
Tuesday 27th February 2024

08:30 - 09:00 Delegate Registration & Coffee

09:00 1P: COSAC APAC 2024 Chairman's Welcome Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

09:30 2A: Something Sinister Below the Horizon Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

09:30 2B: An Update on Kali Purple for Cyber Defence

Kali Purple was released in March 2023 as a free-to-use platform with an initial installed set of tools across the Identify, Protect, Detect, Respond and Recover categories of cyber defence. The initial set of tools came mostly from the existing tools available in Kali.

Since then, Kali Purple has evolved not only as a cyber defence analyst workstation with an increasing number of tools, but also as a server platform which provides easy installation of a range of cyber defence servers. At this stage the main focus has been the operational aspects of cyber defence covering security monitoring, threat hunting, threat intelligence and incident response. In addition, a new tool has been added to the Kali distribution to support the use of Kali Purple as a workshop platform for training cyber defenders.

This presentation provides an insight into building, and experiences in using, the ELK Stack and Wazuh SIEM solutions, the Malcolm threat hunting platform with its integrated Arkime, Zeek and Suricata tools, the OpenTAXII threat intelligence sharing platform and the OpenCTI tool, and the Velociraptor incident response tool. It will also demonstrate the use of Kali Autopilot to generate automated attack scripts.

The presentation will give some insights into the current and upcoming wave of activity on Kali Purple, including a case study of using ArchiMate for SABSA modelling.

10:20 3A: Beyond the Frontier - SABSA Beyond Security Architecture Speaker(s): Ross MacKenzie

Ross MacKenzie

Head of Security Controls Assessment Information Security Group, Westpac (Australia)

Ross MacKenzie is the Head of Security Architecture & Design at Westpac Banking Group, and is responsible globally for the delivery of security architecture, design and security capabilities. Ross has over 15 years of experience in the information security field, and is based in Sydney, Australia. He is also SCF & SCP certified.

This session describes how a SABSA deployment that initially focused on securing change has evolved into an extensive distributed security controls assessment function, spanning both change and run. We also explore how we intend to take this function into the future, including ongoing/continuous controls assessment and the new frameworks we are building.

We start with the back-story of the ‘Secure by Design’ practice at a large financial services organisation in Australia - a practice that was originally inspired by SABSA but has now been operating for over 15 years. We then explore how this ‘Secure by Design’ has evolved over the years, and how it is now delivering value far beyond its initial scope. This leads to a discussion about what might be possible if we continue to extend SABSA beyond Architecture. Finally, we outline our intent for future experimentation.

The speaker has led this program for over fifteen years, embedding SABSA at the core of the security architecture function at this large financial organisation in Australia. The speaker helped create and enable a large cohort of SABSA-certified professionals that operated across architecture and security teams, ensuring the concepts permeated far beyond their security architecture roots.

10:20 3B: Large Language Models – Leveraging Prompt Engineering Techniques as an Architect Speaker(s): Rahul Lobo

Rahul Lobo

Partner, Kordamentha (Australia)

Rahul has over 20 years of experience in consulting with his clients to solve their cyber and technology business challenges to help create opportunity for business transformation. His career has been quite expansive and has included working across cloud security, security consulting, cybersecurity architecture, security automation, attack and penetration testing, application security, vulnerability management and assessment, cybersecurity risk management, remediation, incident response and...

Large Language Model and Generative AI tools are exploding across news headlines and discussions and capturing our imaginations. The discourse is full of debate about the potential risks and exposures of this technology; however, as with any new innovation or solution, there are always both risks and rewards to consider.

I have been on a journey exploring Generative AI (GAI), especially to understand its capability and how it can be leveraged to enhance and improve the delivery of security consulting and its usefulness to a security architect, and I want to use this opportunity to share the outcomes of using prompt engineering techniques to generate the material described below.

This presentation will cover the following:

• What are Large Language Models and what is available?

This section will provide a background of the different types of LLMs available such as GPT, LLaMA, Alpaca and guidance on when to use them.

• What is Prompt Engineering?

This section of the presentation will be a crash course on prompt engineering and cover the various prompting techniques, such as zero-shot prompting, where the language model is capable of performing tasks without any instructions; few-shot prompting, where some examples can be provided to steer the model towards in-context learning; chain-of-thought prompting; graph prompting; etc. We will also cover the typical structure of a prompt and its elements: instruction, context, input data and output structure.

We will also cover LLM settings such as temperature and top_p, parameters that allow prompting to produce either deterministic or more creative results.

• Specific Use Cases and Prompts – Rapid Prototyping

This section will present different use cases of Prompt Engineering and show specific examples of prompts that can be used. We will also present how LLM Plugins can be used to generate specific outcomes in security. Following are some of the use cases that we will cover:

  1. Business Process Engineering: GPT-4 can be used to create user journey diagrams as well as visual representations of various business processes.
  2. Rapid Prototyping of Security Architectures: GPT-4 can be used to rapidly prototype security architectures based on information provided through the prompt.
  3. Developing a Rapid Security Threat Model using a Large Language Model:

This part of the presentation will demonstrate how I used a large language model to generate a threat model for a sample organization using the Architecture, Threats, Attack Surfaces and Mitigations (ATASM) approach. This is a method that I regularly use as a consultant to perform threat modelling for my clients.

This method consists of the following steps:

Architecture: Understand the logical, physical and component views of the architecture. We will leverage the modelling and diagramming capability of the language model to develop various diagrams to help visualise the architecture. The LLM also has a capability for writing Mermaid code, a JavaScript-based diagramming and charting tool.

Threats: Provided with context about the organization and shown the format we are using for the threat model, the LLM is leveraged to generate a list of threat agents, their goals, their risk tolerance, work factor, etc., as well as the methods they would use.

Attack Surfaces: Once the architecture is modelled in code, and given context about the location of components and potential vulnerabilities in the architecture diagram, the LLM is able to identify potential attack surfaces.

Mitigations: The last step will cover prompting techniques to help draft countermeasures to the identified attack methods that have a legitimately exposed attack surface. We will leverage the LLM's capability to ingest a large number of controls and recommend specific controls from control libraries such as NIST. We will also demonstrate how to leverage an LLM to present the controls using models such as the SABSA multi-tiered control strategy (defence-in-depth) model.

Once the threat model is complete we will analyse the output threat model for weaknesses and issues such as accuracy, creativity and credibility, and show how to mitigate them using prompt engineering techniques.
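
The ATASM workflow above hands a lot of trust to whatever the model returns, and the closing step (checking the output for accuracy and credibility) is the one most often skipped. The following Python is an added example, not the speaker's material or code: it assembles the four-part prompt described above (instruction, context, input data, output structure) for a constructed sample architecture, replaces the model call with a canned JSON reply so it runs offline, and then checks that reply against the declared architecture. Every attack surface must name a component that actually exists, every attack surface must use a method some identified threat agent has, every mitigation must address an exposed method, and every agent method must end up mitigated. The component names, the JSON shape, the control references and the two defects planted in the canned reply are all constructed for this example.

```python
"""Added example (not the speaker's code): build an ATASM prompt, parse the
model's JSON reply and check it against the declared architecture.
All data below is constructed for the example; the LLM call is replaced by
a canned reply so the script runs offline."""
import json

# Constructed "A" of ATASM: the component view the architect already holds.
ARCHITECTURE = {
    "components": ["web-frontend", "api-gateway", "orders-service", "orders-db"],
    "trust_boundaries": [["internet", "web-frontend"], ["api-gateway", "orders-service"]],
}

# Output-structure element of the prompt: the JSON shape we ask the model for.
OUTPUT_SCHEMA = {
    "threat_agents": [{"name": "", "goal": "", "work_factor": "low|medium|high", "methods": [""]}],
    "attack_surfaces": [{"component": "", "exposed_to": "", "method": ""}],
    "mitigations": [{"for_method": "", "control": "", "reference": ""}],
}


def build_prompt(architecture, schema):
    """Assemble the four prompt elements: instruction, context, input data, output structure."""
    return "\n\n".join([
        "INSTRUCTION: Produce an ATASM threat model for the architecture in INPUT. "
        "Name only components that appear in INPUT.",
        "CONTEXT: Online retailer handling card payments; the web tier is internet-facing.",
        "INPUT: " + json.dumps(architecture),
        "OUTPUT STRUCTURE (reply with JSON only): " + json.dumps(schema),
    ])


# Constructed stand-in for the model's reply. Two defects are planted on purpose:
# a component that does not exist ("payment-hsm") and a mitigation for a method
# ("Phishing") that no identified threat agent uses.
CANNED_REPLY = "Here is the threat model:\n" + json.dumps({
    "threat_agents": [
        {"name": "Carder", "goal": "Steal card data", "work_factor": "medium",
         "methods": ["SQL injection", "Credential stuffing"]},
    ],
    "attack_surfaces": [
        {"component": "web-frontend", "exposed_to": "internet", "method": "Credential stuffing"},
        {"component": "orders-db", "exposed_to": "orders-service", "method": "SQL injection"},
        {"component": "payment-hsm", "exposed_to": "internet", "method": "Key extraction"},
    ],
    "mitigations": [
        {"for_method": "SQL injection", "control": "Parameterised queries", "reference": "NIST SP 800-53 SI-10"},
        {"for_method": "Phishing", "control": "Awareness training", "reference": "NIST SP 800-53 AT-2"},
    ],
}, indent=1)


def parse_threat_model(reply_text):
    """Models often wrap JSON in prose; take the outermost {...} and parse it."""
    start, end = reply_text.find("{"), reply_text.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON object in reply")
    return json.loads(reply_text[start:end + 1])


def validate_threat_model(model, architecture):
    """Return a list of findings. An empty list means the model is internally
    consistent with the declared architecture; it does not mean it is complete."""
    findings = []
    known = set(architecture["components"])
    agent_methods = {m for a in model.get("threat_agents", []) for m in a.get("methods", [])}
    surfaced, mitigated = set(), set()
    for s in model.get("attack_surfaces", []):
        if s["component"] not in known:
            findings.append(f"hallucinated component: {s['component']}")
        if s["method"] not in agent_methods:
            findings.append(f"attack surface uses a method no agent has: {s['method']}")
        surfaced.add(s["method"])
    for m in model.get("mitigations", []):
        if m["for_method"] not in surfaced:
            findings.append(f"mitigation without an exposed surface: {m['for_method']}")
        mitigated.add(m["for_method"])
    for method in sorted(agent_methods - mitigated):
        findings.append(f"unmitigated method: {method}")
    return findings


def to_mermaid(model):
    """Render the attack-surface view as a Mermaid flowchart, the diagram
    language the talk notes the model can emit directly."""
    def node(name):
        return name.replace("-", "_")   # keep Mermaid node ids to plain identifiers
    lines = ["flowchart LR"]
    for s in model.get("attack_surfaces", []):
        lines.append(f'    {node(s["exposed_to"])} -->|{s["method"]}| {node(s["component"])}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_prompt(ARCHITECTURE, OUTPUT_SCHEMA))
    model = parse_threat_model(CANNED_REPLY)
    for finding in validate_threat_model(model, ARCHITECTURE):
        print("FINDING:", finding)
    print(to_mermaid(model))
```

Run as a script it prints the prompt, four findings (the invented component, the orphaned method on that component, the mitigation for a method nobody attacks with, and the credential-stuffing surface left unmitigated) and the Mermaid diagram. The findings are exactly the accuracy and credibility defects a reviewer would otherwise have to spot by eye; feeding them back into the next prompt is the mitigation loop the abstract describes.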

11:05 - 11:25 Morning Coffee

11:25 4A: Cyber Security Investments: Journey from Cost to Value Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

Director - Cyber Risk & Resilience, David Lynas Consulting (UK)

Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future proof information security strategies and helping organisations implement...

Increasingly, organisations are beginning to double down their investments in digitalisation in order to compete in an even more interconnected world. Digital transformations monopolise the interest of board members globally, aiming to leverage the latest technological advancements to improve the customer experience, automate the value chain, free up resources, discover new revenue streams and operate with greater agility.

The pressing need for digital transformation makes cyber security risk one of the top non-financial risks for organisations across all sectors. It also acts as the main driver for improving the security fabric and strengthening cyber security resilience. Due to the consequences cyber security incidents have on critical products and services, cyber security investment soars to $1.75T globally.

This presentation will assess the effectiveness of the current practices organisations rely upon to create cyber security portfolios and allocate investment funds. Emphasis will be given to the challenges security professionals face in demonstrating a meaningful return of value and maintaining corporate support.

The presentation will then introduce a novel approach on how to optimise security investment by modelling the security mechanisms, analysing the effectiveness of the proposed activities and demonstrating their relevance to business outcomes. Pivotal to achieving this is the need to establish a clear linkage between cybersecurity services and business objectives to both justify actions across the security posture and assess the completeness of the assurance provided. Most remarkably, bridging the gap between cyber security and business serves as an effective communication mechanism that portrays security as a value provider.

11:25 4B: Simulation and Cybersecurity Speaker(s): David Lang, Alex Parkinson

David Lang

Senior Security Architect, Thales (Australia)

David Lang is a Senior Security Architect at Thales Australia, with over 25 years of experience in software, systems and security engineering within the Defence sector. In that time, he has led the security engineering programs on a range of cyber physical systems, including Protected Mobility Vehicles, C4ISR systems, maritime sensor/combat systems and military flight simulators.

Alex Parkinson

Senior Systems & Security Architect, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

Simulation of platforms and systems provides the basis for many important organisational outcomes, such as individual skills training, training users on the specifics of a system, training teams on operational processes, testing operational concepts and system testing and troubleshooting to name a few. The application of simulation concepts is well established in the development and sustainment of physical platforms and systems.

For cybersecurity, there has been increasing discussion about the use of “cyber ranges” and “red-team exercises” to support various cybersecurity objectives and outcomes. It is noticeable that this discussion often lacks the application of basic simulation concepts: ‘what is being simulated’ and ‘what is the simulation being used for’.

This session will discuss the basic concepts of simulation, its application to systems (especially mission-critical and cyber-physical systems) and will explore how it can be applied to systems to deliver cybersecurity outcomes.

12:15 5A: Unlocking Business Value Through Effective Cyber Security Strategy and Architecture Speaker(s): Chirag Joshi

Chirag Joshi

Founder & CEO, 7 Rules Cyber (Australia)

Chirag is a seasoned cyber security executive with extensive experience building and leading cyber security, risk management, and compliance programs in multiple countries across various industries. He is the Founder and Chief Executive of 7 Rules Cyber - a cyber security company focused on enabling businesses to be secure in a cost-effective and efficient manner. He has built the company on the key pillars of strategy, architecture and culture.

Yes, you can be cyber secure and optimise investments! Here's how....

As cyber security challenges continue to mount, organisations are feeling the pressure to keep investing in order to be secure. However, we cannot spend our way out of the cyber threats and risks that are confronting us. This is especially true in the economically challenged environment that currently exists. There are rising frustrations on both the business executive and cyber security sides. Business executives aren't seeing the right return on their cyber investments, while cyber teams are increasingly feeling the pressure of keeping up with workloads and managing burnout. There needs to be a smarter way to address these issues.

This session will look at the challenges facing executives and cyber teams and recommend practical, actionable takeaways in the following areas:

  • Formulating a cyber security strategy that is truly business-centric and enables the organisation to be secure by investing proportionally
  • Giving businesses strategic options on investments and resourcing aligned with levels of cyber protection tied to the right metrics
  • Realising cost optimisation and an improved security posture through a holistic approach to security tooling as part of Enterprise Security Architecture

12:15 5B: Digital Safety and Protecting our Cyber-Physical World. Episode 3: Liability In an AI World Speaker(s): Andy Prow

Andy Prow

Founder, Qubit Cyber (New Zealand)

Andy is a cyber-security veteran with 28 years of IT experience, over half of which has been in cyber security. From being a software developer for global giants such as IBM, Ericsson & Vodafone, to pen testing and vulnerability research, to more recently as a tech entrepreneur founding 5 firms, including Aura InfoSec (purchased by Kordia in 2015) and RedShield Security which now protects thousands of web apps and critical systems across globe. Andy is a previous winner of the EY NZ...

More human interaction now occurs in the digital realm, than the physical realm.

We are utterly dependent on the digital world for our daily lives to function.

Definition: “Digital Safety = where vulnerabilities and exploits on software, cause harm and damage to the physical world and humans.”

In this 3rd episode in the Digital Safety saga, I’ll be further challenging:

  • How can you possibly know the full stack of code and software that runs in a complex system? (For example, a fully autonomous rail network.)
  • Even if you do know, how can you possibly know that each and every component is secure, tested and fit for purpose?
  • Who is then liable for that code and the physical damage caused by exploited vulnerabilities in it? The end provider? The software developer? The pen-tester?
  • Then, what about AI-generated code? Are we making the problem smaller, or larger? Both in regard to the quality of, and vulnerabilities in, the code, and also who is liable for the physical damage the AI’s code may cause?

In short, what insights and learnings can we get from how we build a world of “Physical Safety” and apply them to how we provide “Digital Safety”?

13:00 - 14:00 Lunch

14:00 6A: Shifting Left: Data Driven Business Risk Intelligence introduced the SABSA way Speaker(s): Paul Blowers

Paul Blowers

Principal Consultant, Hi-Spec Security (New Zealand)

Paul Blowers has more than 35 years experience in security. He is a certified SABSA® practitioner and advocate, and an APMG practiced Business Change expert. He has extensive experience supporting Law Enforcement, Defence, Intelligence, Border Security, and securing critical infrastructure environments.

My presentation will introduce the concept of integrated business assurance built on a foundation of data-driven risk intelligence that supports the hypothesis of truly adaptable security.

Using anonymised case studies from the pandemic and post-pandemic business change years, I will highlight how three organisations have embraced the ‘Shift Left’ concept. ‘Shift Left’ moves security from point-in-time, disparate solutioneering to a place of complete business immersion: no longer the business outcast but a true business outcome enabler.

14:00 6B: Neuro Linguistic Programming – What We Know About Reprogramming the Brain and Enhancing Human Performance Speaker(s): Ashling Lupiani, Kathleen Mullin

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SABSA SCF, is a Cognitive Solutions Developer at City of Hope. She is a neuroscientist and biomedical engineer with experience in speech and gait research. She spent 5 years running neurorehabilitation engineering studies with human participants and conducting data analysis to investigate sensorimotor systems. She co-authored 5 papers and presented at conferences in Toronto and Boston, USA, COSAC APAC 2023 & 2024, and COSAC 28, 29 & 30.

Kathleen Mullin

CISO, MyCareGorithm (USA)

Kathleen Mullin is an influential information security practitioner and international speaker with over twenty-five years of experience. She started her career in Accounting and Internal Audit before moving into IT and finally Cybersecurity. She has been a CISO, focusing primarily on healthcare. Most recently, she is CIO|CISO for MyCareGorithm. Throughout her career, Kate has volunteered and contributed to information security as a profession, including serving on multiple board and advisory...

This novel and unique discussion on changing the way we think and enhancing human performance using neuro linguistic programming (NLP), from the perspectives of both neuroscience and information security, was presented at COSAC 30 and has been updated with that audience’s feedback. Debunking current Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

NLP is referenced in self-help programs and seminars, and in security awareness and leadership training. The basic concept is tied to “reprogramming the nervous system through the use of language”. False concepts and pseudoscience about brain programming, offered as ways to communicate effectively, influence others and change our own thoughts, creep into presentations of otherwise accurate information and can skew the material to the point of being entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to influence system changes, develop awareness training, and create appropriate defences against malicious hacking attempts.

The value in this session is providing information from current brain science to use in training. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain.

14:50 7A: Risk Ownership Using SABSA Domain Architecture Speaker(s): Gabriel Akindeju

Gabriel Akindeju

Chief Security Officer and Managing Consulting Director, Risks Consult Ltd (New Zealand)

Gabriel Akindeju is an innovative and strategic Technology Risk Management and Security Management thought leader with a background in Enterprise Technology Risk Management and Enterprise Security Governance and Architecture; Information Systems Management; Instrumentation and Controls Engineering; Electronic and Electrical Engineering; PRINCE2 and Agile practices. His overall objectives are to help organisations leverage effective technology risk management and security for the creation of...

Risk Management

Risk Management in its very basic form requires identification, assessment (impact and likelihood), current controls assessment, mitigation controls definition, and monitoring and reporting of risk over the active lifetime of the risk record. In some instances, and depending on the nature and maturity of risk management disciplines, concepts like inherent risk, control risk, residual risk, risk appetite and tolerances, risk optimisation, etc., can be introduced to enrich the strategic leverage of risk management. All of these have a critical dependency on “risk ownership and accountability”. Without an appropriate “risk ownership and accountability” assignment model, risk management can often appear academic, theoretical and highly abstracted, delivering no real value to the organisation. In this unfortunate situation, risk management and its associated records simply become the graveyard or the “too-hard” basket for issues and problems. Managers absolve themselves of any accountability and/or responsibility once their teething issues and problems make their way into the too-hard basket, the Risk Register, never to be talked about again.

In many organisations risk accountability assignment is a very complex, thorny issue. Several stakeholders have bona fide interests in specific business resources and would be impacted by plausible risk vectors. However, the differential individual interests are not significant enough for them to voluntarily take on unequivocal and active accountability for the specific risks. In other instances, each impacted stakeholder feels a strong attachment to specific risks and has different views on how these risks should be managed, to the point of passive-aggressive tension. Both of these situations lead to the same risk graveyard scenario raised above.

SABSA Risk Domain Architecture - One of many solutions

Risk Management could be a strategic foundation for a wide range of management processes – including but not limited to general business, technology governance, security, etc. To enable this strategic capability, there needs to be a sound and objective method of assigning risk ownership and accountability. One such method is the Sherwood Applied Business Security Architecture (“SABSA”) Domain Architecture concept. Domain concepts - single domain, super-domain, sub-domain, peer domain, multi-tiering, inter-domain interactions, complex inter-domains policy associations, etc - can be combined with standard RACI (Responsibility, Accountability, Consult, Inform) model to construct a useful method to resolve the fundamental issues around risk accountability assignment. In the discussion below, I lay out (a) some SABSA Domain Architecture concepts and a simple application construct, (b) a requisite highest ranked lowest common node accountability test, and (c) high level application of the construct.
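
As an added example of the domain-plus-RACI construct described above (example code, not the speaker's method; the domain names, the owners and the exact accountability rule are constructed assumptions), the following Python models the domain hierarchy as a tree of sub-domains under super-domains and assigns Accountable for a risk to the authority of the lowest domain whose sub-domains contain every impacted domain, which is one plausible reading of a "lowest common node" test. Owners of the impacted domains are Responsible, owners of domains lying between an impacted domain and the common node are Consulted, and owners above the common node are Informed. The point of the construction is the property the abstract asks for: every risk record gets exactly one accountable authority by rule, so nothing can land in the register without an owner.

```python
"""Added example (not the speaker's method): a SABSA-style domain tree combined
with RACI to assign risk accountability. Domains, owners and the accountability
rule are constructed assumptions for this example."""

# Constructed domain hierarchy: sub-domain -> super-domain (None marks the root).
DOMAIN_PARENT = {
    "enterprise": None,
    "retail-banking": "enterprise",
    "payments": "retail-banking",
    "cards": "retail-banking",
    "technology": "enterprise",
    "platform": "technology",
}

# Constructed domain authorities: the single owner of each domain.
DOMAIN_OWNER = {
    "enterprise": "CEO",
    "retail-banking": "Head of Retail",
    "payments": "Payments GM",
    "cards": "Cards GM",
    "technology": "CIO",
    "platform": "Head of Platform",
}


def ancestors(domain):
    """Path from the domain up to the root, the domain itself first."""
    path = []
    while domain is not None:
        path.append(domain)
        domain = DOMAIN_PARENT[domain]   # KeyError on an undeclared domain is deliberate
    return path


def lowest_common_domain(domains):
    """Lowest node of the tree whose sub-domains include every impacted domain.
    This is the example's reading of the 'lowest common node' accountability test."""
    if not domains:
        raise ValueError("a risk must impact at least one domain")
    common = ancestors(domains[0])          # ordered bottom-up, so common[0] is lowest
    for d in domains[1:]:
        on_path = set(ancestors(d))
        common = [c for c in common if c in on_path]
    return common[0]


def assign_raci(impacted_domains):
    """RACI for one risk record:
    A: owner of the lowest common domain (exactly one person, never empty)
    R: owners of each impacted domain
    C: owners of domains between an impacted domain and the common node
    I: owners of domains above the common node"""
    lcd = lowest_common_domain(impacted_domains)
    responsible, consulted = [], []
    for d in impacted_domains:
        if DOMAIN_OWNER[d] not in responsible:
            responsible.append(DOMAIN_OWNER[d])
        for mid in ancestors(d):
            if mid == lcd:
                break
            if mid != d and DOMAIN_OWNER[mid] not in consulted:
                consulted.append(DOMAIN_OWNER[mid])
    return {
        "domain": lcd,
        "A": DOMAIN_OWNER[lcd],
        "R": responsible,
        "C": consulted,
        "I": [DOMAIN_OWNER[a] for a in ancestors(lcd)[1:]],
    }


if __name__ == "__main__":
    for name, domains in [
        ("card-not-present fraud", ["payments", "cards"]),
        ("shared platform outage", ["payments", "platform"]),
    ]:
        print(name, "->", assign_raci(domains))
```

For a risk touching only "payments" and "cards" the rule lands accountability on the Head of Retail with the two GMs responsible and the CEO informed; widen the blast radius to "payments" and "platform" and accountability climbs to the CEO, with the Head of Retail and the CIO consulted because the risk passes through their domains. Undeclared domains raise rather than silently returning no owner, which is the failure the too-hard basket depends on.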

14:50 7B: Top down: An Experience with Mutiny Speaker(s): Kirren Hartas

Kirren Hartas

Security Architect, On the Business Pty Ltd (Australia)

Kirren started his career in the Australian Department of Defence as a technical trainee in the mid-90s and has worked across various elements of the Federal Government as a public servant, consulting engineer, project manager, security specialist and generalist. During this time, Kirren has developed the opinion that what the government asks for and what it needs are two very different things and so has spent much of his time trying to assist them in developing that understanding across...

We embark on the good ship Access Management. We have a clear direction from the captain to move from the fjords of isolated data bays to the sea of open access seeking analytical riches. However, the crew has been working the closed bays of the fjords for aeons and think the captain is not considering the perils the open sea represents. The ship therefore stays in the apparent safe harbour of endless segregation, limitless localised risk scopes and ingrained process all pulling on the tiller while the ripe shoals of opportunity pass them by. Mission success is declared because they couldn't see the sea.

As a crew member on that ship, it has baffled me for some time as to how this occurred. After some soul searching and a pinch of analysis, I came to understand this was a function of a complex set of interplays that generally tie back to the human condition. I will demonstrate how localised risk scopes prevent lateral vision; that access to information is used as a power trip; and that people assume how things work based on how it appears to them. These elements combine to establish a form of human thinking where ownership (maybe accountability) gets lost in process (this is how it's done), inheritance (this is how it was always done) and learned helplessness (what do you mean we can change how it's done). I will share some of the tools and techniques that I used to try and combat this environment, but I will also ultimately show how the bureaucratic tools of perverted reporting, scope manipulation and waiting until being overtaken by events mean that success was always guaranteed, thereby undermining any lessons learned that might be taken.

15:35 - 15:55 Afternoon Coffee

15:55 8A: Not Too Heavy, Not Too Light, Getting Your Cyber Security Architecture Just Right Speaker(s): Bruce Large

Bruce Large

OT Cyber Security Team Leader, Powerlink (Australia)

Bruce Large has 15 years experience working with IT and OT in network, telecommunications and system engineering roles. Bruce has worked in Electricity Generation & Transmission, Railway, Aviation, Emergency Services and Consulting industries. Bruce considers himself a security architecture enthusiast as well as an infrastructure tourist. He is a Foundation Chartered SABSA Architect (SCF), is (still..) working on his A3 SCP paper, holds the GIAC Response and Industrial Defense (GRID)...

Cyber security architects understand the value of an Enterprise Security Architecture to ensure that the business is exploiting positive opportunities and managing negative risks. However, whilst the benefits of a traceable and justified ESA are obvious to security practitioners it is difficult to develop an architecture in the first row and column of the SABSA matrix. Too often, businesses know they need an architectural framework, but stakeholders are discouraged by the time investment of a full ESA. What businesses desire is an appropriately sized and managed approach to applying cyber security solution architecture.

The aim of this presentation is to have a discussion with the audience on what is the “right level” of cyber security architecture. The session also aims to critically analyse the key components of a SABSA ESA and determine how architects can adjust to match the needs and maturity of the target organisation. Ideally, this presentation gives direction for how organisations can invest in a crawl, walk and run approach to developing a flexible “right sized” security architecture for their business needs. Bruce believes the answer lies in the application of the SABSA Fast Track approach …

15:55 8B: Mentor, Learn, Repeat Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Mentoring those new to the field or new to our organizations is one of the least emphasized yet most important of our responsibilities. But if we’re going to mentor others, we surely had better know the details and peculiarities of what we’re trying to have them learn. Okay, principles haven’t changed much since security graybeards were coding access control lists and carrying their card decks to be read into mainframes: Availability, Integrity, Confidentiality. But the actual technology and the specifics of the threats change so fast and so continually that keeping up would be a full-time job if we didn’t already have one. And ChatGPT won’t provide us a guidebook.

Advantages of mentoring include getting some help for ourselves. We encourage “mentees” to take a balanced and nuanced view even when circumstances might seem to call for “panic.” In this interactive session, we focus on mentoring others and on keeping ourselves up-to-date. We’ll look at effective ways to guide others and cite some key elements of successful mentoring programs that receive positive feedback from both mentors and mentees. We’ll cover pitfalls to avoid and examine ways of fighting the uphill battle to keep current on techniques, threats and technology. Your own experiences as mentor and/or mentee will be solicited and welcome. Come join us.

16:45 9A: Putting Security Frameworks into Practice in the Energy Sector Speaker(s): Dane Hobson

Dane Hobson

Principal Cyber Security Architect, Western Power (Australia)

Dane Hobson has more than 15 years' experience working in Operational Technology environments in the transforming energy industry with a wide exposure to cyber security challenges. Dane now brings strategic direction and technical leadership to a Security Architecture and Governance role at Western Power to lay a strong and secure foundation for the State’s energy future.

This session will present a practical framework for implementation of an Enterprise Security Architecture using SABSA and key points of contact with other standards or frameworks such as ISA/IEC 62443, ISO55000, and the AESCSF v2.

With the pace of digital transformation, security architects are facing challenges in supporting a coordinated, interoperable design and a reusable set of cyber security artefacts across the enterprise. This session will address how to share a common language between IT and OT cyber security practitioners, based on the business context and cyber security risks, and how to inform cyber security requirements and cyber security controls following a systematic process that enables traceability to business requirements (justification) and cyber security solutions (completeness) enterprise wide.

This session will be based on the presenter’s practical experience in Operational Technology environments, and the lessons learnt through the planning, design, and implementation of this approach in an Australian energy utility.

This session will challenge and encourage the audience in working through how security solutions are delivered to assets across the organisation, with a holistic and risk-informed view. It will also provide some examples of artefacts to address the business security context, compliance demands, and the evolving digital environment.

16:45 9B: Sleepwalking into a Digital Deception Identity Crisis Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Barely a day goes by without us hearing of how digital services are changing our lives, typically through new products and services that give us more choice and tailored on-line experiences. Generally, businesses embrace digital capabilities to help reduce their operational costs and, no doubt, this trend will continue.

Working within the tech community we are very likely to consider ourselves technology aware and, generally, increasingly take advantage of digital services. It is important however that we address the fact that there are substantial sectors of society that are classified as digitally disadvantaged and who struggle to participate in an increasingly digitally based and digitally dominated society. This needs to be addressed as part of ethical business policy and practice.

Digital disadvantage occurs when one person or group of people receive different, more harmful experiences of digital services when compared to others. It encompasses a range of elements from inclusion to skills and attitudes and is closely linked to broader social disadvantage. Digital exclusion occurs when a person or group of people cannot access digital services for one or more of a variety of reasons from having no physical access to digital services to being unable to validate their identity through a lack of valid digital credentials.

You might think that this could never apply to you … but I believe the pool of digitally disadvantaged people is growing, and not necessarily among those sectors you may expect.

Where businesses are increasingly struggling with unambiguously identifying their users, most of whom they will never have met in person, they rely on digital artefacts to establish and verify identity. The datapoints they use are no longer just date of birth, passport or country ID number and credit history but, for example, now include mobile phone operation as part of the dataset, and this approach of using more and more datapoints can have unexpected consequences, and not in a good way.

In this talk (and debate) I will highlight how AI enabled deception services can produce synthetic identities with sufficient data points to appear genuine and amplify the problem of making more real people outliers because they lack these additional markers.

I expect us also to consider the emerging problem of loss of control of critical biometric identity information as (typically younger) people give away their DNA and retinal scan data in exchange for a service or, in the latter case, crypto coins.

Plenary Session

17:40 10P: Securing Machine Learning Ops (MLOps): An Organisational Approach Speaker(s): Debi Ashenden

Debi Ashenden

Director of IFCyber, University of New South Wales - UNSW (Australia)

Debi holds the DST Group-University of Adelaide Chair in Cyber Security. In addition, she is a Visiting Professor at Royal Holloway, University of London. Debi was previously Head of the Centre for Cyber Security at Cranfield University at the Defence Academy of the UK. Her research interests are in the social and behavioural aspects of cybersecurity – particularly in finding ways of ‘patching with people’ as well as technology. She is currently researching how to fuse behavioural science with...

While the use of machine learning (ML) offers a lot of promise to organisations, industry studies suggest that many ML projects are unsuccessful. Part of the problem is often in the operationalisation of ML (MLOps). A lot of attention is paid to getting the right tool set to deliver an ML model into production, but less effort tends to be spent on understanding how ways of working across the organisation need to adapt to ensure security risks are managed. To use a familiar trope - secure MLOps is not just about the technology and tools being used, but also about policies, processes, and people. This presentation will use the results of our research to date to examine organisational security in the context of MLOps, exploring the policy decisions that need to be made about risk, automated decision making, the use of digital twins, legal requirements around data, and the need for people with ‘T’-shaped skills.

Networking & Dinner

18:45 Drinks Reception
19:15 Dinner