
Thursday 5th December 2019

09:30 - 10:00 Delegate Registration & Coffee

11:40 Morning Coffee
16:10 Afternoon Coffee

Workshop W1

10:00 The 2nd COSAC APAC Design-Off Speaker(s): William Schultz, Jason Kobes

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Jason Kobes

Senior Architect & Research Scientist, Northrop Grumman (USA)

Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...

After a successful session last year in Sydney we are taking the design-off to Melbourne! In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide an opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client's needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

Two of the hardest problems SABSA architects face are working alone, and getting started when the problem in front of them is daunting. These design-off workshops not only build teams from people who may never have worked together before, they challenge the groups to overcome obstacles quickly and deliver actionable architecture in a short time. It can be done; this activity proves it.

Workshop W2

10:00 The 3rd Annual APAC International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 3rd International Forum is a deep-end immersion in the COSAC APAC way. There'll be a room full of dedicated, savvy, scar-bearing security professionals analyzing hypothetical scenarios and actual events from widely different perspectives, based on widely different experiences and perceptions of success and failure learned in the trenches. These information security masters offer and rigorously defend their opinions, but are also ever-willing to help others and learn from each other. This leads to reality-based analysis of recent and probable future events and trends from perspectives illuminated by deep and broad information security knowledge and experience. And nobody charges consulting fees.

The moderator describes some actual recent event or prediction of the future or analysis of security-related issues, then comes up with a question or two about associated issues. He might then prod one or more attendees for their take on the issues in question, but more likely, he’ll try to avoid getting in the way, thus prompting participants to discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

It was true when we started the Forum back in Ireland 20+ years ago, and it’s true in Australia rapidly approaching 2020 - “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” Ransomware, cryptojacking, social network privacy and security issues, GDPR, nation-state offensive activity, IoT device proliferation and security, finding and keeping competent help … – the 2019 list of real and potential concerns will no doubt continue to grow and bleed into 2020. Even if we could address them all, we have to keep playing whack-a-mole on the classic security gems that never seem to get fully resolved - password discipline, cloud security, access control, end-point security, policy writing and implementation, awareness and training, … ad infinitum. One of the features that make the Forum so valuable is learning from each other (as grizzled veterans) what we can do and what we can’t – where to focus our limited resources. Trying to do everything at once is a sure prescription for failure.

The discussions and analyses started here in the Forum almost always continue throughout COSAC APAC, often beyond that, leading to unique, realistic and workable solutions to seemingly intractable dilemmas. Leading also to building a network of intelligent, experienced, realistic people you can count on for trenchant analysis and real help. Come join us and help solve the information security problems of the world.

13:30 - 14:30 Lunch

Workshop W3

14:30 Ask us Anything - A Q&A with a SABSA Masters Panel Speaker(s): William Schultz, Maurice Smit

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to "it depends". Most of the time that is true: the answer to your problem depends on the question you are actually trying to answer. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is usually in knowing which part of the methodology to use, and where to start from the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the COSAC way there will be plenty of group debate and interaction, and no shortage of other experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:30 Resilience by Design Speaker(s): Perri Nejib, Edward Yakabovicz

Perri Nejib

Technical Fellow - Cyber Solutions Architect, Northrop Grumman (USA)

Ms Nejib has 33+ years of system engineering and program protection experience and 27+ years of technical leadership and DoD acquisition management experience. She is currently part of the Advanced Cyber Technology Center (ACTC) as one of its senior engineering consultants and is deployed to the Missile Defense & Protective Systems Division (MDPS) as Cyber Solutions Architect. In this role she supports key programs, serves as a stakeholder on MDPS IRADs and provides SSE subject matter expertise.

Edward Yakabovicz

Technical Fellow, Northrop Grumman (USA)

Edward Yakabovicz is an innovative technical leader at Northrop Grumman responsible for advanced technologies for enhancing cybersecurity, resilience, and security engineering throughout enterprise, SCADA, and the Internet of Things. He is a cybersecurity doctorate candidate researching the current human capital crisis and inability to staff cyber related jobs.

Part 1 - NATO Resilience by Design

Cyber resilience (as opposed to merely risk-based approaches) is a topic of ever-increasing interest in the literature and in practice, with many nations expressing it in their cyber strategies as a way to apply newer practices to protecting systems from a rapidly changing cyber threat environment. This presentation addresses the engineering-driven actions necessary to develop more resilient systems by integrating cyber security / Systems Security Engineering (SSE) into the well-known Systems Engineering (SE) process. This concept, shown in Figure 1 (see attachment), infuses systems security engineering techniques, methods and practices into the systems and software engineering development lifecycle activities, so that security becomes part of the core solution and process rather than an isolated and expensive add-on, bolt-on, separate task. The presentation is based on a position paper developed on this topic (see attached), and is intended to be presented and discussed in a forum such as COSAC to allow for audience interaction and feedback on the concept of cyber resiliency in the NATO construct. Cyber Resiliency by Design is an important topic across NATO, and the COSAC/SABSA event will be a perfect forum in which to discuss and examine current standards and methods in this area and possible implementations. Our intention is for this event to be a catalyst of change for cyber resiliency across NATO.

Part 2 - Measuring Cyber Resilience

This session will discuss new 2019 data on the Igor Linkov cyber resiliency measurement concepts discussed at COSAC 2018. The Linkov concepts describe practical methods to measure cyber resiliency, both negative and positive. The discussion will address changes and new data from the 2019 NATO conference and others. This unique and novel way of measuring cyber resiliency appears to be the only valid method being discussed around the globe as a practical measurement practice. The outcome of the discussion should be that attendees take away a better and more practical way to measure resiliency and apply it to their own subject matter.

Part 3 - System Security Engineering: Whose Job is it Anyway?

A look at current and evolving policy, guidance, and standards surrounding security activities in the systems engineering life cycle. Emphasis is placed on Systems Security Engineering (SSE) and on how applying systems engineering (SE) concepts and processes throughout the life cycle is the way to deal with the dynamic and diverse world of cyber threats to a system. This presentation is a follow-on to a previous COSAC Atlantic (2018) NATO-focused brief and will focus on the Australian (Pacific) region. The presenters have publications and working group project leadership in this international region on the topic of SSE, published in the International Council on Systems Engineering (INCOSE) Insight Journal. The focus of that research was bringing attention to cybersecurity and the importance of other disciplines contributing to secure systems. Since then many of these domains have further developed their own standards, processes and guidance in the area of cybersecurity. What is needed now is a way to take these domain-focused concepts and integrate them into and across a system's life cycle. The best way to achieve this is as part of the SE function. Designing and building secure systems requires a seamless integration of security into SE processes, adopted so as to constantly revisit, re-evaluate and re-design as part of a risk management process. The framework discussed in this presentation takes currently evolving guidance in SSE and breaks it down into products and tools that let system engineers easily determine the relationship and value between SSE and SE. In addition, the briefers are now leading the update to the next version of the INCOSE SE Handbook, which will have a chapter dedicated to specialty engineering and sections on SSE/cybersecurity.
This COSAC session will be an opportunity for attendees to discuss and help shape the content of the cybersecurity section(s) of the next version of the INCOSE SE Handbook.

Conference Close

18:00 COSAC Chairman's Closing Remarks Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.