Wednesday 4th December 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 9A: Architectural Arms in Anger Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

“Politics! Politics! Politics! Politics! Politics!” – Mel Brooks, History of the World Part I

A wise, pelvic-thrusting sage who possessed the power to render others infirmus ad genua (weak at the knees) once uttered these famous words: “War, woo woo woo, what is it good for?” The same might not only be said for corporate politics, but to also go on to observe that he/she that has a stomach for corporate politics is truly a sick, sick individual. Similarly, a somewhat well-known carpenter once said “where two or more gather in my name, I am there”; in the same way, it might also be said that “where two or more work in an organisation, the potential for corporate politics exist”. But! Hear me, O People of COSAC: I bring you a new euangelion of good news and glad tidings! Rejoice and be glad, for there is a way to emerge from the political quagmires of your corporate sin: that way is called Practical SABSA! In this session, a real-life case study is presented to the forum in detail to demonstrate the practical power of SABSA to defeat evil and win over the people to the cause of righteous bodacity.

09:30 9B: Customer Service, Disservice or Self-Service Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Information security professionals do not have it easy. Public or private sector, we must serve our internal and external customers well while providing appropriate security. But don’t even think of slowing down crucial business processes or services. And isn’t the customer always right? “Why are you security people so difficult to deal with? Jeez, It’s like an Asperger ward. Don’t you realize we’re trying to run a business … in a competitive environment? And why the heck do we need so many security people? Can’t we automate some of this stuff and let the users take care of their own security setups and changes?” Experienced security professionals (that’s us) have heard this and worse in their careers, and usually admit that there might even be a bit of truth in some of the complaints.

We’ll analyze the situation on both the service provider (that’s us again) and customer sides from a security perspective, emphasizing the need to understand the viewpoints of those we must deal with. We will also analyze complications and particular difficulties inherent in doing anything that provokes as many potential conflicts as information security. Customers want what they want, they want it now, and they don’t want to hear that what they want represents a significant risk to the organization. We have to remember the function of the organization, and we want to serve our customers well, but we also understand that our responsibilities as security professionals are to safeguard organizational assets. COSAC APAC veterans all know that sometimes that means protecting users from themselves. In this session we’ll provide specific recommendations for actions that will help Information Security fit customer service principles and resolve conflicts.

10:30 10A: The Evolving Security Architect Speaker(s): Nigel Hedges

Nigel Hedges

CISO, CPA (Australia)

Nigel Hedges has been in the local Australian/New Zealand IT Security industry for 20 years, having spent a lot of time in the information security vendor and customer sectors, across security consulting, analyst and management roles. Nigel is currently the Information Security Manager (CISO) for CPA Australia, but spent several recent years as the Enterprise Security Architect for a large national Australian & New Zealand retail organisation.

Security Architecture can have different objectives and functions within an Information Security and Risk practice. There are various factors that influence how security architecture is approached, including organisational size, industry sector and risk profile.

This session will begin with an opinion on the evolving security architect role in different parts of the world (taken from independent survey), and the typical activities we have come to expect from this function. A retail case study will detail a particular practical approach and perspective to strategy, security programs, frameworks and security service catalogues.

The session will also discuss some of the perceived challenges (from real-world experience), such as the disconnect between the CISO, Security Operations, the vendor ecosystem and the business, how that can manifest itself, and recommendations on how you might improve these relationships.

10:30 10B: Dealing with BS: Adversity and the Security Practitioner Speaker(s): William Schultz

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Let’s face it, things don’t always go the way we plan. Being a security practitioner is difficult enough with the constant evolution of threats and attackers, and an ever-changing IT landscape. It also doesn’t help that there are so many other ways that things can go wrong. Budget cuts, personnel changes, organizational changes, competing agendas, simple miscommunications. Shit happens. We also deal with other challenges like figuring out where to start, getting organizational buy-in, training up teams, and working with others who are involved in or control other parts of the process. These are a few examples of adversity that we face, and that as security professionals we must be prepared and able to deal with if we want to be successful. In this session we will discuss strategies for coping when things don’t go as planned. We will discuss several real scenarios, including what worked and didn’t work, and we will engage as a group to discuss other approaches and experiences.

11:20 - 11:40 Morning Coffee

11:40 11A: Creating a Digital NBN in Bahrain: Solving a Complex Engineering Challenge with SABSA Speaker(s): Abubakar Latif

Abubakar Latif

Head of Technology Security, Batelco (Bahrain)

Cyber Security Strategist with 14 years of experience in Cyber Security strategy development, data privacy, and CERT design and implementation. As an Advisor to the Telecommunication Regulatory Authority in Bahrain, he has led the Cyber Security policy and strategy for the Telecom Sector. He has played a leading role in drafting the Telecom Data Privacy Cyber Security Regulation in Bahrain. Abubakar is currently the head of Technology Security in the leading Telecom Operator in Bahrain.

The separation of the incumbent Telecom Operator in Bahrain and creation of the National Broadband Network is a strategic step towards achieving the vision of a digital society. This also implies that the newly formed NBN will need to build its own ICT infrastructure and have the opportunity to adopt cloud for innovative, efficient and agile operations. This presents a challenge for security to ensure that the governance, management and operations of security is efficient and agile at the same time.

This presentation provides insights into how SABSA continues to help the organization in:

- Designing a SABSA aligned governance framework tailored for the organization’s context

- Developing business aligned security strategy that can help the organization transition into an evolved security state

The presentation also illustrates a case study of how the application of the SABSA Governance Model helped identify significant security gaps in a business-critical service that was previously considered secure.

11:40 11B: Mental Health and Information Security

The Consulting, Digital, Information and Technology industries have traditionally attracted a certain “type” of person. Detail-oriented, technically very literate, perfectionist, with stereotypical character traits that give us (un)flattering labels such as nerds and geeks and the reputation of not being “people” people. However, all of us are people. And people go through ups and downs in their lives, and suffer poor mental health. It’s normal – anxiety, depression, bipolar disorder, right up to more serious areas of severe mental illness such as psychosis, substance addiction, attempted and actual suicide.

Just like physical health, poor mental health is a disabling condition that affects our own quality of life, as well as that of those around us. Men tend to suffer at younger ages, self-medicate with alcohol and drugs and cause themselves permanent disability or death. However, further research in this area seems to indicate this affects women a lot more from the early 40s … and the suffering is longer, right through to the end of natural life. Women don’t appear to take the easy way out, so suffer long-term with this.

We need to have a conversation within the Information Security Industry of how we can identify, support and help each other through these ups and downs; but also identify what we can practically do to support each other at the community level.

12:40 12A: Understanding the Business of New Business Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

A banking case study that will illustrate how the application of SABSA assisted with:

- Interpretation of business strategy to allow for new business models on new mobile distribution channels
- Identification of attributes to gain a common understanding of business and security requirements
- Allowing the banking business to achieve more with both a set of control objectives and enablement objectives
- Operational challenges as they relate to Risk Management
- How trends and technologies apply to the sustainable, through-life vitality of a new security stack for digital
- Lessons learnt

12:40 12B: Business Service Modelling - A Basis for Strategic Security Investments?

SABSA is a powerful methodology for problem solving and has been defined as a structured approach to security architecture development. While SABSA is extremely useful for security architects, it is not always accepted as a common basis across other disciplines, like IT architecture for example. Given that security is an integral part of any business, as is IT these days, documenting and designing business change should utilise a common basis for driving strategic change, including security investments. Business Process Engineering (BPE) and Business Process Management (BPM) can provide such a basis, but usually emphasise processes. Security requires considering both processes and resources. Business service modelling might be useful here. This presentation will explore the question: how can we add business service modelling to our security architecture toolbox and utilise it for strategic security investment planning?

Within this presentation we will explore how we can define business service modelling within the security architecture context and why a business service model is a great way of documenting and driving security change in an organisation. We will also look at how it aligns various disciplines and therefore allows us to consolidate strategic business changes with other changes required to support the business as a whole, like security investments. Mature business service modelling can contribute to the success of business process improvement initiatives, help in understanding resourcing dependencies, be used as a basis for outsourcing initiatives, and be utilised as a basis for strategic security investments. A well-defined business service model for an organisation can highlight the most valuable processes, roles and resources in an organisation. Identifying business-critical applications should become a breeze with a mature business service model, given that applications are just another resource of a business service. Protecting core assets should therefore not be hard either, regardless of whether these are processes, roles, or resources.

At the end of this session participants should be able to understand the value of business service modelling and how it can be utilised to transform an existing enterprise security architecture of an organisation through strategic security investments. This will hopefully provide attendees with another tool in their security architecture toolbox.

In the spirit of COSAC, this session is designed to be interactive and will allow participants to share their experiences concerning the topic or voice their concerns about this idea. Where appropriate, this session will provide attendees with examples of scenarios that might have benefitted from a mature business service model.

13:30 - 14:30 Lunch

14:30 13A: Have You Ever Considered Modelling? Speaker(s): Hugh Walcott

Hugh Walcott

Director & CTO, StrataMap (New Zealand)

Hugh is co-founder and CTO of StrataMap, an online platform for enterprise architecture and system modelling used by the government, enterprises and cybersecurity service providers. Hugh started his career as an electronics engineer before moving to ICT via the start-up labs of Cambridge UK. Highlights include performing the first ever internet e-cash transaction in 1998 and lead architect on the world’s largest real-time system (mega-city adaptive traffic management system).

“All models are wrong; some models are useful.” — George Box

While George Box is correct, models are only useful if they are both accessible and are meaningful to the audience.

We all know that SABSA provides us with a plethora of approaches, methodologies and techniques to develop models that express and capture the business requirements for security. However, it can be challenging to capture all of the information created during the development of the Enterprise Security Architecture (ESA) in a meaningful and useful manner.

The purpose of architecture documentation is to capture decisions. However, the modelling languages that are typically used to express those decisions are not widely understood by the stakeholders that have to use them. Have you ever presented an ArchiMate model to a business owner and seen the blank look on their face? It’s because you’re not speaking their language (i.e. the ArchiMate models may mean something to you, but they don’t mean anything to them.)

Also, when SABSA models are captured in documents, it can be difficult to effectively maintain traceability and reuse them when delivering new services that conform with the ESA. This is because traceability for completeness and justification is usually captured in static diagrams and tables, without the ability to easily visualise the areas that relate to a specific context.

In this session, we will present a platform that enables SABSA practitioners to develop and capture various SABSA models quickly and easily within a web browser. This provides better accessibility of the ESA across the entire organisation, together with two-way traceability and the ability to rapidly filter models to present different security viewpoints by organisational context (e.g. business capability, information systems, etc.).

Finally, we will pray to the demo gods and provide a real-world example of how the platform can be used to capture, present and reuse various SABSA models.

14:30 13B: Did my house just attack me? Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

As we fill our homes with more and more smart connected devices, we are exposing ourselves to more than just the classic security risks of Confidentiality, Integrity and Availability. But what if we aren’t the person who has the relationship with the supplier or service provider?

With our mantra of ‘There’s an app for that’ we often focus on a single user/account/app customer model that at best defaults to one person in control and in the worst case has no mechanisms for sharing the user-level functions or obtaining access to the administration-level functions.

If all you’re dealing with is a single light bulb then you can get rid of the offending light bulb; but what if it’s a front door lock or central heating system that is embedded in the fabric of your house? And what if you’re dealing with the ultimate in insider threat – an abusive partner or cohabitee?

In this session I will explore how the security requirements of these systems (in their widest sense) could be specified to take into account this growing area of concern and look forward to contributions from the session participants.

15:30 14A: SABSA for SABSA - Using SABSA to Write a Good SABSA Practitioner Exam Answer Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

Many SABSA Practitioner candidates look for examples and guides for paper submission, but because the nature of SABSA is to tailor solutions to business needs it is far better to apply a SABSA study to your organisation rather than to try and answer questions from a purely academic perspective.

Rob will cover a SABSA inspired method to extract the critical components of SABSA questions into business attributes. These attributes then naturally lend themselves to quantification through control objectives, performance targets, SABSA assurance and SABSA risk management models to add vitality and verify the answer as you are developing it.

Rob was the winner of the 2018 Matt Whelan award for the best practitioner or master’s paper and in this session, Rob will present advice, tips and tricks from the field, helping you present your SABSA study in a way that will receive the greatest share of marks.

15:30 14B: Cyber Enterprise Modelling Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT. Steven has undertaken major assignments for clients in the national & European public sector, finance, telecoms and utilities and also lends his support to local cyber-security initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation and modelling, leading to …

Scaled Agile methodologies are increasingly turning to Model-Based Systems Engineering (MBSE) as a cost-effective paradigm for maintaining the coherent, up-to-date design documentation necessary to support rapid delivery of software projects.

But as the scale and complexity of these projects increase, these models should expand beyond the logical layer, not only to place software in the wider context of business, technical and in particular, security architecture, but to fully integrate all aspects into the Agile Enterprise.

This introduction to Cyber Enterprise Modelling builds upon the principles set out in the earlier session: SABSA Modelling in ArchiMate. This session though, takes the approach beyond the immediate goal of creating quality holistic documentation, efficiently and at Agile velocity, to show how such models hold out the prospect of automated analysis and validation: CI/CD, in other words, being applied to architecture as well as code.

16:20 - 16:40 Afternoon Coffee

16:40 15A: A Reference Architecture for Implementing Governance Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

Achieving good governance of security is a key requirement for the security functions in many organisations, especially where the implementation and operation of security is federated throughout the organisation and extended out into service providers. There are many governance, risk and compliance tools, but the governance capabilities are generally limited to audit and compliance management and none of them are actually architected to the real needs of organisations. Rather than implementing a tool and calling it governance, we would propose architecting governance, starting with the SABSA Governance Model.

This presentation consists of three parts. The first is to instantiate the SABSA Governance Model in a way which brings together the main activities in the business which contribute to governance. This model is presented across the strategic, tactical and operational lifecycle stages.

The second part is a GRC Reference Architecture that can be used to establish the requirements for an effective GRC tool. We will share the overall GRC landscape for any organisation, and zoom in on the key areas for an enhanced governance capability. This will include the ability to deliver a multi-tier risk dashboard capability and allow integration with existing tools and processes. The GRC Reference Architecture will provide an architectural perspective, or viewpoint, on the main components every organisation needs for proper Governance, Risk and Compliance to manage and mitigate the risks in all sorts of business domains.

The final part relates to the means of implementing governance in a robust software development model.

16:40 15B: Connections and Reflections Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Every day we use and depend on technical innovations whose origins and development lifecycles often lie lost in the mists of time. In this session I shall explore some paths through which technological change happened and the social effects of those changes on Western society. We will find out why Admiral of the Fleet Sir Cloudesley Shovell inspired a carpenter to solve a navigational challenge, how a discovery of the electrical characteristics of the most abundant mineral found on the Earth's surface helped James Bond in the bedroom, why an 89 year old African American mathematician was inducted into the United States Air Force Hall of Fame in 2018 and why size does matter.

Reflecting on these and other discoveries illustrates how great innovations happened through multi-disciplinary teams working together, listening to and learning from each other - an approach we should consider carefully in approaching cyber security in the present day.

Plenary Session

17:40 16P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at [email protected]

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4th December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner