
Wednesday 28th February 2024

09:00 - 09:30 Delegate Registration & Coffee

09:30 11A: SABSA by Sea - Smooth Seas Do Not A Good Architect Make Speaker(s): Robert Laurie

Robert Laurie

Deputy CISO / Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

In this session, we demonstrate how risk floats exactly like bricks don’t.

Sailors will tell you that you want to sail as close to the wind as possible to maximise your speed, and this risk concept, while oft misused by the non-nautical, is a great analogy for maximising your performance in a risky environment.

The often-tragic events in humanity’s conquest of the great oceans demonstrate the severity of negative outcomes in a sea of ever-changing risks.

In this SABSA presentation we take a deep dive into managing risk with SABSA, demonstrating clearly, using maritime success and disasters, how doing business means taking risk.

We ask how much risk is enough and how much risk is too much? We will get our feet wet answering the question - In the deep blue do we always want to operate in the green?

We will plumb the depths of SABSA attribute performance targets and suggest a raft of extensions to buoy our ability to manage risk within appetite, helping us sail closer to the wind to rapidly meet our goals.

Attendees will take away new findings regarding SABSA performance targets, for both positive and negative risk and systemic risk interactions, helping them and their organisations plot a course through the uncertain business risk environment.

This session is recommended for anyone interested in measuring risk and would serve as a shipload of ideas for a SABSA Masters’ thesis, telescoping suggested extensions to the framework to provide additional guidance to captains of change.

09:30 11B: The Risk Boomstick Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with nearly 25 years in retail, tertiary education, hospitality, sport and gaming, financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board, Founding Member of the SABSA Institute and a director of the SABSA Founders Bursary. He is currently the CISO of the international Phoenix Group.

“Alright, you primitive screwheads, listen up! You see this? This... is my BOOMSTICK!!!” – Ash Williams, Evil Dead 4

Ahhhhhhhhhhhhhhhhhh, Risk: no other topic bears as sweet a perfume, as intoxicating a character, as entrancing an allure...

... Nor, for some reason, as predisposing an invitation to an uninvited critique from those around you (including, I might add, from yours truly).

That we all do this to each other is a good sign that the way we think about Risk is full of complexity, character and a seemingly bottomless well of nuance from which any amount of pithy insight can be drawn.

‘That’s all well and good, but you should model your opportunities.’

‘I can see your inherent risks, but where are your cascading risks?’

‘That’s a discrete risk, what about the aggregate risk?’

‘There’s too much detail here, roll it up.’

‘This is too abstract, break it down.’

‘That’s not a risk.’

Yet amidst the hoity-toity brouhaha of the Risk enthusiast lies the rock-solid, time-worn lesson:

Suck at Risk and you suck at your job.

That’s why, shoppers, you need the RISK BOOMSTICK™! 25 years of not sucking at Risk is distilled down into an eensy weensy power-packed (like me) 1 hour presentation for your enjoyment, pleasure and 100% money-back-guaranteed satisfaction*. Chock-packed full of nuanced techniques, revitalised ideas and all-weather analysis ammo to get you out of any situation, this baby will eat up ANYTHING you feed it and never fail to deliver whatever is on your sights and on le-plait-de-jour!

That’s right. Shop smart! Shop S-MART!

* 100% money-back-guarantee not included

10:20 12A: Business Trust Model using SABSA Speaker(s): Sarit Kannanoor

Sarit Kannanoor

Consulting CISO, Digital Frontier Partners (Australia)

Sarit is a highly accomplished security leader with experience in enterprise security architecture, security governance and security management. Sarit comes from an engineering, governance and technology background and looks at security from an "enterprise security as a system" view not just from an Information Security or IT Security or Cyber Security viewpoint. Sarit also has consciously gained experience in all IT functions and a number of business functions (Governance, Risk, Compliance and...

Trust is an integral part of human nature and society. However, ‘Zero Trust’ is a hot topic among security professionals, vendors, regulators, assurers, and business stakeholders. The immediate impression one gains from ‘zero trust’ is ‘no trust’, though the concepts and principles described by zero trust are about the maintenance and provision of continuous trust.

The presentation uses SABSA frameworks and methodologies to argue the case for a holistic ‘Business Trust Model’ that can be architected to assist the business and its stakeholders in making informed decisions on the business trust strategy they could implement. The ‘Business Trust Model’ explores the entities that play a part in providing business trust and their interactions, the definition of business trust as attributes of value to the business, the risks (opportunities and threats) associated with business trust, the use of attributes of business trust to map the capabilities of tool and processes related to business trust and means for justifying the capabilities required, the type of governance and assurance processes that are required for business trust to be immutable, the use and interplay of logical and physical domains in business trust, and the time dependencies related to trust.

10:20 12B: Chaos Comes to Threat Modeling Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Tech Fellow, Northrop Grumman (USA)

Jason works as a Sr. Staff Cyber Architect & Research Scientist for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa...

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 17 years, with the past 13 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the methods of our adversary!

  • What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?
  • Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?
  • Are our adversaries using AI to undermine our controls?
  • How do we adapt to rapid changes in our understanding due to observed or experienced events?

In this session we will leverage the work from the 2022/2023 working sessions at both COSACs. We then will build on these ideas with our combined experience and discuss what mechanisms and processes exist to help us unfold this difficult topic and see if we can create a method to address these threats.

11:05 - 11:25 Morning Coffee

11:25 13A: The Grammar of Attributes, Requirements and ESA Speaker(s): Kirk Nicholls

Kirk Nicholls

Consultant, SABSA World (Australia)

Kirk is a security advisor with a focus on disaster and incident response exercises. He develops and manages exercise programs through the discipline of serious games, using research-based practice. Through the lens of serious games, simulation and a military background he enables clients to gracefully handle the unexpected.

‘Words mean things’, as my Drill Sergeant once enthusiastically bellowed at me after I had failed to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for.

When undertaking any work as a risk professional, it behooves us to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain language expressions while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.

11:25 13B: It’s all About Perspective Speaker(s): Jaco Jacobs

Jaco Jacobs

Director of Consulting Services, David Lynas Consulting (Netherlands)

Jaco is the Director of Consulting Services for David Lynas Consulting based out of the Netherlands. He has been a “security guy” for more than 25 years during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most his career developing security IP, training and services for the largest global security providers as well as co-authoring several security publications.

In an era inundated with digital threats, the cybersecurity landscape is continually evolving, challenging conventional methodologies.

The Microsoft Digital Defence Report 2023, which gains its insights by amalgamating 65 trillion signals, harnessing the expertise of over 10,000 security professionals, blocking over 4,000 attacks per second, tracking 300+ threat actors, and managing 135 million devices, reveals that basic security hygiene thwarts 99% of attacks. This encompasses strategies such as implementing Multi-Factor Authentication (MFA), embracing zero-trust principles, leveraging Extended Detection and Response (XDR) solutions, staying updated, and safeguarding data. This is, as expected, pretty conventional and in line with industry rhetoric about one-size-fits-all best practices.

Recent disclosures from both Microsoft and HPE however shed light on the daunting reality of (unconventional) cyber warfare. In January 2024, these tech giants disclosed that they fell prey to a sophisticated nation-state threat actor, targeting cybersecurity personnel with alarming precision. HPE endured an intrusive persistence of at least nine months, while Microsoft acknowledged a compromise dating back to late November 2023.

In response to these types of escalating threats, an unconventional method emerges, inspired by the cognitive behavioural therapy (CBT) framework. Devoid of therapeutic jargon, offering a pragmatic approach to dissecting complex situations, this method empowers us to scrutinize threat and risk from diverse angles, fostering clarity and informed decision-making.

As we navigate the intricate labyrinth of cybersecurity, embracing alternative perspectives becomes paramount to forge resilient defences and safeguard the digital realm against adversarial incursions. Join us as we explore the transformative potential of reimagining threat and risk from a different vantage point.

12:15 14A: Is Not a Thing of Beauty Bare? A Simple Graph Can Powerfully Communicate Thousands of Words Speaker(s): Duncan Hall

Duncan Hall

Strategy & Planning Manager, Ministry of Foreign Affairs and Trade | Manatū Aorere Aotearoa (New Zealand)

I’m a member of The SABSA Institute (G001093), and a SABSA Chartered Security Architect (SCF13071903). Over many years I have contributed in pro bono voluntary capacities to numerous not-for-profit civil society organisations, professional societies, and authoring and reviewing good practice guidelines for software engineering. My ResearchGate site provides further information.

It can be difficult to explain SABSA’s value to folk who have not actively become enmeshed in planning for, implementing, or operating information security controls.

I will present a simple (perhaps simplistic?) framework using graphical constructs of Linear Programming (LP) to convey – from a top-down holistic perspective – the value in business terms of adopting the SABSA framework to inform information security architecture development.

By holistic, I mean that not all of SABSA’s value can be easily communicated – even to a technologically erudite audience – using reductionist perspectives, in which the value propositions are explained in terms of itemised lists of specific components and sub-models.

In contrast, from a business and technology senior leadership perspective, key messages are best communicated verbally and visually in a ‘BLUF’ manner: Bottom Line Up Front.

  • What’s in it for those senior business/technology leaders …
  • … who have the authority to commit resources to address information security concerns?
  • Why should they care?
  • Where and When is it best to advocate for using SABSA?
  • How can graphical LP constructs be used to communicate the answers to the above?

To expand on the graphical LP construct, further details are best presented in subsidiary artefacts which can then be pored over by éminence grise functionaries.

12:15 14B: Major Incident Management for Small Teams Speaker(s): Jack Sussmilch

Jack Sussmilch

Principal Cybersecurity Consultant, Tawfik Consulting (Australia)

Jack Sussmilch has over 25 years’ experience in the definition and enablement of both strategic and operational cybersecurity domains. He has a proven track record in working with business and IT leadership to mitigate cyber security risks in a measurable, scalable, repeatable and sustainable way across a broad range of technologies, compliance and cultural environments in the context of historical, current and emerging threats.

Major incidents can be described as being a form of organised chaos. As the duration of the incident response extends, the risks to your personnel can become extreme. These risks can and do often compromise the efficacy of the Incident responses. Jack has seen people physically collapse or even suffer heart attacks exacerbated by the evil nexus of exhaustion and stress.

For smaller organisations and teams, fatigue management often becomes an afterthought during their first major incident – usually after someone “loses their shit”. By preparing in advance, you can mitigate the adverse effects on your personnel and help to ensure a more rapid and effective response for the harder incidents that run into days, weeks and even months.

In this session, Jack will describe the key artefacts that your Incident Response Plans, Disaster Response Plans and Business Continuity Plans should all leverage. These artefacts, and the forethought required to create them, will maximise the focus your key personnel can bring to bear on the incident at hand and help to ensure your response is not inhibited by the mistakes tired people make, whilst also helping to minimise the impact on your most important asset – your people.

13:00 - 14:00 Lunch

14:00 15A: Attributes of the Metaverse Speaker(s): MZ Omarjee

MZ Omarjee

Head: Client Security and Moonshots, Standard Bank Group (South Africa)

Muhammed Zubair (Mz) Omarjee is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as they relate to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative, business-driven and risk-oriented discipline.

The session will illustrate how two key attributes can shape the discussion of the Metaverse, what it is in business context, what it means from an end user perspective, the types of metaverses and a sequenced approach in terms of shaping its delivery strategy. This session will show some insights on how to introduce the concept to the organization as a case study, through to creating awareness and balancing compliance and security requirements.

14:00 15B: Using Markov Chains to Estimate Security Risks in Descriptive System Models Speaker(s): David Keene

David Keene

Sr Staff Cyber Architect, Northrop Grumman (USA)

David is a Cyber Architect for Northrop Grumman, based in San Antonio, Texas. He holds both INCOSE Expert Systems Engineering Professional (ESEP) and (ISC)2 Certified Information System Security Professional (CISSP) certifications, and in his 40-year career (most at Northrop Grumman) he has worked in a variety of roles in software, systems, and cybersecurity engineering. Recently, he has been working with NG’s Digital Transformation initiative to help define new approaches to engineering...

The Markov chain is a well-known mathematical tool for evaluating the probability of a series of interdependent events. Risk-based domains such as reliability and security can make use of this state-based process model to better assess the likelihood of a given fault scenario, but such analyses typically take place in a fashion that is not integrated with the architectural/design model of the system-of-interest. As systems grow in complexity, our ability to fully understand the holistic nature of risks and how to manage them is increasingly challenged by the absence of established methods that can associate risk evaluations with those systems’ authoritative architecture and design models, especially as the pace of engineering development processes quickens.

This topic explores a method for modeling and analyzing system security risk using adaptations of the Risk Analysis and Assessment Modeling Language (RAAML). It provides the means to accurately express Markov processes in the same foundational language used for Model-Based Systems Engineering, thereby inherently improving the integration of security analyses and engineering development processes. This enhanced integration of processes can yield results that are both more timely and of better quality, thus increasing our confidence in the engineered system’s security.
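As an added illustration of the arithmetic such a state-based risk model rests on (example code written for this page, not the presentation's RAAML method or any Northrop Grumman material), a small discrete-time Markov chain for a constructed fault scenario: from transition probabilities between system states it computes the likelihood of reaching a "compromised" state within n steps and the expected time until that state is reached, then compares a baseline with a what-if detection control. The states, probabilities and the "maintenance cycle" time step are all constructed assumptions.

```python
"""Discrete-time Markov chain for a security fault scenario (illustrative).

Added example: states and probabilities are constructed, one time step is
assumed to be one maintenance cycle.
"""
from typing import List

STATES = ["nominal", "exposed", "contained", "compromised"]
NOMINAL, EXPOSED, CONTAINED, COMPROMISED = range(4)

# Row i holds the probabilities of moving from state i to each state.
BASELINE: List[List[float]] = [
    # to: nominal exposed contained compromised
    [0.90, 0.10, 0.00, 0.00],  # nominal: a new exposure appears with p=0.10
    [0.30, 0.50, 0.15, 0.05],  # exposed: patched / still exposed / detected / exploited
    [0.80, 0.00, 0.20, 0.00],  # contained: recovery returns the system to nominal
    [0.00, 0.00, 0.00, 1.00],  # compromised: absorbing state
]

# Constructed what-if: a stronger detection control on the "exposed" state
# (more containment, less exploitation); everything else unchanged.
HARDENED = [row[:] for row in BASELINE]
HARDENED[EXPOSED] = [0.30, 0.28, 0.40, 0.02]


def validate(P: List[List[float]]) -> None:
    """Reject matrices that are not square, non-negative and row-stochastic."""
    n = len(P)
    for i, row in enumerate(P):
        if len(row) != n or min(row) < 0.0 or abs(sum(row) - 1.0) > 1e-9:
            raise ValueError(f"row {i} ({STATES[i]}) is not a probability distribution")


def step(P: List[List[float]], dist: List[float]) -> List[float]:
    """Advance a state distribution by one transition: dist' = dist * P."""
    n = len(P)
    return [sum(dist[i] * P[i][j] for i in range(n)) for j in range(n)]


def prob_in_state_after(P, start: int, target: int, steps: int) -> float:
    """P(system is in `target` after `steps` transitions | it started in `start`)."""
    validate(P)
    dist = [0.0] * len(P)
    dist[start] = 1.0
    for _ in range(steps):
        dist = step(P, dist)
    return dist[target]


def solve(A: List[List[float]], b: List[float]) -> List[float]:
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        if abs(M[col][col]) < 1e-12:
            raise ValueError("singular system: a transient state never reaches absorption")
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def expected_steps_to_absorption(P, transient: List[int]) -> List[float]:
    """Expected number of transitions until absorption, from each transient state.

    With Q the transient-to-transient block of P, t = (I - Q)^-1 * 1.
    """
    validate(P)
    I_minus_Q = [[(1.0 if i == j else 0.0) - P[a][b] for j, b in enumerate(transient)]
                 for i, a in enumerate(transient)]
    return solve(I_minus_Q, [1.0] * len(transient))


if __name__ == "__main__":
    transient = [NOMINAL, EXPOSED, CONTAINED]
    for name, P in (("baseline", BASELINE), ("hardened", HARDENED)):
        p12 = prob_in_state_after(P, NOMINAL, COMPROMISED, 12)
        t = expected_steps_to_absorption(P, transient)
        print(f"{name}: P(compromised within 12 cycles) = {p12:.4f}; "
              f"expected cycles to compromise from nominal = {t[NOMINAL]:.1f}")
```

Changing one row of the matrix and re-running is the point: the control's effect is read off as a change in likelihood over a horizon and in expected time to compromise, rather than asserted.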

14:50 16A: Increase Resilience, Decrease Risk: Embedded Dependency Models in SABSA Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The ability of an Enterprise to collect diverse but inter-connected Risk information, integrate it, align it, view it, and consider it holistically, may be the difference between success and failure.

“This capability is what separated the banks that survived the financial crisis from those that failed. The failed companies had relegated risk management to a compliance function.” Harvard Business Review 2012

A complex system such as today’s modern enterprise is composed of many constituent parts which interact, are inter-dependent, with conflicted and systemic relationships. It is an eco-system, changing organically because of the innovations and behaviours of its parts, each of which has its own objectives, success factors, methods, risks and opportunities. The Enterprise and/or its parts also interact with the ever-changing environment in which it exists. A complex Enterprise cannot be defined by reference to its constituent parts alone because no part is completely independent of the behaviour of the other parts.

And yet an Enterprise can spend huge resources and finances on checklist-based, compliance-driven, highly subjective, non-normalised, isolated, siloed risk assessments and treatment plans.

“Insanity is doing the same thing over and over again but expecting different results.” Albert Einstein

The traditional approach to Risk is fundamentally flawed. We know it is broken and not fit-for-purpose in real world complexity, but we continue to blindly do things the way they have always been done simply because they have always been done that way.

When viewing the Enterprise as a complex system, failure to understand the complex nature of risk is itself the greatest risk of all. We cannot predict all failures and cannot model all successes. Pull one end of the spaghetti and all sorts of interesting things start to unravel and fall off the plate. What is good news for one authority may represent horribly bad news for another. But the question is, how do we approach this challenging subject to achieve the systemic understanding that the Harvard Business Review suggests?

Just as a system depends upon subsystems and processes depend upon subprocesses, so each perspective of SABSA (What, Why, How, Who, Where, and When) can be modelled as a layer-independent dependency chain where each dependent element sets the requirements for each dependency, and each dependency meets the needs of each dependent element. At the same time, we can understand the inter-relationships between the perspectives that often present real-world risk tensions or conflicts.

By using this technique, we can more clearly identify complex relationships to articulate clear risk context, empower accurate, meaningful control and enablement decisions strategically, tactically and operationally, and identify true risk owners and decision-making authorities.

14:50 16B: Threat Driven Cyber Investment Strategies Speaker(s): Chathura Abedyeera, Andreas Dannert

Chathura Abedyeera

Director – Cyber Security, KPMG (Australia)

Chathura is a Director in the Cyber security and Forensic practice of KPMG Australia and leads the Cyber Attack and Response services. He is a highly technical Cyber security practitioner with over 20 years’ experience in offensive Cybersecurity and Incident Response. He is a CREST Certified Tester and an examination assessor for the CREST International. He is also an advisory board member of the CREST Australasia. He has delivered complex technical Cyber security assessment programs and...

Andreas Dannert

Principal Enterprise Security Architect, Standard Chartered (Singapore)

Andreas is Principal Enterprise Security Architect at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of Australians.

In today's landscape of increasingly sophisticated and persistent cyber threats, it is crucial for organisations to leverage Cyber Threat Intelligence (CTI) and effectively integrate CTI into other business units (downstream consumers) such as risk functions, Internal audit, architecture, engineering, sec-ops, security testing and the SOC, to enhance the collective decision-making capabilities of the organisation. This presentation emphasizes the importance of leveraging CTI more directly and efficiently in decision making processes within an organization to achieve the desired business outcomes. Attendees will gain valuable insights into the practical steps and best practices required to strengthen their organisation's defenses by integrating CTI within their existing security infrastructure. The following topics will be explored in the presentation.

  • Understand your organization's business and resulting security objectives
  • Understand your downstream organisational consumers and contextualising CTI
  • Define CTI goals and requirements based on security objectives
  • Identify and integrate CTI sources
  • Establish data collection and processing
  • Develop intelligence analysis capabilities
  • Enable threat intelligence sharing and its integration with risk and technology governance
  • Integrate CTI into security operations / incident response
  • Implement CTI led threat hunting capabilities
  • Foster collaboration and cross-functional engagement
  • Establish feedback loops and continuous improvement
  • Stay updated and adaptive

15:35 - 15:55 Afternoon Coffee

15:55 17A: Modelling Uncertainty & Building Cyber Resilience Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

Director - Cyber Risk & Resilience, David Lynas Consulting (UK)

Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future proof information security strategies and helping organisations implement...

The ever-increasing reliance on technology has drastically shifted how organisations function. The interconnectedness and convergence of digital solutions, together with the business opportunities they bring, increase the number of critical failure points. The latter explains why regulators across the globe have been particularly active in this topic, and consequently resilience has become the latest global hot topic in many sectors.

A key premise of building cyber resilience is to develop an in-depth understanding of ‘what is materially important’ for the business. Analysing the important business services into the processes, technology and people defines the quantitative and qualitative characteristics of those assets which need to be preserved even during a successful cyber attack.

This presentation will demonstrate how SABSA methodology can be leveraged to capture the business context and how the business context in turn becomes a strong foundation to build a robust cyber resilience. Instead of addressing the challenge from a theoretical point of view, real-life use-cases will be presented from the financial services and energy sectors. Emphasis will be given on the operationalisation of SABSA methodology to capture the idiosyncrasy of the organisation, demonstrate the relevance of the security services, model the security posture and become the conduit that brings together the risk management framework, threat scenarios, control library and operational controls.

15:55 17B: GRC Modernisation ≠ Automation Speaker(s): Ahmed El Ashmawy

Ahmed El Ashmawy

Consulting Practice Lead, Axenic Limited (New Zealand)

Ahmed is a Senior Consultant at Axenic Ltd. He has significant experience as a trainer, as well as being a hands-on practitioner. He is a CERT-Certified Computer Security Incident Handler (CSIH) and a SEI-Authorised Instructor. He has been previously a member of the technical team of Q-CERT, Qatar’s national Computer Emergency Response Team.

Over the last two years, Axenic has embarked on a journey to modernise aspects of its Governance, Risk and Compliance (GRC) offerings. Almost one million dollars later, coupled with numerous scars, Axenic became the first Archer IRM customer to multi-tenant a single instance of the platform for small and medium customers. This is not the end of the journey; it is the tip of the iceberg.

This session is an automation vs modernisation discussion exploring what to automate (or not to automate), and how to modernise GRC. Axenic will share successes, failures and expensive lessons learnt throughout the process. Whether you represent an organisation that is trying to automate their GRC tasks, and consolidate their governance, risk, assurance and compliance data, or a provider trying to offer modern services, this session should help save you time and money. Even if you are at an advanced stage of your GRC modernisation journey, discussions could enrich your experience, or you may have some lessons to share.

16:45 18A: Ask A Master Q&A with a SABSA Masters Panel Speaker(s): William Schultz

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 17 years, with the past 13 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions often have an answer that ultimately resolves to the response, “it depends”. This is because most of the time it is true, the answer to your question/problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Masters in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course, in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

16:45 18B: That’s No Moon, It’s A Space Station. Mapping the Scale, Maturity, and Compliance Value of the Victorian Protective Data Security Framework Speaker(s): Bethany Sinclair-Giardini

Bethany Sinclair-Giardini

Principal Consultant, Votar Partners (Australia)

Hurtling towards the end of her third decade in the profession, Bethany is a time served information governance professional, passionate, and energetic about assisting organisations to better manage their information security risks by championing effective information governance. Bethany is a Principal Consultant at Votar Partners, a small boutique information governance consultancy in Melbourne, specialising in assisting firms with their information security and governance challenges, with a...

The Victorian Protective Data Security Framework (VPDSF) is a beast. It’s not just a simple moon, it’s a fully operational space station with all the bells and whistles. All Victorian public sector organisations must report to our Information Commissioner, every two years, on their compliance and maturity against the VPDSF.

Across its 12 standards and 95 elements, it really provides a window into an organisation’s internal operating environment and demonstrates clearly how seriously (or otherwise) organisations are taking information security. It’s like a tractor beam, pulling in several disciplines and there’s literally nowhere to hide. As I audit these firms, I walk a fine line between a Darth Vader compliance approach, and a Yoda-like helpfulness in really unpacking how they need to approach the VPDSF, to understand what it could do for them.

This paper will demonstrate how, by taking the VPDSF seriously, organisations can chart a course that protects them from being abandoned on the outer rim of information security governance, and instead could take them to the stratosphere in terms of compliance and maturity.

Plenary Session

17:40 19P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC. Now, returning to APAC, is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at [email protected]
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 28th February.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner