
COSAC APAC: Melbourne, 25-27 February 2025. For 30 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2025 Call for Papers is now open.

Thursday 29th February 2024

09:30 - 10:00 Delegate Registration & Coffee

Workshop W1

10:00 COSAC International Round Table Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

For this iteration of the Forum, we feature a group of experienced, smart, tough, honest, politically savvy, creative, resilient, reality-grounded, and, of course, good looking professionals to address the existing and emerging set of information security problems and issues. Recognize yourself? Always learning, willing to listen to and learn from others who’ve encountered things you might not have, not shy about sharing strategies and techniques, and committed to our strange but very necessary profession.

With minimal moderating by an ancient security geek, a roomful of you and your peers will analyze current events, trends, publications and situations NOT to admire the problems, but to craft possible solutions based on multiple universes of knowledge and experience. It’s a half-day immersion in the COSAC way. Moderator questions or comments on associated issues might engender wildly divergent reactions from attending professionals who experienced a similar event, but had different constraints or objectives or working tools or eventual outcomes. The moderator tries to avoid getting in the way, allowing participants to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

In past Fora, we solved the information security problems of the world. Unfortunately the world allowed new problems to arise and blossom. And some we stuck stakes into the hearts of didn’t stay down and buried. Join us and help solve the current and maybe future information security problems of the world.

Workshop W2

10:00 Digital Transformation Masterclass Speaker(s): MZ Omarjee

MZ Omarjee

Head: Client Security and Moonshots, Standard Bank Group (South Africa)

Muhammed Zubair (Mz) Omarjee is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as they relate to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative, business-driven and risk-oriented discipline.

An intriguing session that will attempt to re-orient the mindset required to undergo a Digital Transformation. In an unusual manner (not about just technology or apps) this session will provide real world insight and experiences as it relates to the following:

  • The drivers of why we have to undergo Digital Transformation.
  • The thinking required for a Digital Transformation.
  • The Organizational Shift to a Digital Transformation.
  • New ways of marketing.
  • New ways of Hiring.
  • Technologies at play that enable Digital Transformation.
  • Interactive practical activity on how to digitize something that’s highly physical and manual in nature.

Workshop W3

10:00 Using Improv to Improve Tabletop Exercises Speaker(s): Ashling Lupiani, Kathleen Mullin

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SABSA SCF, is a Cognitive Solutions Developer at City of Hope. She is a neuroscientist and biomedical engineer with experience in speech and gait research. She spent 5 years running neurorehabilitation engineering studies with human participants and conducting data analysis to investigate sensorimotor systems. She co-authored 5 papers and presented at conferences in Toronto and Boston, USA, COSAC APAC 2023 & 2024, and COSAC 28, 29 & 30.

Kathleen Mullin

CISO, MyCareGorithm (USA)

Kathleen Mullin is an influential information security practitioner and international speaker with over twenty-five years of experience. She started her career in Accounting and Internal Audit before moving into IT and finally Cybersecurity. She has been a CISO, focusing primarily on healthcare. Most recently, she is CIO|CISO for MyCareGorithm. Throughout her career, Kate has volunteered and contributed to information security as a profession, including serving on multiple board and advisory...

Traditionally, Information Security is the department of “no”, while using SABSA focuses on business opportunity risk and transforms that “no” into “yes”. This presentation looks at how Improv skills for expanding and continuing the scene can be used to increase the value of Tabletop exercises.

This material is relevant and timely as cyber risk insurers ask if tabletop exercises are conducted, external audit firms look at scope and reports from tabletop exercises, and the business looks for tangible results from exercises that use many hours of valuable human resources.

This unique presentation will show how to strategically leverage a tabletop exercise scenario and expand upon it using the Improv techniques of “Yes, And” and “No, But” to overcome scenario objections, get participant buy-in so that they also expand upon the premise, address unrealistic recovery options, and keep creativity in the solutions proposed. Making tabletop exercises fun and producing more relevant and actionable results is the optimal outcome.

The approach of this session will be interactive with the attendees being called upon to participate in portions of a mock exercise leveraging Improv to show the value of using this novel approach and adding fun to what can otherwise be a compliance ritual.

11:35 Morning Coffee

13:30 - 14:30 Lunch

Workshop W4

14:30 4th COSAC APAC Security Architecture Design-Off Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Tech Fellow, Northrop Grumman (USA)

Jason works as a Sr. Staff Cyber Architect & Research Scientist for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa...

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 17 years, with the past 13 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Returning for a 4th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real client scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region, for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome obstacles and deliver actionable architecture quickly. It can be done; this activity proves it.

Workshop W5

14:30 So You Want To Be A CISO Speaker(s): Harley Aw, Kathleen Mullin

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney, Australia with nearly 25 years in the retail, tertiary education, hospitality, sport and gaming, financial, government and resources sectors. He is a certified digital forensic examiner and cybersecurity incident handler, a member of the GIAC Advisory Board, a Founding Member of the SABSA Institute and a director of the SABSA Founders Bursary. He is currently the CISO of the international Phoenix Group.

Kathleen Mullin

CISO, MyCareGorithm (USA)

Kathleen Mullin is an influential information security practitioner and international speaker with over twenty-five years of experience. She started her career in Accounting and Internal Audit before moving into IT and finally Cybersecurity. She has been a CISO, focusing primarily on healthcare. Most recently, she is CIO|CISO for MyCareGorithm. Throughout her career, Kate has volunteered and contributed to information security as a profession, including serving on multiple board and advisory...

A new, unique presentation from the viewpoint of two CISOs from different continents, leveraging and sharing their experiences, their thoughts on the direction the role of CISO is taking, and what someone considering the role should be aware of before taking the leap. In addition, both of these CISOs will share how they have leveraged SABSA in their roles and why it is critical to the success of the CISO, Information Security, and the Business.

This material is relevant and timely, addressing the changing CISO role in light of the SolarWinds CISO’s monthly legal fees tied to the 2020 breach, the CISO from Uber being sentenced to prison by a US Federal jury, and the CEO from Drizly being held accountable for security failures. Similar to how the American Sarbanes-Oxley Act changed the face of Financial Governance across the world, the U.S. Securities and Exchange Commission’s finalized cybersecurity Rule has the potential to have seismic impacts on the Cybersecurity profession.

The value of this session is in helping those considering becoming a CISO, new CISOs, and those who work with CISOs understand the considerations for success, with an approach that is both a presentation and a discussion between the CISOs and the audience.

Workshop W6

14:30 Incident Response Exercise Design Workshop Speaker(s): Kirk Nicholls

Kirk Nicholls

Consultant, SABSA World (Australia)

Kirk is a security advisor with a focus on disaster and incident response exercises. He develops and manages exercise programs through the discipline of serious games, using research-based practice. Through the lens of serious games, simulation and a military background he enables clients to gracefully handle the unexpected.

Do you want to learn to build a functional incident response exercise?

Perhaps you’d like to have clear and measurable exercise goals and performance reporting: the kind that will endear you to your training team and produce clear and actionable reporting. Good news, we can do that together. After all, it’s dangerous to go alone.

The workshop will provide attendees with both support and guidance in developing a plan for a simple incident response exercise. Attendees will be walked through the process of making key decisions and creating usable exercise documents. The workshop will include an introduction to exercise concept development, scenario planning, exercise logistics, communication plans, effective evaluation and post-exercise reporting.

Attendees will leave with a usable exercise plan that will be relevant and usable within their organisation. A selection of video and print resources will be made available for attendees to explore and utilise post-workshop.

16:10 Afternoon Coffee

Conference Close

18:00 COSAC Chairman's Closing Remarks Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.