
Tuesday 28th February 2023

08:30 - 09:00 Delegate Registration & Coffee

09:00 1P: COSAC APAC 2023 Chairman's Welcome Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 41st year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

09:30 2A: Raiders of the Lost Attributes Speaker(s): Robert Laurie

Robert Laurie

Deputy CISO / Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

SABSA measures the impact of risk on attribute performance targets within a domain and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle with the whereabouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute, or are we searching for the missing link in this view?

In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition.

09:30 2B: Autonomous Intelligent Cyber-defense Agents: Next-Generation Cyber Resilience

Achieving cyber resilience for our critical systems using traditional, human-intensive methods is becoming more difficult as adversarial tactics, techniques and technologies outpace our current cyber defenses. New and disruptive techniques are needed to not just catch-up to the increased risk of cyber threat vectors, but to surpass the threat to attain cyber resilience.

This presentation provides an introduction of how we can collaboratively develop and acquire Autonomous Intelligent Cyber-defense Agents (AICAs) for next-generation cyber resilience.

This presentation explores and discusses the future of autonomous cyber defense and resilience techniques from the human perspective; as well as how this new paradigm for autonomous intelligent cyber-defense agents may be integrated with our human cyber protection team with transparency and explainability. It introduces the AICA International Working Group’s ongoing efforts to develop a new reference architecture for implementing autonomous intelligent cyber-defense agents and transition the science from concept to reality for battlefield applications.

We will discuss the definition for intelligent cyber-defense agents, and the requirements and challenges associated with this approach, including: Infrastructure, architecture and engineering; Individual and collective decision-making; Stealth and resilience; Societal considerations.

We then examine and discuss modernizing for tomorrow through the application of cyber-defense agents by exploring the need and requirements for human-machine teaming. This portion of the presentation will present novel techniques for aligning human and machine mental models and user interface techniques for gaining transparency and explainability for artificial intelligence (AI) and cognitive solutions.

10:30 3A: Space Systems, Cyber Security and SABSA Attributes Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

The space sector is undergoing a new surge in activity as major advances in technologies create opportunities for existing space systems owners (e.g. governments, SATCOM telcos) and new players to design, build, launch and operate new space systems and services. At the same time, there is increased use of and reliance on space services within the general economy.

All space systems and services are complex technology-based platforms that have specific cybersecurity concerns and attributes. This session will discuss these issues around the application of cybersecurity to space systems, current developments in security in the sector and review the applicability of specific SABSA attributes to the security architecture of space systems.

10:30 3B: Win Conditions: Designing & Evaluating your Security Exercise Campaign Speaker(s): Kirk Nicholls

Kirk Nicholls

Director, No Duff Security (Australia)

Kirk is a security advisor with a focus on disaster and incident response exercises. He develops and manages exercise programs through the discipline of serious games, using research-based practice. Through the lens of serious games, simulation and a military background he enables clients to gracefully handle the unexpected.

Exercises are useful training, validation and discovery tools for any security program but are also becoming formal business requirements. Many legal and governance frameworks such as CPS234 and the Australian ISM call for regular testing of incident response systems. As a result security leaders find themselves adding exercises to their calendar and wondering how to effectively conduct exercise campaigns while showing positive return on investment.

It’s dangerous to go alone. Fortunately we can turn to the field of serious games for tools and maps to ease the path. We will venture through the key conceptual landmarks, drawing linkages to familiar architectural concepts using a SABSA lens. The journey will build on existing security architecture muscles to support both exercise design and evaluation. This session will guide you to design your campaigns to align with your security priorities. We will explore ways of defining what ‘good’ looks like and translate that into exercise design. You will leave the session with clear signposts for demonstrating the impact and value of your exercise program to your leadership team.

11:20 - 11:40 Morning Coffee

11:40 4A: Just Give Me a Number!

Despite the investment in cyber security over decades, many security teams are still wedded to qualitative methods. When the business comes asking for our evaluation of something it all comes down to will the answer be high, medium or low this time? We categorise into one of 3, 4 or maybe even 5 ordered categories. Based on these ordinal scales we turn out the same charts to communicate security to the business. We still hear the argument that senior leadership’s brains would explode if we tried to explain it. But they think we’re just fudging it and say, “what do you expect us to do with this?”. They want a number. Numbers can be added, multiplied and averaged. They can be compared to other people’s numbers; they can be plugged into models. This is the 21st century, quantitative methods are what is needed.

So now we get asked for a number? Once delivered, that number will be the expert opinion, quoted as gospel and combined with other such numbers in ways we cannot begin to comprehend, and cannot control. It’s true, there are fewer places to hide: we’re now being asked to be certain of our uncertainties. So, what to do? We do what everyone would do: we pad the numbers, and we do it early. When combined, the padding grows and the numbers lose even more accuracy. But they also gain the illusion of precision, which merely serves to make them more trustworthy to the masses. Oh, and the numbers are often just as subjective as the qualitative methods that came before.

Do we even consider the risks relating to our risk management frameworks and methods themselves? If we misrepresent risks to the business, it may not be those risks that derail us, but the decisions made based on the bad data. SABSA does not magically resolve this issue: it is commonplace to see single numbers for risk (and its constituent elements), performance targets and risk appetite.

This session will discuss some pitfalls of quantification as well as questions such as:

  • How can we express our uncertainty so that it survives the calculations that will follow?
  • How can we improve our objectivity and deliver numbers that we’re confident are accurate and are sufficiently precise?
  • How do we enable aggregation with numbers we didn’t produce?
  • Do we need expensive specialised tools to get started?

11:40 4B: Improving Healthcare Cybersecurity During a Pandemic Speaker(s): William Schultz

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

In this session we will discuss the growth of a cybersecurity risk management program at a Healthcare organization during the COVID-19 pandemic. In addition to the pandemic, we were also experiencing an unprecedented increase in targeted cybersecurity attacks, as well as maintaining consistent organizational growth. We will discuss the significant executive leadership support that enabled and drove the cybersecurity improvement efforts even while they were dealing with the significant impacts of COVID-19, and setting up the organization as a leader both regionally and nationally. The key topics will include discussion of our efforts around the enterprise cybersecurity risk management program and IT vendor risk management program, as well as the significant collaborations with IT and clinical colleagues that have proven to be essential to our success. We will discuss successes, lessons learned, and next steps as our journey continues.

12:40 5A: Beyond Cyber Risk Management Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

CEO, Qiomos (UK)

Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future proof information security strategies and helping organisations implement...

Despite the ever-increasing investment in cyber security, organisations are still struggling to implement an integrated approach to cyber risk management and reporting. More often than not decision makers rely on poorly structured reports which are skewed towards technical jargon and as such fail to convey an accurate or consistent articulation of the risk exposure.

This presentation will cover the common pitfalls of attempting cyber risk quantification, even in mature end-client environments, in an attempt to frame the problem and identify its main root causes. It will then move to introduce a more architecture-focused approach on how to build an integrated single data model that encapsulates the security fabric and holds everything together as an interdependent network of nodes. The structure of the data model, with its various layers of abstraction, provides a reliable mechanism to utilise actuarial data, mine insights and support effective decision making. Most importantly, it breaks away from the siloed mentality and the disconnected thinking it usually fosters, puts the emphasis on what is materially important and communicates the most essential information for a complete risk profile.

12:40 5B: Ransomware and Wiperware in Healthcare Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, My Virtual CISO (USA)

Kate Mullin CISSP, CCSFP, CDPSE, SABSA SCF is an influential information security practitioner and international speaker with 25+ years of experience. Kate has been a VCISO and was CISO at various organizations, including privately owned (Cancer Treatment Centers of America), publicly traded (WageWorks), private equity (HealthPlan Services), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TPA). Throughout her career, Kathleen has volunteered and participated in...

This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place, systems are highly integrated, funds are limited, and manufacturers still sell systems with obsolete operating systems.

Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware.

The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals.

The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives.

13:30 - 14:30 Lunch

14:30 6A: Deep Behind Enemy Lines with SABSA Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with nearly 25 years in retail, tertiary education, hospitality, sport and gaming, financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board, Founding Member of the SABSA Institute and a director of the SABSA Founders Bursary. He is currently the CISO of the international Phoenix Group.

“They are in front of us, behind us, and we are flanked on both sides. They can’t get away from us now!”
Lt.Gen. Lewis “Chesty” Puller, USMC

The environment is a mess. The architects are proselytizing. The engineers want you to go away. The project managers are flogging dead horses everywhere while shutting out distractions from you. The auditors are sticking the knife into you. Management is screaming at everyone for updates. The business hates the whole damn lot of you.

And there you are, right in the centre of the storm, being handed your rifle, pointed at the direction of the enemy and told to start running!

All too often, we are faced with the unenviable circumstance of being dropped into a swirling maelstrom of conflicting goals, priorities, challenges, ideas and personalities, and are expected to start pulling rabbits and unicorns out of the proverbial hat – and all while being watched and ruthlessly judged by your peers, your management and the Board!

If all that sounds like it’s enough to make you curl up into a foetal position wrapped in a Dettol-soaked blanket mumbling random prose in haiku*, then this presentation is for you!

In Deep Behind Enemy Lines with SABSA, 20 years of practical experience is brought to bear to provide you with the joie-de-guerre to face an enormously complex and challenging environment, win allies and set yourself up to succeed with SABSA. Before you know it, you will dive headlong where angels fear to tread, with a smile on your face, into the fray of a real corporate environment and revel in a resounding victory!

* based on actual events

14:30 6B: Let's get Cyber Physical: Aligning SABSA and the ISA/IEC 62443 Standard Series Speaker(s): Bruce Large

Bruce Large

OT Cyber Security Team Leader, Powerlink (Australia)

Bruce Large has 15 years’ experience working with IT and OT in network, telecommunications and system engineering roles. Bruce has worked in Electricity Generation & Transmission, Railway, Aviation, Emergency Services and Consulting industries. Bruce considers himself a security architecture enthusiast as well as an infrastructure tourist. He is a Foundation Chartered SABSA Architect (SCF), is (still..) working on his A3 SCP paper, holds the GIAC Response and Industrial Defense (GRID)...

This session will present a framework integration of SABSA and the ISA/IEC 62443 Standard Series which addresses Cyber Security for Industrial and Automation Control Systems. With the increased public awareness of cyber security incidents affecting Industrial Control Systems (ICS) and the industry drivers to converge Information Technology and Operational Technology, we need a true enterprise security framework that works for both IT and OT. The session will draw upon the presenter’s practical experience as a security architect working in Operational Technology environments. 

This session will educate and inform the audience about the nuance of Operational Technology (OT) cyber security through the application of ISA/IEC 62443. This application will enable critical infrastructure operators to manage their risks and opportunities for cyber physical systems in a truly holistic and whole of enterprise manner. The debate for convergence has passed, now it is about making risk informed integration decisions. 

The session will make it real by using a worked example of the fictitious State Power Corporation Enterprise Security Architecture. The session will also encourage audience participation in working through common assumptions for the state of OT cyber security and challenge the audience to consider the differences of IT and OT.

15:30 7A: I Shot the (Sheriff) Architect but I Didn't Shoot the Deputy Speaker(s): Pete Wolski

Pete Wolski

Head of Information & Cyber Security, MYOB (Australia)

Peter is an experienced security professional, currently Head of Information and Cyber Security at business management platform MYOB. With 18 years’ experience in various roles and industries, Peter has supported a variety of public, commercial, regional and global clients. In his most recent roles Peter has focused on engaging with business and technology management, enhancing risk awareness and mitigation through planning, strategy and technology architecture. He is focused on discovering...

Does a scale-up software engineering company need a security architect to have a successful security program? Is strong technical leadership and a strongly business aligned security engineering community of practice enough? This session will interrogate the trade-offs and pitfalls of choosing to do away with the security architect role.

At MYOB, we set out to engender strong security practices as opposed to creating a security architecture. Our guiding principle is that the business aligned security team can build the solution with engineering teams in addition to guiding and influencing. We also asked what could be borrowed from architecture frameworks and applied to a digital products organisation. In a world where objectives and key results drive business outcomes can the SABSA attributes model be augmented to deliver the same security outcomes?

Are these concepts sustainable in the long term? How does a security program keep aligned to strategic outcomes with engineers, not architects?

15:30 7B: Digital Safety and Protecting our Cyber-Physical World Speaker(s): Andy Prow

Andy Prow

Founder and Tech Entrepreneur, RedShield Security (New Zealand)

Andy is a cyber-security veteran with 28 years of IT experience, over half of which has been in cyber security. From being a software developer for global giants such as IBM, Ericsson & Vodafone, to pen testing and vulnerability research, to more recently as a tech entrepreneur founding 5 firms, including Aura InfoSec (purchased by Kordia in 2015) and RedShield Security which now protects thousands of web apps and critical systems across globe. Andy is a previous winner of the EY NZ...

More human interaction now occurs in the digital realm, than the physical realm. The internet is where our kids grow up. Software is running our physical world. Yet we have more vulnerabilities and more exploits than ever.

The cyber-security sector has historically been defined as the “protection of computers and networks”, and yet our roles are fast becoming way more than this...

This presentation covers "Digital Safety" and what that means, not only to us as practitioners, but particularly to the people who want to feel and be safe both online and in the physical world.

I’ll be challenging current thinking in areas such as:

  • What happens when exploits to our digital realm impact the physical realm?
  • Are we equipped to cope? Are our current “IT risk management and security protocols” sufficient to protect the physical world?
  • Should boards be legally liable for physical injury caused by software breaches?
  • Who would be willing to guarantee and warranty their systems against breaches?

In short, security weaknesses in our digital realm are already impacting our physical realm. What insights and learnings can we get from trying to build a world of “Physical Safety” into how we provide “Digital Safety".

16:20 - 16:40 Afternoon Coffee

16:40 8A: Gaining Business Value from Security Architecture Speaker(s): Andreas Dannert

Andreas Dannert

Principal Enterprise Security Architect, Standard Chartered (Singapore)

Andreas is Principal Enterprise Security Architect at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of Australians.

This session will focus on the challenges of maximising the business value organizations can gain from their Security Architecture function in middle to large sized, compliance driven organizations, like finance and banking for example.

The session will be based on personal experiences in the Telecommunications and Financial industry. It will cover how combining enterprise architecture governance, information management approaches and other architecture models, frameworks and concepts will be essential for gaining value from an organization’s security architecture function.

While SABSA might be a good starting point for aspiring security architects to plan for security changes, it does not go into detail of integrating change and operations to deliver business value. For this it is important to understand business service models, business capability maps, organizational taxonomies and more. Enterprise architecture maturity and governance can have a huge impact on the value security architecture can contribute to a business. The presenter will share his experiences and views on these and other aspects, providing an insight into what factors outside of the Security Architecture function will be equally important when an organization wants to establish a more mature security architecture capability and get value beyond ticking a compliance box.

At the end of this session participants should be able to understand the challenges that need to be addressed when being asked to setup or mature Security Architecture capabilities in an organization. This presentation should assist CISOs, senior executives, and senior security architects in gaining a broader understanding of the interplay between security architecture, enterprise architecture and other business aspects, like corporate culture and organizational structure, when it comes to delivering business value through security architecture.

In the spirit of COSAC, this session will hopefully provoke lots of questions, discussions and sharing of experiences that will assist in building and maturing Security Architecture in organizations that not only want to tick the business compliance box when establishing a security architecture function, but also want to see some tangible returns, like increased customer trust and business agility for example.

16:40 8B: Misinformation for Fun and Profit Speaker(s): Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SCF, is a Cognitive Solutions Developer at the City of Hope. A neuroscientist and biomedical engineer with experience in speech and gait research, she spent 5 years running neurorehabilitation engineering studies with human participants and conducting analysis to investigate sensorimotor systems. She co-authored 5 papers and presented at conferences in Toronto and Boston, and COSAC 28 & 29. Ashling has a BA in Neuroscience from Boston University, & an MS in Biomedical...

This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive.

The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements. The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not.

This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape.

Plenary Session

17:40 9P: De-biasing the Security Architect Speaker(s): Patrick Dunstan

Patrick Dunstan

Head of Cyber Security, Seqwater (Australia)

Patrick (Pat) Dunstan leads the Cyber Security Team for Southeast Queensland’s Bulk Water Authority and has over 15 years’ experience leading cyber teams and delivering security outcomes for some of Australia’s largest companies. Pat has a broad and deep background in cyber security and has experience working across multiple verticals, including security operations, penetration testing, cyber consulting, security architecture and management. Pat is an engaged student on the subject of risk...

Good decisions are at the heart of every successful security architecture. A security architect must constantly make good decisions and sound judgements to protect business assets from harm and keep an enterprise safe. But what if these decisions weren’t always sound? What if these judgements were just plain wrong? The truth is that making good decisions is hard. Decades’ worth of behavioural science research has consistently shown that humans aren’t naturally wired to make good decisions. Our mental makeup is subject to many biases that impair our decision-making. In the context of SABSA security architectures, these biases can adversely influence how security architects make good risk decisions and protect business assets. Poor decision-making in this respect can be costly and jeopardise the overall value proposition of a security architecture. This presentation will focus on some of the more common biases that arise when designing security architectures and what can be done to overcome them.

Networking & Dinner

18:45 Drinks Reception
19:15 Dinner