
Welcome to COSAC - Conferencing the way it should be!

View the COSAC 2022 agenda below to gain an insight into the value COSAC provides for experienced information security practitioners.


Sunday 2nd October 2022

COSAC 2022 Registration & Welcome Dinner

19:30 Delegate Registration
19:30 Drinks Reception - Sponsored by Killashee Hotel
20:00 COSAC 2022 Welcome Dinner

Monday 3rd October 2022

COSAC Masterclasses are full-day, 09:30 - 17:30

Breaks
09:00 Registration & Coffee
11:05 Morning Coffee
13:00 Lunch
15:35 Afternoon Tea

Masterclass M1

09:30 The 21st International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

For 2022, the COSAC Forum presents a room full of industrial strength, battle-hardened, reality-grounded information security veterans. They’ve seen it all, done it all, fixed it all, coped with it all and didn’t even need to get the t-shirt. Of course, you’re one of them. And like the others, you’re always learning, willing to listen to and learn from others who’ve encountered things you might not have, not too shy about sharing strategies and techniques, and committed to our strange and very necessary profession.

This full-day immersion in the COSAC way features a moderator, an ancient, grizzled if not very knowledgeable security veteran himself, who describes some actual recent events or publication or prediction or analysis of security-related activity, then comes up with a question or two about associated issues. But the real stars of the session are the participants. A described event or publication might engender wildly divergent reactions from attending professionals who experienced a similar event, but had different constraints or objectives or working tools or eventual outcomes. The moderator might prod an attendee for their take, but more likely, he’ll try to avoid getting in the way, thus allowing participants to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room. And nobody charges consulting fees.

Join us and help solve the information security problems of the world.

Masterclass M2

09:30 The 6th COSAC Security Architecture Design-Off Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Senior Architect & Research Scientist, Northrop Grumman (USA)

Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Masterclass M3

09:30 CyberWar, Deception & Weaponising Disinformation

It has been suggested that we are on the verge of a digital “cold war” but recent events show that such a prospect introduces new characteristics: cyberwar is not limited to the nations in conflict, it involves hacker groups, civilians with personal computing power, corporations in third countries, digital influencers, and a battle of the algorithms to create bias and misinformation.

But what does that mean for us, for corporations, for Information Security leaders? What can we anticipate happening? How should we plan and respond? This COSAC Full-Day MasterClass examines the subject in detail and from multiple perspectives.

09:30 Part 1 - From Solar Winds to Digital Cold War Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

A look back at and discussion of the most newsworthy cyber events over the last couple of years, and a look forward to what we can anticipate in a digital cold war through the lens of history and the events in Georgia.

11:25 Part 2 - Deception, Weaponizing Disinformation and Challenges for the Future Speaker(s): Lynette Hornung, Char Sample

Lynette Hornung

Security Architecture Manager, Catapult Systems (USA)

Lynette has her MS in Information Assurance from Iowa State University and her SABSA certifications. She has over 20 years of experience with security architecture and data privacy serving as a trusted advisor with customers and working on cross functional teams. She is currently a Security Architecture Manager with Catapult Systems.

Char Sample

Cybersecurity Researcher, ICF International (USA)

Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture, other areas of research are information weaponization and complexity.

Threat modeling and trust relationships are important tools to use when analyzing disinformation. Trust relationships provide lessons learned that can be applied to other domains, such as military, cyber, information, public health and economic. Trust solutions are often binary, but in reality trust is often fuzzy, cross-spectrum and can be visualized with a color spectrum. In this session we explore various aspects of disinformation and current events, including the Ukraine/Russian conflict and privacy considerations. The Ukraine conflict offers a unique recent event for an interactive discussion of disinformation, cyber attacks, information warfare, and the weaponization of fear.

Disinformation stories often have a grain of truth. Part of the problem with handling disinformation is that even smart people can be fooled, and that does not make them less good or credible. The landscape of disinformation also encompasses group think, biases in algorithms and political bias, propaganda, spies and a lack of journalistic integrity. Like many challenges with cybersecurity, disinformation is a very serious challenge that is used in nefarious ways by various political actors for various economic and geopolitical gains. We will apply threat modeling and trust relationships to this, explore the challenges with disinformation, and explore creative approaches to navigate disinformation and future considerations and approaches. Disinformation is something that has been around for a long time, but is made more difficult to detect by technological advancements, and requires diligent understanding and analysis by the diverse academic backgrounds that make up the cyber security field of practitioners.

14:00 Part 3 - Help, I Need a New IR Playbook! Preparing for Global Cyber Warfare Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

CISO Netherlands & Belgium, Deloitte (Netherlands)

Esther is the Chief Information Security Officer for Deloitte Netherlands and Deloitte Belgium. She has previously specialized in security architecture in an advisory role at Deloitte Netherlands and sat on the Board of Trustees for The SABSA Institute. Her ambition is to be a Leading Lady In Cyber, who is the best in her craft and makes societal impact as a role model through making girls & women feel they (could) belong in world of cybersecurity. For her work on getting more women into...

The first real act of cyber war was the DDoS attacks on Estonia in 2007. Over the years we saw more aggressions. Georgia in 2008, Stuxnet in 2009, Saudi Aramco in 2012, Sony in 2014, Ukraine in 2015, NotPetya and Triton in 2017. NotPetya was a novel case as it harmed global organisations as collateral damage. New in this series are the cyber attacks to help Russian physical warfare in Ukraine. This time, involvement is not limited to the conflict countries. International hacker groups such as Anonymous picked a side. Organisations with off-shoring in Ukraine and Russia cut off their networks and people. Civilians from around the globe contributed by volunteering their laptops for DDoS attacks. This is the first time we've come close to a global cyber war. But how to respond?

This session sets out the elements of cyber warfare and uses the Russia-Ukraine conflict as a case study. We take the view of an entity in a third country with operations in both conflict countries. The presenter uses her experience of managing security for an international organization. Next to incident readiness and response, she provided advice on how to engage employees in conflict countries and answer client questions on the situation. She is therefore well-placed to provide an end-to-end security perspective. She will share insights on aspects of incident readiness she had not encountered before and lessons learned on IR preparation for similar future cases. Then the floor is open for the audience to share how their organizations responded to the Russia-Ukraine conflict and how they view the future of cyber warfare.

15:55 Part 4 - Analyzing Russian Cyber Strategy in Warfare Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration.

"The strong do what they can and the weak suffer what they must" - Thucydides, History of the Peloponnesian War (431 BC), Chapter XVII

Beginning in March 2022 the world saw a broad array of Russian warfare techniques. Ukraine has been Russia's testbed for cyber, but unlike the 2008 invasion of Georgia, cyber attacks did not effectively accompany the initial military activity. Why? And how does cyber align with Russia's strategy for escalation management, or intra-war deterrence, across the spectrum of conflict? What lessons have we learned about the conduct of cyberwar, and what are the implications for future conflicts, whether or not they rise to the level of kinetic? What are the appropriate responses to avoid mutual digital annihilation? What other nation states should we add to this discussion to better prepare for the future?

Drinks Reception & Dinner

19:00 Drinks Reception
19:30 Dinner

Tuesday 4th October 2022

09:00 - 09:30 Registration & Coffee

09:30 1A: Top 10 Privacy Challenges of the Hybrid Workplace Model Speaker(s): Valerie Lyons

Valerie Lyons

COO, BH Consulting (Ireland)

Recently included as one of Europe's top 100 women in cybersecurity, Dr. Valerie Lyons is a highly experienced senior cybersecurity and privacy professional. Currently COO of BH Consulting (a data protection and cybersecurity firm based in Ireland), Valerie is also a subject matter expert in European data protection and privacy. She recently completed an award-winning PhD, researching organisational approaches to Information Privacy. She lectures on the topic of cybersecurity, privacy and ethics...

Pre-pandemic, the common model of work was primarily the on-site working model, where the remote working model was less common. During the pandemic however many organisations pivoted to embrace the remote working model in response to strict lockdown and mandated office closures. As we emerge from the pandemic, organisations are now operating variations of work models, ranging from fully onsite to fully remote. However many organizations now offer a combination of the two, where employees can work part of the time remote/part of the time on site, or where some employees can work onsite full-time while others work remotely full-time. This new model is referred to as the Hybrid Workplace Model (HWM). Instead of structuring work around desks in a physical office space, the HWM introduces a set of privacy challenges associated with data protection, consumer protection, child protection, employee health and safety, and many other pieces of legislation.

This session will share 10 key privacy challenges that this post-pandemic HWM introduces - such as the challenges associated with employee surveillance, health and safety, awareness training, auditing remote workspaces and auditing remote privacy practices.

Key Learning Outcomes:

  • An understanding of the key privacy challenges associated with the HWM
  • An overview of the possible ways to address those challenges
  • An understanding of how to build privacy into the culture of the hybrid workforce

09:30 1B: How Security Architecture Completely Changes the Game of 3rd-Party Risk Management Speaker(s): Andrew S. Townley

Andrew S. Townley

Chief Executive, Archistry (South Africa)

Andrew S. Townley helps information and cyber security leaders build more effective security programs by applying 25 years of hard-won lessons across a diverse career from starting as a Software Engineer to building Archistry from the ground-up starting in 2006. Andrew is an international speaker, published author and thought leader on Information Security, Security Architecture, SABSA, Risk Management, Enterprise Architecture, SOA and Technology Strategy, and he has extensive practical,...

The prominent security breach headlines recently - from SolarWinds to Log4j - have certainly brought a more intense awareness of 3rd Party Risk Management (TPRM) to just about everybody. However, despite a whole lot more attention, eyeballs and even money thrown at rapidly rolling out vendor solutions, it hasn’t really done much to find practical answers to the problem. In fact, according to a recent Ponemon survey of 600 IT professionals:

  • Over 60% of them say the processes they use for conducting 3rd-party risk assessments aren’t effective;
  • Over 50% of them say the assessments don’t really reflect their actual security posture; and
  • Less than 8% of the assessments performed – with an average cost of $1.9 million per year – result in any kind of remedial action being taken.

Not only do these statistics paint a pretty bleak picture of the current “state of the art”, many of the vendor solutions supposedly addressing this problem are simply reducing the time and effort to perform the assessments. In fact, they're basically automating the same, traditional, ineffective approach.

In practice, the true state of TPRM in most organizations is a mess. And it’s a mess not because of the 3rd-parties themselves. It’s a mess because many organizations don’t treat TPRM as an integrated part of their overall cybersecurity program. Unfortunately, a lot of these issues aren’t really apparent until the organization is knee-deep in some kind of security problem-solving exercise, proving once again that security was involved far too late in the process.

In this session, I’m going to use the case study of a fairly common security problem to back into the limitations of the standard approach to TPRM used by many organizations. I’m then going to show how you can get out in front of the problem once and for all if you have the grit and determination required to fight a few organizational political battles and make sure that security is considered from an enterprise perspective for every business project.

Once we’ve exposed the common issues preventing effective integration of TPRM into security, and we’ve identified an architectural approach that can solve the problem, I’m then going to dive deeper into how supplier and 3rd-party risk management really works. Once there, you’ll discover why the way we often try to solve the problem will never really get the results our organizations need. When the full scope of the problem has been unearthed, I’ll present a better, architecture-driven approach to identify and manage your organization’s 3rd-party and supplier risk exposure.

09:30 1S: Applying SABSA to Digital Twins and Cyber-Physical Infrastructure Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the CISSP. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).

Concepts such as digital twins and cyber-physical infrastructure (CPI) are receiving increasing attention, with promotional coverage in technology-focused media, accompanied by consultations and investment by governments. There is significant hype around these concepts with little discussion of what they represent in terms of functionality and any associated security risks. For example, the proposed interaction between physical entities and their digital twins presents significant security and safety challenges, with potential conflicts between the measures typically deployed by safety and security professionals.

This session will explore the functional components and conceptual architecture typically required to create a realistic digital representation of a physical entity. It will highlight how differing security and assurance practices may affect the integration of a physical entity with its digital twin, and their subsequent operation. Then, building on the functional and conceptual models, it will explore how SABSA may be used to engineer a safe and secure approach to the digitalisation of the physical world. This session may cause you to think differently about security risks associated with cyber-physical systems. It will provide a better understanding of the potential for unforeseen outcomes arising from adoption and integration of sometimes-immature digital technologies in our physical world.

10:30 - 10:50 Morning Coffee

10:50 2A: Artificial Intelligence and Privacy – Can They Ethically Co-exist? Speaker(s): Conor Hogan

Conor Hogan

Global Practice Director – Digital Trust, BSI (Ireland)

Conor is a highly experienced privacy, data governance, and information security advisor with more than a decade’s experience in consultancy and audit. Conor leads a growing global team possessing extensive knowledge of designing, implementing, and operating enterprise-wide privacy, data governance, risk assessment, cybersecurity, project management, and IT assurance programs.

The Benefit

Understand the key intersections and challenges between the proliferation of Artificial Intelligence (AI) in the information age and the rapidly evolving privacy landscape that always seems to be playing catch-up. Conor will explore his thoughts on the critical opportunity facing the world today to reinstate balance in the “tech vs privacy” debate.

The Challenge

Artificial Intelligence (AI) is everywhere. Individuals interact with companies and services on a daily basis without ever coming into contact with a real person, and don’t even realize that. AI powers customer service interactions, informs and takes commercial and real-world impacting decisions, and influences the news and media content that people see, consume and reshare. But at what cost?

The Solution

Organizations and governments around the world generally have good intentions; and balance the cost-benefit argument when making investments in technology or making budgetary decisions on innovation, change, and strategy. The relentless pace of technology development means meaningful benefits can be realized more easily than ever before, but hidden costs in new technology introduce risks that many are ignorant to, e.g. surveillance; privacy-intrusive processing; invasive profiling, or automated decisions. Legislation is painfully slow, but existing and evolving privacy laws already provide many tools to assist rebalance the tech vs privacy debate. With AI-specific regulation on the horizon in many jurisdictions now is the time to reinstate protections for fundamental rights and build AI technology that can ethically co-exist with privacy in the Information Age.

10:50 2B: When Third Parties Come First: A Case Study on Russia/Ukraine and the Importance of Holistic Third-party Management Speaker(s): Timothy Sewell, Todd Wilkinson

Timothy Sewell

CIO / CISO, Reveal Risk (USA)

Tim is a lifelong technology and security enthusiast with broad experience in multiple industries. He spent over a decade at Lockheed Martin designing and deploying solutions to some of the hardest cybersecurity problems in the national security space: Cryptography, weapon systems, aircraft, satellites, critical networks, APTs, hardware security, supply chain and third-party security, anti-tamper and industrial control systems using a blend of best-of-breed from the commercial space, coupled...

Todd Wilkinson

Chief Information Security Architect, Elanco Animal Health (USA)

Todd Wilkinson has been in the technology Industry for 23 years and most recently is serving as the Chief Information Security Architect for Elanco Animal building their new security program as part of a divestiture and IPO. He has advised and was accountable for the technology direction and product development of solutions that Elanco offers to our animal health customers, developed innovation in disease detection, wearables, implantable and mobile imaging capabilities with Elanco.

This two-part presentation explores some unexpected impacts of the Russia / Ukraine conflict on global operations, where vendors are moving more quickly to protect their own assets first, and the importance of including third-party risk management in organizational security architecture.

  • When your vendor makes decisions that impact you and informs you later.
  • The importance of actively managing your third parties
  • Why real backup plans matter – you can’t rely on “IT will fix it”
  • How to build a third-party management program that actually manages your third-party risk

Highlights will include a global manufacturing company with offices in Russia, Ukraine, and eastern Europe, a small manufacturer that is dependent on Russian suppliers, a biotech company with a heavy Russian developer population, and other real-world examples.

10:50 2S: The Chicken and Egg Problem or How to Implement Enterprise Security Architecture Without Architects Speaker(s): Dr. Silvia Knittl

Dr. Silvia Knittl

Director Cyber & Privacy, PwC (Germany)

Dr. Silvia Knittl is focused on Enterprise Security Architecture and supporting public and business clients in enabling their cyber capabilities. She manages security transformation projects and has led many cyber engagements helping organizations to improve on governance, processes, or tooling in domains like IAM, SIEM/SOC or network. She is Director at PwC Germany in the Cyber & Privacy practice and has over 15 years of experience working in Cyber.

Companies often ask us to improve their cyber security. Even more frequently, many of the organizations cannot answer the question of where they stand with their security today. Many of the organizations have grown in the past without architectural support and have not yet established an enterprise architect or security architects. Quite often, cyber is organized somewhere in the IT department and the various security domains with their experts and their respective tooling needs are very often located in distinct silos.

In this session I will report on how to introduce an enterprise security architecture (ESA) capability without all the relevant prerequisites, such as an architect position, already being in place in the company.

Our framework of cyber capabilities, which comprises domains, subdomains, and their capabilities, serves as the foundation. It encompasses domains such as Incident Recognition and Response and Security Orchestration, as well as the ESA domain. This framework is used to construct specific scenario reports swiftly and efficiently. These reports feature traditional maturity level representations, which help the organization to make well-informed decisions on the appropriate and further development of their ESA capabilities.

For the situational pictures, we methodically use classic architecture visualization patterns. Here I demonstrate what value classical EA tools add to the development of the ESA capability.

The session is interactive, and all the participants are invited to share their experiences concerning this topic.

12:00 3A: Artificial (un)Intelligence: Risks and Opportunities of AI Speaker(s): Ashling Lupiani

Ashling Lupiani

Consultant, Eminere Group (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...

This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function.

This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use.

The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics.

The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.

12:00 3B: Managing the Software Supply Chain: Are we Kidding Ourselves? Speaker(s): Todd Fitzgerald

Todd Fitzgerald

Vice President, Cybersecurity Strategy, Cybersecurity Collaborative (USA)

Todd Fitzgerald promotes cybersecurity leadership collaboration and serves as VP, Cybersecurity Strategy and Chairman of the Cybersecurity Collaborative Executive Committee. Todd authored 4 books including #1 Best Selling and 2020 CANON Cybersecurity Hall of Fame Winner CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019) and ground-breaking CISO Leadership: Essential Principles for Success. Todd also hosts the popular SecurityWeekly CISO STORIES...

The past 2 years have seen several high-profile examples of where information technology products we have purchased have exposed our systems to bad actors. How do we get ahead of this? Is this even possible? We may hire SABSA Architects within our organizations, only to discover that the smaller (and larger!) companies have not exercised the same level of due diligence. This session consists of positing some ideas for getting ahead of these supply chain issues and discussing where they may be useful and their flaws in actual practice. Our environments are no longer inside our walls, or our systems in the cloud, but rather need to include those systems and processes we generally have regarded as external in the past.

The session will be interactive, visual, and use audio/video, props and interactive discussion to discuss an issue that is top of mind for many in 2022. This is a complex issue that will leverage the experienced minds of COSAC.

12:00 3S: It Takes More Than SABSA: Building A Greenfield ESA Practice Speaker(s): Richard Morgan

Richard Morgan

Chief Architect, Verizon Communications (USA)

Richard Morgan is the director of Enterprise Security Architecture and Chief Architect at Verizon Communications, a US-based telecommunications firm. Mr. Morgan was previously the Sr. Director of Strategy & Execution at the Verizon Media Group, and spent about 14 years in varying roles at AOL before that. He has a background that includes work in the Open Source and Linux communities back to the 1990s and feels the same sort of positive energy and camaraderie in the COSAC community.

In the COSAC world, we talk a lot about the SABSA framework and how useful and flexible it is. While that is true, there’s an entire set of other concepts, structures, and practices that are required to build a functioning Enterprise Security Architecture practice.

In early 2021, Richard Morgan had the opportunity (and funding) to build, from the proverbial ground floor, an ESA practice for a Fortune 20 company.

This session will cover the conceptual basis and metamodels that underlie the practice and the practical aspects of operationalizing the capabilities, functions, and principles to create something new and innovative. The work included lots of training, many, many presentations, and the inevitable challenges and lessons learned in showing the value of security architecture work. And for the COSAC audience, we offer credit and thanks for the concepts and experience gleaned from the community since 2018.

13:00 - 14:00 Lunch

14:00 4A: Are You Talking to Me? Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

As cyber security professionals, we see lots of issues all the time, but we have only limited time and resources to address them. By reporting we get exposure to executive leadership and therefore an opportunity to ask for resources, support, and prioritization. However, reporting is often limited to just a few slides a month. Furthermore, we can’t over-ask, we can’t cry wolf too often and we can’t bring them problems management cannot solve.

Then what can we ask? How can we get executive leadership to support our plans, while all we have is 5 minutes and a few slides in the limelight each quarter?

Those slides can be much more than just a table with the colours red, amber, and green. If you know your audience, you can make the presentation work for you, ensuring your message is delivered loud and clear.

In this talk, I dissect several strategies I use to push my agenda for support and buy-in from senior leadership. I’ll share what works for me and what doesn’t. I encourage attendees to share their experiences, successes and failures in order to expand our collective knowledge.

14:00 4B: Chaos Monkey Comes to Threat Modeling Speaker(s): Jason Kobes

Jason Kobes

Senior Architect & Research Scientist, Northrop Grumman (USA)

Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.

  • What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?
  • Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?
  • Do our countermeasures create opportunities?
  • Can we truly understand how the adversaries’ objectives may be different from our perspective?
  • How do we adapt to rapid changes in our understanding due to observed or experienced events?

The session will start by exploring what we know and what processes exist to help us unfold this difficult topic. We will then move into a group discussion where we will explore how we can leverage each other’s perspectives and ideas.

14:00 4S: Raiders of the Lost Attributes Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

SABSA measures the impact of risk on attribute performance targets within a domain, and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle, with their whereabouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute, or are we searching for the missing link in this view?

In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition.

15:10 5A: Telling Better Cyber Stories Speaker(s): Siân John MBE

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

The stories we tell about cyber security often fail to land with the wider community. It is difficult to share stories that allow cyber risk and security advice to be communicated with appropriate nuance and sensitivity. Too often we end up with “scare stories” and “disaster movie tropes and plotlines” that spread “Fear, Uncertainty and Doubt”. This makes it harder to share insights that resonate and have impact on customers. What can we learn from other storytelling and narratology techniques to allow us to build communications that resonate more formally? This probably means shifting from some of the disaster and militaristic terminology to terms that relate to public health and the way in which people work. This session will explore some of these issues and propose ways in which we could communicate using traditional storytelling methods to get business leaders to understand the nuanced aspects of cyber risk and resilience.

15:10 5B: Using OSCAL to Manage and Assess Security Controls Across International Standards Speaker(s): Phil Bridgham

Phil Bridgham

Principal Investigator, Northrop Grumman (USA)

Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including: Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.

This session introduces NIST’s (National Institute of Standards and Technology) newly released standard called Open Security Control Assessment Language, or OSCAL. In this session we will survey the three layers and nine models that make up the OSCAL standard. This session will present and discuss examples of how OSCAL helps with defining security control catalogs, management of security profiles (or baselines), and definition of security plans. We will also examine how OSCAL can help to specify security assessment plans, capture assessment results, and help produce Plan of Actions & Milestones (POA&M) reports.

This session will provide hands-on insight into how OSCAL is used, how it helps to integrate standards, and the opportunities it provides for security control management automation. This session wraps up with Q&A and a thought-provoking discussion about this new standard and the opportunities it presents.

15:10 5S: Culture Eats Innovation for Breakfast, Disruption for Lunch and Agility for Dinner Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Agile methodology is driving how businesses innovate, develop products and services, and take them to market. Hyper-personalization is the key ingredient in this recipe that is called success. Security is having a hard time, playing a perpetual game of catch-up and perceived as the blocker for doing business by increasing costs and overcomplicating almost everything it touches. It is essential that security, trust and transparency are adopted as CORE business values at the very top of the organization and are deeply embedded into the DNA of the business through an uncompromising cultural shift that will allow all employees throughout the business to make wise decisions about security.

In this talk we will look at the importance of effecting large-scale cultural change to allow our beneficiaries to use the architectural artefacts that we create for them for the benefit of the business and how SABSA can help us achieve this monumental task.

16:10 - 16:30 Afternoon Tea

16:30 6A: The Art of Communicating Bad News Speaker(s): John Ceraolo

John Ceraolo

Head of Information Security, Skilljar, Inc. (USA)

Mr. Ceraolo has been an information security professional for over 25 years in industries ranging from publishing, software, automotive, mobile technology and now healthcare analytics. He has frequently spoken at COSAC and other US-based security conferences. He holds his CISM, CISSP, and CISA as well as his Masters in Information Assurance from Norwich University.

Ransomware attacks, outages, general failure of your products – how much thought is going into your communications to your customers? Is it fully vetted by your legal counsel – and you aren’t making statements that are untrue or incomplete? How critical is timing? This session addresses the need for establishing a communication protocol in advance and walks through some of the good, the bad and ugly from past incidents. Takeaways will be ideas on what to include, what to avoid, how quickly to communicate and making crisis communication a critical part of your incident response.

16:30 6B: How to Hold a Trustworthy Public Election, in Theory and Practice Speaker(s): D. Sandy Currier

D. Sandy Currier

Consultant, OSET Institute (USA)

Sandy attended Massachusetts Institute of Technology as both an undergraduate and a graduate student but dropped out before earning a graduate degree to explore his options. He spent the first nine years of his tech career at Thinking Machines Corporation before moving on into the general Greater Boston Area high tech business community. At TMC Sandy was quickly attracted to the domain that was then called Release Engineering because the problem space was significantly multifaceted - the...

This talk will describe VoteTrackerPlus, a fully 100% open source solution to make elections publicly trustworthy. The design specifications are currently available in GitHub via https://github.com/TrustTheVot.... It is part of the TrustTheVote project currently found at https://trustthevote.org/, which is a project under the guidance of the OSET Institute (https://www.osetinstitute.org/). A primary goal of the talk is to receive active feedback on the viability of the proposed solution, not only in the security domain but in any of the domains that public elections occupy, particularly regarding the user experience.

VoteTrackerPlus is a distributed, open-source voting system that enables transparent, secure, and accurate elections with full voter based End-to-End verifiable (E2EV) ballots. VoteTrackerPlus maximizes the transparency and trust of an election throughout the election process by:

  • allowing each voter to verify that their ballot is electronically cast, collected, and counted as intended
  • allowing each voter and all election officials to verify the tally of all the ballot questions
  • cryptographically associating the voter's anonymous Cast Vote Records with an anonymous paper receipt given to the voter, ensuring that neither set is tampered with or fraudulently altered, and providing the end voter an anonymous paper receipt that contains a small but random set of the actual ballot data
  • allowing each voter to inspect their neighborhood for fraudulent voters and/or addresses

The project is currently under development with a goal of having compelling demos operating live by the time of this talk.

16:30 6S: There is a Time and Place for Everything – Bringing SABSA to Small and Medium Sized Business Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This new and timely presentation focuses on the gap in guidance for new CISOs. Current information focuses on the first 90 or 100 days in large organizations where the CISO role is well established or where the CISO is coming in after a breach or other serious cyber security incident.

This is focused on those small and medium sized organizations that do not have the budgets and controls in place that are assumed by the vendors and consultants creating these guides.

This presentation focuses on an approach using SABSA and layering in controls based on business needs, then gradually growing information security by leveraging SABSA for new projects and for the highest-risk areas within information security itself. This allows the CISO to address the most egregious risks while establishing or re-establishing a security program where information security has been a checkbox driven by vendor promises or compliance requirements.

IT and information security have in many ways failed everyday users as well as small and medium-sized businesses by creating tools that are complex and expensive. This session’s value is in providing guidance that helps new CISOs, and any small or medium-sized business that hires them, to succeed.

Tony Sale Memorial Lecture

17:45 7P: Living in a World of Covert Channels Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

On 24 February 2020 Terence Michael Whall was found guilty by a unanimous verdict of the murder of 74-year-old pensioner Gerald Corrigan, who was shot outside his rural home in Anglesey on Good Friday 2019.

Whall thought he had committed the perfect murder: there was no forensic evidence, no direct eyewitness to the shooting, and no one saw him travelling to and from the murder scene.

During the trial the jury heard evidence of telematics data provided by Jaguar Land Rover showing the location of a suspect vehicle the day before when Whall was reconnoitring the scene of the crime, the boot being opened at 23:11:04 and closed 39 seconds later when he removed the murder weapon.

Evidence provided by Sky proved that Mr Corrigan’s satellite TV system was present at 00:08 at his home on the night he was murdered, at 00:28 he stopped a pre-recorded programme and the satellite signal was no longer present. When he went outside to investigate the problem, he was shot dead.

Again, telematics provided valuable evidence of vehicle movement, the opening and closing of the boot following the murder and Whall making his escape from the scene.

It is a credit to the hard work of those prosecuting this case that they were able to retrieve a body of critical evidence and present it clearly to the jury during the five-week trial.

To many people it was a revelation that such levels of technical data were transmitted to third party companies routinely and without their understanding of the full scale of the activity.

In this talk we will focus on how this example is only one of many instances of such data transfers. In new work we will detail how malicious actors might take advantage of an emerging standardised environment for vehicle to vehicle and vehicle to infrastructure communications to undermine efforts to monitor their activities.

COSAC 2022 Gala Dinner

19:30 Drinks Reception
20:00 COSAC 2022 Gala Dinner & Networking sponsored by SABSAcourses

Wednesday 5th October 2022

09:00 - 09:30 Registration & Coffee

09:30 8A: Liquidation of a Security Viewpoint Speaker(s): Pieter Siedsma

Pieter Siedsma

Domain Architect Technology & Security, Heineken (Netherlands)

Pieter is currently the domain architect for technology & security for HEINEKEN. As a security architect he has been working for over 20 years in the overlap of technology and security. He worked mainly for a large global financial company, with some side steps into the military and engineering. Now he works for the best beer company. Pieter also quite often acts as a threat hunter, engineer or “a guy with an opinion”.

At the end of 2019 I decided to change my career from the world of mainly digital products in a worldwide financial company to the world of fast-moving consumer goods: BEER. Over the past 2 years I have seen some interesting parallels and differences between these two worlds.

The session will explain how a beer company is changing from an offline traditional brewery to a modern connected brewery. We will focus on two aspects (and then mainly on the security aspects) of this transition. We will expand on the IT in the physical world, the so-called Operational Technology (OT) or Process Control Domain (PCD). The breweries and warehouses are built to last for a long time and the IT components were never designed with security in mind. This leads to some interesting challenges, both in threats to these OT components and in threats to the physical world that is controlled by these OT components.

The other aspect of the transition to the connected brewery is the vast amount of data that is collected for analytics in order to improve all parts of the “from barley to bar” processes. This ranges from the collection of weather data from farmers to predict raw material quality, to the collection of temperature and pressure data in customer installations to control the quality of the beer for consumers.

The session will conclude with some personal reflections on the security and control aspects of both worlds and where it will become clear that both worlds can learn from each other.

09:30 8B: Dividi ed Impera or Empowerment - Security Strategies of Concentration or Distribution Speaker(s): Helvi Salminen

Helvi Salminen

Senior Advisor and Board Member & Information Security Specialist, Kiisec Oy & Thales DIS Finland Oy (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years’ experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is qualified CISA, CISSP & SABSA & was awarded CISO of the year in Finland in 2014.

The classical dividi ed impera (divide and rule) principle is a strategy of concentrating power and control in one central entity by decreasing the power and autonomy of the controlled entities. This can include manipulating them to work against each other; in doing so these minor entities consume their forces in mutual battles, which makes control by the central entity easier to apply.

Big corporations and public organizations have strong traditions of concentrating decision making and controls in central entities. This leads to building powerful central fortresses which control the satellites (or subordinates) by defining strict and rigid managerial procedures, often characterized by strictly controlled information flows – typically complete visibility of all levels to the central decision makers and very limited visibility to the lower levels.

This centralization strategy is often also applied to information systems architecture where the “one size fits all” principle rules.

Are these principles still applied in practice? The presenter’s observations say: yes, they are still strong in many contexts, including technical solutions. They are justified by the reasoning that when we need efficiency and strong security, concentration is the way to build strong security that best responds to the increasing threats.

But is concentration the best efficiency and security strategy? Would distribution of decision making with well-defined organizational procedures lead to better decision making and efficiency in the organization? Would a standardized distributed system architecture improve the stability of the organization by decreasing the impact of a single point of failure, which is a major risk in strong centralization? These questions matter especially in these times, when some things that we who live in stable democratic societies have taken for granted for decades are in danger.

This session discusses the pros and cons of centralization and distribution as business model and security architecture, and the applicability of these strategies to various business cases.

09:30 8S: Transforming a Control-focused Organization into Risk-based Value Speaker(s): Peter De Gersem

Peter De Gersem

Security Management Specialist, SWIFT (Belgium)

Peter is a security management specialist at SWIFT, the world’s leading provider of secure financial messaging services. He has over 22 years of experience in information security, having covered a broad spectrum of security domains. His current role is managing the SWIFT security assessment practice, from business objectives through the threat landscape to deriving the security pain points and identifying security requirements that speak to both business and technical stakeholders.

This paper is about the journey, along a long and winding road, of the evolution of an organization. This organization has security as one of its main business drivers, which enabled it to be the birthplace of SABSA, but also allowed a very large number of security controls and policies to be put in place such that over the years no one remembered exactly what purpose they actually served. Over the last decade, several steps have been taken to rationalize this situation, the most recent of which again focused on a control framework aligned with ISO 27002, linked to security risks on the classical CIA triad. The question of “Well, how will we report to our executives on how this effort brings value to the organization?” was the catalyst to ensure this control rationalization would be business driven after all, supporting an enterprise risk and opportunity strategy – and sneaking in SABSA concepts without formally calling it enterprise security architecture.

10:30 - 10:50 Morning Coffee

10:50 9A: Improving Healthcare Cybersecurity During a Pandemic Speaker(s): William Schultz

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

In this session we will discuss the growth of a cybersecurity risk management program at a healthcare organization during the COVID-19 pandemic. In addition to the pandemic, we were also experiencing an unprecedented increase in targeted cybersecurity attacks, as well as maintaining consistent organizational growth. We will discuss the significant executive leadership support that enabled and drove the cybersecurity improvement efforts even while they were dealing with the significant impacts of COVID-19, and setting up the organization as a leader both regionally and nationally. The key topics will include discussion of our efforts around the enterprise cybersecurity risk management program and IT vendor risk management program, as well as the significant collaborations with IT and clinical colleagues that have proven to be essential to our success. We will discuss successes, lessons learned, and next steps as our journey continues.

10:50 9B: Misinformation for Fun and Profit Speaker(s): Ashling Lupiani

Ashling Lupiani

Consultant, Eminere Group (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and an MS in Biomedical...

This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive.

The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements. The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier to generate using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not.

This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape.

10:50 9S: What's the Point of Risk Appetite? How I Learned to Love Appetite to Feed Security Speaker(s): Andy Wall

Andy Wall

Chief Security Officer, Office for National Statistics (UK)

Andy Wall is a cyber, information security & assurance leader with 25+ years’ experience within global & national commercial organisations and UK Govt providing business focused security advice & management. Currently Chief Security Officer at the Office for National Statistics, developing new approaches to secure operations of leading edge big data analytics that support the organisational mission of statistics production on a range of key economic, social & demographic topics.

Within most modern organisations data and underpinning services are at the heart of business operations. Increasing attacks on systems to obtain data force business leaders to choose how best to protect these assets. What drives these choices? Do leaders understand security risk relative to other business risks?

At the Office for National Statistics we collect and process huge amounts of data – commercial, personal, business, intellectual. Our point in collecting this data is to give it to people to look at, link, match and analyse – it’s what we do as a business. Our security measures are based on the value of the data and the relative risk of access and processing. Can these decisions really reflect risk appetite – the choices that the business has made about the assets it values and how it wants to protect these assets?

This session is a debate about risk appetite using the ONS approach that has emerged. It strongly links what the business cares about to the security measures actually implemented, directed by what appetite we’ve all signed up to.

It features a lot of challenges, tests where risk ownership really sits in an organisation, but shows positive possibilities from trying to make risk appetite work in a complex environment as a meaningful driver for security. Ultimately it presents a series of hard-won lessons from ONS that bring security and business more closely together, highlights some hard discussions, necessary business trade-offs and what risk acceptance means in practice for security measures and mitigations.

12:00 10A: Ransomware/Wiperware in Healthcare Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin, CISSP, CCSFP, is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds and manufacturers still sell systems with obsolete operating systems.

Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware.

The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals.

The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives.

12:00 10B: Digital Torches and Binary Pitchforks Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes. Prior to FedEx, Karel fulfilled positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

For hundreds of years, in times of unrest, the people would use demonstrations, angry mobs, flyers, petitions and sometimes revolutions or civil wars to try and influence current affairs. In the 21st century these are still viable options, however most of these now have digital equivalents and our interconnected lives actually create a lot of new ones as well. We see social media campaigns, doxing, hacktivism, misinformation, dog whistles and foreign involvement in active elections, amongst others.

Some of these are easily spotted, while others are more covert. During this session we will review the current techniques, trends, and impacts. With up-to-date knowledge, we can educate ourselves, our colleagues, and our families to try and minimize any negative impact to our personal lives, businesses, and society.

Therefore, during this talk we will dive into the most used and most successful digital activism techniques, and we will explore:

  • How do they work, how are they used and by whom?
  • How successful are they?
  • What’s the impact of this on society? Is it ethical?
  • Are we aware of the impact this digital activism has on us personally?
  • Can you prepare to prevent or counter these actions?
  • If you use these actions yourself, what would be the associated risk?

12:00 10S: Cyber Risk Quantification Dilemma: Building Digital Resilience or Adding a Number to Our Gut’s Feeling? Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

CEO, Qiomos (UK)

Strong technology executive, specializing in business-driven security architectures and business risk control management. I have more than 16 years of extensive experience gained within information security consultancy firms as well as financial services and telecom organizations. During the last eight years I have been offering enterprise security strategy services to C-Level executives across Europe due to my ability to simplify complex technological issues.

Despite the ever-increasing investment in cyber security, organisations are still struggling to architect an effective, integrated approach to cyber risk management and reporting. More often than not decision makers have to rely on poorly structured reports which are skewed towards technical jargon and as such fail to convey an accurate or consistent articulation of the risk exposure.

This presentation will cover the common pitfalls of attempting cyber risk quantification, even in mature end-client environments, in an attempt to frame the problem and identify its main root causes. It will then move to introduce a more architecture-focused approach on how to build an integrated single data model that encapsulates the security fabric and holds everything together as an interdependent network of nodes. The structure of the data model, with its various layers of abstraction, provides a reliable fact base to support effective decision making. Most importantly, it breaks away from the siloed mentality and the disconnected thinking it usually fosters, puts the emphasis on what is materially important and communicates the most essential information for a complete risk profile.

13:00 - 14:00 Lunch

14:00 11A: Hiring and Managing in Infosec: The Importance of Brain Diversity Speaker(s): Ashling Lupiani, Kathleen Mullin

Ashling Lupiani

Consultant , Eminere Group (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and an MS in Biomedical...

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin, CISSP, CCSFP, is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This is a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security. Debunking prevalent Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

Utilizing the false concept of “left-” and “right-brained thinkers” and other myths about brain differences to explain how we think and decide influences perceptions and detracts from otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to create appropriate defenses for malicious hacking attempts including hiring and managing diverse teams well-equipped to tackle problems.

The value in this session is providing information from current brain science to use in hiring and managing, including addressing gender bias. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain and the importance of diversity.

14:00 11B: Breaking Through the Metaverse Speaker(s): Ali Abdollahi

Ali Abdollahi

Infosec Engineer, Picnic Technologies B.V. (Netherlands)

Ali is an Infosec engineer at Picnic Technologies B.V. and a researcher with a decade of experience working in a variety of fields. He was a trainer at OWASP Summer of Security 2020, 2021 July training and a reviewer for the Springer Cluster Computing Journal as well as the 2021 Global AppSec US event. In addition, he was a speaker or trainer at IEEE AI-ML-Workshop-2021, SSD TyphoonCon, c0c0n2019, BSides Toronto, Budapest, Calgary, Newcastle, Barcelona, OWASP Ottawa chapter, Defcon RedTeam, AppSec and...

Since October of last year (2021), when Facebook changed the name of the parent company to Meta, we have heard the words Meta and Metaverse a lot. For the first time, this talk wants to review all the vulnerabilities that threaten users and infrastructure owners at different layers.

In general, the Metaverse is a full-scale digital life experience. This talk will cover all possible attack vectors that threaten Metaverse infrastructure as well as users. I will start with vulnerabilities in common layers like specific flaws in libraries, basic classes and so on. Then I’ll go one step forward to the component layer, which I think is very interesting, because we will deep dive into the P2P network, database and transaction verification module. The “Model Layer” will be the next stop in the session to demonstrate potential vulnerabilities in Ledger and Account, which are the two main modules in this layer. In addition, in the “Service Layer”, HTTP/query/subscription services will be under attack; this is the major part of the Metaverse architecture as these services connect blockchain core node servers to the human-machine interface using APIs, JSON-RPC and WebSocket. The final section will be dedicated to endpoint clients, covering browser-based attacks and sophisticated attacks on mobile clients. In this talk I will emphasise both security risks and technical flaws in the Metaverse from zero to hero. All adversary scenarios will be based on MITRE ATT&CK and the vulnerabilities comply with both OWASP (Top 10, ASVS, MASVS) and NIST standards.

14:00 11S: SABSAfying the NIST Cybersecurity Framework Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

The NIST Cybersecurity Framework (CSF) continues to be one of the de-facto global frameworks for representing the collection of information security policies, processes and controls for an organization to reduce and manage the risk of cybersecurity threats. Although the NIST CSF is widely adopted, it still lacks some of the elements deemed essential for a comprehensive program to effectively manage all of the business risk facing the organization. That is why many industry, regulatory and other organizations have addressed several shortcomings of the NIST CSF by augmenting the framework with additional components to fill in the missing pieces. In this session we will review the current state of NIST CSF development, how it has been adapted to a variety of requirements and how it is positioned to be continually leveraged for expanding adoption.

During COSAC 26, a session was presented to introduce the SABSA Enhanced NIST CSF (SENC) project to apply the SABSA method and thinking to provide a business risk driven foundation to augment the framework of processes, practices and controls defined by the framework for the benefit of the SABSA community. One of the elements to enhance the framework is to apply business attribute profiling to ensure the business risks are well considered and used to manage the risk, and the overall effectiveness of the security program. Too often, the application of the NIST CSF gets a bit lost in the processes, technologies and controls while losing sight of the business value and risks involved.

We will outline some of the interesting issues and challenges in applying SABSA to a framework and the winding path for progress. The session will provide some insight into the problems that the NIST CSF is solving and the benefit that SABSA brings to solve a larger problem. We will conclude with example content from the deliverables of the SENC project and what will be available to the SABSA community.

15:10 12A: What Got You Here Won’t Get You There: Forging Your Future in Cybersecurity Leadership Speaker(s): Valerie Lyons

Valerie Lyons

COO, BH Consulting (Ireland)

Recently included as one of Europe's top 100 women in cybersecurity, Dr. Valerie Lyons is a highly experienced senior cybersecurity and privacy professional. Currently COO of BH Consulting (a data protection and cybersecurity firm based in Ireland), Valerie is also a subject matter expert in European data protection and privacy. She recently completed an award-winning PhD, researching organisational approaches to Information Privacy. She lectures on the topic of cybersecurity, privacy and ethics...

Your hard work is paying off. You have a successful career and are progressing in the field of cybersecurity or privacy (or both). But there is something standing between you and the next level of achievement. According to Marshall Goldsmith, author of the renowned book ‘What Got You Here Won’t Get You There’, that something may just be one of your own annoying habits. Perhaps one small flaw - a behaviour you barely even recognise - is the only thing that's keeping you from where you want to be. It may be that the very characteristic that got you where you are - like the drive to win at all costs - is what's holding you back. Goldsmith explains how you can reach your full potential by eliminating 21 harmful work behaviours. He argues that while engaging in these behaviours may not have stopped you from getting “here”—to your current level of success—they won’t get you “there”—to the heights of success that you ultimately aspire to. For each behaviour, Marshall suggests a healthier choice that may more positively influence ‘getting there’.

In this talk, I present those 21 harmful work behaviours that may negatively influence ‘getting there’ (many of these behaviours actually positively influence ‘getting here’) and discuss Marshall’s recommended healthier choices.

15:10 12B: The World is Not Enough, but the Metaverse Will Do Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

In 2021, Gucci sold a digital version of its Dionysus handbag on the Roblox gaming platform for $4,115, more than the price tag of the physical bag. K-POP supergroup BTS broke the record for the largest paid virtual concert with numbers peaking at 756,000 viewers, which pales in comparison to a Travis Scott virtual concert, held in partnership with Fortnite, that had 12.3 million unique attendees.

In this talk we will be exploring what this means for architecting tomorrow’s continuum securely and how we can start preparing ourselves now for what is to come in the world of virtual and augmented reality. We will discuss the security impacts of full stack programmability, the use of cyber ranges and digital twins in attack simulation and recovery, and of course the importance of how, now more than ever, security needs to be seen as a property of everything else.

15:10 12S: Security Modelling Case Studies Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT. Steven has undertaken major assignments for clients in the national & European public sector, finance, telecoms and utilities and also lends his support to local cyber-security initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation and modelling, leading to...

Bonnie Demeyer

Security Consultant, Cyber Enterprise Modelling (Belgium)

Bonnie is a freelance Security Analyst and Information Security Manager who has been working in, and advocating for, a model-driven approach to security since 2016. She returns for her third COSAC as the co-founder of Cyber Enterprise Modelling: a niche consultancy specialising in the application and advancement of model-driven security. Bonnie holds certifications in security, information risk management, privacy and ArchiMate.

Since a means of expressing the security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema and the approach has been made accessible through webinars, presentations and this year, as a SABSA Training course with basic tool support.

While COSAC 2018-21 has traced the emergence of security modelling as a technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small-scale, proof-of-concept ‘laboratory models’.

For the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking and where the technique might be headed in light of this experience.

At the time of CfP, the contracts for this work are just being signed with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint.

The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.

16:10 - 16:30 Afternoon Tea

16:30 13A: From Values to Decisions - Value Based Decision Making in Security Speaker(s): Helvi Salminen

Helvi Salminen

Senior Advisor and Board Member & Information Security Specialist, Kiisec Oy & Thales DIS Finland Oy (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years’ experience in systems development. Helvi is a founder member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is a qualified CISA, CISSP & SABSA & was awarded CISO of the Year in Finland in 2014.

Managing security is a human activity impacted by various conflicting interests. These interests can be well justified from the point of view of the person representing them, and often the decision maker does not have a well-defined formula to resolve the equation. But security practitioners are obliged to take a position and make decisions – often based on incomplete information and under pressure from different interested parties.

There are various situations in which this difficulty of decision-making manifests itself and the different points of view must be considered: security vs. privacy, trust vs. assurance, threat prevention vs. detection and correction of consequences, carrot vs. stick as motivator, detailed rules vs. principles and problem solving methods ...

The above-mentioned situations have something in common – a decision must be made between alternatives which may both be justified, and the solution cannot be found on a black-and-white scale or in a detailed rule book. What is the guide in this kind of decision-making challenge?

The answer is in the values – personal or organizational. In this session we will study the topic of value-based decision making applied to security management problems. The session participants are challenged by presenting some problems loaded with conflicting interests and by asking them to participate in resolving them.

16:30 13B: This was Solved in an Alternate Dimension:  Demystifying the Quantum Threat to Encryption Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks.

This session will take a look at the threat quantum computing poses to encryption algorithms. Based on the concepts of Shor’s algorithm, quantum computers should be able to rapidly compromise current encryption algorithmic solutions, putting massive quantities of data at risk of breach. However, the threat itself is pretty well defined, though rarely explained. For example, the threat posed by Shor’s algorithm is contained to asymmetric algorithms and does not extend to symmetric algorithms. This is still a major threat; however, it demonstrates the need to take an open and honest look at what quantum computing can do in the near term rather than fear the unknown unknowns of quantum technologies.

This presentation will look at strategies for employing both pre- and post-quantum algorithms to address encryption across a notional enterprise. It will discuss the current state of quantum-resistant algorithms, examine how emerging processes and technologies in quantum random number generation, key management, and deployment can and should be addressed by organizations over the next 5-7 years.

16:30 13S: A SABSA Approach to Health and Well Being Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.

I had a brilliant 2019, having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland, but like many of us my follow-up experience in 2020 was less than ideal and I came out of that year needing to take stock of my general health and wellbeing.

It is a shared observation of my colleagues that as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon.

We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life.

In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being "retirement fit". I took a haphazard approach and by the end of the year I realised three things:

Firstly, this is not a one-year project – it is going to be an ongoing iterative process.

Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and

Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach.

So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes.

This presentation uses SABSA as a framework for health and well-being and presents the fundamentals of SABSA in a non-security and non-IT context.

17:45 14P: The COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]

• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 5th October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Drinks Reception & Dinner

19:30 Drinks Reception
20:00 Dinner

Thursday 6th October 2022

09:00 - 09:30 Registration & Coffee

Workshop W1

09:30 Cyberwar and the Law of Armed Conflict Speaker(s): Lawrence Dietz, Elizabeth O. Dietz

Lawrence Dietz

General Counsel, TAL Global Corporation (USA)

Lawrence Dietz, Attorney, has served as General Counsel of TAL Global since April 2010, where he has had extensive experience in international contracts. Prior to joining TAL Global, Dietz served in senior roles at Symantec Corporation, including Director of Market Intelligence and Global Public Sector Evangelist. He retired as a Colonel in the U.S. Army Reserve and is the author of the authoritative blog on Psychological Operations (PSYOP).

Elizabeth O. Dietz

Professor Emerita, San Jose State University (USA)

Dr Elizabeth 'Liz' O. Dietz, EdD, CS-NP, CSN, FAAN began her nursing career as a Lieutenant Junior Grade, Charge Nurse for the US Public Health Service during the Vietnam Conflict. She is a Professor Emeritus of Nursing from San Jose State University after a 29-year career there. She has been a volunteer with American Red Cross in Service to Armed Forces, Disaster Health Service Manager, Expert Instructor in International Humanitarian Law program, as well as Regional Disaster Lead for the...

This interactive session puts participants in the middle of the legal dilemmas and uncertainties of cyberwar and the application of International Humanitarian Law (IHL) or the Law of Armed Conflict. A very basic primer on IHL based on the International Committee of the Red Cross fundamentals will be presented in the first half of the class.

During the second half of the session hypothetical and/or historical vignettes of cyberspace operations will be presented. This may include denial of service attacks on the power grid and health resources as well as phishing and intelligence operations aimed at commercial entities. Other targets and techniques may be used as well.

Charges in the form of potential IHL violations will be developed based on the scenario. Participants will be selected to portray prosecution, defense and a jury. Each side will be allowed to present a 5 minute opening and closing argument. Once these are completed, the jury will render a verdict.

An open Forum will be held to discuss the trial(s) and identify key issues.

Workshop W2

09:30 Security for the Gobsmacked Human Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

They’ve had enough. They just get used to one environment and some SOB changes it. And we security geeks want to add change to the change. No wonder they growl at us. Complex, ever-evolving work environments turn communities of competent, veteran users into fumbling rookies who make new-guy mistakes, some of which impact security. Organizational restructuring is almost a constant. People still resist change, make mistakes, painstakingly follow bad security practices and get socially engineered. And bad guys find creative ways to defeat our newest, most sophisticated security measures.

We’ll give guidance for coping with human foibles, complexity and change in securing our vital assets.

Part 1 – Securing the semi-predictable humans – Phishing, really automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Part 2 – Securing the ever-changing organization – Change agents that can seriously affect security are gaining traction everywhere. Massive organizations are making their own rules and privacy decisions, at least until governments levy gargantuan fines. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.

Workshop W3

09:30 Ask us Anything: A Q&A Session With a SABSA Master’s Panel Speaker(s): William Schultz, Maurice Smit

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.
Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to “it depends”. This is because most of the time it is true: the answer to your question or problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start from the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Masters in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

12:30 - 13:30 Lunch

Conference End