
For 30 years COSAC has provided a trusted environment in which to derive information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2024 Call for Papers is now open.

Wednesday 1st March 2023

09:00 - 09:30 Delegate Registration & Coffee

09:30 10A: A SABSA-based Model for Critical Infrastructure Zero Trust Speaker(s): Marina Liu, Malcolm Shore

Marina Liu

PhD Candidate, Deakin University (Australia)

Marina Liu is a PhD candidate at Deakin University. She is a recipient of the Deakin University Postgraduate Research Scholarship. Prior to that, she received her master’s degree in cyber security from Deakin University in 2021. Her research interests include zero trust cybersecurity, blockchain and risk management. Her research has been published in the Journal of Computer Information Systems. Her PhD topic focuses on zero trust maturity, and includes the development of a SABSA attribute-based...

Malcolm Shore

PhD Supervisor, Deakin University CSRI (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Zero Trust Cybersecurity (ZTC) is emerging as the preferred security model for business and government and is now a critical national infrastructure mandate for US Government agencies. ZTC differs significantly from the trust model of traditional perimeter-focused security, requiring instead real-time validation of each access request against policy that adjusts dynamically to the state of the cyber environment. Implementing ZTC is a complex undertaking that depends on situational awareness of the security state of identity, device, application, infrastructure, network and data. This goes beyond the traditional triad of confidentiality, integrity and availability into attributes such as timeliness of authentication and assurance of device health, as well as micro-domain zoning and dynamic policy.

As organisations begin to implement zero trust in their infrastructure, they need to be able to measure how effective that infrastructure is from a zero trust perspective. This requires measurement of both control performance and process maturity in order to manage risk effectively. In this presentation we describe a SABSA-based model for measuring the performance of a critical infrastructure zero trust implementation, developed as part of a postgraduate research initiative on zero trust maturity.
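To make the "real-time validation against dynamically adjusting policy" and "control performance measurement" concrete, the following is an added illustration (not code from the presenters' model or from SABSA): a minimal policy decision point that checks authentication age, MFA, device health attestation and micro-zone alignment against a threshold that tightens as the environment's threat level rises, followed by a function that derives simple control-performance measures from the log of decisions. The attribute names, thresholds, halving rule and the four sample requests are all assumptions chosen for the example.

```python
"""Added example: zero-trust policy decision point plus control-performance measures.
Attribute names, thresholds and sample requests are assumptions, not the presenters' model."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    user: str
    mfa_verified: bool
    auth_age_s: int          # seconds since the subject last authenticated
    device_compliant: bool   # health attestation result from the device posture service
    device_zone: str         # micro-segment the device currently sits in
    resource_zone: str       # micro-segment that hosts the requested resource
    data_class: str          # "public" | "internal" | "restricted"
    threat_level: int        # 0..3, current posture of the environment


# Accepted authentication age per data class at threat level 0 (assumed values)
BASE_MAX_AUTH_AGE = {"public": 8 * 3600, "internal": 3600, "restricted": 600}


def max_auth_age(data_class: str, threat_level: int) -> int:
    """Policy adjusts dynamically: each step of threat level halves the accepted auth age."""
    return BASE_MAX_AUTH_AGE[data_class] // (2 ** threat_level)


def decide(req: Request) -> Tuple[str, List[str]]:
    """Evaluate one request; deny if any attribute check fails, recording why."""
    reasons = []
    if req.data_class != "public" and not req.mfa_verified:
        reasons.append("mfa_required")
    if req.auth_age_s > max_auth_age(req.data_class, req.threat_level):
        reasons.append("reauthenticate")
    if req.data_class == "restricted" and not req.device_compliant:
        reasons.append("device_not_compliant")
    if req.data_class == "restricted" and req.device_zone != req.resource_zone:
        reasons.append("cross_zone_denied")
    return ("deny" if reasons else "allow", reasons)


def control_metrics(decisions: List[Tuple[Request, str, List[str]]]) -> Dict[str, float]:
    """Control-performance measures a maturity model could track over a decision log."""
    total = len(decisions)
    denied = sum(1 for _, d, _ in decisions if d == "deny")
    stale = sum(1 for _, _, r in decisions if "reauthenticate" in r)
    unhealthy = sum(1 for _, _, r in decisions if "device_not_compliant" in r)
    return {
        "requests": total,
        "deny_rate": denied / total,
        "stale_auth_rate": stale / total,
        "unhealthy_device_rate": unhealthy / total,
    }


# Constructed sample traffic (not real data)
SAMPLE_REQUESTS = [
    Request("alice", True, 300, True, "ops", "ops", "restricted", 0),
    Request("bob", True, 400, True, "ops", "ops", "restricted", 1),     # stale once threat rises
    Request("carol", False, 100, False, "corp", "ops", "restricted", 0),
    Request("dave", False, 1000, False, "corp", "web", "public", 2),
]


def run_sample():
    decisions = [(r, *decide(r)) for r in SAMPLE_REQUESTS]
    return decisions, control_metrics(decisions)


if __name__ == "__main__":
    decs, metrics = run_sample()
    for req, verdict, why in decs:
        print(f"{req.user:6} {verdict:5} {','.join(why)}")
    print(metrics)
```

Bob's request is identical in substance to Alice's, but at threat level 1 the accepted authentication age for restricted data drops from 600 s to 300 s, so the same session is now denied; that shift from a static rule to a posture-dependent one is the behaviour the abstract describes, and the rates returned by `control_metrics` are the kind of evidence a maturity measurement needs.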

09:30 10B: Lost and Found - Good Information Security Governance Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has over 49 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of...

One of the pillars of a well-functioning information security program is effective governance. Good governance tends to go unnoticed. Bad or ineffective governance, however, becomes very apparent when "things go wrong". What is good governance? How do you know whether you have it? What is the value of having good governance, and the penalty for not having it? These tend not to be burning questions within the organization until bad things happen and the inevitable question gets asked: how could this happen? I thought we had a policy for that. More difficult questions may follow from the Board. Governance is one of the main drivers and foundations of many, if not most, security architectures and frameworks. What is it and how do you get it? How do you know whether it is good or not? Having defined security policies is not enough.

We will define what information security governance is and how it applies to all levels, from overall corporate governance and oversight through to the security program that is implemented and operationalized. We will define the “value of effective governance” and the evidence of ineffective or non-existent governance. We will have a look at what the standards such as ISO, NIST, the ISF, CIS CSC and several others have to say about the need for effective risk management and governance.

How do we build an effective information security governance model and get the right people making the right decisions, with the right accountability, at the right time to continually manage risk to the acceptable level, even when “things go wrong”? We will outline the top 10 things to consider and the critical success factors that will show you governance is working. Good governance provides effective management of business risk and is much, much more than just having good technology and policies.

10:30 11A: Arrival at the Promised Land, or a Deal with the Devil? Speaker(s): Shane Tully

Shane Tully

Global CISO, A24 (Australia)

Shane is the Global CISO of A24 and previously was an enterprise security architect with experience in Australian state government agencies, transport and financial services industries. His interest is in the security of international businesses. Shane was the founder of the oneworld® airline alliance IT Security Forum; a founding member of the board of management of the global security thought leadership group, The Jericho Forum; an invited attendee at the APEC 2007 data privacy seminars; and...

My proposed topic is at this stage loosely looking at the application of the SABSA Architecture for Cryptographic Key Management for Cloud, Cloud-adjacent & On-prem alternatives – supported by some case studies.

It will also discuss ways to align to new Cryptographic protocols coming out of NIST to position companies for the quantum computing algorithms.

The value proposition for this topic will be that it covers 3 scenarios that could apply from large enterprises, to smaller enterprises – whether they are still utilising on-premise compute, or Cloud, or Cloud-adjacent models.

The uniqueness of this presentation is that hopefully the Cloud-adjacent model has not been previously presented at COSAC – so this would be a point of differentiation for the audience.

In terms of timeliness, with ever increasing demands for data protection, and businesses considering alternatives to the big Cloud providers, hopefully this will give the audience timely and relevant information for other cryptographic capabilities.

In terms of approach, the presentation content and style will be tailored to the expectations of the COSAC audience, as per previous presentations in 2017 (in Melbourne) & 2018 (in Sydney).

10:30 11B: Chaos Monkey Comes to Threat Modeling Speaker(s): William Schultz

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.

What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?

Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?

Do our countermeasures create opportunities?

Can we truly understand how the adversaries’ objectives may be different from our perspective?

How do we adapt to rapid changes in our understanding due to observed or experienced events?

The session will start by revisiting what was accomplished in the threat modeling session at COSAC 2022. We will then address what we know and what processes exist to help us unfold this difficult topic, before moving into a group discussion where we explore how we can leverage each other's perspectives and ideas.

11:20 - 11:40 Morning Coffee

11:40 12A: Creating Effective Security Proposals for Major Bid Activities Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

As SABSA architects we often focus on how to engage successfully with enterprise or organisation leadership about security programs that address organisational challenges, and on the successful delivery of security solutions and programs to meet those challenges.

These situations are focused on the internal operation of the enterprise; but what about the situation where a security solution needs to be proposed and delivered into another organisation as part of a larger business activity or capability delivery program?

Requesting Manager to You: “You are the security proposal lead for this major tender. The security part of the proposal is big factor in us winning (or losing) this business!”

You, the Security Architect Lead (thinking): “OK, so what do I need to do now?!”

Producing an effective security proposal as an integrated part of a larger business proposal or tender response is a difficult activity that involves more than formulating a proposed technical solution. It must meet many conflicting needs (effective, bounded, compelling, minimum cost, etc.). At the same time, the proposal will be the starting point for defining the future security program if the tender is successful. Good choices made early make all the difference.

This session will discuss the challenges, experiences and lessons learnt from leading the security contribution to major business proposal and tender response activities.

11:40 12B: Applying Fault & Accident Management Principles to Cyber Risk Management Speaker(s): Mattia Rossi

Mattia Rossi

Enterprise Security Architect, Ignitize (Australia)

Mattia Rossi is a freelance consultant currently active in the Cybersecurity space. What you would call an Enterprise Security Architect, he is providing businesses with expertise in not just security analysis and solution security work, but most of all driving the implementation and application of security frameworks. He recognises that while there is a high number of frameworks available, and very good documentation on how frameworks and processes SHOULD be applied, most enterprises lack the...

Accident and fault management has been a topic of high importance for many years. Understanding when even small parts of a system are malfunctioning, and what major or even catastrophic faults or accidents they might cause, is of enormous importance in safety-relevant systems. Modelling techniques such as STPA/STAMP or bow-ties decompose a system into its smaller parts and construct hierarchies of controls, whose operating effectiveness can then be tested to establish whether they do or do not contribute to the causation of a main event. This in turn allows either the controls to be improved (moving towards risk avoidance) or at least the implications and the risk (or residual risk) to be understood.

This talk explores how these modelling techniques should be applied to cyber risk, allowing the creation of more meaningful Key Risk Indicators and cyber risk reports than are generally used in the industry, and how to allow dynamic adjustment and recalculation of the risk position based on exposures found throughout daily security analysis work. It also explores how to codify such exposure hierarchies and speed up the production of meaningful risk reports.
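As an added illustration of "codifying exposure hierarchies" so that the risk position recalculates as exposures are found (this is example code, not the speaker's method or tooling): the barriers on the prevention side of a bow-tie are represented as a small tree of AND/OR gates over controls, a top-event likelihood is computed from it, and each exposure discovered in day-to-day analysis is mapped onto the control it defeats. The scenario (phishing-delivered malware), the control names, the failure probabilities, the 500-per-year threat frequency and the exposure-to-control mapping are all constructed for the example.

```python
"""Added example: a bow-tie control hierarchy codified as an AND/OR fault tree,
with exposures from daily analysis work feeding straight into the risk position.
Scenario, controls, probabilities and exposure mapping are constructed, not real data."""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple, Union


@dataclass
class Control:
    """A barrier or barrier component; p_fail applies only while the control is effective."""
    name: str
    p_fail: float          # probability the control fails to stop the threat
    effective: bool = True


@dataclass
class Gate:
    """AND: every child must fail for the layer to fail (barriers in series).
    OR: failure of any one child fails the layer (single points of failure)."""
    kind: str
    children: List["Node"]


Node = Union[Control, Gate]


def p_fail(node: Node) -> float:
    """Probability that the threat passes this node, assuming independent failures."""
    if isinstance(node, Control):
        return 1.0 if not node.effective else node.p_fail
    ps = [p_fail(c) for c in node.children]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def build_bowtie() -> Tuple[Gate, Dict[str, Control]]:
    """Prevention side of a bow-tie: phishing email -> malware executes on a workstation."""
    controls = {
        "mail_policy_enforced": Control("mail_policy_enforced", 0.05),
        "sandbox_detonation": Control("sandbox_detonation", 0.20),
        "user_awareness": Control("user_awareness", 0.30),
        "edr_agent_present": Control("edr_agent_present", 0.02),
        "edr_detection": Control("edr_detection", 0.15),
        "macro_blocking": Control("macro_blocking", 0.10),
    }
    tree = Gate("AND", [
        # mail filtering barrier: the enforcing policy and the sandbox are each single points
        Gate("OR", [controls["mail_policy_enforced"], controls["sandbox_detonation"]]),
        controls["user_awareness"],
        # endpoint barrier: an absent agent or a missed detection each defeats it
        Gate("OR", [controls["edr_agent_present"], controls["edr_detection"]]),
        controls["macro_blocking"],
    ])
    return tree, controls


# Exposures as they might be recorded during daily analysis, mapped to the control they defeat
EXPOSURE_TO_CONTROL = {
    "macro-blocking GPO not applied to workstation OU": "macro_blocking",
    "mail gateway running in monitor-only mode": "mail_policy_enforced",
}


def apply_exposures(controls: Dict[str, Control], found: List[str]) -> None:
    for exposure in found:
        controls[EXPOSURE_TO_CONTROL[exposure]].effective = False


def risk_report(tree: Gate, controls: Dict[str, Control], threat_freq_per_year: float) -> dict:
    p_top = p_fail(tree)
    return {
        "p_top_event_given_threat": p_top,
        "expected_events_per_year": threat_freq_per_year * p_top,
        "ineffective_controls": sorted(n for n, c in controls.items() if not c.effective),
    }


def recalculate(found_exposures: List[str], threat_freq_per_year: float = 500.0) -> dict:
    """Rebuild the tree, mark defeated controls, and return the recomputed risk position."""
    tree, controls = build_bowtie()
    apply_exposures(controls, found_exposures)
    return risk_report(tree, controls, threat_freq_per_year)


if __name__ == "__main__":
    print("baseline:", recalculate([]))
    print("one exposure:", recalculate(["macro-blocking GPO not applied to workstation OU"]))
    print("two exposures:", recalculate(list(EXPOSURE_TO_CONTROL)))
```

With the assumed figures the baseline top-event probability per phishing email is about 0.0012 (roughly 0.6 expected events per year at 500 emails). Finding that the macro-blocking GPO is not applied sets that control's failure probability to 1 and multiplies the position by ten; finding the mail gateway in monitor-only mode as well collapses the whole mail-filtering OR layer and takes the position to about 25 expected events per year. The point is that an exposure ticket becomes a change to a single node and the Key Risk Indicator follows automatically, rather than waiting for the next periodic assessment.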

12:40 13A: Security Modelling Case Studies Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT and has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities. He also lends his support to local cyber initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation and modelling, leading to the 2021 foundation of a niche consultancy in this domain. Steven...

Since a means of expressing the security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema and the approach has been made accessible through webinars, presentations and this year, as a SABSA Training course with basic tool support.

While COSAC 2018-21 traced the emergence of security modelling as a technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small-scale, proof-of-concept "laboratory models".

This year for the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking and where the technique might be headed in light of this experience.

At the time of CfP, the contracts for this work are just being signed with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint.

The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.

12:40 13B: Conquer the Architect's Eternal Dilemma: How to Turn Strategy into Reality Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 41st year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

It is a fundamental dilemma faced by all strategists: how to turn strategy into reality?

Enterprise Architecture takes a long time to define and rarely starts from a green field site. Ordering I.T. to postpone all initiatives until the strategy is fully developed is a seriously career-limiting, if not life-threatening, move. Business innovation cannot stop, developments and improvements cannot be shelved or hang around waiting on Architects in their perceived ivory tower to complete their idealist thinking.

The Architecture may be brilliant work but what if we have an incident tomorrow, are we any safer while the Architect is doing their ‘thing’, can we demonstrate any value from a strategic initiative that isn’t yet deployed?

In practice, the Architect’s scope is rarely all of Enterprise in a single bite, but if we can’t start at the all-of-Enterprise end, where is the beginning? We must deliver something before we deliver everything. How do we scope an Architectural project or an RFP in practical reality?

By definition any starting point below all of Enterprise is not Enterprise; it is only one particular viewpoint or aspect of Enterprise. Being business-driven and looking downward we see multiple dependencies and relationships, many contributing "means to an end", but looking upward from any non-Enterprise viewpoint we see an exclusive relationship, a single "means to an end". This creates a tunnel vision that risks the creation of the very isolated silos we set out to remove. So, even if we can identify a starting point, how do we ensure that it is architecturally consistent, holistic, and integrated with all the other aspects and viewpoints of our complex Enterprise that are currently out of scope?

Join us in this session to explore SABSA Architecture realisation techniques to help us overcome our eternal dilemmas.

13:30 - 14:30 Lunch

14:30 14A: Cyber Resilience: Living with Uncertainty Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

CEO, Qiomos (UK)

Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future proof information security strategies and helping organisations implement...

Cyber security risk is one of the top non-financial risks for organisations. It can be present in almost any part of digital operations. The nature of the risk is both complex and broad, owing to the complexity of the attacks and the evolving capabilities of the attackers. More often than not, risk assessments rely on static artefacts, focus solely on controls and lean heavily on the biases of the person conducting the assessment.

This presentation will focus on how to instil a degree of pragmatism in the identification and evaluation of cyber security risk. Using real-life case studies, we will highlight how the development of plausible threat scenarios for critical products and services, based on a threat modelling methodology, can be operationalised to embed an accurate reflection of the threat landscape in the risk evaluation and thus validate the relationship between risk events and key controls. Using threat scenarios as the conduit between risks and controls helps to identify actionable insights, simplify remediation actions and improve the risk position of the organisation.

14:30 14B: Artificial (un)Intelligence: Risks and Opportunities of AI Speaker(s): Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SCF, is a Cognitive Solutions Developer at the City of Hope. A neuroscientist and biomedical engineer with experience in speech and gait research, she spent 5 years running neurorehabilitation engineering studies with human participants and conducting analysis to investigate sensorimotor systems. She co-authored 5 papers and presented at conferences in Toronto and Boston, and at COSAC 28 & 29. Ashling has a BA in Neuroscience from Boston University, & a MS in Biomedical...

This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function.

This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use.

The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics.

The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.

15:30 15A: Trust Relation Framework and Threat Modelling to Enrich Risk Assessments Speaker(s): Marten Gerssen

Marten Gerssen

Independent IAM Consultant, unConceptual (Netherlands)

After graduating in Control Engineering, Marten started his professional career in Telecom Network Management at Alcatel in 1996, holding various pre-sales and marketing positions. In 2010, Marten founded unConceptual as an independent consulting company, growing from IT project management into IT Security. Customers include energy, telecom, government and banking sector. In those 10 years, the focus evolved to Identity and Access Management with projects in IAM overhaul, Privileged Access...

In 2020, my then CISO tasked me with charting “the” Identity and Access Management Risk for the organisation.

That triggered me to not only list the standard risks, such as credential theft, but also the risks when dealing with 3rd parties: Sales agents downstream, and suppliers upstream, regulators, authorities…

Result: Sales Agent and Vendor Risk Management Assessments with (less) obvious risks. For example: if you have a shared account (SABSA Trust Relation) with a printing company for your posters, how easy is it to get a picture of the CISO in a vampire suit onto a billboard in the street?

You can use SABSA to map those trust relations with the outside world, then use threat modelling to list scenarios once authentication has taken place, and classify the risks as reputational, financial or availability risks. We present an easy-to-use table.

Further attention is given to IAM-related issues such as key management on non-owned IAM systems and managing non-federated IAM with associated organisations.

This matters to Security Architecture, because these Trust Relations with vendors and agents are the foundation of the organisation’s business.

15:30 15B: Contagion - Simian Flu

Despite huge investments cyber security continues to hit the headlines for all the wrong reasons. Each year brings new technologies that will, apparently, save us all. Away from the bright lights you’ll hear it is all about people: you need to increase awareness and adopt the right culture. If that doesn’t work there’s always AI, that’ll save us.

We sit in our ivory towers developing our architectures and programmes, assuming that ours is the one true way. But big data and the scientific method are failing us. Beyond the biases we’ve all heard about our data sets are often collected and applied across widely differing cultures. Those we look towards to steer us through the storm stick to the familiar, fearing or discounting the foreign.

We need to step back from the bird’s-eye view that encompasses so much, but at the cost of local context. What does the worm’s-eye view from the ground show us? Those strange people that don’t align to our expectations, that don’t behave correctly; they’re not irrational or uneducated, they just have different perspectives, different drivers, and maybe goals we’ve overlooked. We know what they’re doing, or not, but do we really understand why? We also need to look critically at ourselves: does our normal and familiar look weird and alien from the outside in?

As global recessions and pandemics hit, business leaders and politicians are looking to anthropologists to help them understand why people are behaving the way they are in the present and prepare for the future. Together we’ll discuss some examples, some parallels, and invite insights into cyber folklore and customs. By understanding behaviours better, we may be better able to influence them.

16:20 - 16:40 Afternoon Coffee

16:40 16A: A SABSA Approach to Health and Well Being

I had a brilliant 2019, having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland, but like many of us my follow-up experience in 2020 was less than ideal and I came out of that year needing to take stock of my general health and wellbeing.

It is a shared observation of my colleagues, that as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon.

We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life.

In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being “Retirement Fit”. I took a haphazard approach and by the end of the year I realised three things:

Firstly, this is not a one-year project – it is going to be an ongoing iterative process.

Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and

Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach.

So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes and

This presentation uses SABSA as framework for health and well-being and presents the fundamentals of SABSA in a non-security and non-IT context.

16:40 16B: The Multiverse of Cybersecurity Frameworks Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has over 49 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of...

What is an organization to do? You’re expected to master managing your cybersecurity risks, but the threats are constantly changing, and there are differing ideas of exactly what mastery means and requires. However, mastery isn’t enough. You need to be able to demonstrate your mastery to anyone who needs to know and in a way everyone, including business partners and regulators, can understand and accept. All within budget and available resources. How can you adapt your approach to satisfy all the demands and expectations?

The good news is that there are many frameworks and standards to help you master your domain. This is also bad news, because there are many common (or not so common) standards and frameworks that influence how you organize your cybersecurity program. You may already have defined cybersecurity requirements and perhaps an organizing framework that is specific to your industry, required by regulation or aligned to your technical choices. However, not all frameworks are equivalent, nor are they intended to solve identical problems. You may have important gaps to fill or conflicts to deal with. How do you navigate this multiverse of choices to find the framework that aligns to your cybersecurity requirements?

After establishing a common taxonomy, we will examine and categorize various approaches to cybersecurity frameworks, using examples to illustrate the considerations. We will outline some of the issues and challenges involved in defining or using cybersecurity frameworks to organize and manage your cybersecurity risk. We will discuss essential principles for establishing an effective framework foundation and outline a risk-based approach for effective management of your cybersecurity risk. We will review and discuss critical success factors for an effective cybersecurity framework. Have you leveraged a framework in your own organization and have some insight to share? Maybe together we can put frameworks to better use.

Plenary Session

17:40 17P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 41st year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC. Now returning to APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

-Electronic submission: Send email to the rump session chair David Lynas at [email protected]

-Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 1st March.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner