The 2024 edition of the Forum will not be generated by artificial intelligence. Instead, the actual intelligence and experiences of the attending delegates will be focused to analyze and solve (not just admire) current and emerging information security issues, many more political or organizational than technical. This is where the real-world experience (positive and negative) of battle-hardened COSAC delegates adds significant value to the session. Specific technical or vendor-focused solutions might work fine in one environment but fail or be disallowed in another. Historically, delegates have always been willing to listen to and learn from others who’ve encountered things they might not have, not shy about sharing strategies and techniques. In short, committed professionals.

An ancient security dinosaur will moderate as a roomful of you and your peers dig into current events, trends, and publications. We seek solutions or, at least, pathways to solutions. It’s a front window into the conference, a full-bodied immersion in the COSAC way. Divergent viewpoints are not just expected, but welcomed. Reality and professional experience trumps theory.

Come help us shine light on and solve the latest (and some of the oldest) issues.

Returning for a 8th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

For over a decade we have been undergoing digital transformation with rapidly evolving technology changing the way we live and work. That brings great opportunities for organisations but also bring new threats. This in turn brings challenges for budgeting and planning to manage the risk over multiple years. How do we predict investment to allow us to fully address the security challenges we may face to ensure that we are preparing for the future? Often the business or sales-people sit on 'happy island' when considering emerging technology landscapes whilst many security people sit in 'despondency dell'. This workshop will help us to develop the futures literacy needed to be able to plan for different emerging futures.

Workshop Part 1

This session will provide an overview of futures thinking techniques and approaches. It will cover some of the key theory of futures thinking, providing guidance on the creative process required to rigorously model emerging technologies, to navigate risk versus opportunity, and to manage the tendency to consider the future in binary terms as offering either utopia or dystopia.

These theories and approaches will include an introduction to:

• Futures literacy through narrative

• Futures and systems thinking

• Strategic foresight

Workshop Part 2

This session will look at some of the technical and threat modelling approaches most relevant to cyber security. We will explore how we can most usefully model the economic, societal, political, and cyber threats. This isn't about doom and gloom but about thinking about broad pressures on thinking. Items covered in this session will include:

• Scenario Planning

• PESTEL and VUCA analysis

• STRIDE threat modelling

• Bow Tie analysis

Workshop Part 3

This part of the workshop will put into practice some of the theory and in groups we will work through some scenarios and futures modelling.

Prizes will be given for the most innovative solutions and a special booby prize given for the weirdest.

Building on last year’s success the team decided to upgrade the “ From Hardware to Humans and Everything in Between” course. Resilience is widely considered the antidote to many of the problems that plague cybersecurity. The problem is that resilience definitions vary, and solutions typically fail to address all aspects of resilience, thereby resulting in a significant variety in security profiles of “resilient solutions”. This year we decided to upgrade the workshop by including a practical discussion based on a real living network.

This 4-part workshop opens with defining and discussing the challenges of how to identify, measure and improve resilience in existing environments. We set the overview for each day by introducing each of the areas covered to include hardware, operating systems, software, networks, data, users, and residual security gaps, using the framework of “as is”, “to be” and “reality”. The workshop will center around the Living Lab Network, a student real world laboratory housed at Purdue University Indianapolis.

Part 1: What’s new with 2.0? Like releases, this has not been tested. We open with a discussion of the exemplar network. We will examine the network from various viewpoints, noting where the 4 Rs of resilience are already present, and identifying residual gaps. We also will discuss the high level overview (OV-1), the goals of the institution and how the Living Lab Network supports those goals.

Part 2: Part 2 dives into the hardware, firmware, and IoT devices. Understanding fault rates, failure rates, supply chains, vendor data, and transparency goals will be explored. These values will be applied to the exemplar network within the “as is” followed by steps to get to the “to be” state, and finally concluding with the “reality state” where financial concerns are reconciled with risk tolerance..

Part 3: Software & Data Resilience – We will open with a discussion on software resilience (or lack thereof), and reliability. We will discuss secure coding, DevSecOps and other software security solutions along with their effectiveness. After discussing software we will move onto data resilience. Trust, privacy, and data fidelity have various points of potential vulnerability and exploit, which are not easily solved. Using the “as is” followed by “to be” and finally the “reality”state we examine how data can be both trustworthy and resilient. We will discuss the various complexities with this to explore different approaches to trust, privacy and data fidelity determining how we can achieve better transparency with regard to trust and privacy.

Part 4: Intelligence: Artificial (AI) and Human(HI) and Policy Resilience – AI continues to expand in cybersecurity. What are the strengths and limitations? Where do AI outperform HI and where does HI outperform AI? Training, education, decision-science using the “as is” followed but “to be” and finally the “reality”state. How do cognitive models work in the resilience framework? Should ethics be included in this analysis? How can different cognitive models be navigated in the HMI? What is possible through understanding the human mind, and how can this knowledge inform policies and procedures? What guardrails are in place to address various biases with the models? What are the requirements to remove flawed cognitive data?

Technical assurance and vulnerability management have been parallel but complementary functions in organisations for a number of years. Technical assurance has included: testing the security of a system including penetration testing, hardware assurance, and cryptographic testing; compliance driven testing including web application testing and PCI/DSS; and now regulatory testing required by schemes such as CBEST, TIBER, and DORA including full threat led red team testing. In parallel the vulnerability management world has grown from vulnerability scanning, to vulnerability management, then proactive testing as part of the DevOps process with DAST and SAST, and now into continuous controls monitoring.

We’ve also seen the growth in expectation around the use of automation and machine learning in testing with automated stress testing with low setup cost high agility approaches popularised by Netflix and Google becoming more popular as vendors offer tooling to enable this.

This is creating pressures on traditional testing and assurance services and merging the capabilities with continuous controls monitoring to build success. This session will consider this journey, the move towards continuous controls management and looking to automate remediation as well as testing.

It will address some key questions including:

• How should be looking to build an evergreen and secure ecosystem

• when automation is useful and when it is not and

• whether we can achieve that aim of proactive cyber defence considering how we combine technology with human expertise, context and insights to ensure an organisation is as resilient as possible.

CISOs have been in the hot seat lately, as evidenced by charges levied by the U.S. Securities and Exchange Commission in October 2023 against Solarwinds and CISO Tim Brown for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities”, in that he overstated the cybersecurity practices and understated or failed to disclose known risks.

In May 2023, Joe Sullivan, Former CISO for Uber was sentenced to three years’ probation and ordered to pay a fine of $50,000 USD, after being found guilty of two felonies, one for obstructing justice by not revealing the breach to the FTC and another for misprision (concealing a felony from authorities).

This session will discuss the current state of the CISO, these cases and their implications, the approaches the CISO should take to avoid prosecution, and the insights from the CISOs. The presenter has had one on one interviews with both the CISO from Solarwinds, as well as the Former CISO from Uber (after the conviction) and can share these perspectives. The session will be interactive as we discuss these cases, as well as the security program itself, and where else the CISO may become liable in the future.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation to create a memorable entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker and ISACA top-rated speaker.

Just a normal day for the security architects at a DSO (Distribution System Operator) being in the midst of the Energy Transition Race.

Time for an Enterprise Security Architecture upgrade.

The journey starts on the contextual layer of the Business, right?

The Business context.

Right?

Cool. “Dear business, can I see your documents, your requirements?”.

“Oh, you’ve just released OGSM’s containing loads of items and performance targets on KPI’s?”. Thanks, we will analyze those.

But wait... these don’t really align to what’s been described as business targets and some of it conflicts with the Strategy we’ve seen in the presentations.

“Can we have a quick chat about this?” –silence–

We better team up with the EA team, as it turns out they are ahead, and we can piggyback on their relationships with the business.

And then when you’ve just established an opening with the business, they re-organize. The person you had on your side is now focusing on a different area.

What next?

In this highly interactive session we would like to present our challenging journey, discuss our observations, our challenges and learn from the participants how we can do better, what should be our next steps.

System hardening plays a pivotal role in bolstering cybersecurity defenses, and the adoption of immutable operating systems coupled with containerization technologies offers a promising approach for organizations requiring flexible solutions, which can scale with the enterprise. This presentation delves into the benefits and challenges associated with utilizing an immutable operating system with multiple independent containers, while also examining the distinctions between various containerization technologies including separation kernel technologies, virtual machines, Docker containers, and Kubernetes containers.

Immutable operating systems, characterized by their unmodifiable nature once deployed, provide inherent security advantages by reducing the attack surface and minimizing vulnerabilities associated with system modifications. When combined with containerization, which encapsulates applications and their dependencies in isolated environments, organizations can achieve enhanced security, scalability, and resource efficiency.

However, the choice of containerization technology influences the efficacy and suitability of the overall architecture. Separation kernel technologies offer strong isolation between containers at the kernel level, ensuring robust security but often at the expense of flexibility and performance overhead. Virtual machines provide greater isolation through hardware emulation, but their heavier footprint may impact scalability and resource utilization.

In contrast, Docker containers offer lightweight virtualization with efficient resource utilization, enabling rapid deployment and scalability. Kubernetes containers provide orchestration capabilities for managing containerized applications at scale, offering features such as auto-scaling and self-healing.

In discussing these options, a notional architecture that combines the strengths of immutable operating systems with flexible container and orchestration options will be proposed. This architecture leverages the security benefits of immutability while harnessing the flexibility and scalability afforded by containerization and orchestration. A list of candidate applications and operating environments/systems will also be provided as a starting point for further study.

By adopting such an architecture, organizations can establish a robust cybersecurity posture characterized by enhanced resilience, agility, and scalability, while mitigating potential risks associated with system hardening and containerization technologies.

In January of 2015 a qualified academic was appointed as the Finance Minister of Greece with a mandate to renegotiate a disastrous programme that had sent the deficit of Greece further into the red. Upon his second meeting with the “troika” (decision group) he was told by one of the powerbrokers of the Eurozone “Elections cannot be allowed to change an economic programme of a member state!”.

Many times, per month, quarter, or even per year, qualified information security professionals are appointed as Chief Information Security Officers the world over. They are armed with a mandate to negotiate, steer, traverse (choose your verb) organisations to uplift their cyber security programs and capabilities, to hopefully manage cyber risk and enable opportunity. Upon starting they are often told by their stakeholders (typically C-suite, sometimes the board) that they have no budget, save for whatever may have been allocated to the role for years, but they are expected to materially turn around the security posture and culture of the organisation within 12 to 24 months, if they’re lucky.

To quote that Finance Minister: “It’s lunacy”.

This session will look at the challenges faced by the role of a CISO, through the lens of Europe’s post-GFC crisis, and the absurdity that is commonly faced by leaders in information security who are tasked with an immense, complex challenge with both arms tied behind their back.

The aim is to have a discussion with the audience and posit pragmatic ideas on how a CISO may manage such futility so as not to find their mission over before it even begins.

In other words, unlike the radical, ‘game theory’-loving Finance Minister, can the CISO find a way to avoid further “austerity” and make a positive impact on the organisation’s cyber security.

While major cloud providers offer comprehensive reference architectures for implementing functional technical structures such as landing zones, these models often lack direct alignment with core business motivations. This misalignment frequently results in architectures developed from the bottom up, focusing on technical specifications rather than strategic business outcomes. Such an approach can meet technical requirements precisely yet fail to deliver on security and operational efficiency due to poorly defined service management and the absence of an effective operating model.

This session proposes a different approach using a top-down, business-driven approach to cloud architecture. It will outline a method for using business motivations and objectives to drive cloud strategy and design, ensuring that the technical deployment of cloud environments inherently supports and enhances business goals.

Participants will learn how to:

• Consider cloud architecture design from a business perspective, ensuring that every technical decision is made with strategic objectives in mind.

• Implement frameworks and methodologies that bridge the gap between business leaders and technical teams, fostering a shared understanding and vision.

• Develop effective service management practices and operating models that are tailored to the business, enhancing security, efficiency, and adaptability in cloud environments.

Through real-world examples, this session will demonstrate how a business-driven approach not only mitigates the risk of misaligned cloud implementations but also creates an architecture which spans all 6 of the SABSA layers rather than just the Component and Physical layers which the cloud vendors would lead you to believe is enough. Attendees will leave with practical strategies for delivering cloud architectures that are operationally secure not just technically.

Quantum Computing is going to be the next disruptor that has a potential of turning security upside-down. I like to draw a parallel with AI and ML, that were discussed and researched for many years, until a sudden breakthrough that has rapidly accelerated the adoption and resulted in disruption we see today. The same will happen with Quantum Computing, but there is an important difference - while the use of AI introduces new attack surfaces, the advancement of QC disrupts and invalidates current defences, which is much harder to tackle post-fact.

In this session we will gain a common understanding of quantum computing and challenges it brings. We will then look at specific threats to the way we use and rely on traditional encryption to protect long term secrets. Using SABSA, we will identify a number of practical things organisations could do in order to achieve ‘crypto-agile’ architecture that will enable them to manage the risk of current defences becoming obsolete.

NOTE: This is not a lecture in physics or mathematics, the session is practical in nature and examples I will be sharing are from real-world implementations.

If you’ve been keeping up, the latest buzz in the IT and cybersecurity world is the adoption of Outcome-Driven Metrics (ODMs). These metrics aim to measure the effectiveness of specific investments in a way that bridges the communication gap with the boardroom. Their purpose is to enable stakeholders to directly link cybersecurity investments to the levels of protection delivered. Importantly, ODMs are designed to be easily explainable to non-IT executives, using clear and simple language.

While this all sounds promising, it’s natural to wonder if it’s too good to be true. That’s why I’ve decided to use them. In this interactive session, I’ll share my experiences and views on ODMs, and in good COSAC fashion, we’ll examine them and address the following questions.

1. How do they work?

2. How do you implement them?

3. In what scenarios are they likely to work?

4. In which scenarios will they fail?

5. Can they track return on investment?

6. Can they track effectiveness?

7. Are they likely to be biased?

8. Are they just old wine in new bottles?

Are you curious? Let’s dive in.

Now that your SASBA security architecture is effectively managing and governing the risks to your organization and enhancing the business value, what does it actually look like? Is it something that anyone can easily recognize and understand their responsibilities in relation to what has been implemented or is it operating “under the covers” and is assumed to be mostly technology? Your SABSA security architecture is now operating as your Information Security Program and you need something to “glue” all the various artifacts, processes and responsibilities together into a framework that you can see and easily manage.

An Information Security Program Framework is a reference point for the collection of artifacts, processes and responsibilities that support the ongoing operation and management of information security governance, architectures, vulnerabilities, threats and risks, resilience, remediation and reporting processes, as well as adapting to the shifting business requirements. The Framework is used; as an anchor point for discussion and decision, as the reference for managing the collection of RACI charts to illustrate everyone’s role in the security program, and illustrates how a business decision becomes a requirement to be incorporated or accommodated into the information security program. The Framework becomes the anchor point for the security services from your services catalog if you have one.

This session will outline the need, value and use of an Information Security Program Framework and how you can define one and put it to work for your organization. We will identify the attributes of an effective Framework and the various framework components and connections to consider. There are various frameworks and standards available but the one-framework-for-all seems to be elusive. We will look at several sources and references to draw from and discuss the considerations for defining and using an effective Framework that is right for your organization. An Information Security Program Framework should represent the operation of your SABSA Security Architecture. Do you already have one or more frameworks in your own organization and have some insights to share? Maybe together we can put frameworks to better use.

“Do you have offsite backups?”

I’d answered this due diligence question many times before, always with the same answer – encrypted backups, on tape, stored offsite, in a dedicated third-party storage facility. But when I saw it last year, I realised this answer and even the question were out of date. These days almost everything we do is offsite with a major cloud provider. We take advantage of their high availability, distributed data storage solutions. Is that equivalent to the old offsite backup control, or is it better? I wasn’t sure we could explain that to ourselves yet.

Over the next couple of months, I started digging around the topics of backups and recovery. So, when I attended COSAC 2023, I was keen to join the Masterclass session on Resilience: From Hardware to Humans and Everything in Between. By the end of that day, I had a new view of what resilience means, and I realised I wasn’t asking all the right questions. Spoiler alert – it’s not all about backup and recovery!

In this talk I will describe an initiative to clarify what resilience means in our organisation and what it should look like. I’ll describe how we got started down this path, the questions it is raising, how we’re responding, what we’re learning, and where I think the path takes us next. This is a real-world example of responding to an idea sparked by a day at COSAC and the impact that might have.

According to the Dutch Corporate Governance Code, Supervisory Boards should take care to consider the impact of new technologies and cybersecurity on their long-term value creation strategy, and include cybersecurity, supply chain dependencies and data protection in their risk management.

This aligns with new European regulation like NIS2 and DORA, that put forward much more stringent requirements for board members on having knowledge about and being accountable for cybersecurity or they risk of being held personally liable. These new requirements come at a time when 13% of the Top 100 Dutch Board Members have had any dealings with IT in their career, and only 1% has indirect experience with cybersecurity.

This is reflected in the way most of them talk about cybersecurity in their annual reports - a section that is often missing or minimized. “Cybersecurity is a top priority for us” and “we have done many things to improve cybersecurity the last year” are about as much food for the thought the average annual report gives its reader. Although presenting information about the state of cybersecurity potentially puts a target on the back of a company, security by obscurity should never be the answer.

Investors and citizens have a right to know how well-guarded their information and the continuity of the organisation is from a cybersecurity perspective. Many organisations, even critical infrastructure, seem to conveniently neglect the systemic risk to society of them being unable to operate for multiple days like with a ransomware attack. We need to understand the likelihood of that happening, how the organisation is addressing those risks and whether there’s a plan B.

This session contains the following segments with the aim of providing attendees with the ammunition to challenge cyber security public reporting in their organisation:

• - A passionate plea for why not sharing the state of cyber maturity and resilience is harmful to society and ought to be delivered through a standardized reporting mechanism.
• - A round-up of cybersecurity reporting requirements of major corporate governance codes around the world.
• - A deep dive into the state of cybersecurity reporting in the annual reports of major Dutch companies, with some best-in-class examples.
• - A proposal for and discussion with the audience on which cybersecurity elements should be reported on and disclosed, without causing harm to the company.
• - Guidance and a call for action to the audience who can play a leading role as subject matter experts in moving their organisations to enhance cybersecurity reporting.

In the fast-paced world CxOs are generally seeing their cyber security position improving in their organisations, but continue to face considerable challenges. A number do not see that increasing the security technology foot-print in their business as the answer, and staff attrition, and rapid adoption of the cloud continue to cause great concern and uncertainty.

Furthermore, the cyber landscape itself is changing. Regulation through NIS 2, Telecommunications Security Act (TSA) and Digital Operational Resiliency Act (DORA) have emerged making cyber much more directly financially impacting. New technologies and innovative working (e.g. AI) is creating more and different risks to be responded to, and the industry of ‘threat’ continues unabated.

But how does enterprise security architecture respond to these, and if it does, how might it have to think differently or apply itself differently to best support the enterprise?

This 40 min presentation explores these trends, the application of SABSA and Q&A covering:

• a. Cyber trends and emerging technologies.
• b. How these trends impact our thinking as ESAs.
• c. Where does SABSA support overcoming these trends for stakeholders and where does our focus in SABSA need to shift.

A case study of the Dutch Government

The legislation and regulations for the use of Cloud applications for the Dutch Government have changed significantly in recent years. While in the past it was not done to store or process data in the cloud, the current policy is based on Cloud for certain confidential data, as long it is done in a secure manner. One of the conditions set is that a targeted risk assessment takes place and the correct measures are taken to protect the data.

The content of the presentation is about a case at the central government in the Netherlands of how a targeted risk analysis was carried out, what lessons were learned and what steps are being taken to streamline this process.

The case will mainly focus on which elements are used in the risk analysis, how risks are constructed, which positive or negative effects a risk entails and how security control frameworks, GDPR, Cloud Acts and other legislation are dealt with. In addition, selecting and adapting a risk analysis methodology is an important part of the case. SABSA can help us in selecting the important elements within risk assessments.

Lessons learned:

• - Risk analysis methods and the risk management process
• - Risks when using the Cloud.
• - Legislation for processing data in the Cloud and information security aspects

Recipients of the Bursary award share their personal experiences embarking into their cyber journey and how the Bursary helped shape their career transition and welcome them into a global community.

Sharing the love. In 2020, Ghariba Bourhidane and Clara Grillet started career transitioning in cybersecurity by following courses. In 2022, their cyber career go deeper and was boosted by receiving the first ever SABSA Founders Bursary award. Two years later, they want to share feedback on how the award was seminal in making their career transition successful:

- Certifications like SABSA are a major plus for job-seekers

- COSAC values out-of-the-box problem-solving where non-traditional profiles feel welcome

- Exposure to professionals with diverse life paths builds self-confidence and give value to non-technical skills

- Profound sense of belonging from joining a well-established community

- Receiving an award alleviates impostor syndrome and self-deprecation

Being part of the SABSA community gave them additional tools to facilitate and secure their sense of belonging to the cyber community.

Highlighting value. Non-traditional profiles bring new approaches and innovative thinking. They draw on diverse soft skills that can lift hurdles in interpersonal relationships and team projects. Hiring managers, coworkers, company culture and HR staff can all play a role to attract, welcome and keep atypical practitioners.

Thinking back and paying it forward. In this session, we share personal stories that show the immense value of the SABSA Founders Bursary for newcomers to cybersecurity. We will interact with the audience to encourage them to share their own experiences either being a newcomer themselves or working with newcomers. We will interrogate how each team can support inclusion so non-traditional colleagues in the broadest sense (nationality, gender, academic background, past experiences,…) thrive.

Global supply chains are undergoing massive strains in 2024 due to geopolitical conflicts, rapid technological evolution and regulatory changes that pose challenges to organizations irrespective of the industries they operate in. The extended supply chain for hardware suppliers and service providers spans several countries and continents while the sprawl of software components and open-source projects further increase the sophisticated nature of supply chain attacks. Another internal challenge for organizations is the governance and ownership of supply chain security which is usually shared amongst security, procurement and legal teams. Securing the supply chain and ensuring uninterrupted business operations have become top of mind for business and security leaders in their day-to-day job responsibilities.

In this interactive session, we will discuss a real-life case study of a Canadian multinational financial services company where the challenge was to securely manage the organization’s supply chain across the 36 countries it was operating in. For this organization, we leveraged and applied SABSA principles to build in traceability from the key business objectives of the executive stakeholders to the specific security services, mechanisms, and components that every security and procurement teams needed to incorporate to secure their supply chain. These security components were utilized to build a supply chain architecture that weaved in governance for the security and procurement teams involved. The result is an adaptable security architecture that is used by security teams as well as business objectives that matter to the CEO and Board.

Admiral Group Plc is a UK-based insurance group that provides a range of insurance products and financial services to over 9 million customers worldwide. In 2018, Admiral embarked on its cloud journey to achieve its strategic vision of becoming a data-driven organisation and leveraging its customer base and data for a competitive advantage. In this talk, I will share how we built, secured, and scaled our capabilities, and discuss the challenges we faced, the lessons we learned, and how that lead us to rip up the rule book on Security Engagement and develop a de-centralised and democratic approach to securing our investments into cloud by making it everyone's responsibility and the cultural changes this forced.

We will cover three main topics: What led to us deciding to move to Cloud? how we initially approached securing our cloud environment and how we realised that this approach was wrong and the steps we took to create a de-centralised security model and finally what this looks like and how we would approach it if we were going to do this again.

The Key take aways for the audience will be how to approach this type of model, What benefits this model can have on an organisation and what are the pitfalls of doing it.

This presentation aims to demonstrate the benefits of onboarding diverse profiles to security teams. It is part of a continuous effort to formulate a framework which helps security teams perform better while optimising diverse skill sets already present in the organisation. This presentation will provide proof-of-concept on how an internal talent pipeline has given professional growth opportunities to staff with the relevant transferable skills while also making the security teams more effective.

Complexity is in the nature of the problem (securing an organisation and building cyber resilience), as well as in the complex tasks needed to address them (high-dimensionality and high-interdependencies).

The number of tools and the combination of tools being used in the industry, and the introduction of new technologies - all these change at an incredible pace. Teams need to be agile, flexible and adaptive, and need both a broad, as well as deep knowledge of various domains in order to work with diverse stakeholders. How do we face complex challenges with a limited team budget for human resources and the seemingly small talent pool?

“In complex adaptive systems, diversity makes fundamental contributions to system performance.” - Scott E. Page

Building diverse teams with the necessary skill sets to meet these challenges and adapt to the changing tech and threat landscape is necessary - but also not an easy task. The question is how.

Through the lens of the PPT framework:

The success of organisations are tied to talented people and effective teams - and how well they can adapt to a complex business environment by managing the the dynamic nature and interdependencies of these three components:

• People (human weaknesses, strengths – identifying potentials, highlighting current skills and understanding competencies needed, optimising the skill set of a team),

• Processes (business landscape is changing with demographics and innovations, risks in the supply chain are increasing), and

• Technology (disrupting industries, way of working and living).

How can we enable our teams to manage challenges involving the the above three

components?

Through the lens of “Quality of Hire” indicators:

Organisations must learn to work with uncertainty, and manage talent and resources when the long-term nature of the present skills shortage is considered a major security threat. Success depends on hiring, managing and retaining talent and resources within security teams – while also learning how to make these teams highly effective.

For this, hiring managers need to have an understanding of how to measure the effectiveness of teams, in order to create a strategy for improvement and optimisation.

The use of “Quality of Hire” indicators may provide a way to determine an effective talent recruitment and retention strategy, while creating a reliable pipeline for atypical profiles with relevant transferable skills into the different security teams.

This presentation will focus on three indicators (Performance, Tenure and Engagement) as a guide to creating a clear picture of how well a team works and adapts to a highly dynamic environment.

Promoting Reskilling: Could promoting cognitive diversity - reskilling diverse profiles with transferable skills - be a sustainable answer to addressing the skills shortage in the industry, while also providing a way to address the challenges in the complexity of the challenges?

The ever increasing reliance on technology has drastically shifted how organisations function. The interconnectedness and convergence of the digital solutions, together with the business opportunities they bring, increase the number of critical failure points. The latter explains why regulators, across the globe, have been particularly active in this topic and consequently resilience has become the latest global hot topic in many sectors.

A key premise of building cyber resilience is to develop an in-depth understanding of ‘what is materially important’ for the business. Analysing the important business services into the processes, technology and people defines the quantitative and qualitative characteristics of those assets which need to be preserved even during a successful cyber attack.

This presentation will demonstrate how SABSA methodology can be leveraged to capture the business context and how the business context in turn becomes a strong foundation to build a robust cyber resilience. Instead of addressing the challenge from a theoretical point of view, real-life use-cases will be presented from the financial services and energy sectors. Emphasis will be given on the operationalisation of SABSA methodology to capture the idiosyncrasy of the organisation, demonstrate the relevance of the security services, model the security posture and become the conduit that brings together the risk management framework, threat scenarios, control library and operational controls.

In the complex field of cybersecurity, the term "threat intelligence" often becomes a catch-all, encompassing everything from basic incident reports to in-depth vulnerability analyses. My presentation, "True Threat Intelligence - What You REALLY Want to Know," aims to clarify this ambiguity by distinguishing the various layers of what is generally classified under threat intelligence. More critically, it zeroes in on the essence of what constitutes "true threat intelligence"—a nuanced, actionable insight that goes far beyond the surface-level accumulation of data.

True threat intelligence is an art form that demands a deep, covert infiltration into the underbelly of hacker organizations. It's about gaining trust within these groups, understanding their dynamics, and extracting valuable information that can be used to preempt and neutralize potential cyber threats before they strike. This session will delve into the intricate, resource-intensive process of gathering genuine threat intelligence, highlighting the essential elements of patience, substantial resources, and keen judgment required to navigate the shadowy corridors of cyber threat actors.

A focal point of my talk will be the innovative role of "evil chatbots" in the realm of cyber espionage. As we venture deeper into the age of AI, these chatbots emerge as a critical tool for engaging with and understanding hacker communities. They serve a dual purpose: as instruments for gathering intelligence and as subjects of ethical debate, reflecting the complex moral landscape of cyber intelligence operations.

This presentation will demystify the concept of true threat intelligence, drawing a clear line between generic cybersecurity reporting and the strategic, high-stakes operation of acquiring actionable insights. Attendees will gain a comprehensive understanding of the challenges and intricacies involved in true threat intelligence gathering, as well as the pivotal role this intelligence plays in enhancing cybersecurity defenses against increasingly sophisticated digital threats.

Prepare to embark on a journey into the heart of cyber espionage, where the pursuit of true threat intelligence reshapes our approach to cybersecurity strategy and operations. Join me for an in-depth exploration of what it truly takes to uncover the actionable intelligence you REALLY want to know.

Alchemy: the art of purifying the impure by imitating and accelerating the operations of nature in order to perfect matter. How do alchemists transform base metals into gold? The metaphorical aim of the alchemist is the purification of the soul, the progressive metamorphoses of the spirit. The alchemist's journey in Paulo Coelho's book is transmutation: elevating the imperfect to perfection. The main character of the book travels and lives according to the different cultures and traditions of each visited country. He eventually returns to his starting point but completely changed, grows up, conscious and strong. A real human firewall!

How does the combination of European and African values help find out solutions in Cybersecurity? What impact does the factor: "ethnic cultural values" have on the development of a stronger cybersecurity program? What if the evolution of an organization's cybersecurity maturity also depends on the cultural diversity of individuals of the organization?

Coming from a cultural duality: African and European, I am often categorized in one or the other culture and rarely in both at the same time. Yet, I am what I call "a cultural bridge".

My power: Using my two cultures in the development of solutions. Beyond easy and generic classifications, I see cultures as a spectrum and an endless combination.

African values vary widely from one country to another due to the diversity of its folklore, cultures, traditions, and religions.

Values common to African countries can be identified as - Communalism - Respect for elders – Hospitality – Spirituality - The importance of family and community ties.

These values often emphasize interconnectedness, harmony with nature, and a strong sense of identity and belonging.

My European values also differ depending on the country in which we live, but we can still identify some common ones. In Europe, the common values are - Democracy and Rule of Law - Human Rights and Privacy - Freedom of Expression and Information - Individualism and Critical Thinking - Equality and Inclusivity.

Based on these, what are the existing or future bridges that allow you to build a robust cybersecurity program. What added value does each of these cultures bring to its robustness?

By sharing my personal experiences and research, I would like to provide to the participants food for thought on how to think about cybersecurity differently and sharing some tools that they can use and apply in their challenges.

In a world where cyber threats are evolving at an alarming rate, organizations are expected to do more with less, employees are given ever increasing workloads, and human error remains a significant contributor to data errors and security breaches, automation emerges as a crucial solution.

Businesses are increasingly looking toward automation to streamline processes, improve productivity, and “enhance operational efficiency”. A naïve security team might be afraid of the risk that automation poses. But, using a SABSA perspective, we can see that risk from a different angle and recognize it as an opportunity: both to focus on what is important to the business and to reduce the exposure of systems to the human factor.

Through real-world examples, we will illustrate how automation can enhance security posture and minimize the impact of human errors on an organization. We’ll also explore the various ways automation can support security risk assessment, such as enhancing anomaly detection and fortifying defense mechanisms. Facilitated by a member of your friendly neighborhood automation team, participants can expect to discuss the best ways to communicate and partner with groups modifying their processes so that security can take advantage of a rare chance to course-correct across their organization.

In the traditional landscape, threat modelling has been a predominantly manual and meticulous process, demanding substantial expertise and time. However, the advent of cutting-edge technologies is set to transform this scenario radically.

Our presentation delves into how an amalgamation of sophisticated technologies across the tech stack can automate and enhance the threat modelling process, making it more efficient and accessible. At the heart of this transformation is the integration of Generative Artificial Intelligence (GenAI) tools, such as GPT-4, which is significantly lowering the skill barriers traditionally associated with creating threat models.

During our presentation we will:

● Explore the unique contributions of technologies like Security Copilot, Gemini, and other elements of the technology stack that, when chained together, offer a robust methodology for automated threat modelling.

● Glimpse at a 'Promptbook on ChatGPT,' aimed at simplifying the entry into technical security architecture work.

● Discuss the possibility of generating dynamic architecture documents, analysing the security estate comprehensively, and employing chained GPT models for a holistic threat analysis.

The intersection of AI and traditional security tooling is paving the way for a new era in threat modelling - one where automation, efficiency, and inclusivity are at the forefront, transforming the landscape of cybersecurity architecture.

The shortage of cyber security skills is well known and this is only getting worse. So what can we do about it? When we step back from the problem we can see that many organisations are not efficient in their security engagement. Security teams perform triage and process work which does not require advanced security skills, and often we still see late engagement of security in projects and business decisions, introducing delays and requiring re-work.

Things can be different if cyber security activity is embedded in the day today work of other professionals and functions. Security requirements can be specified by procurement professionals, security configurations and patching owned by IT functions and security objectives specified by business executives.

In this talk, Paul will share experiences across a range of different sectors showing practical examples of how security and business goals were aligned and the security workforce expanded by placing cyber capability into other jobs.

How security architecture can help you keep your new year’s resolutions and other lifestyle objectives.

Everyone dreams but few turn them into reality. Making it happen does not need to exact a taxing price on social life and comfort. Using my own personal challenge, I draw on my experience as a relatively newcomer to SABSA and to cybersecurity in general to show how the SABSA problem-solving approach can be used to tackle private goals. In my case, it enabled me to overcome health limitations in order to fulfill my parents’ last wishes.

Frustration begets frustration. Most adults have at least once in their lifetime promised themselves they would change their behavior. Few ever succeeded, let alone maintained that new good habit beyond a few weeks. What was supposed to make them feel better about themselves ended up feeding a sense of failure. This creates a vicious circle: you are less likely to dream big and experience stress when you have been repeatedly confronted with failure. When frustration is imposed (e.g. poor health diagnosis), its limitative power increases tenfold. What a waste of human energy!

Applying SABSA to tackle human challenges. Who said security architecture was limited to complex IT questions? Thinking of a life goal as a project just like any other work project, whose vision and success can be articulated, as well as broken down to the smallest step increases the likelihood that you can track your progress and therefore keep up with your promises. SABSA doesn’t impose a direction, rather you are more likely to commit to a plan that you’ve come up with yourself and which follows your own logic. The SABSA framework can be used to boost self-satisfaction and virtually eradicate a sense of failure or dissatisfaction with yourself.

Powering through life. Life goals might seem insurmountable, even more when you attempt to tackle different goals at the same time. Security architecture forces you to identify possible links between goals, thus multiplying the impact of each step. Using diverse and creative trackers, you can monitor progress every week. Even when you don’t achieve 100% of your stated goal, your achievements are visible. This has tangible macro effects: when you feel better, others around you benefit from your positive energy (family, friends, coworkers, everyday interaction with strangers,…). This creates a virtuous circle where by helping yourself, you are more likely to feel generous with others and create a positive environment.

Using personal examples, I bring the SABSA mindset to the private realm. I wish to give participants the tools to apply it to their own challenges.

DOING WHAT YOU CAN WITH WHAT YOU’VE GOT WHERE YOU ARE

This paper proposes an unconventional yet highly effective approach to helping information security teams deliver better security outcomes by blending the organisational, technical, and process reality that surrounds them with human-centric methodologies, including design thinking and negotiation techniques drawn from the practice of conflict resolution.

Leaning on inspiration from a real-world project I have led in public sector healthcare, my idea is to illustrate with pragmatic and reusable examples how security practitioners can achieve useful consensus about what their teams and wider organisations should focus on. In so doing, they can build buy-in for their strategic and operational security initiatives, making a real difference for their organisations and feeling for themselves that their contribution matters.

THE IDEA

Traditional approaches to information security tend to be technology-heavy and often overlook the human element, where teams operate under an oppressive feeling of constraint and with a scarcity mindset. This can impede good critical thinking and lead to sub-optimal decisions and operational practices, which ultimately leads to gaps in defences.

By embracing a human-centric approach rooted in design thinking and leveraging integrative negotiation techniques, security teams can foster outcome-oriented collaboration and innovation in tackling cybersecurity challenges, making the most of the available time and resources.

This talk explores the intersection of information security, design thinking, and negotiation in a real-world context where human life is what is at stake (public sector healthcare) and where the application of an unconventional approach yielded unconventionally positive results.

• Design Thinking to Uncover What Really Matters

In the public sector healthcare project, design thinking principles guided the development of a strategic roadmap that prioritised patient outcomes. By empathising with healthcare professionals and patients, the security team identified unique security needs and co-created solutions that seamlessly integrated with existing workflows.

The iterative nature of design thinking allowed for continuous improvement and adaptation to evolving threats, resulting in a robust security framework tailored to the needs of the healthcare environment.

• Negotiation Techniques to Address Intractable Disputes

Negotiation techniques played a pivotal role in garnering buy-in from stakeholders across diverse departments. By framing security concerns within the context of patient outcomes, the team facilitated productive discussions that aligned competing interests and neutralised inter-team and interpersonal conflict toward a shared goal that everybody committed to. This was a game-changer.

Through principled negotiation and active listening, we managed to reach a consensus on the priority initiatives that the security team needed to focus on, balancing risk mitigation with operational efficiency, paving the way for a successful implementation of the new 3-year strategic initiative and garnering the goodwill and active commitment of all contributors.

• Facilitated Discussions to Make Sure Every Voice is Heard

Facilitated discussions served as a cornerstone of the approach, providing a structured forum for stakeholders to voice their concerns and contribute to the decision-making process. Skilled facilitators adeptly managed group dynamics, ensuring that all perspectives were heard and respected, particularly those of neuro-diverse team members who had previously struggled to communicate their ideas and who, it turned out, had an incredibly impactful role to play.

Conclusion

By embracing human-centric methodologies like design thinking and best practices from other professional domains such as conflict resolution, this talk will show how security practitioners can unlock untapped potential from existing human talent in their organizations, orchestrating this energy into better security outcomes.

The real-world examples from public sector healthcare demonstrate the tangible benefits of design thinking, negotiation techniques, and facilitated discussions in establishing focus, achieving consensus and buy-in, and keeping teams on track to achieve superior security outcomes.

Let’s embark on an unconventional journey together, where we’ll learn to leverage the power of human ingenuity to build even better defence in depth in our organizations and safeguard what matters most.

“Everything was destroyed, and few out of many returned home.”

- Thucydides

Two years ago, we discussed whether the Russian offensive included all-out cyber, or if the combatants were husbanding their resources. Last year, we noted that 50-year-old tanks and munitions work well in battle, whereas cyber weapons have a shelf life closer to milk than to wine. As a kinetic stalemate grinds through men and materiel, cyber has blossomed as a new form of expeditionary warfare, now targeting critical infrastructure, the most prominent of which (as of this writing) has been Kyivstar, Ukraine’s largest telecom provider. The fabric of society is now a target, seemingly in violation of Rule 1 of the Law of International Warfare.

"This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable."

- Illia Vitiuk, head of Security Service of Ukraine (SBU) cybersecurity department

Most critical infrastructures are not state-run in western nations. The United Kingdom has named thirteen critical infrastructures. The United States has sixteen. Regardless, these are being identified, cataloged, and targeted in a systematic way so as to provide a potential early strategic advantage in the event of future conflict.

What happens to our society if the digital gloves come off? What are the consequences of an adversary who cannot win on the battlefield taking the battle to the civilian population, shutting off power, water, and communications? What preparations can be made, realistically, to prepare our countries for what we can see is already happening? What message should we, as the senior global brain trust, craft to mobilize our societies and our governments before they suffer a catastrophic loss that might be avoided if we speak up now?

Do you suffer from a team that can't seem to talk to each other? Can you cut the air with a knife when entering your security meetings? Do people audibly sigh whenever you mention raising a ticket or inquire about its status? If so, then this session is for you.

In today's fast-paced and interconnected digital world, the harmony between security and technical teams is crucial. Yet, all too often, these teams operate in silos, causing friction, inefficiencies, and ultimately, compromising security. But fear not, for there is hope.

Join us as we embark on a journey to transform discord into harmony, to dissolve the tension that permeates the air, and to replace sighs with nods of understanding. We'll delve into the heart of the matter, addressing the root causes of disconnection and discord between security and technical teams.

From inspiring motivation to breaking down barriers, we'll discuss what motivates and drives people to take ownership of their place in Information Security. Say goodbye to the days of disjointed communication and hello to a future where security and technical teams work hand in hand towards a common goal.

The presentation addresses 3 trends currently challenging the cybersecurity operating model.

• Customer expectations are shifting - Digital natives think in terms of customer journeys, and they want safe but low-friction experiences along the way.

• Threats are evolving - There are now new ways to exploit human nature and decision making, using technologies like AI. Lastly,

• Regulations are fragmenting - Countries recognise the value of data and are taking a stronger, more localised, position on how to protect it.

These factors have important consequences for how cybersecurity teams design and implement their governance, risk, compliance and assurance frameworks. We will argue that the new paradigm which is decentralised, where speed and accountability for decision-making are favoured over structures of centralised authority and control.

A pre-requisite of this kind of adaptive security is for decision making at all levels of the organization, which implies effective communications based on a common ‘source of‘truth’.

In this presentation, the speakers will present their experience of establishing a security architecture that reflects these aims and principles, based on control modelling, thresholds, and real-time security data.

The session should be of value to a wide range of delegates that may be facing similar challenges and would be interested in learning what an architectural approach can contribute to the solution.

This will be original content, being presented at conference for the first time.

The hype cycle continues to thrive as illustrated by recent press coverage and political attention regarding the “existential threat” posed by AI, particularly LLMs and generative AI. Inevitably some people are asking how do we secure AI? This session considers AI-related risks and their potential evolution. To address these risks, we need to consider what governance and security mean in an AI context.

Responding to the political attention AI has received, national and international standards organisations are embarking on development of new standards. This session will explore these initiatives, discussing the challenges facing us standardising a rapidly evolving technology. In framing these standards, further discussion is needed about whether AI really is a new problem, or simply highlights inadequacies in our current IT and security standards.

Drawing to a close, the session will explore the role that the supply chain, security professionals, and SABSA could play in addressing challenges arising from use of AI and the consequences and/or liabilities arising from AI embedded in solutions.

Key learning outcomes

• An understanding of AI security risks and vulnerabilities

• An appreciation of the limitations of security standards

• An outline of key issues to address in deployment of AI solutions

The nature of the cyber security risk is both complex and broad, and present in almost any part of digital operations making it a top non-financial risk. On a daily basis stakeholders are being faced with decisions on how to proceed with the implementation of the business strategy whilst providing a commensurate level of protection against ever evolving cyber threats and ensuring critical products and services operate within the desired risk thresholds. The accuracy, completeness and timely accessibility of the information required to determine the optimum way forward is more important than ever.

The session draws in from philosophy to illustrate how ancient wisdom can be applied to cyber security and risk management. Will illustrate how Socratic method, an interactive technique for establishing knowledge, allows us to test assumptions through honest dialogue, think differently and ultimately guide us towards better understanding the implications of decisions that needs to be made. The audience will experience how to draw strength from contrarian thought, and utilise it as a tool for both establishing ignorance and knowledge.

The IT organisation around our team is making key structural and governance changes, including re-aligning to business value stream structures, migrating from waterfall processes to Agile change delivery, and introducing a new control framework. And these are just some examples.

To keep up with these changes, and this pace of change, we need to update our security architecture practices. We are aligning Security Architects with their Solution and Enterprise counterparts to maximise security “shift left”. We are embedding architects in value stream verticals and service horizontals to maximise our coverage with limited resources. We’re helping to share the definition and roll out of the new control framework, to ensure Architecture and Risk processes and artefacts are aligned from the outset. And to keep up with the pace of Agile, we’re taking first steps from point in time design docs towards living architecture artefacts, and re-learning what re-usable architecture means as a result.

In this talk I will explain how we’re tackling all of these changes, lessons learned to date and where we’re going next.

The idea for this came to me today (March 21st) after having visited a dutch conference. It has been lingering in the back of my mind for some time but having seen the call for speakers in my Linkedin-feed this morning I decided to put it forward. On my way home I even came up with a title.

The core of my presentation is that there is a difference between IT and OT and that it should be treated differently, from a security perspective. In the past I have seen that large companies treat the OT they have (HVAC of camera surveillance systems) as if it were a regular IT system. Leading to frustation of both security professionals - trying to secure these systems - and facility departments – trying to operate them.

So I’d like to argue that the IT Security guy (with his ISO2700x of equivalt framework) is not the one to turn to when it comes to securing OT. It the OT Security guy with the IEC62443 certificate. And perhaps explain the basics of IEC62433..

I’d really like to start a discussion on why companies have their OT connected to the internet…

Outside China, Apple and Google control more than 95 percent of app store market share with the Apple App Store holding nearly 2 million and Google’s Play store holding nearly 3.5 million. The impact of this proliferation of apps and their everyday routine use, together with other web interactions, means that users’ personal data is spread widely on suppliers’ servers throughout the Internet.

This arrangement provides an enormous attack surface for malevolent actors. This array of personal digital data points is taking on a much more important role in personal identification than previously, with their compromise potentially leading to individuals losing control of their (digital) identity used by a large number of service providers.

In 1989 Tim Berners-Lee conceived the Solid (SOcial LInked Data) project as a way to give individual users full control over their personal data and the freedom to combine it or share it between applications.

Users keep their personal data in "pods" (personal online data stores) hosted wherever they choose. Applications that are authenticated by Solid are allowed to request data if the user has given the application permission.

2024 has seen the first substantial rollouts of this technology in Europe in the recruitment and healthcare sectors. In this talk we discuss the architecture and technical operation of Solid and whether it has the potential to disrupt existing business models where an individual data subject can become the data controller.

‘Words mean things’, as Drill Sergeant once enthusiastically bellowed at me after failing to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for.

When undertaking any work as a risk professional, it is sensible to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain language expressions while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.

The Connected and Autonomous Vehicle (CAV) sector is rapidly evolving, presenting unparalleled opportunities for integration and third-party data utilisation. This evolution, however, introduces significant challenges, particularly regarding the integrity and reliability of vehicle-generated data. The stakes are high: compromised data could lead to accidents, traffic disruptions, hinder emergency services, and more. This session delves into the technologies underpinning CAVs, upcoming enhancements, potential threats, and necessary controls. It will explore the intricate web of supply chain relationships, the data exchanged between stakeholders, and how these factors contribute to the sector's security posture.

A central theme of this presentation is the concept of "contextual trust" – a framework for assessing and ensuring the integrity of data in environments which could be considered untrustable. By leveraging contextual data points and blockchain technology, we can construct a more robust, trust-based model that safeguards against data spoofing, unreliability, and unavailability. This approach not only enhances the security of CAV operations but also underpins the development of safer, more reliable autonomous transportation systems.

Attendees will gain insights into:

• • The current and future landscape of CAV technologies and the pivotal role of data integrity.
• • The multifaceted security threats facing the CAV sector and the controls to mitigate these risks.
• • The mechanics of contextual trust and blockchain technology in establishing a dependable data ecosystem.
• • Strategies for implementing these technologies to foster trust and security within the untrustable facets of CAV operations.

This session builds on the Gordon Jenkins work presented at COSAC a couple of years ago but refocuses on CAV. It aims to equip attendees with the knowledge and tools to navigate the complexities of CAV security, focusing on the importance of trust and integrity in advancing the sector's safety and reliability.

In the sprawling digital landscape, platforms like Telegram and Discord have become pivotal arenas for threat actor communications, offering a blend of anonymity and accessibility that is highly attractive to the cybercriminal underworld. This session, entitled "Telegram and Discord - A Wretched Hive of Scum and Villainy," will peel back the layers of these digital ecosystems to reveal the dynamics of threat actor communities. The focus will be on understanding where these actors converge, the nature of their interactions, and the illicit activities they orchestrate within these seemingly benign platforms.

The presentation will navigate the complexities of infiltrating these communities, detailing strategies for gaining trust and gathering intelligence within networks that are notoriously wary of outsiders. Attendees will gain insights into the sophisticated methods employed by threat actors to safeguard their forums from prying eyes, including the weaponization of tools against security researchers, law enforcement officials, and others who venture too close.

A special emphasis will be placed on the gaming community, a vibrant and often-targeted sector where threat actors blend seamlessly with legitimate users, exploiting platforms and tools for malicious purposes. This segment will explore the unique challenges and opportunities that the gaming ecosystem presents for cybersecurity efforts, highlighting recent incidents that underscore the urgency of addressing these threats.

Moreover, the session will discuss recent U.S. criminal prosecutions that have brought to light the activities of cybercriminals operating within Telegram and Discord. These cases serve as a critical reminder of the legal and ethical considerations involved in tracking and engaging with threat actors, offering lessons for cybersecurity professionals navigating this treacherous terrain.

This presentation promises to offer a comprehensive overview of the digital underbelly that thrives on platforms like Telegram and Discord. Participants will leave with a deeper understanding of the methods and motives of cybercriminal communities, equipped with the knowledge to more effectively combat the threats they pose. Through a blend of technical insight, real-world examples, and strategic guidance, this session aims to empower attendees to confront the challenges of cybersecurity in the era of social messaging platforms.

The ability to cross boundaries is one of the most natural human behaviours, in fact, it is so natural and normal that we don’t even give it a second thought. Whether we walk out of our houses into public or walk into a bank or store from the street, we don’t even consciously think of the fact that we are crossing a boundary or that each boundary that we cross is beholden to a set of rules that we learn to follow from a young age. One can even go so far as to say that each of these boundaries defines and protects a zone. The Oxford dictionary defines a zone as “an area or stretch of land having a particular characteristic, purpose, or use, or subject to particular restrictions”. Why is it then that we make it so incredibly difficult for ourselves to define and traverse zones in modern business environments? In this session we will explore how we can use an adapted version of SABSA domain modelling to define and manage zones within a modern enterprise and use these zones to create and communicate security information flows and controls to stakeholders concisely and consistently.

In an era where digital information flows freely, the boundary between public interest journalism and computer hacking has become increasingly blurred. This session will delve into the controversial prosecution of Timothy Burke, a journalist from Tampa, Florida, who faced legal repercussions for his investigative work exposing hypocrisy in Fox News' broadcasts, including interviews between Tucker Carlson and Kanye West. His case serves as a stark example of how governments and corporations are leveraging computer crime laws to suppress dissent and penalize whistleblowers and journalists.

At the core of modern computer hacking statutes are vague and ambiguous terms such as "without authorization" and "in excess of authorization." These phrases, initially designed to protect against unauthorized access to computer systems, have evolved into tools that facilitate the transformation of hacking laws into generalized secrecy laws. This presentation will explore the implications of such legal frameworks, highlighting how they are used to prosecute individuals for exposing government or corporate secrets, thereby stifacing critical journalistic endeavors and public discourse.

Furthermore, we will examine the historical underpinnings of these statutes, tracing back to common law trespass laws. The session will argue that concepts of property and trespass, formulated in the 14th century, are ill-suited to govern the complex, interconnected landscape of the 21st-century internet infrastructure. The presentation will critically assess the adequacy of these outdated legal foundations in addressing contemporary cyber challenges, arguing for a reevaluation and modernization of legal principles to reflect the realities of digital age.

This session aims to shed light on the precarious balance between safeguarding digital assets and ensuring the freedom of information and expression. By dissecting the case of Timothy Burke and the broader context of computer crime prosecutions, we aim to foster a nuanced understanding of the legal, ethical, and societal implications of using hacking laws as instruments to stifle dissent. Attendees will leave with a deeper appreciation of the need for legal reforms that both protect against genuine cyber threats and uphold the principles of democracy and free speech.

Today, Agile and DevOps practices enable many organisations to develop and deploy software at an ever-increasing pace. At the same time, thanks to cloud computing, systems are becoming increasingly abstract and complex, making them difficult to secure.

We will discuss some of the real-world challenges facing security professionals in modern environments, including:

• • Poorly defined roles, responsibilities, and authorities
• • The pace of change
• • The constant need to reinvent the wheel
• • The amount of technical debt
• • Busy work vs. meaningful work

This interactive session will explore strategies to address these challenges, including the following:

• • Defining and implementing effective RACI models
• • Fostering collaboration between DevOps and Security
• • Integrating security into the DevOps Lifecycle
• • Automating security activities
• • Specifying reusable patterns
• • Limiting and eliminating sprawl
• • Evaluating and prioritising work

The A4: Advanced SABSA Incident, Monitoring & Investigations Architecture course has been listed as an advanced course but is rarely run and the current training material dates back to 2015. However, this course is arguably one of the most important areas of focus for advanced architectural attention. Despite the many cyber defence approaches that have been adopted in industry, cyber attacks continue to penetrate the preventative layer of controls. Having the operational aspects of an organisation’s cyber defences built as an integrated part of a solid architecture is key to minimising damage to the business and the executives running it.

The 2015 course covers monitoring, transforming log data, augmentation, and incident management and investigations. This presentation describes the changes that have been applied to bring the course to a 2024 perspective with the coverage of more advanced processes for threat hunting, current best practices in the existing processes, and introduces the architectural placement of contemporary tools in the component layers. In particular, it covers the emerging area of artificial intelligence in the form of LLMs, and addresses AI component augmentation in the architecture.

Our goal as security practitioners is to stop bad things from happening to the organization we have chosen to protect. When this happens and law enforcement is able to finally catch the bad actors, what actually happens? Do they get what they deserve or does cyber crime actually pay? In this session we'll look at this issue globally - is the punishment fitting the crime? What can we do to make this a crime that doesn't actually pay, or at the very least, comes with some significant risk? As with all COSAC presentations, this should spark a lively debate and hopefully can serve as a call to action to our governments to make a change.

Generative AI is remarkable for its ability to utilize extensive data to answer complex questions. However, in a business context, not all data should be accessible to everyone.

Human customer service representatives are adept at utilizing their comprehensive knowledge of previous cases and processes to respond to customer inquiries while safeguarding sensitive company and customer information.

In contrast, generative AI, in its default setting, strives to provide detailed answers and can inadvertently overshare information. This becomes a significant concern when handling customer interactions. The pivotal question then arises: how can one enhance the security of an AI model, ensuring both operational efficiency and data confidentiality? For seasoned security professionals like us, this entails adopting innovative approaches.

Join two COSAC regulars who will unveil their journey of deconstructing this challenge and reconstructing a solution. Participants will gain insights into current best practices for designing and implementing the following control objectives in AI:

• • Data Sanitization and Filtering
• • Privacy by Design
• • Audits and Monitoring
• • User Consent and Transparency
• • Anti-Phishing Measures

Let’s enrich our biological intelligence with a skillset needed to secure the artificial one.

What is the best way to leverage the NIST Cybersecurity Framework (CSF) 2.0 when implementing or updating a SABSA developed security architecture? The NIST CSF 2.0 is a significant upgrade to the de-facto global framework for managing cybersecurity threats but it still lacks several of the essential elements for a robust cybersecurity program. The SABSA Institute (TSI) sponsored SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project is developing various tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work.

This session is a high-level view of what the updated NIST CSF 2.0 provides, and a first look at what the SENC project is delivering to enhance implementation of the CSF. The SENC project is defining SABSA-specific guidance for leveraging the NIST CSF 2.0 including: developing the contextual architecture to front end use of the CSF with the SABSA attributes profiling process including a few example Attribute Profiles for selected industry sectors; a SABSA NIST CSF 2.0 Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method; SABSA NIST CSF 2.0 Informative References that map the SABSA NIST CSF 2.0 Profile to the SABSA matrix; and a collection of SABSA-specific Examples for the CSF subcategories aligned to the SABSA NIST CSF 2.0 Profile.

Too often, the application of the NIST CSF focusses on the processes, technologies and controls while losing sight of managing the business value and risks involved. We will outline example content from the SENC project deliverables and what will be available to the SABSA community when the project is completed. The SENC project will provide specific recommendations for leveraging SABSA to apply and enhance the NIST Cybersecurity Framework 2.0 to help manage your organization’s business risk requirements.

In this highly graphical session, I will present a mostly anonymised journey across the threat landscape that businesses have had to endure over the last decade. Like a casebook of notes from the field I will cover the weaponization of the legal system, the malicious commercial director, the IT team who were a little too smart, the overly curious manager, one of the largest regulatory investigations ever undertaken, investigations, accidents, misconfigurations and consequences, a dalliance with state sponsored actors and finally and for the first time the Anglo Irish Bank story from the insider in the room. Covering retail, services, legal, manufacturing, financial services, regulatory bodies, and local government my intention is to inform, entertain and enable attendees to take home some food for thought and potentially incorporation into their organisations irrespective of vertical or technology stack.

In the digital age, the proliferation of Artificial Intelligence (AI) technologies has transformed the way we interact, work, and conduct business. From personalized recommendations to autonomous decision-making systems, AI has permeated various facets of society, promising efficiency, innovation, and convenience. However, with these advancements come concerns regarding privacy, data protection, and ethical use of AI. In response to these challenges, regulatory frameworks such as the General Data Protection Regulation (GDPR) have been established to safeguard individuals' rights and regulate the processing of personal data. Yet, the evolving landscape of AI necessitates continual adaptation and augmentation of these regulations. Addressing this gap, the EU has recently formalised the introduction of the AI Act. This act aims to 1) establish a comprehensive framework for the regulation of AI systems, addressing issues of transparency, accountability, and fundamental rights and 2) provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. However, the act’s alignment with the GDPR presents a myriad of challenges. This presentation delves into the intricate interplay between the AI Act and GDPR, examining ten key challenges that compliance with the EU data protection framework presents for the use and development of AI tools and will cover topics such as:

• • Overlapping Regulations: Analyzing the areas of convergence and disparity between the AI Act and GDPR, and identifying potential conflicts in compliance requirements.
• • Data Protection and Privacy: Evaluating the implications of AI algorithms on data privacy and the extent to which they adhere to GDPR principles such as purpose limitation, data minimization, and data subject rights.
• • Ethical Considerations: Discussing the ethical dilemmas arising from AI technologies and their impact on fundamental rights, including the right to privacy, non-discrimination, and autonomy.
• • Regulatory Enforcement and Accountability: Examining the enforcement mechanisms under both the AI Act and GDPR, and the responsibilities of stakeholders in ensuring compliance and accountability.

By shedding light on the intersection and challenges posed by the AI Act and GDPR, this presentation aims to provide a comprehensive understanding of the regulatory landscape surrounding AI technologies, empowering organizations to navigate regulatory compliance while fostering innovation and ethical use of AI.

Key Learning Outcomes:

• • An understanding of the key requirements of the AI Act that relate to GDPR.
• • An overview of the opposing approaches to data protection in the AI Act and GDPR.
• • An understanding of data subject rights, and data protection principles
• • An understanding of organisations’ obligations under both the AI Act and the GDPR

In the evolving landscape of business security, the integration of MITRE ATT&CK® framework plays a pivotal role in enhancing organizational resilience against cyber threats. Our approach leverages the MITRE ATT&CK® from understanding adversary motives to the implementation of mitigation strategies and ensuring robust protection mechanisms. We introduce the Critical Information Protection Strategy Dependency Map, a novel tool designed to navigate the complex interplay between business impact, adversary techniques, and mitigation procedures. This dynamic map begins with identifying business impacts and systematically links them to potential adversarial techniques. Subsequently, it aligns appropriate mitigation techniques and procedures, culminating in targeted assurance questions. This methodology ensures that mitigations are contextually relevant, activated based on the specific business context at the point of impact and adversarial interaction.

Key insights from our strategy include the importance of deep business knowledge through the identification and analysis of critical information assets in collaboration with technology users. Utilizing the MITRE ATT&CK® framework as a foundation, we optimize it to fortify business resilience. Our strategy emphasizes outcome-focused strategic planning to protect the business context against adverse activities, thereby safeguarding the company's financial health. Moreover, our approach eliminates redundancy and bias by employing an effective mapping process. This not only manages the intricate business context but also ensures the dynamic and consistent application of mitigation techniques across different layers of the business, adhering to the principles of Engineering Trustworthy Secure Systems. Our methodology stands as a testament to building secure systems that are both dynamic and aligned with business objectives, offering a comprehensive blueprint for organizations aiming to enhance their security architecture.

Overtly Tony Sale was known for his outstanding engineering talents which he used to rebuild the WW2 code breaking Colossus and create the National Museum of Computing at Bletchley Park. However, during the Cold War Tony toiled secretly supporting MI5’s efforts to identify covert radio transmissions in the UK, signals which were used by hostile intelligence services working to undermine the UK Government and its allies.

This work was the precursor to modern technical surveillance counter measures (TSCM), an increasingly important field, and one that is practiced today both by Governments and commercial entities who are trying to protect their most sensitive information from competitors and hostile nations.

This paper draws upon TSCM principles to identify the threats from the Internet of Things (IoT) and how our dependence on 21st Century Personal Communication Devices and applications can expose our ‘signals’ to hostile state and organized crime actors.

We will explore the TSCM techniques in use today and how we can help protect from, or at least confuse, a modern attacker.

The question really is …. is there a spy in my coffee machine?

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• • Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 2nd October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

The purpose of the risk workshop is to explore the hard parts of understanding risk. We have previously conducted workshops in Ireland and Australia on how to understand and model risk, how to explain and display risk to stakeholders, and how to think like our adversaries to identify threats that we would otherwise miss. In this workshop we will begin to explore the challenge of how to aggregate risk in a complex environment to help determine which mission objectives are most at risk. We understand single weaknesses and single risks well, but once things get complex it becomes complicated to understand how the risk compounds. Averages don’t do the trick; neither does plotting all the risk on a graph. Actuarial science has solutions, but these solutions require years of data we don’t have. This collaborative workshop will dive into this risk problem to discuss the specific challenges and collectively try to uncover a path forward.

This year, I propose the second edition of the COSAC LAB.

For the year 2024, the lab will use a new approach based on the lessons learned from the first edition performed in 2023.

1. What is the COSAC LAB?

The intent is to create an environment where people can come together and explore ideas and solutions that were generated during COSAC and develop them in a way which will give the ideas greater potential for further development by the creator or a team they create during the lab.

COSAC LAB speakers: « Hello, the first condition to get in the COSAC LAB workshop is to accept the rules without knowing them”.

Participant: Atchoo !

COSAC LAB speakers : « Bless you »

Participant: Psssst, come here, COSAC reviewers, I will tell you what’s happens here but for now, it’s a secret so keep it for you. Ok we enter in the workshop. Oh, the speakers bring some materials: games, computer, paper, paints, music and so one. I’m not so good at DIY and common, it’s not my age anymore!

Participant: Now, the speakers explain that the first rule is to put away watches and phones. They are the time masters and timekeeper. Interesting, isn’t it? They said that we will work during a time breach. I am curious and interested. Let’s continue, they ask us to propose an idea and I have one: be vulnerable to increase awareness: paradox or reality? They ask other participants if they would like to join my idea to work together on that, and maybe create a new learning model based on paradoxical behaviour.

Participant: Oh wait! Someone else proposes something very new.

Participant: You know what, it is interesting too! A lot of people have ideas. Like I said before they bring some materials to unleash our creativity. I see that I can use AI Art platform. I will try it. People join my idea about paradoxical behaviour. Let’s begin...

COSAC LAB speakers: We give you some steps to follow to achieve your objectives in a COSAC style. Of course, you are free to follow steps or not. Here the aim is to break the figure. We are here to participate too and help if we can.

Participant: Ok the conclusion is ... SURPRISE!

2. Characteristics of the COSAC LAB

Value: These design workshops not only build teams from people who may have never worked together before. This workshop will bring a list of ideas which can be developed. It will provide potential ideas for sponsorship by the SABSA foundation and provide interesting future COSAC presentation. This is new and the goal is to "break the figure". The opportunities for evolution and modification are limitless. The more feedback is given, the more people play the game, the more creative possibilities the COSAC Lab will offer.

Uniqueness: The COSAC Lab comes from its essence the COSAC which is a completely different conference as we know them. This conference is intended for people who build, create, and innovates. A laboratory’s main objective is to provide reliable results.

A laboratory whose results are too often unsafe could not be approved by the competent authorities. The COSAC Lab is the only laboratory that demands to be in danger. Everything is possible. It wants to be opportunist, nutcracker, refractory and innovative.

The first condition to be "accepted" in the COSAC Lab is to accept the conditions and the rules of COSAC Lab without knowing them. Bring the ideas together instead of losing them in discussion.

Timeliness: It is important to develop to get ideas on paper at COSAC instead of losing them.

Approach: The COSAC Lab is the place where the theoretical exchanges will take place in a practical way. Steps to follow are proposed, they remain flexible, only value creation counts.

We will create a time breach when you evolve. We will be the master of the time.

Rule 1 : No phones and no watches

Rule 2 : A commitment to attribute to all authors

Rule 3 : You must agree not to steal ideas and use competitively in a negative way

Rule 4 : You agree to build on good ideas collaboratively, the COSAC-way

A group of people trust each other, will exchange ideas, work together on an issue, an idea, a problem or other. This laboratory aims to export its creations in the real world. Its ultimate goal is to enable the creation of innovations in real life.

Do you want to learn to build a functional incident response exercise?

Perhaps you’d like to have clear and measurable exercise goals and performance reporting. The kind that will endear you to your training team and produce clear and actionable reporting. Good news, we can do that together. After all it’s dangerous to go alone.

The workshop will provide attendees with both support and guidance in developing a plan for a simple incident response exercise. Attendees will be walked through the process of making key decisions and creating usable exercise documents. The workshop will include an introduction to exercise concept development, scenario planning, exercise logistics, communication plans, effective evaluation and post-exercise reporting.

Attendees will leave with a usable exercise plan that will be relevant and usable within their organisation. A selection of video and print resources will be made available for attendees to explore and utilise post-workshop.

Everyone with experience using SABSA knows that Attributes are great for capturing and reflecting business needs. However, they can be less beneficial when working with Agile teams.

Last year, I presented a pragmatic approach to requirements engineering in agile environments. This workshop builds upon that session and aims to provide delegates with practical skills to close the requirements gap.

In this workshop, you will learn how to use SABSA Attribute profiles to develop a codified set of 'non-functional' requirements in Agile and DevOps environments.

We will explore:

• • Creating SABSA Attribute profiles for your organisation using the Multi-Tiered Attribute
• Profiling (MTAP) methodology.
• • Using SABSA Attributes to define security requirements in Agile and DevOps environments.
• • Developing user stories that clearly articulate the who, what, and why of security features.
• • Prioritising security User Stories to ensure that they are not overlooked.

Learning outcomes:

• • Understand how to use MTAP to develop SABSA Attributes tailored to your organisation's needs.
• • Comprehend the difference between SABSA Attributes and security User Stories.
• • Understand how to create security User Stories that reflect the intent of, and are traceable to, a SABSA Attribute.
• • Ability to ensure that security User Stories are priori2sed and addressed in the relevant Program Increment (PI) or sprint.

They’ve had enough. They just get used to one environment and some SOB changes it. And we security geeks want to add change to the change. No wonder they growl at us. Complex, ever-evolving work environments turn communities of competent, veteran users into fumbling rookies who make new-guy mistakes, some of which impact security. Organizational restructuring is almost a constant. People still resist change, make mistakes, painstakingly follow bad security practices and get socially engineered. And bad guys find creative ways to defeat our newest, most sophisticated security measures.

We’ll give guidance for coping with human foibles, complexity and change in securing our vital assets.

Part 1 – Securing the semi-predictable humans – Phishing, really automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Part 2 – Securing the ever-changing organization – Change agents that can seriously affect security are gaining traction everywhere. Massive organizations are making their own rules and privacy decisions, at least until governments levy gargantuan fines. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.

An intriguing session that will attempt to re-orient the mindset required to undergo a Digital Transformation. In an unusual manner (not about just technology or apps) session will provide real world insight and experiences as it relates to the following:

• • The drivers of why we have to undergo Digital Transformation.
• • The thinking required for a Digital Transformation.
• • The Organizational Shift to a Digital Transformation.
• • New ways of marketing.
• • New ways of Hiring.
• • Technologies at play in that enable Digital Transformation.
• • Interactive practical activity on how to digitize something that’s highly physical and manual in nature.

Cybersecurity is known as the department of “NO” while SABSA uses business opportunity risk to transform it to “YES”. This session leverages improvisational skills to increase the engagement, imagination, and impact of tabletop exercises.

We will show how to strategically leverage a tabletop exercise scenario and expand upon it with methods from improv comedy for continuing the scene. Using the techniques of “Yes, And” and “No, But”, we will overcome scenario objections, get participant buy-in to expand upon the premise, address unrealistic recovery options, and keep creativity in the solutions proposed. The optimal outcome is making tabletop exercises fun while producing more relevant and actionable results.

This material is relevant and timely as cyber-risk insurers ask if tabletop exercises are conducted, external audit firms look at scope and reports from tabletop exercises, and the business looks for tangible results from exercises that use many hours of valuable human resources.

This session, redesigned from the bottom up based on our experience at COSAC APAC, will be interactive with the attendees being called upon to participate in games and exercises leveraging improv to show the value of using this novel approach and adding fun to what might otherwise be a compliance ritual.

In late 2022 I was assigned to lead a team mandated with creating and implementing a strategy to transform the Managed Security Services business of a global organization that provides end-to-end security services. This organization operates more than twenty delivery centres globally and has grown, organically and through acquisition, to more than 3000 delivery centre employees. Due to the rapid growth, many of the delivery centres were operating in their own bubbles and using their own operating models, service definitions, delivery processes, playbooks, runbooks, people management processes, SLAs, metrics and technology stacks. This caused a high degree of inconsistency in the quality, delivery methods and collaboration between the centres, especially when providing services to clients with global footprints.

In this session we will look at how SABSA was used in this transformation journey and the value and impact that it has had on the organization.

Part 1: Context – Setting the context of the requirements and putting the necessary governance in place (Program Governance Model)

Part 2: Setting the baseline – Creating a way to consistently communicate priority and value through language and terminology (Business Attributes & Glossary)

Part 3: Organization – Creating a repeatable organization model based on priorities, requirements, skills and technology (Domain Model & Talent Program)

Part 4: Performance Targets – Creating internal and external facing KPIs and SLAs to measure performance

Part 5: Processes – Creating repeatable operational processes

Part 6: Delivery Method – Updating existing mandated delivery methods to reflect and implement changes