors and agents are the foundation of the organisation’s business.

15:30 15B: Contagion - Simian Flu Speaker(s): Martin Hopkins

Martin Hopkins

Consultant, Attributive Security (UK)

Martin is an independent information security consultant with a current focus on security advisory to small businesses in the UK. He has over 25 years’ experience in technology, primarily in security related fields. A regular speaker on cyber security topics, he is a strong advocate of business driven security, security architecture and secure software development practices.
 

Despite huge investments cyber security continues to hit the headlines for all the wrong reasons. Each year brings new technologies that will, apparently, save us all. Away from the bright lights you’ll hear it is all about people: you need to increase awareness and adopt the right culture. If that doesn’t work there’s always AI, that’ll save us.

We sit in our ivory towers developing our architectures and programmes, assuming that ours is the one true way. But big data and the scientific method are failing us. Beyond the biases we’ve all heard about, our data sets are often collected and applied across widely differing cultures. Those we look towards to steer us through the storm stick to the familiar, fearing or discounting the foreign.

We need to step back from the bird’s-eye view that encompasses so much, but at the cost of local context. What does the worm’s-eye view from the ground show us? Those strange people that don’t align to our expectations, that don’t behave correctly; they’re not irrational or uneducated, they just have different perspectives, different drivers, and maybe goals we’ve overlooked. We know what they’re doing, or not, but do we really understand why? We also need to look critically at ourselves: does our normal and familiar look weird and alien from the outside in?

As global recessions and pandemics hit, business leaders and politicians are looking to anthropologists to help them understand why people are behaving the way they are in the present and prepare for the future. Together we’ll discuss some examples, some parallels, and invite insights into cyber folklore and customs. By understanding behaviours better, we may be better able to influence them.

16:20 - 16:40 Afternoon Coffee

16:40 16A: A SABSA Approach to Health and Well Being Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.
 

I had a brilliant 2019 having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland but like many of us my follow up experience in 2020 was less than ideal and I came out of that year needing to take stock of my general health and wellbeing.

It is a shared observation of my colleagues, that as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon.

We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life.

In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being “Retirement Fit”. I took a haphazard approach and by the end of the year I realised three things:

Firstly, this is not a one-year project – it is going to be an ongoing iterative process.

Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and

Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach.

So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes and

This presentation uses SABSA as framework for health and well-being and presents the fundamentals of SABSA in a non-security and non-IT context.

16:40 16B: The Multiverse of Cybersecurity Frameworks Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cybersecurity (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...
 

What is an organization to do? You’re expected to master managing your cybersecurity risks, but the threats are constantly changing, and there are differing ideas of exactly what mastery means and requires. However, mastery isn’t enough. You need to be able to demonstrate your mastery to anyone who needs to know and in a way everyone, including business partners and regulators, can understand and accept. All within budget and available resources. How can you adapt your approach to satisfy all the demands and expectations?

The good news is that there are many frameworks and standards to help you master your domain. This is also bad news, because there are many common (or not so common) standards and frameworks that influence how you organize your cybersecurity program. You may already have defined cybersecurity requirements and perhaps an organizing framework that is specific to your industry, required by regulation or aligned to your technical choices. However, all frameworks are not equivalent, nor are they intended to solve identical problems. You may have important gaps to fill in or conflicts to deal with. How do you navigate through this multiverse of choices for the framework that aligns to your cybersecurity requirements?

After establishing a common taxonomy, we will examine and categorize various approaches to cybersecurity frameworks using examples to illustrate the considerations. We will outline some of the issues and challenges involved in defining or using cybersecurity frameworks to organize and manage your cybersecurity risk. We will discuss essential principles for establishing an effective framework foundation and outline a risk-based approach for effective management of your cybersecurity risk. We will review and discuss critical success factors for an effective cybersecurity framework. Have you leveraged a framework in your own organization and have some insight to share? Maybe together we can put frameworks to better use.

Plenary Session

17:40 17P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute CEO of David Lynas Consulting.
 

The COSAC "rump" has for many years been a hugely popular closing session to COSAC. Now, returning to APAC, is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

-Electronic submission: Send email to the rump session chair David Lynas at [email protected]

-Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4th December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner

Thursday 2nd March 2023

09:30 - 10:00 Delegate Registration & Coffee

11:35 Morning Coffee

Workshop W1

10:00 3rd COSAC APAC Security Architecture Design-Off Speaker(s): William Schultz, Jason Kobes

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Jason Kobes

Architect, Research Scientist, Professor, Northrop Grumman (USA)

Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...
X
 

In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

Two of the hardest problems SABSA architects face are working alone and knowing where to start when challenges arise. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to overcome those challenges quickly and deliver actionable architecture. It can be done; this activity proves it.

Workshop W2

10:00 Filling the Skills Gap: Recruitment, Learning, Diversity & Mental Health
 

In this exclusive COSAC half-day session we will investigate four unique aspects of our workplace and address the considerable challenges of hiring, developing skills, and supporting the well-being of our teams in one of the most stressful professions of the digital age:

Recruitment

The journey starts with a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security.

Mentoring

Part 2 investigates humanity's attempts at passing on knowledge across generations and the lessons we can learn from them to build a strong mentoring program to develop and inspire new people.

Mental Health

Part 3 discusses the state of mental health in the cyber industry, emphasising the unique stresses faced by cyber security professionals, and outlines how industry can begin to tackle this challenge.

Career Change

We conclude the half-day session by revealing the unique challenges faced by professionals switching into security from other parts of the organisation. Using the true story of a career switch we will reveal the expectations versus the reality of a new team member being placed into the firing line.

10:00 Part 1 - Hiring and Managing in Infosec: the Importance of Brain Diversity Speaker(s): Kathleen Mullin, Ashling Lupiani

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

Ashling Lupiani

Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...

This is a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security. Debunking prevalent Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

Utilizing the false concept of “left-” and “right-brained thinkers” and other myths about brain differences to explain how we think and decide influences perceptions and detracts from otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to create appropriate defenses for malicious hacking attempts including hiring and managing diverse teams well-equipped to tackle problems.

The value in this session is providing information from current brain science to use in hiring and managing, including addressing gender bias. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain and the importance of diversity.

10:50 Part 2 - Mentorship: The Foundation of a Healthy Tech Industry Speaker(s): Alfie Oloo

Alfie Oloo

Product Designer, IoT.nxt (South Africa)

Alfi is a product designer specialising in design systems. Being dyslexic, among other challenges, Alfi eventually dropped out of university, which eventually led to him building his own education through auditory learning (100s of audiobooks). Realising that he had an unusual capacity for auditory communication, he also co-founded the “Edit Undo” Podcast. Alfi is a lifelong student in the field of mentorship having played the role of a mentor at Jack Academy’s UX Bootcamp and a coordinator...

From the psychological significance of a parent-child relationship to the unravelling of the modern schooling system, in this discussion, we will approach humanity's attempts at passing knowledge on across generations and the lessons we can learn from them and apply in our daily social and professional engagements.

In this series of talks, you will be able to take away three things:

A strong argument for the importance of mentorship in the building of a relatively new industry.

A working knowledge of some of the underlying biological processes that undergird human development.

A clear & PRACTICAL guide on how to begin your career as a mentor in your own domain of knowledge.

11:55 Part 3 - Welcome to the Burnout Club: Mental Health in the Cyber Industry Speaker(s): Andrew Reeves

Andrew Reeves

Director of Organisational and Behavioural Research, Cybermindz (Australia)

Andrew Reeves is a psychologist with a focus on the human aspects of cyber security. He is Director of Organisational and Behavioural Research for Cybermindz.org, a peer informed not-for-profit organisation dedicated to providing evidence-based mental health support to cyber teams. He has 9 years of experience in the defence and ICT industries and has recently completed a PhD in the area of cyber security employee motivation and fatigue.

“If you are in cybersecurity and are constantly feeling angry, exhausted, bitter and you jump up to the ceiling when your company mobile rings — welcome to the burnout club.”

(CISO Burnout, Medium, 2021)

Recent industry reports state that workplace stress is impacting the mental health of cyber security professionals. In 2020, nine out of ten executives holding either the title of chief information security officer (CISO) or chief security officer (CSO) reported “moderate or tremendous” job-related stress. As a result, the average tenure of a CISO was just 26 months in 2020 due to high stress and burnout, and this is likely to have deteriorated further during the progression of the COVID-19 pandemic. It is further likely that similar trends are occurring not only within CISO groups, but across all role levels within cyber security teams. Consequently, Cybermindz.org was launched as a not-for-profit initiative to support mental health in the cyber sector. Cybermindz’ mission is to deliver peer-informed, effective, accessible relief and resilience building to stressed and embattled cyber teams. We use military grade, evidence-based protocols to counter burnout. Our message is that resourcing prevention is a better strategy from a compassionate, continuity and cost standpoint. In this talk, Andrew Reeves (Psychologist & Cybermindz Director of Organisational and Behavioural Research) discusses the state of mental health in the cyber industry, emphasising the unique stresses faced by cyber security professionals, and outlines how industry can begin to tackle this challenge.

12:45 Part 4 - Here Be Dragons: My Career Switch to InfoSec - Expectations & Reality Speaker(s): Dan Schoemaker

Dan Schoemaker

Information Security Officer, Phoenix HSL (Australia)

Dan Schoemaker has been working in the IT support, Infrastructure/Operations and Security fields for the past 8 years. At the end of 2021, he decided to change his career path and move into the Information Security field. He has formal degrees from UNSW and Western Sydney University and certification from Cisco. He is a self-driven techie who ultimately believes in learning by doing and having a crack.

Why would an Infrastructure Specialist want to move across to security and put themselves in the firing line of the business?

Join me as I look through the past year as I moved from IT infrastructure and IT Service Management to Information Security. What expectations I had and what was the reality.

I came into a business that had a lot of work, the role was separated from the technical function, and had to ensure the technical teams were deploying and maintaining a secure environment.

Moving into a new specialism is daunting, especially when you change business and industry at the same time. When there is a myriad of issues, where do you start? How do you prioritise the issues, balance self-expectations and feel like a useful member of the team?

I will explore the common perceptions of security teams from the greater IT team.

I will also look into the training pressures for a newcomer. How are we supposed to stack up against security professionals that have evolved with the industry? And how do you find new talent and entice quality security professionals to the field?

13:30 - 14:30 Lunch

16:10 Afternoon Coffee

Workshop W3

14:30 Ask us Anything - A Q&A with a SABSA Masters Panel Speaker(s): William Schultz, Maurice Smit

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to the response, “it depends”. Most of the time that is true: the answer to your question or problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is usually in knowing which part of the methodology to use, and where to start from the situation you are in.

In this session, attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Masters in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course, in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:30 Security Modelling Workshop Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT. He has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities and also lends his support to local cyber-security initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation & modelling, leading to the foundation in 2021 of a niche consultancy in this...

Bonnie Demeyer

Security Consultant, Cyber Enterprise Modelling (Belgium)

Bonnie is a freelance Security Analyst and Information Security Manager who has been working in, and advocating for, a model-driven approach to security since 2016. She returns for her third COSAC as the co-founder of Cyber Enterprise Modelling: a niche consultancy specialising in the application and advancement of model-driven security. Bonnie holds certifications in security, information risk management, privacy and ArchiMate.

Since the idea of a Security Overlay for ArchiMate was first introduced at COSAC 2018, a great deal of progress has been made - principally via the Working Group dedicated to the modelling of SABSA in ArchiMate (MSA). This culminated in a revised White Paper, a schema definition of the Overlay and the introduction of a 2-day training course to the SABSA Institute catalogue.

This proposal for a half-day workshop would be an abridged version of the full course with the following goals:

  • To raise awareness of the SABSA course’s availability, contents and objectives.
  • To show, through a hands-on session, how the Overlay can be used within an EA modelling environment to create the following artefacts, easily and productively:
    • SABSA Business Attribute traceability;
    • Compliance with security standards & frameworks;
    • Threat Models;
    • Risk Analysis.
  • To demonstrate that the use of these models goes well beyond the creation of documentation: they are an ‘active’ resource capable of being validated and analysed.

The workshop will step through examples that have been derived from anonymised, real-world consulting assignments, selected to highlight the advantages of being able to overlay security concepts onto the context of an EA model (e.g. situational awareness) that are not possible in traditional approaches (spreadsheets and checklists).

The value to the conference is likely to be two-fold:

  • For practitioners seeking ways of applying SABSA pragmatically and at scale, it provides a quick induction to the course and its open-source tool support, supplemented by SABSA Institute resources;
  • For others engaged by the ‘Case Studies’ presentation (separate but independent CfP submission), it provides further detail on the methodology and a pathway to achieving the same in their own organisations.

As always, this will be original content, being presented at conference for the first time.

Conference Close

18:00 COSAC Chairman's Closing Remarks Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.