COSAC 2023 COSAC Connect COSAC APAC 2023

COSAC APAC returns to Melbourne in 2023.

For 28 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2023 delegate registration is now open.

Thursday 2nd March 2023

09:30 - 10:00 Delegate Registration & Coffee

11:35 Morning Coffee

Workshop W1

10:00 3rd COSAC APAC Security Architecture Design-Off Speaker(s): William Schultz,

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.
Jason Kobes

Jason Kobes

Architect, Research Scientist, Professor, Northrop Grumman (USA)

Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...

In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedInPage congratulating them on their achievement!Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Workshop W2

10:00 Filling the Skills Gap: Recruitment, Learning, Diversity & Mental Health

In this exclusive COSAC half-day session we will investigate four unique aspects of our workplace and address the considerable challenges of hiring, developing skills, and supporting the well-being of our teams in one the most stressful professions of the digital age:


The journey starts with a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security.


Part 2 investigates humanity's attempts at passing on knowledge across generations and the lessons we can learn from them to build a strong mentoring program to develop and inspire new people.

Mental Health

Part 3 discusses the state of mental health in the cyber industry, emphasising the unique stresses faced by cyber security professionals, and outlines how industry can begin to tackle this challenge.

Career Change

We conclude the half-day session by revealing the unique challenges faced by professionals switching into security from other parts of the organisation. Using the true story of a career switch we will reveal the expectations versus the reality of a new team member being placed into the firing line.

10:00 Part 1 - Hiring and Managing in Infosec: the Importance of Brain Diversity Speaker(s): Kathleen Mullin,

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...
Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...

This is a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security. Debunking prevalent Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

Utilizing the false concept of “left-” and “right-brained thinkers” and other myths about brain differences to explain how we think and decide influences perceptions and detracts from otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to create appropriate defenses for malicious hacking attempts including hiring and managing diverse teams well-equipped to tackle problems.

The value in this session is providing information from current brain science to use in hiring and managing, including addressing gender bias. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain and the importance of diversity.

10:50 Part 2 - Mentorship: The Foundation of a Healthy Tech Industry Speaker(s): Alfie Oloo

Alfie Oloo

Product Designer, IoT.nxt (South Africa)

Alfi is a Product designer specialising in design systems. Being dyslexic, among other challenges, Alfi eventually dropped out of university, which eventually led to him building his own education through auditory learning (100s of audiobooks). Realising that he had an unusual capacity for auditory communication, He also co-founded the “Edit Undo” Podcast.  Alfi is a lifelong student in the field of mentorship having played the role of a mentor at Jack Academy’s UX Bootcamp and a coordinator...

From the psychological significance of a parent-child relationship to the unravelling of the modern schooling system, in this discussion, we will approach humanity's attempts at passing knowledge on across generations and the lessons we can learn from them and apply in our daily social and professional engagements.

In this series of talks, you will be able to take away Three things.

A strong argument for the importance of mentorship in the building of a relatively new industry.

Building a working knowledge of some of the underlying biological processes that undergird human development

And a clear & PRACTICAL guide on how to begin your career as a mentor in your own domain of knowledge.

11:55 Part 3 - Welcome to the Burnout Club: Mental Health in the Cyber Industry Speaker(s): Andrew Reeves

Andrew Reeves

Director of Organisational and Behavioural Research, Cybermindz (Australia)

Andrew Reeves is a psychologist with a focus on the human aspects of cyber security. He is Director of Organisational and Behavioural Research for, a peer informed not-for-profit organisation dedicated to providing evidence-based mental health support to cyber teams. He has 9 years of experience in the defence and ICT industries and has recently completed a PhD in the area of cyber security employee motivation and fatigue.

“If you are in cybersecurity and are constantly feeling angry, exhausted, bitter and you jump up to the ceiling when your company mobile rings — welcome to the burnout club.”

(CISO Burnout, Medium, 2021)

Recent industry reports state that workplace stress is impacting the mental health of cyber security professionals. In 2020, nine out of ten executives holding either the title of chief information security officer (CISO) or chief security officer (CSO) reported “moderate or tremendous” job-related stress. As a result, the average tenure of a CISO was just 26 months in 2020 due to high stress and burnout, and this is likely to have deteriorated further during the progression of the COVID-19 pandemic. It is further likely that similar trends are occurring not only within CISO groups, but across all role levels within cyber security teams. Consequently, was launched as a not-for-profit initiative to support mental health in the cyber sector. Cybermindz’ mission is to deliver peer-informed, effective, accessible relief and resilience building to stressed and embattled cyber teams. We use military grade, evidence-based protocols to counter burnout. Our message is that resourcing prevention is a better strategy from a compassionate, continuity and cost standpoint. In this talk, Andrew Reeves (Psychologist & Cybermindz Director of Organisational and Behavioural Research) discusses the state of mental health in the cyber industry, emphasising the unique stresses faced by cyber security professionals, and outlines how industry can begin to tackle this challenge.

12:45 Part 4 - Here Be Dragons: My Career Switch to InfoSec - Expectations & Reality Speaker(s): Dan Schoemaker

Dan Schoemaker

Information Security Officer, Phoenix HSL (Australia)

Dan Schoemaker has been working in the IT support, Infrastructure/Operations and Security fields for the past 8 years. At the end of 2021, he decided to change his career path and move into the Information Security field. He has formal degrees from UNSW, Western Sydney University and certification from CISCO. He is a self-driven techie that ultimately believes in learning by doing and having a crack.

Why would an infrastructure Specialist want to move across to security and put themselves in the firing line of the business?

Join me as I look through the past year as I moved from IT infrastructure and IT Service Management to Information Security. What expectations I had and what was the reality.

I came into a business that had a lot of work, the role was separated from the technical function, and had to ensure the technical teams were deploying and maintaining a secure environment.

Moving into a new specialism is daunting, especially when you change business and industry at the same time. When there is a myriad of issues, where do you start? How do you prioritise the issues, balance self-expectations and feel like a useful member of the team?

I will explore what are common perceptions of security teams from the greater IT team.

Look into the training pressures for a newcomer? How are we supposed to stack up against security professionals that have evolved with the industry? And how do you find new talent and entice quality security professionals to the field?

13:30 - 14:30 Lunch

16:10 Afternoon Coffee

Workshop W3

14:30 Ask us Anything - A Q&A with a SABSA Masters Panel Speaker(s): William Schultz,

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.
Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions often have an answer that ultimately resolves to the response, “it depends”. This is because most of the time it is true, the answer to your question/problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session, attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Master’s in attendance at COSAC will be welcome and encouraged to participate as they are available.Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:30 Security Modelling Workshop Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT. He has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities and also lends his support to local cyber-security initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation & modelling, leading to the foundation in 2021 of a niche consultancy in this...

Since the idea of a Security Overlay for ArchiMate was first introduced at COSAC 2018, a great deal of progress has been made - principally via the Working Group dedicated to the modelling of SABSA in ArchiMate (MSA). This culminated in a revised White Paper, a schema definition of the Overlay and the introduction of a 2-day training course to the SABSA Institute catalogue.

This proposal for a half-day workshop would be an abridged version of the full course with the following goals:

  • - To raise awareness of the SABSA course’s availability, contents and objectives.
  • - To show, through a hands-on session, how the Overlay can be used within an EA modelling environment to create the following artefacts, easily and productively:
    • - SABSA Business Attribute traceability;
    • - Compliance with security standards & frameworks;
    • - Threat Models;
    • - Risk Analysis.
  • To demonstrate that the use of these models goes well beyond the creation of documentation but an ‘active’ resource capable of being validated and analysed.

The workshop will step through examples that have been derived from anonymised, real-world consulting assignments, selected to highlight the advantages of being able to overlay security concepts onto the context of an EA model (e.g. situational awareness) that are not possible in traditional approaches (spreadsheets and checklists).

The value to the conference, is likely to be two-fold:

  • - For practitioners seeking ways of applying SABSA pragmatically and at scale, it provides a quick induction to the course, open-source tool support, supplemented by SABSA Institute resources;
  • - For others engaged by the ‘Case Studies’ presentation (separate but independent CfP submission), it provides further detail on the methodology and a pathway to achieving the same in their own organisations;

As always, this will be original content, being presented at conference for the first time.

Conference Close

18:00 COSAC Chairman's Closing Remarks Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute CEO of David Lynas Consulting.

SABSA World Forum

18:30 SABSA World Forum Hosted by The SABSA Institute

Registration for the SABSA World Forum is separate to COSAC 2023 and can be completed fee of charge at