
Welcome to COSAC's first event in Asia-Pacific, hosting the inaugural SABSA APAC Congress. 

Our agenda has been selected by previous COSAC participants to ensure sessions are unique, timely, cater for the participative COSAC ethos and deliver value for experienced security practitioners. 

Tuesday 5th December 2017

09:30 - 10:00 Delegate Registration & Coffee

Plenary Session

10:00 1P: Premium Value: Exceptional Trust Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

Welcome to a unique and special event that is destined to become APAC’s premium annual forum for elite professionals.

This brief introductory session sets expectations for the week: it describes the COSAC ethos and trust culture, and sets the tone through interaction and participation. 

We will also discuss the rules and conventions for sessions and discussions held under Chatham House Rule or subject to full Non-Disclosure.

10:40 - 11:00 Morning Coffee

11:00 2A: Banking Under a Tree: Architecting for Mobility Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative, business-driven and risk-oriented discipline.

In an effort to create new business revenue models as well as extend banking services to growing business segments, this session will demonstrate how a strategic security solution approach can enable a business to adapt its business strategy to support a Channel Convenience strategy, allowing customers to bank anywhere, from any device and at any time, leveraging innovative technologies offered through emerging mobility platforms.

In addition, the session will aim to:

- Provide an understanding of the mobile business problem domain and its related complexities at a major bank
- Show how to analyse business strategy to define business security requirements and key business attributes
- Illustrate how the business problem can be solved through the design, creation and population of SABSA-styled domain maps and entities
- Indicate the various emerging security mechanisms, through associated product components and service management capabilities, that solve the business problem of mobility
- Address in-house organizational challenges:
  - Comparison of tactical “build” versus “buy” decisions on security solutions, and their associated trade-offs

11:00 2B: Visualising Organisational Threat & Risk Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Risk managers often find it difficult to communicate threats and risk (and the difference between them) to those who must understand what is at stake in the context of the organization's mission. Identifying ways to model and visualize risk is key to helping stakeholders determine which mission objectives or organizational assets are at risk, and where risk treatments are needed. To add to the complexity, many risk managers have to give assessments on the fly, or with short notice. There are many effective methods that can be used to model risk and address these challenges, and this workshop aims to explore different risk and threat modeling methods and practices. In this highly interactive session we will work in groups to visually model risk on the fly in a 15-20 minute activity with a given challenging mission scenario. We will then share, brainstorm, and discuss the advantages and disadvantages of these risk models.

12:20 3A: How to Implement SABSA in a Major Enterprise Speaker(s): Shane Tully

Shane Tully

Global Enterprise Security Architect, CBA (Australia)

Shane is an enterprise security architect with experience in Australian state government agencies, transport and financial services industries. His interest is in the security of international businesses. Shane was the founder of the Oneworld® airline alliance IT Security Forum; a founding member of the board of management of the global security thought leadership group, The Jericho Forum and an invited SCADA representative to the Australian Government IT Security Expert Advisory Group (ITSEAG).

This session is a real-life case study based on personal experience of updating an existing Enterprise Security Architecture using the SABSA framework in a major enterprise. The presentation covers the security challenges along the way, understanding what you can solve, avoiding scope issues, the evolution of security controls, mapping responsibility between different security teams, aligning the architecture with the operational security lifecycle, and ends with some of the important lessons learnt along the way.

12:20 3B: The Behavioural Economics of Cyber Security Speaker(s): Craig Templeton

Craig Templeton

CISO, REA Group (Australia)

Hailing from Northern Ireland, Craig Templeton brings over 22 years' experience to the security field, having worked for a variety of blue chip organisations globally. With his no-nonsense approach, Craig is widely known for not conforming to traditional approaches to solving security problems. Over the last 5 years Craig has focused on the behavioural aspects of security, winning Security Professional of the Year at the AISA National Conference in 2015.

If the focus of cybersecurity programs continues to be on designing better technologies to combat the growing menace of cyberattacks, we’ll continue to neglect the most important aspect of security — the human in the middle.

Put simply, there's a language problem in Security. Some say that we need a war on cyber-crime. Craig says we need a war on security bullshit.

Insights from behavioural economics and psychology show that human judgment is often biased in predictably problematic ways - where decision makers use flawed mental models to help them determine where and how much investment is necessary.

For example, they may think about cyber defence as a fortification process — if you build strong perimeters with well-manned turrets, you’ll be able to see the attacker from a mile away. Or they may assume that complying rigidly with a security framework or standard is sufficient. They may also fail to consider the counter-factual, thinking "We didn’t have a breach this year, so we don’t need to ramp up investment" — when in reality they probably either got lucky this year or are unaware that a bad actor is already lurking in their system.

The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. That’s why cybersecurity efforts have to focus on building security-aware cultures. Because people beat technology. Leading research shows that attitudes to security are a stronger indicator of resilience to cyber-attack than compliance.

In his presentation, Craig will describe his strategy at REA Group and how he is building a ‘values led’ security culture, and importantly, why this matters.

13:30 - 14:30 Lunch

14:30 4A: Using SABSA to Architect Zero Trust Networks Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

In 2014, Google threw away its traditional approach to securing its services and reimagined what security should look like to be truly effective in today's world of distributed teams, systems, and applications.

They developed BeyondCorp, a perimeterless architecture that does away with the idea of trusted networks and treats all applications as if they are Internet connected, thereby creating an environment that is zero-trust by default. Every request is authenticated and authorised in real-time based on a set of dynamic conditions that considers changes in user status and device state.

This interactive session will explore how to apply SABSA to architect a zero-trust network through the layers of the SABSA matrix. This will be supported by a sanitised case study to highlight and discuss the real-world challenges, and how they were overcome, when architecting a zero-trust network for a New Zealand organisation.

14:30 4B: Defending the Modern Castle Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Warfare and the arts of intrusion have advanced considerably since the days of King Arthur and the Knights of the Round Table, but in many ways the principles of fortification we use in 2017 remain the same as those used in 1017. The great castles of antiquity were ingeniously designed with multiple layers of physical security to protect their inhabitants from persistent, even advanced enemy threats. Towers and moats and archery slits and murder holes and a trained castle army provided effective physical security for the castle dwellers (and maybe the local peasantry). Their carefully planned and creative defensive measures provide rich metaphors, both positive and negative, for ourselves as today’s cyber guardians.

On the other hand, clever, daring, sometimes brilliant offensive strategies and tactics have historically breached battlements thought to be unassailable. New and better defenses were almost always defeated by newer and better offensive strategies or machines, which, in turn, spurred newer defensive weapons and tactics. Still, most of the castles we see today are ruins, and not always merely because of age. We’ll examine defensive and offensive strategies and identify lessons that can be applied to securing our own sophisticated digital fortresses.

15:40 - 16:00 Afternoon Coffee

16:00 5A: The Playground of Risk Speaker(s): Allen Baranov

Allen Baranov

Principal Consultant, Elucidate Solutions (Australia)

Allen Baranov has more than 20 years of Information Security experience and almost 5 as a SABSA® practitioner. He has worked in South Africa and Australia across large, small and tiny organisations as everything from Firewall Administrator to head of Information Security. As a speaker he presents topics from interesting angles and was the People’s Choice at IT Web Security Conference, South Africa’s largest conference. 

First presented at a SABSA World Event in Melbourne to great acclaim, this session will explore an unexpected avenue to risk & risk management. 

An eye-catching Standard listed on the Australian Standards website defines “risk” in the most interesting way possible. This happens to be AS-4685 and it is the Australian Standard for playground equipment. “Wait…What?”. 

Yes, the Australian Standard for playground equipment defines “risk” in a better way than anything in the 27000 (and possibly 31000) range of Standards. 

This playground equipment analogy is perfect for discussing how Information Security should view risk and how architectures should be designed. The extended analogy becomes very useful as it is designed around risk (injury) versus reward (fun).

The value of this approach lies in an “out of the box” way to think about designing safe environments balancing (no pun intended) the risk aspect. It builds on the SABSA theory that architecture should take into account the opportunity cost of restricting business aims. Security professionals tend to take our views to be sacrosanct and this session will provide a fresh view on the topic, along with clear guidance on the roles in Risk Management.

16:00 5B: Commit - Plan - Deliver: 21 Years in the Middle Speaker(s): Michael Hirschfeld

Michael Hirschfeld

First Assistant Secretary, Department of Finance (Australia)

Michael is acting Chief Information Officer and First Assistant Secretary, IT and Workplace Division in the Australian Commonwealth Department of Finance and has executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with a number of Australian government agencies, including as Assistant Secretary for ICT Planning and Governance at the Australian Department of Foreign Affairs and Trade.

I have held middle management and senior executive roles in Security, ICT Security, and ICT in general in various Australian Government Agencies over the past 23 years.

I have learnt a lot about managing the delivery and leading the strategic improvement of these fields. I also have much much more to learn.

Many believe that great leaders are born and not made – this may be true - but good leaders and great managers are, more often than not, made through the dedication to personal development of individuals.

There are innumerable capabilities and skills that take us from being technical experts to being good managers and then good leaders. In this presentation, I will share some of my experiences and tools that can be used to help you manage your deliverables and career.

There are a number of topics to cover - this session will focus on three fundamentals: committing to action, planning and delivery. Understanding the nature of commitment to action, and whether your team has committed to what you are committed to. How do you successfully plan tasks for teams and projects, and then, how do you make sure you and your team deliver successfully?

17:20 6A: How to Herd White Cats in a Snowstorm Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

Transforming the Conversation on Governance, Policy & Risk Ownership

“It is curious how often you humans manage to obtain that which you do not want.”

Spock (Star Trek)

The issue has been swept under the carpet and we like to pretend that we have not noticed, so whisper it softly…

…The Emperor has no clothes. He opened a can of worms only to find a horrible ball of spaghetti, and as a result made an unholy mess of a horse’s ass.

We follow the defined practices for Governance, Policy & Risk like sheep. But while we as professionals love the subject of ‘rules’, the reality is that we as humans resist policy, hate being told what to do, and often enjoy the thrill of taking risk.

“It is difficult to get a man to understand something when his salary depends on not understanding it”

Upton Sinclair (I, Candidate for Governor: and How I Got Licked)

The psychology and ethos we have employed to create Governance, Policy & Risk structures in our organisations is historically deeply flawed and inverted. It is completely unworkable to force a group of human beings to do something they do not want to do and it is totally unsustainable to prevent human beings from doing something they do want to do.

“Humans have a unique ability to listen to one story and understand another”

Pandora Poikilos (Excuse Me, My Brains Have Stepped Out)

Traditionally, we sell fear, uncertainty and doubt to stakeholders who really want enablement, excellence and value. The experts tell us that we should use an holistic framework to provide value and to separate Governance from Management but what they don’t tell us is how to achieve that.

This session will examine why the universe of Governance, Policy & Risk is broken and, more importantly, how to use SABSA Architectural structures to transform the conversation, repair the problem, and create proactive, clear, instinctive, business-enabling, positive and motivating Governance, Policy & Risk models.

17:20 6B: Going Bust: The CISO's Perspective Speaker(s): Michael Wallmannsberger

Michael Wallmannsberger

Consultant, Wallmannsberger Ltd (New Zealand)

Michael Wallmannsberger is an independent security consultant and Chair of New Zealand's CERT Establishment Advisory Board. He was the Chief Information Security Officer at Wynyard Group, a NZX-listed New Zealand software company, and a consultant and lead security architect at ASB Bank. His governance experience includes serving as a member of the board of New Zealand's national standards body, Standards NZ, and New Zealand's ccTLD manager, InternetNZ.

Being the CISO of a multinational software and cloud vendor that becomes insolvent is a unique learning opportunity. However, it is not one to seek out or wish for. This case study shares the lessons and insights from the speaker’s experience managing information security during a company’s statutory administration.

Large firms sometimes evaluate a vendor’s financial stability during procurement. However, a previously sound supplier becoming insolvent seems to be a mostly neglected risk. What happens to a company’s management of its security controls and obligations during bankruptcy or administration?

This case highlights new issues arising in a world where handing data over to investor-funded (i.e. unprofitable) public cloud providers is the new normal. It examines the implications for security practitioners, including how we might better prepare for the possibility that our business, or a supplier’s business, fails.

If your cloud provider becomes insolvent, who secures your information? Can you get the data out? What happens to as-a-service cloud infrastructure when you stop paying the monthly bill? Managing IT and information security through statutory administration had many challenges, some obvious but also many that were unexpected.

If selected, this talk will be presented first at COSAC & SABSA APAC 2017.

About the company:

Wynyard Group listed on the New Zealand Stock Exchange in 2013, raising $65 million, and subsequently raised a further $110 million from the market before its fortunes declined and its board decided to put the company into voluntary administration in October 2016.

Networking & Dinner

18:45 Drinks Reception
19:30 Dinner