
Welcome to COSAC - Conferencing the way it should be!

For 26 years COSAC has provided a trusted environment in which delegates derive value from shared experience and from intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from those opportunities, allowing delegates to focus on professional innovation.

View our 2019 agenda below.

Sunday 29th September 2019

19:30 Delegate Registration
19:30 Drinks Reception - Sponsored by Killashee
20:00 COSAC 2019 Welcome Dinner

Monday 30th September 2019

Breaks (COSAC Masterclasses are full-day, 09:30 - 17:30)
09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 The 19th International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 19th International Forum stands alone as a full-contact, no-holds-barred excursion into the COSAC experience. But it is also a harbinger of things to come and a deep immersion in the COSAC way. There will be a room full of savvy, scar-bearing security professionals analysing hypothetical scenarios and actual events from widely different perspectives, based on widely different experiences and perceptions of success and failure learned in the trenches. Information security masters offer and rigorously defend their opinions, but past editions of the Forum have shown that they are also ever-willing to help others and to learn from each other. Duels and mortal-combat cage matches are rare. Much more prevalent is reality-based analysis of recent and probable future events and trends, from perspectives illuminated by deep and broad information security knowledge and experience.

The moderator describes some actual event or prediction of the future or analysis of security-related issues, then comes up with a question or two about associated issues. He might then prod one or more attendees for their take on the issues in question, but more likely, he’ll try to avoid getting in the way, thus prompting participants to discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

It was true when we started the Forum, and it’s true in 2019 - “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” Ransomware, cryptojacking, social network privacy and security issues, GDPR, nation-state offensive activity, IoT device proliferation and security, finding and keeping competent help … – the 2019 list of real and potential concerns will no doubt continue to grow and bleed into 2020. Even if we could address them all, we have to keep playing whack-a-mole on the classic security gems that never seem to get fully resolved - password discipline, cloud security, access control, end-point security, policy writing and implementation, awareness and training, … ad infinitum. One of the features that makes the Forum so valuable is learning from the grizzled veterans what we can do and what we can’t – where to focus our limited resources. Trying to do everything at once is a sure prescription for failure.

The discussion and analyses started here in the Forum almost always continue throughout COSAC, often beyond that, leading to unique, realistic and workable solutions to seemingly intractable dilemmas. Leading also to building a network of intelligent, experienced, realistic people you can count on for trenchant analysis and real help. Come join us and help solve the information security problems of the world.

Masterclass M2

09:30 The 5th COSAC Design-Off Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason holds a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare or PCI standards.

This year will mark the 5th year of running this interactive and unique competition at COSAC Ireland. In the spirit of hackathons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. It is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle to apply them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region, for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made up of people with different skill sets and skill levels, and team members will actively engage each other while trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and communicating effectively with the client in order to deliver architectural guidance that addresses their problems. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement. Other spot prizes may be awarded by the moderators to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Masterclass M3

09:30 Understanding the Human: Why the Human Link Matters Speaker(s): Lynette Hornung, Helvi Salminen, Char Sample

Lynette Hornung

Senior Enterprise Security Architecture & Privacy Manager (USA)

Lynette is a Senior Privacy and Security Architecture Manager leading a privacy program with a federal agency, focusing on data protection and a security architecture that provides security and privacy by design. She has supported a variety of federal agencies with privacy and security architecture services and solutions. She was a CyberCorps scholar and holds an MS in Information Assurance from Iowa State University.

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before moving into information security she had 12 years of experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is a qualified CISA, CISSP and SABSA practitioner and was named CISO of the Year in Finland in 2014.

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland, and with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

The human link has been gaining attention in cyber security. Last year we opened the discussion on the human link by suggesting that the human is the least understood link in a security system. This year we have updated the workshop while providing the foundation for understanding the last (or perhaps first) frontier of the security landscape… the human mind. This workshop is designed to improve the understanding of the human and of the complex relationship between human and machine when sensing, perceiving and deciding, while explaining how this relationship influences and impacts the security environment. We offer a fresh examination of the human-security relationship with the hope of making security user-enabling. This requires examination from several points of view, including the following:

  • Understanding the commonalities and differences between humans and machines.
  • Understanding how the human-machine relationship gives rise to complex systems.
  • Defining security in this way, we will also discuss complexity theory and how it relates to human-machine behavior.
  • A discussion of neural networks and other classifiers in behavioral modeling.
  • Artificial intelligence technology is increasingly applied in various contexts, including security. In many areas of expertise people fear – sometimes for good reason – that AI systems will make their skills obsolete.
  • What does it mean in security?
  • What prevents AI systems from providing optimal performance?
  • Can AI systems be subverted?
  • Do we need to consider the ethical implications of Artificial Intelligence?
  • Are there privacy implications with Artificial Intelligence?
  • Perception management and how it can be manipulated in spite of target awareness.
  • Factors that influence problem perception, organization and data formation, and why this is important in the age of AI.
  • Data encoding & visualization.
  • Context recognition and evaluation.
  • Deception.
  • How are security actors (attackers, defenders and victims) deceived?
  • How can deception be identified?
  • How can deception be countered?
  • What are the legal remedies for deception? How can the legal world catch up with the technical developments in Artificial Intelligence?
  • Understanding the human brain, from biology to decisions.
  • Can the brain be re-programmed?
  • Hardwired, learned, conscious and unconscious behaviors.
  • Are there ethical considerations with re-programming?
  • Environmental factors (physical reality, virtual reality and augmented realities) and how the brain acts and responds in these environments.
  • Future scenarios – where technology is taking us humans, or where we humans are taking technology.
  • How to apply these discussions to security in your organization.

Masterclass M4

09:30 Cryptography in the Real World Speaker(s): Dan Houser, Karl Meyer

Dan Houser

Senior InfoSec Manager, The American Chemical Society (USA)

Dan Houser is a practitioner who brings 30 years of experience to his presentations from knowledge learned in the trenches, and is a published author and frequent speaker at international conferences. Mr. Houser has set strategy, led strategic projects and established EA/Security Architecture practices at several Fortune 500/Global 500 firms, including banking, insurance, finance, healthcare, retail and higher education. He was formerly head of the cryptographic practice for a top-20 insurer.

Karl Meyer

Chief Architect, CAS (USA)

Karl E. Meyer is a lifelong technologist and a renowned former General Electric (GE) technology leader, known for deep software technology development experience as well as unique accomplishments in the healthcare, power, energy, transportation and industrial businesses, achieved by managing, leading and integrating globally diverse talent, technology and tools. Karl has worked with venture capital funds, guiding new ventures on product management as well as evaluating and negotiating acquisitions.

Few of us are protecting state secrets, or have the budget of GCHQ or the NSA - but we must create defensible cryptographic systems given the constraints we're handed. How can we avoid the mistakes that have led to the downfall of major cryptosystems, while still achieving due diligence?

This session will provide an overview of what really matters with cryptography in the field, and help dispel bad practice with regards to cryptographic assessment. We will uncover the failure modes of crypto in the real world, and how to select and implement cryptographic components & capabilities securely as part of an enterprise initiative. We will present case studies of multiple cryptanalysis projects that permitted the author to break commercial cryptosystems, and detail the weaknesses that were introduced, and what we might learn from these failures. We will discuss failure modes of other commercial crypto systems, why those failed, and why crypto is hard to get right in practice.

Auditors and risk analysts frequently ask the wrong questions regarding cryptography, so we will provide better lists (e.g. "Describe the key management escrow lifecycle, and your process for responding to the death or disqualification of a key holder.") and examples of terrible questions (e.g. "Is it using SSL?"). Lessons from audit failures will be touched on, to better assess the strength of third-party cryptographic solutions. This interactive session will conclude with snake-oil cryptography dodges and how to avoid them, and will step through the execution of a defensible due-diligence cryptographic project, including team formation, segregation of duties, architectural challenges and risk strategies.

This is an approachable version of cryptography for cryptographic implementers, architects and project leads that focuses on risk management, engineering and implementation, rather than NP-hard math. No calculator required.

Networking & Dinner

18:30 Drinks Reception
19:00 Dinner

Tuesday 1st October 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 1S: Using SABSA to Architect Zero-Trust Networks: Part 2 Speaker(s): Chris Blunt

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

At COSAC 2017, I presented a session discussing how to apply SABSA to architect a zero-trust network. This session explored the basic concepts of zero trust networks and showed how SABSA was used to deliver an Enterprise Security Architecture (ESA), which included a Conceptual Architecture for a zero-trust network.

But what has happened since then? Is it practical for an organisation without the resources of Microsoft, Amazon Web Services and Google to adopt these concepts? This session seeks to shed some light on this by building on the original sanitised NZ organisation case study.

This session will provide a brief overview of the zero-trust concepts, together with the pertinent details from the ESA and the Conceptual Architecture before exploring how they were used to develop and implement a solution architecture using cloud services, discussing the real-world challenges and how they were overcome.

Finally, if time and the demo gods permit there will be a demonstration of how zero-trust networks can work in the real-world using a replica of the NZ organisation’s implementation.

09:30 1A: Cyber Squad: Creating a Patch with the Girl Scouts of America Speaker(s): Joanne O'Connor

Joanne O'Connor

Women in Cyber Security International (Ireland)

Joanne brings her experience in public relations, user experience, and project management to her current role as Cyber Security Training and Education officer at HPE. She started her career with HP 10 years ago following her graduation in Information Systems Management. Her previous roles include global program manager, scrum master, product owner, UX/UI designer, and critical event manager. Joanne is one of the founding members of WCSI – Women in Cyber Security International.

Hewlett Packard Enterprise’s Women in Cyber Security International (WCSI) employee resource group planned, developed, executed and launched a unique and finely crafted cyber security curriculum, online game and board game in January 2019.

The project was run out of Galway, Ireland by a team of passionate cyber security women who have a vision to improve the future for the next generation of girls. The aim is to show them, not just in words but through concrete actions, that we want to advance women in STEM/STEAM subjects and increase the number of women turning to cyber security as a fulfilling career option.

This timely project brings elements of gamification to the curriculum and engages kids in a method of ‘teach by doing’. Accompanying the curriculum is an online game called ‘Cyber Squad’, designed by the BAFTA award-winning game studio Romero Games, which simulates cybersecurity issues such as phishing, cyberbullying and online safety through a narrative, role-playing interface.

The joint curriculum and patch also ties into the Girl Scouts organization’s longer-term pledge to bring 2.5 million girls into the science, technology, engineering and math (STEM) pipeline by 2025. Statistics show that women are underrepresented in the STEM workforce, with the largest disparities in engineering and computer sciences.

09:30 1B: Hand-rolling a Threat-intel Team to Disrupt the Dark Web Speaker(s): Dan Houser

Dan Houser

Senior InfoSec Manager, The American Chemical Society (USA)

Dan Houser is a practitioner who brings 30 years of experience to his presentations from knowledge learned in the trenches, and is a published author and frequent speaker at international conferences. Mr. Houser has set strategy, led strategic projects and established EA/Security Architecture practices at several Fortune 500/Global 500 firms, including banking, insurance, finance, healthcare, retail and higher education. He was formerly head of the cryptographic practice for a top-20 insurer.

What do you do when you're under attack, IP is being stolen, and there are no commercial tools available to solve the problem? You roll your own solutions.

As a SaaS provider, we are under daily attack by content and service thieves, via attack vectors that are atypical of the Usual Suspects: APT, OS/app vulnerability exploits, malware, phishing, etc. Yes, we see those like everyone else, but those aren't the vectors used by content thieves. Our fraud threat vectors use atypical attacks, so we have to develop atypical methods of detecting and responding to attack. Further, the information being stolen and accessed includes juicy data for criminal underground and nation-state attackers from several geographies, so this adds to the fun.

We will share a case study of how we developed, curated and enhanced our threat analytics process to discredit the thieves, disrupt the underground economy, and recapture lost revenue.

10:30 - 10:50 Morning Coffee

10:50 2S: Securing National Critical Energy Infrastructure at the Cost of.... Speaker(s): Rik van Hees, Marc Hullegie

Rik van Hees

Security Officer, Alliander (Netherlands)

Rik has been working in an ICS/SCADA environment for 10 years as an engineer, security architect and currently as a security officer for grid operator Alliander. He has strong knowledge of designing and securing ICS systems, segmenting OT environments and the risk management challenges of a grid operator. He holds a BSc in Electrical Engineering with a specialization in electronics, and security experience ‘learned on the job’. In his spare time he likes to play guitar and hike with his dogs.

Marc Hullegie

CEO, Vest Information Security (Netherlands)

Marc is founder and CEO of Vest Information Security (est. 2002). He holds BScs in both electrical engineering (datacom) and higher management, along with a handful of security certificates. Marc is known as a ‘people’ man, building bridges in complex, political situations. He has applied his skills in a variety of roles: CISO, Security Architect, Risk Analyst, Subject Matter Expert, Teacher, Coach, Presenter. Social media followers think he’s an outdoor chef, radio station owner, music producer or biker.

A ‘project’ with a duration of 5 years. It started by ‘abusing’ SABSA. Cowboys and Priests collapsing; the Indians were doing something else. Designing, developing, building and migrating an infrastructure Agile (huh?). Burning hours, burning people, burning hearts. Hatred, friendship and everything in the middle…. Rik van Hees and Marc Hullegie experienced it all, since they have been in the middle of it all. Men on a mission.

In this session, call it a case study, we would like to share our experiences from various viewpoints with the COSAC audience, discuss the good, the bad and the ugly, and get their feedback.

This session is about how the Dutch energy (electricity, gas, public lighting) grid operator Alliander, responsible for 2/3 of the Netherlands' energy grid, transferred from having a vulnerable infrastructure and fragile support organization to a very secure infrastructure and improved support organization. Ready for the future: an intelligent smart energy grid. Signed, sealed, delivered!

This session (Chatham House Rule) shows technical aspects, but focuses even more on the human aspects of transforming an organization that was meanwhile transforming itself.

10:50 2A: The Triple Helix of Cyber Defence Speaker(s): Louise Gallagher, Annie Hennelly

Louise Gallagher

Cyber Security Analysis & Response, Hewlett Packard Enterprise (Ireland)

Louise is a Risk & Compliance Analyst focusing on the transformation of a Vulnerability Management Program & remediation initiatives. She comes from a strong business background having spent years in different retail sectors. After completing a Masters in Information Systems Management, Louise became an IT Support Analyst and subsequently started her Cyber Security career in Incident Response, in a 24x7 SOC environment responsible for incident prevention, analysis and recovery.

Annie Hennelly

Program Manager, HPE Cyber Strategy Office (Ireland)

Annie is a Program Manager focused on the ongoing implementation of a best-in-class Cyber Fusion Centre to ensure HPE can proactively handle current and future cyber threats. Annie has a strong IT background, having held senior Program/Project and Account Delivery Management positions in a multinational environment throughout her career. Annie has received two HP CIO Awards for Excellence and was shortlisted for the ITAG (Information Technology Association of Galway) Digital Woman of the Year Award 2017.

The Triple Helix of Cyber Defense is a new concept that explores the importance of diversity, innovation and education in the field of cybersecurity. Its use as a framework is to advocate the relationship between these key intertwining elements in order to promote a stronger cybersecurity posture. Each strand relies on and interacts with the others to ensure the growth and evolution of an organization's cyber defense.

Diversity is imperative for any successful organization - in order to have the brightest and best minds, they must think, act and react differently. In a field as fluid as cybersecurity, innovation is vital. To excel at innovation, a business must look outside the ordinary and encourage diversity. Education is paramount in order to provide the best defense an enterprise needs. As is typical in a triple helix, each of these helices takes up a different amount of space, as its importance relates to the situation it is presented with.

The scope of this paper is to examine the role of each helix and the implication it has for an organization. A review is presented in the context of a case study undertaken in the growth of a Fortune 500 Cyber Security Center.

10:50 2B: Firmware Security - An Overlooked Threat Arises from the Riskiest Assets Speaker(s): Zahra Khani

Zahra Khani

CEO, Firmalyzer (Belgium)

Zahra is the founder and CEO of Firmalyzer SPRL, a Belgian company specialized in providing security solutions for IoT/connected devices. Their key product is the first automated firmware security analysis platform for IoT device vendors, security labs and enterprise device users. They also provide IoT security and privacy consultancy services for companies in terms of audit and compliance check with regulations, standards and leading practices.

Firmware security is an overlooked threat and an increasingly attractive entry point for attackers. According to a survey by ISACA, only 8% of respondents feel their enterprise is prepared for firmware-related vulnerabilities and exploits. This threat is getting more serious as more devices are connected to the Internet, a number Statista projects will reach 75 billion by 2025.

This presentation covers the current (in)security state of the firmware that powers the different kinds of devices deployed in enterprise networks, based on our three-year analysis of thousands of firmware images using our automated firmware security analysis platform; the reasons behind it; the risks they pose to enterprise networks; and the ways they can be mitigated or remedied by both developers and enterprise users.

12:00 3S: SABSA in Mission-Critical System Engineering Projects Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex is a Senior Security Architect within Thales Australia's Cyber Security team, with 20+ years' experience in Information & Communication Technology in the defence (national security), critical infrastructure and financial services sectors. Alex's role is to provide specialist security advice, design decisions and engineering review to enable projects and Thales' customers to devise, develop, acquire and maintain reliable, secure, accreditable and economically viable technology solutions.

The discussion of architecture frameworks and mission critical systems often misses the ‘elephant in the room’, since it excludes the use of system engineering practices to deliver large, complex solutions. This is counter-intuitive, since architecture frameworks were originally conceived to deal with complexity in the delivery of systems and outcomes, and were often derived from system engineering principles.

Although the SABSA training content does highlight the system engineering pedigree of the SABSA framework and methodology, many SABSA trainees and practitioners are unfamiliar with the formal practice of system engineering. This often results in a great deal of misunderstanding when architects from an enterprise ICT background join an engineering organisation.

As a SABSA practitioner working in a System Engineering organisation and on large scale mission critical systems, I have developed a depth of experience and insights into the application of SABSA architectural practices and methods within the framework of system engineering and the challenges of integrating into a system engineering organisation. Often these challenges highlighted that non-technical considerations were just as important (if not more important) than purely technical considerations.

The presentation will familiarise SABSA practitioners with the practice of system engineering and its application to mission critical systems. It will provide guidance in applying SABSA methods in a system engineering context. This presentation is an example of how to apply SABSA security architecture practices even though the engineering / technical organisation has not ‘mandated’ the use of the SABSA framework.

12:00 3A: The People Process Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, TNT (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently manages an international team of security analysts for FedEx TNT Express. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

For those of us working in InfoSec as individual contributors the cyber security skill shortage is a blessing. Unemployment is at 0% and therefore most of us have secured a position we enjoy with suitable benefits. However, those of us managing a department or function are well acquainted with the constant struggle of recruiting, developing, and retaining staff.

People management is essential for any security capability that requires more than just a few FTEs. Without motivated people, willing to work for you and your company, the job will not get done.

Like most of you, I am first and foremost a security professional. But these days I am undeniably a people manager as well! So as a very professional information security people manager ;-) ....

  • How do you build an environment that enables you to keep your team, is nice to work in and delivers the results needed?
  • How do you retain your current staff?
  • How do you recruit new staff, especially those with scarce skills?
  • Can you train instead of buy?
  • How do you get a recruit to choose your company over the competition?

Over the past years, I spent many hours recruiting, building, training and managing various InfoSec teams. In this interactive session I will share my views and experience on team building, workforce management and recruitment with you. In return I will ask you to share your views, triumphs and challenges, so collectively we can get ahead in the people game.

12:00 3B: Security - Only Developers can make it Proactive Speaker(s): Beata Szturemska

Beata Szturemska

Cloud Software Engineer, Intel (Poland)

A cloud software engineer at Intel, she is not devoted to any particular technology or programming language, which gives her the opportunity to make mistakes and learn something new every day. Fluent in C++ and Java, Python's pal, queen of Jenkins pipelines. She is strongly involved in promoting science to children and young people. She loves cycling in her free time.

Whether we use high-level languages like Java, Python or C#, or dive into the world of C/C++, the dependency lists of our projects contain more and more external frameworks and libraries. That makes life easier and helps us focus on delivering business value. But do you know which vulnerabilities are known for the version you use? Are you sure you know all the tips and tricks for using the framework correctly? Is it wise to rest the security of our products on the security of these frameworks and the way we use them?

Join me for an exciting LIVE DEMO. See how a known Spring Boot Data REST library vulnerability is weaponized, and how remote code execution is used to fully compromise the server hosting an application.

Using the vulnerability in an actual attack helps us understand the underlying mechanism and decide whether it applies to our own software. It also lets us derive detection patterns for attempts to exploit it on our infrastructure. And besides all that, it is fun to hack servers! It also shows that we can do much better than blindly upgrading components. There are vulnerabilities that are fixed not by a single patch but through a series of upgrades leading to more secure solutions, so it is important to stop for a while and think about other attack paths and the consequences we may face. The reactive approach of simply keeping up with the latest version leaves us in a position where we are always exposed to the next vulnerability about to be discovered.
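
The question "do you know what vulnerabilities are known for the version you use?" is one a build can answer for itself. What follows is an added example, not code from the talk or its speaker: it parses the direct dependencies out of a constructed Maven pom.xml and matches their versions against a constructed advisory list. The artifact names (com.example:rest-mapper, org.example:log-shim), the identifiers ADV-EXAMPLE-n and the version ranges are all invented for illustration and are not real advisories. Versions are compared numerically after stripping qualifiers such as RELEASE or -SNAPSHOT.

```python
"""Audit declared dependencies against a local advisory list.

Added example, not from the talk or its speaker. Given the coordinates
and versions a project declares (here: a constructed Maven pom.xml),
report which fall inside a known-vulnerable range. The advisory entries
and artifact names below are CONSTRUCTED for illustration; they are not
real advisories.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed advisory feed with hypothetical artifacts. "affected" is a
# comma-separated set of comparison clauses that must all hold.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "artifact": "com.example:rest-mapper",
     "affected": ">=2.0.0,<2.6.9", "fixed": "2.6.9"},
    {"id": "ADV-EXAMPLE-2", "artifact": "com.example:rest-mapper",
     "affected": ">=3.0.0,<3.1.2", "fixed": "3.1.2"},
    {"id": "ADV-EXAMPLE-3", "artifact": "org.example:log-shim",
     "affected": "<1.4.0", "fixed": "1.4.0"},
]

# Constructed pom.xml: one direct dependency inside a vulnerable range, one not.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>rest-mapper</artifactId>
      <version>2.0.9.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>log-shim</artifactId>
      <version>1.4.1</version>
    </dependency>
  </dependencies>
</project>
"""

_NUMERIC_CORE = re.compile(r"(\d+(?:\.\d+)*)")
_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.9.RELEASE' -> (2, 0, 9). Qualifiers such as RELEASE or
    -SNAPSHOT are dropped, so pre-releases compare as their base version."""
    m = _NUMERIC_CORE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare numerically with zero padding, so 1.4 == 1.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every clause in spec, e.g. '>=2.0.0,<2.6.9'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_cmp(v, parse_version(bound))):
            return False
    return True


def dependencies_from_pom(pom_xml: str) -> List[Tuple[str, str]]:
    """Direct dependencies with an explicit <version>; namespace-agnostic."""
    deps = []
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if "version" in f:  # versions managed by a parent/BOM are resolved elsewhere
            deps.append((f"{f['groupId']}:{f['artifactId']}", f["version"]))
    return deps


def audit(deps: List[Tuple[str, str]], advisories=ADVISORIES) -> List[Dict[str, str]]:
    """Every (artifact, version) that matches an advisory's affected range."""
    return [{"artifact": a, "version": v, "id": adv["id"], "fixed": adv["fixed"]}
            for a, v in deps for adv in advisories
            if adv["artifact"] == a and in_range(v, adv["affected"])]


if __name__ == "__main__":
    for hit in audit(dependencies_from_pom(POM)):
        print(f"{hit['artifact']} {hit['version']}: {hit['id']}, fixed in {hit['fixed']}")
```

Note the caveat in dependencies_from_pom: scanning a pom only finds direct dependencies with an explicit version. Versions inherited from a parent or BOM, and the transitive tree that actually ships, have to come from the build tool's resolved output (for Maven, `mvn dependency:list`), and that resolved list is the one worth auditing.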

13:00 - 14:00 Lunch

14:00 4S: 100% Hotter: Getting Your SABSA Noticed for All the Right Reasons Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 in the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

“My architecture is even bigger”, said the security architect. “I needed 7 A3 posters to print it and I’ve used font size 4. Also, we have over 3000 controls in our library.”

As security architects, we tend to get caught up in our artefacts. The bigger the diagram, the better. The smaller the font, the more interesting it must be. And this is fair, as much of our work involves structuring and visualizing great quantities of information. Through professional deformation we no longer notice abhorrent color schemes, misaligned attribute boxes and heaps of lines that cross over other heaps of lines. “It is the content that really matters.” “It is not my job to make it look pretty.” But as our stakeholders squint their eyes trying to make sense of what we’ve worked on for the past two years, they wonder how to share any of this with their bosses…

This session combines the discipline of visual design with practical examples in tools such as Archi, PowerPoint, Excel, Visio and InDesign to demonstrate how to rework your big spaghetti-monster diagrams into presentable and appealing security architecture artefacts. In the first part of the session we will discuss design theories, their practical implications and their value to the security architecture community. We will then apply the power of design to ugly or incomprehensible architecture artefacts and see how simple edits to design elements change them for the better. At the end of the session attendees will be invited to share some of their own architecture artefacts in a challenge to the speaker, who will aim to improve on the submissions and run a ‘before-after’ rump session with a selection of them at the end of the conference. The audience should walk away with concrete pointers on how to structure information in a visually appealing and intelligible way for non-architect stakeholders, and get their SABSA noticed for all the right reasons by their organizations.

The speaker is required to deliver appealing visuals and comprehensive documentation as a professional and has been trained in theories and tools to structure information for senior stakeholders. Previous education in branding and marketing has strengthened the speaker’s insight into how to communicate effectively and hit the right notes with target audiences, be it organizational stakeholders or the COSAC audience. Seeing that visual design might not be a skill that comes naturally to all and is not part of security architecture training, the speaker hopes to add real value by sharing this knowledge in a fun and engaging manner.

14:00 4A: Artificial Intelligence in Cybersecurity - Keep the Dream but Work with Reality Speaker(s): Miroslav Kis, Bobby Singh

Miroslav Kis

Director - Strategic Initiatives, TMX Group (Canada)

Dr Kis provides strategic guidance related to cybersecurity characteristics and readiness for experimental and operational use of FinTech innovative technologies including blockchain, crypto-currencies, cognitive and quantum computing, machine learning, big data, and cloud technologies. He has been providing consulting services to major Canadian, US, and UK financial institutions. Author and coauthor of more than thirty papers and presentations at national and international conferences.

Bobby Singh

CISO & Global Head of Infrastructure, TMX Group (Canada)

Bobby Singh is responsible for delivering secure & highly available technology services across TMX. A member of the executive leadership team, Bobby is defining TMX's cyber security and technology vision & strategy, to advance the organizational agenda. Responsible for corporate information and IT systems & services, as well as all aspects of security and GRC, he has broad expertise in developing and implementing security programs for public & private sector.

Artificial intelligence capabilities have lately been advertised as important features and selling points of almost every technology and security system. Opportunities for the use of AI appear limitless. In cybersecurity, the claims range from the promise that automated protection will make the job of security professionals easier to the extreme that intelligent systems can entirely replace humans. But what can we really expect from AI?

A realistic answer to this question is especially important in the context of cybersecurity. Overestimating the capabilities of AI would give us a false sense of security. Underestimating it, on the other hand, could leave us with inefficient cybersecurity protection. In either case our systems could be vulnerable to attacks by those who have a deeper understanding of the value of AI techniques and tools.

In this session we will analyze some key artificial intelligence techniques such as unsupervised, supervised, reinforcement, and deep learning, as well as rule-based systems. The goal is to clarify both the benefits and limitations of their use for cybersecurity protection. The second objective is to discuss how these complex, sometimes intimidating, concepts can be effectively communicated to the business so that they can make adequate investment decisions in cybersecurity.

14:00 4B: Who's Yanking My Chain? Vulnerabilities in the Software Supply Chain Speaker(s): Mike Broome

Mike Broome

Senior Software Engineer, Tanium (USA)

Mike is a Senior Software Engineer at Tanium, developing large-scale enterprise security and operations software. He spent two decades in networking and low-level embedded software, including writing code for the fastest-ramping mid-range router at Cisco. After a stint in embedded industrial control systems, he has spent the past 3 years working on a threat response solution that enables real-time monitoring of data at rest for indicators of compromise across an entire enterprise.

Modern applications rely on a panoply of frameworks and free software. As a developer, it's so easy to find some third-party software online that saves you some time, add it to your project, and have it automatically incorporated into your application. Given the crowded market of companies and software applications, it's imperative for anyone trying to enter the market or stay relevant to keep up with ever-changing software trends. The only way to do that efficiently is to build on the work of others and leverage available software components.

This talk was born from real-life experiences I've run into as an enterprise security software developer, combined with a few great hallway conversations at COSAC 2018. Together, we will continue these conversations, explore some high profile and successful hacks of the software supply chain, and try to answer the following questions: What attacks are the software supply chain vulnerable to? What risks do you and your company take on as a result? What mitigations exist or are possible for those risks – both from a developer standpoint, and from an enterprise security standpoint?
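
One developer-side mitigation for the risks raised above is to pin every third-party artifact by content hash rather than by name and version, so that whatever a registry later serves under the same coordinates is rejected if its bytes differ. The following is an added example, not code from the talk or its speaker. It assumes a simple lock manifest mapping name@version to a SHA-256 hex digest; the artifact names (pad-util, log-shim, term-colors) and their bytes are constructed for illustration.

```python
"""Pin third-party artifacts by content hash and verify before use.

Added example, not from the talk or its speaker. It mirrors what
pip --require-hashes and go.sum do: record the SHA-256 of every
dependency once it has been reviewed, then refuse to build with bytes
that differ, whatever the registry now serves under that name and
version. Artifact names and bytes are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Keys are name@version so a silent version bump is as visible as a
# changed payload for the same version.
Manifest = Dict[str, str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin(reviewed: Dict[str, bytes]) -> Manifest:
    """Build the lock manifest from artifacts a human has reviewed."""
    return {name: sha256_hex(data) for name, data in sorted(reviewed.items())}


def verify(manifest: Manifest, fetched: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Fail closed: a missing, tampered or unpinned artifact is a problem."""
    problems = []
    for name, expected in manifest.items():
        data = fetched.get(name)
        if data is None:
            problems.append(f"{name}: missing from fetch")
            continue
        actual = sha256_hex(data)
        if not hmac.compare_digest(actual, expected):
            problems.append(f"{name}: hash mismatch (expected {expected[:12]}, got {actual[:12]})")
    for name in fetched:
        if name not in manifest:
            problems.append(f"{name}: not pinned; review before adding")
    return (not problems, problems)


def manifest_diff(old: Manifest, new: Manifest) -> Dict[str, List[str]]:
    """What an upgrade changes, for code review: added, removed and rehashed pins."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


# Constructed artifacts standing in for downloaded packages (hypothetical names).
REVIEWED = {
    "pad-util@1.0.0": b"module.exports = s => s.padStart(10);\n",
    "log-shim@1.4.1": b"export const log = console.log;\n",
}


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the three cases a build would hit and return each verdict."""
    manifest = pin(REVIEWED)
    clean = dict(REVIEWED)
    # Same name and version, different bytes: a replaced package.
    tampered = dict(REVIEWED, **{"pad-util@1.0.0": b"module.exports = s => s; // constructed tampered payload\n"})
    # A transitive dependency that was never reviewed.
    unpinned = dict(REVIEWED, **{"term-colors@2.0.0": b"process.exit(1);\n"})
    return {
        "clean": verify(manifest, clean),
        "tampered": verify(manifest, tampered),
        "unpinned": verify(manifest, unpinned),
    }


if __name__ == "__main__":
    print(json.dumps(pin(REVIEWED), indent=2))
    for case, (ok, problems) in demo().items():
        print(case, "OK" if ok else "REJECTED", problems)
```

The shape is the same as pip's --require-hashes and Go's go.sum: the manifest is committed alongside the code, a change to it shows up in code review through manifest_diff, and the build fails closed on anything unpinned. It does not tell you whether the reviewed bytes were trustworthy in the first place; that is what the review step, and the enterprise-side controls the talk asks about, are for.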

15:10 5S: SABSA Problem Solving at the C Level Speaker(s): Anton Tkachov

Anton Tkachov

Chief Security Architect, FinServ, PwC (UK)

I lead Cloud Security proposition nationally and am growing a team of 'hands-on' security architects that can assist our clients with everything from an assessment & definition of cloud security strategy to technical architecture advisory & system integration work. The primary objective of my role is to leverage a vast network of bleeding edge technology start-ups and vendors to help our clients in finding and deploying new, more effective and efficient ways to manage cyber risk.

Nine out of ten SABSA architects work for a global organisation. Chances are they have been hired by a group to make things better and, as we all know, it rarely goes according to plan...

The group has the best intentions, but when its power and influence are limited, local perspectives and priorities often "torpedo" the best-laid plans.

I’d like to present a real case study of solving a complex, highly political problem using SABSA techniques. I will take the audience through what at first seemed to be a technical problem around selecting the right vendor for global security operations, something many organisations are currently working on, and demonstrate how I used business attribute profiling to get to the root cause of the disagreement at a business level and flesh out the barriers to working together.

I'll then follow up by explaining how I adapted the defined model to create, argue for and defend a solution that transcends politics and achieves the primary objective of reducing risk to the global federated business.

The value of my presentation is in sharing the experience of applying SABSA to a problem and using its methods to facilitate conversation amongst C-level executives. I'll leave the last 5-7 minutes of the presentation to facilitate a debate amongst the attendees, looking for feedback on my approach.

15:10 5A: Rise of the Weird Machines Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security.

One of the key assumptions in programming is that computers execute code that performs the function intended by the programmer. However, as programs become more complex, so do their inputs, resulting in situations where specially-crafted data can trigger unexpected computations in targets ranging from executables to OS elements to embedded hardware. These "weird machines" give rise to exploits in targets ranging from ELF metadata to x86 page handling to embedded font handlers… We'll discuss how weird machines are born, take a tour of Sergey Bratus' weird machine zoo, and talk about some of the frameworks and tools being developed to counter the rise of the weird machines.

15:10 5B: Architecting Design for Trustworthy Software (DfTS) Speaker(s): Malcolm Shore

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The SABSA methodology provides a framework for security design but, as with other standards, does not prescribe a specific process to use. This presentation looks at the Design for Trustworthy Software (DfTS) approach to product design and aligns it to the SABSA Framework. DfTS incorporates the best practices and features from a number of earlier development methodologies to ensure customer-driven design, and provides a context for deploying software quality management schemes. We will conclude with some insights into translating secure design into secure code by using the relevant elements of the Correctness by Construction methodology.

16:10 - 16:30 Afternoon Tea

16:30 6S: Engineering, Architecture & Security - How SABSA Draws Together Three Disciplines Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Executive Consultant, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs.

The roles of engineers, architects and security professionals have evolved over time into very different and task-specific professions. We often see these separate entities in a competitive light: an architect may be trying to design and deliver a particular artistic outcome; the engineer may be trying to deliver a functional product, machine or system; and the security professional may be trying to lock down and protect a system.

In focusing on their specific goals, each discipline can lose sight of the bigger picture which should be about delivering successful outcomes for the client.

Each discipline may take a different approach, look at the task from a different perspective, use different tools, engage differently and focus on different priorities but, in reality, there is no single right approach to delivering outcomes as each engagement and assignment is unique.

Each engagement and assignment needs the right, unique, approach for that engagement.

As an engineer I think I take a pragmatic, results-oriented approach that some would argue is, at times, inflexible and black and white. Engineers tend to be problem solvers, have strong technical skills and a need to work things out. They are different from architects, who tend to be creative, passionate and easier going. And different again from security professionals, who are often very technical, have a deep understanding of system vulnerabilities and weaknesses, understand where the threats are coming from, but who have historically taken a somewhat rule-driven approach.

SABSA draws strength from each of these disciplines and provides a framework that blends these strengths in a pragmatic, results-oriented way.

This presentation looks at a number of engineering and security projects I have been involved with over my career and the engineering tools used to approach those problems and retrospectively applies some of the SABSA logic to that approach to understand how we could have achieved a better outcome. In doing so, this presentation will discuss a number of standard approaches we take to engineering and security problems and how these can be improved through an understanding of the SABSA approach.

16:30 6A: The Reality of Data Gravity Speaker(s): Siân John MBE, Diana Kelley

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is Chief Security Advisor for EMEA in the Cybersecurity Solutions Group at Microsoft. Siân leads the EMEA security advisors, who work with Microsoft’s customers to help them develop their cyber security strategy and security best practices, and to understand how Microsoft’s technology and services can help support digital transformation and cloud services. Siân was awarded an MBE in the Queen’s New Year Honours List for 2018 for services to Cybersecurity.

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

The volume of data we must monitor increases every day, and there's no end in sight. At the same time, machine learning, automation and orchestration are driving us toward larger and larger pools of security data. Bringing all this data together into one big centralized pool has significant resource costs as we face the reality of data gravity: aggregating vast amounts of data is too costly in terms of latency and throughput to be practical. Some big data applications have managed this challenge by moving the application to the data. It is time for security to follow suit; the traditional architectural approach of aggregating all security and log information in one place simply will not scale for the future.

This session will discuss current work in progress on data architectures for security information. We’ll address questions like: What data must be aggregated for analytics? When can data be left in situ, or kept separate but queried for context or insight during an investigation? We’ll discuss the concepts of hot, warm and cold data stores, and how a data architecture can be put in place to support a global monitoring infrastructure across on-premises and hybrid cloud environments.

16:30 6B: Agile Security at Scale Speaker(s): Martin Hopkins, Jaco Jacobs

Martin Hopkins

Vice President, Aon (UK)

Group. He has over 25 years' experience in technology, primarily in security-related fields. In between delivering consultancy he leads security research and solutions innovation with a current focus on security architecture and advisory. He is a strong advocate of business-driven security, security architecture and secure software development practices.

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Solution development is increasingly adopting Agile and DevOps practices. What does this really mean for security, especially architecturally, and how can we deliver security in these projects at scale? Embedding security team members across the organization does not scale well, and it is near impossible to have a centralized security team that supports 50+ feature teams across a single program without impeding the agile processes.

How can we determine what activities we need in the development and CI/CD pipeline to avoid and prevent vulnerabilities from reaching production and, at the same time, minimize the cost and disruption of remedial work? Are our systems designed to support and enable incident response and digital forensics, and crucial business operations recovery after an incident? Are we providing sufficient, tangible, risk appropriate security guidance and input in an agile enough way to be valuable?

Bring your real-world experiences and join us to evaluate, and maybe debunk, best practice and discuss what has worked, what has not, and why.

Plenary Session

17:45 7P: Brace for Impact: A Structured Approach to Data Protection Impact Assessments Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Data Protection Impact Assessments (DPIAs) can be used to identify and mitigate data protection related risks (arising from a project, process or system) which may affect an organisation or the individuals it engages with. DPIAs are important tools for demonstrating compliance with the GDPR and as such DPIAs should be undertaken following a structured and consistent approach. Understanding when to undertake, and more importantly when not to undertake a DPIA, is very important for anyone providing data protection advice to clients, anyone fulfilling the Data Protection Officer role (as mandated in certain circumstances by the GDPR) or anyone working in Information Risk or Compliance. DPIAs are mandatory under GDPR for any new high-risk processing projects. ‘High risk’ is however a rather vague concept that may be open to interpretation and consequently EU guidelines have been published detailing processing that is likely to be classified as ‘high risk’. DPIAs are also not mandatory where the processing is unlikely to result in a high risk to the rights and freedoms of natural persons or when the nature, scope, context and purposes of the processing are similar to the processing for which DPIAs have already been carried out or where a processing operation has a legal basis which states that an initial DPIA does not have to be carried out.

However, since the GDPR came into force, clinical and health research regulation has been revised to reflect it, and in some cases these revisions make DPIAs mandatory for all such research projects involving the processing of personal data, regardless of the assessment of risk to the data subject (e.g. the Irish Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314/2018)). Essentially this means that certain clinical research institutions, hospital research units and academic research centres now need to undertake a DPIA for every research project processing personal data, regardless of the ‘high risk’ criteria. Combined with the DPIA requirements mandated by the GDPR, this has resulted in a growing need for competency in understanding and undertaking effective DPIAs. Yet on a weekly basis I encounter badly designed DPIAs, inconsistent risk evaluation and a complete lack of understanding of ‘high risk’.

In response to this growing need, I developed a structured DPIA approach presented in this session that can be applied in multiple contexts, in both public sector and private sector organizations.

Key learning outcomes from this presentation are:

  • Understanding what a DPIA is
  • Becoming familiar with a structured approach to performing a DPIA
  • Knowing how to determine if and when a DPIA should/ should not be conducted
  • Knowing whether a DPIA is mandatory for processing operations that existed before May 2018
  • Awareness of who should be involved in conducting a DPIA
  • What to do if a DPIA does not identify mitigating safeguards for residual high risks

Networking & Dinner

19:15 Drinks Reception
19:45 onwards COSAC Gala Dinner & Networking

Wednesday 2nd October 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 8S: SABSA Enhanced NIST Cybersecurity Framework Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures and Policies supporting business and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.

The NIST Cybersecurity Framework (CSF) has proven to be a de facto global standard for an organized collection of policies, processes and controls that an organization should have in place to reduce and manage the risk of cybersecurity threats. Global organizations such as NTT have embraced the NIST CSF as a way of providing consistent management of cybersecurity risk across all of their nearly 1,000 companies. The NIST CSF, however, lacks direction and support for identifying and managing real business drivers and demonstrating business value enhancement. A number of industry organizations and associations have addressed several perceived shortcomings of the NIST CSF by defining extensions and enhancements to the framework.

The SABSA Institute recognized the limitations of the NIST CSF and established the SABSA Enhanced NIST Cybersecurity Framework (SENC) project to develop a SABSA business-risk-driven front end to the NIST CSF. The objective of the SENC project is to use the SABSA Business Attribute Profiling method to specify the business risks for an organization in the form of a Business Attribute Profile and to define a series of measurement approaches, specific measurements and performance targets that reflect the views and concerns of the organization. Illustrative attribute profiles will be proposed for each of the sectors of critical infrastructure to which the NIST CSF is targeted.

In this session we will review the structure and content of the current version of the NIST CSF and then identify areas where enhancements to the framework and supporting reference material are needed. We will outline where SABSA can contribute to improving the framework and how the framework is used. We will also provide a current update on the activities of the SENC project to enhance the framework and solicit advice to further the efforts of the project.

09:30 8A: Privacy, Hunh, What is it Good for? Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record of establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and high-technology litigation and advisory across critical infrastructure, and is highly sought after as one of the world’s leading legal (cyber) experts.

Increasingly, privacy and security are diverging into separate fields, with Chief Information Security Officers responsible for applying technical fixes to secure data, and Chief Privacy Officers or even Data Protection Officers responsible for issues related to data collection, privacy policies and privacy protection agreements. However, this bifurcation of roles and responsibilities is antithetical to the concepts of security by design and privacy by design, particularly where the data collection points include low-power, low-sophistication IoT devices. This session will focus on the interplay between privacy and security: how security enables privacy but is not sufficient to guarantee it, and the role of the security professional both in enabling privacy and in questioning the assumptions made by privacy personnel. It will address the need for security professionals to collect and analyze data (e.g. log data, IP addresses, user behavior) in order to promote security, as filtered through the lens of the GDPR, the CCPA (California privacy law and regulation) and other data privacy provisions which may restrict the ability of companies to collect, store and process data. It will also address the collection of security-related data from the deep and dark web, profiling, and data sharing agreements in light of privacy law and regulation.

09:30 8B: Empowering Agriculture with I&AM Speaker(s): Mark McKenzie

Mark McKenzie

Director - Information Security, Dept. of Agriculture & Water Resources (Australia)

Mark leads the Information Security program at the Australian Dept of Agriculture, where he has overall responsibility for risk management, security architecture and incident detection and management. He has held similar roles in other Australian Govt agencies, including Dept of Finance and Dept of Human Services, and prides himself on building security programs that are focussed on managing organisational risk in ways that provide good security outcomes as well as good business outcomes.

Identity and access management (IAM) processes are typically seen as an IT and security responsibility (and problem), but at Agriculture, we saw our IAM deficiencies as an opportunity to transform and improve parts of our business through better security management by empowering them with better control over their data and improving IT’s ability to react to their needs.

In around six months we turned a largely paper based and fragmented system with little accountability into a logical identity and access management system with high levels of transparency and usability. We achieved this by ensuring that our business was engaged (not merely informed), that we were solving their problems as well as ours, and that at every stage of the program we demonstrated that we delivered on our promise to them.

In this session, I’ll talk about:

  • why IAM was the first big security issue I tackled at Agriculture;
  • how our project went from concept through planning to implementation;
  • how we brought our business along the journey;
  • how we used the Agile (Scrum) project methodology to organise ourselves and achieve better results;
  • and how we are ensuring our capability is sustainable in the long term.

10:30 - 10:50 Morning Coffee

10:50 9S: SABSA for Scaled Agile Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Lavender Bytes Consulting (Belgium)

Steven is an SCP with 10+ years' experience in the SABSA methodology. He works as an independent Security Architect and is developing a research interest in model-driven approaches to security architecture - a topic on which he presented at COSAC 2018 and authored a paper for the SABSA Institute.

Bonnie Demeyer

Security Consultant, Lavender Bytes Consulting (Belgium)

Bonnie is a Security Analyst and Information Security Manager with two years' experience in the application of security to Agile and Scaled Agile projects. She has also worked with Steven in the development and practical application of the model-driven approach.

Agile Scrum works best with small teams that work to deliver software which is prioritized by the team backlog. But the lack of holistic scope and the difficulty in translating user stories into actionable security requirements expose the limitations of treating security as another type of user story.

Scaled Agile Frameworks, devised for the development and co-ordination of larger projects, provide the broader canvas, longer cycles and architectural roles that allow security to be managed as a system property.

In this presentation, we summarise the limitations of attempting security at the Agile/Scrum level only, make the case for the Scaled Agile approach - highlighting the common touch-points between the Agile Release Train & the SABSA methodology, and demonstrate techniques for adapting SABSA to the Agile philosophy and mindset.

The session will crystallise why a scaled approach is necessary and how it can be achieved.

10:50 9A: Digital Ethics: A Blueprint for the Future Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Digital ethics, together with privacy, is one of Gartner’s top ten strategic technology trends for 2019. Digital ethics was also the key theme of the 2018 International Conference of Data Protection and Privacy Commissioners. In the world of Cybersecurity, we are acutely aware of what privacy means, but are we so clear about digital ethics? The current discourse on digital ethics focusses either on the intended ethical breaches resulting in damage to consumer trust – in other words ‘not doing right’ – or on the potential misuse of big data and artificial intelligence. However, digital ethics reaches far beyond this. With digital ethics comes the added variable of the ethical implications of things which may not yet exist, or things which may have impacts we cannot predict. Organisations continue to struggle to recognize and anticipate the unintended ethical issues associated with digital technologies. For instance, who twenty years ago would have anticipated the ethical issues now associated with current digital technologies, such as reduced social skills, addiction, bullying and loss of self-determination - or, in a broader digital context, the emerging erosion of democracy and the socio-political divisiveness of national security surveillance?

“…two young fish are swimming along and happen to meet an older fish swimming the other way, who nods at them and says ‘Morning, boys. How’s the water?’ The two young fish swim on for a bit, and then eventually one of them looks at the other and says ‘What the hell is water?’” - David Foster Wallace, This is Water.

To help navigate these digital ‘waters’ and fairly harness current and emerging digital technologies we will need to create coherent ethical governance structures for digital activities, including both privacy and security. Essentially this translates into some sort of digital ‘Hippocratic oath’ taken by the creators of these digital technologies. Such an oath would not only define how to avoid being unethical, but also define how to make ethics part of the fibre of the technologies themselves and their interface with society. The biggest challenge right now is in thinking we can regulate digital ethics with compliance-type checklists. This is because digital technologies are not neutral; they enshrine a vision and reflect a worldview which cannot be checklisted. Unless the creators of digital technologies are given the means to develop and foster an autonomous vision that reflects their values, we will inevitably drift towards digital autocracy. What if, instead of checklists, we could construct a navigational tool which guides our teams to focus, and refocus, on key areas more likely to be vulnerable to ethical compromise? Drawing on nascent research from the Omidyar Network and Institute for the Future, an overview of the recently launched ‘Ethical OS’ toolkit is presented, including an overview of the process of undertaking a digital ethics review and the 8 key risk areas that organisational teams need to focus on. This toolkit does not make an organisation 'ethical', but it does provide the organisation with an essential guide for its digital endeavours now and into an unknown future.

10:50 9B: Adaptable Access Controls Using Identity-Trust Scoring Models Speaker(s): Gordon Jenkins

Gordon Jenkins

Enterprise Security Architect, Structured Security Ltd (UK)

Gordon is a security architect, working as an independent consultant since the beginning of 2018. He has 20+ years' experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions and asset management. He has worked as a security architect for the last 9 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

Classic identification controls like ID and password are binary - the user is successfully authenticated or they are not. But an authentication decision always carries a risk of error (e.g., a compromised password), so an identity assertion can't really be trusted 100%. More modern authentication technologies introduce additional factors that can be used to assess or improve the level of trust in an identity assertion. But once you have assessed the level of trust, what are you going to do with that information?

Identity trust-scoring and authorisation models provide a way to make access decisions based on the level of trust you have in an identity assertion. By applying these models in the conceptual and logical layers of an architecture, we can create re-usable authentication and authorisation services that are:

  • trust-driven, based on the level of trust in an identity assertion;
  • flexible, allowing consistent decisions to be made across diverse systems and technologies;
  • adaptable, allowing quick and easy responses to changes in the threat landscape or risk appetite.

This talk will introduce the concept of identity trust-scoring models and demonstrate how they can be incorporated into a security architecture. It will illustrate how the models can be used to architect access solutions that:

  • offer authentication mechanisms that adapt to the user's risk context
  • enable consistent access authorisation decisions across diverse systems
  • improve the user experience of access control
  • adapt quickly and easily to changes in the threat landscape without cutting code

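As an added illustration of the trust-driven, data-driven authorisation idea sketched above (example code written for this agenda page, not the speaker's model), the toy service below scores an identity assertion from the evidence behind it, compares the score with a per-sensitivity threshold, and offers a step-up factor when that would close the gap; weights, penalties, factor names and thresholds are constructed policy data, so tightening a threshold changes decisions without touching code.

```python
"""Toy identity trust-scoring authorisation service (constructed example).

Evidence weights, risk penalties and thresholds are policy data rather than
code, so the model can be re-tuned when the threat landscape or risk
appetite changes. All names and numbers below are constructed assumptions.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set

# Constructed weights: how much each piece of authentication evidence
# contributes to trust in the identity assertion (0-100 scale).
EVIDENCE_WEIGHTS: Dict[str, int] = {
    "password": 30,
    "otp": 30,
    "hardware_key": 50,
    "managed_device": 20,
    "corporate_network": 10,
}

# Constructed penalties: risk-context signals that reduce trust.
RISK_PENALTIES: Dict[str, int] = {
    "new_geolocation": 20,
    "tor_exit": 40,
}

# Constructed policy: minimum trust per resource sensitivity, and the
# factors a user may be asked to present as a step-up.
POLICY = {
    "thresholds": {"public": 0, "internal": 40, "confidential": 70, "restricted": 100},
    "step_up_factors": ["otp", "hardware_key"],
}


@dataclass
class IdentityAssertion:
    subject: str
    evidence: Set[str]                         # factors already presented
    risk_signals: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    outcome: str          # "allow", "step_up" or "deny"
    score: int            # trust score computed for the assertion
    required: int         # threshold demanded by the resource sensitivity
    step_up: Optional[str] = None  # factor to request when outcome == "step_up"


def trust_score(assertion: IdentityAssertion,
                weights: Dict[str, int] = EVIDENCE_WEIGHTS,
                penalties: Dict[str, int] = RISK_PENALTIES) -> int:
    """Sum evidence weights, subtract risk penalties, clamp to 0..100."""
    score = sum(weights.get(e, 0) for e in assertion.evidence)
    score -= sum(penalties.get(r, 0) for r in assertion.risk_signals)
    return max(0, min(100, score))


def authorise(assertion: IdentityAssertion, sensitivity: str,
              policy: dict = POLICY) -> Decision:
    """Decide allow / step_up / deny purely from the score and the policy data."""
    required: int = policy["thresholds"][sensitivity]
    score = trust_score(assertion)
    if score >= required:
        return Decision("allow", score, required)
    # Would a step-up factor the user has not yet presented reach the bar?
    step_ups: List[str] = policy["step_up_factors"]
    for factor in step_ups:
        if factor in assertion.evidence:
            continue
        boosted = replace(assertion, evidence=assertion.evidence | {factor})
        if trust_score(boosted) >= required:
            return Decision("step_up", score, required, factor)
    return Decision("deny", score, required)


if __name__ == "__main__":
    alice = IdentityAssertion("alice", {"password", "managed_device", "corporate_network"})
    print(authorise(alice, "internal"))       # allow at score 60
    print(authorise(alice, "confidential"))   # step_up via otp
    bob = IdentityAssertion("bob", {"password"}, {"tor_exit"})
    print(authorise(bob, "restricted"))       # deny: no step-up reaches 100
    # Risk appetite tightens: raise the "internal" threshold, code unchanged.
    tighter = {"thresholds": dict(POLICY["thresholds"], internal=70),
               "step_up_factors": POLICY["step_up_factors"]}
    print(authorise(alice, "internal", tighter))  # now step_up
```
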
12:00 10S: The SABSA Minimum Viable Product Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney, Australia, with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

One of the most common questions that befalls a newly minted SABSA architect is “Where do I start?” And it’s not just SABSA neophytes faced with this problem ‒ we have all struggled in some way with delivering effective value whilst justifying the lengthy time and breadth needed to develop (often nascent) enterprise security architecture, particularly when first joining a new organisation where the SABSA practitioner has to produce the goods to make it through their probation. So where do you start? And more importantly, where should you be spending your precious time and energy, particularly during those first crucial months in a new role when all eyes are watching you in silent judgement of your level of competency and effectiveness? Taking inspiration from the much-heralded approach by the Australian Signals Directorate (ASD) in producing the Top 4 / Essential 8, this entertaining, thought-provoking and, no doubt, controversial presentation proposes a core set of architectural ‘products’, and the minimum criteria they must meet, that the Enterprise Security Architect needs to focus on in order for their efforts to be rightly deemed ‘security architecture’ in the eyes of their peers, as well as to allow the budding architect to pass probation and keep their job!

12:00 10A: This Weird Thing Called Ethics Speaker(s): Dan Houser

Dan Houser

Senior InfoSec Manager, The American Chemical Society (USA)

Dan Houser is a practitioner who brings 30 years of experience to his presentations from knowledge learned in the trenches, and is a published author and frequent speaker at international conferences. Mr. Houser has set strategy, led strategic projects and established EA/Security Architecture practices at several Fortune 500/Global 500 firms, including banking, insurance, finance, healthcare, retail and higher education. He is formerly head of cryptographic practice for a top-20 insurer.

This is an interactive session with both lecture and audience participation in case studies on ethics, created from real cases of ethical challenges. This session will explore professional ethics, information security professional ethics, and how these vary from other ethical constructs. We will discuss principles of false comfort and false alarm, interaction with policy and the law, and some of the ways to resolve conflicts of interest. As one of the most dominant and pervasive professional ethics frameworks in the Information Security profession, the (ISC)2 Code of Ethics will be examined for how it guides ethical behaviors in our field, and each of its canons will be explained. We will then review several ethics cases, what made these difficult, and discuss the pivotal aspects of these cases that made them either ethical or unethical. As an interactive session, this will involve substantive audience participation with questions & answers. Content for this presentation was created with the guidance and assistance of the (ISC)2 Ethics Committee members.

12:00 10B: Does eIDAS have the Midas Touch? Speaker(s): Martin Hopkins

Martin Hopkins

Vice President, Aon (UK)

Group. He has over 25 years' experience in technology, primarily in security-related fields. In between delivering consultancy he leads security research and solutions innovation with a current focus on security architecture and advisory. He is a strong advocate of business-driven security, security architecture and secure software development practices.

From 29 September 2018, EU citizens can use electronic ID to access online public services in other EU member states. Or can they?

The EU eIDAS regulation came into force on 1 July 2016. This regulation is intended to enhance trust in electronic transactions by providing cross-border recognition of electronic ID and consistent rules on trust services. The ID can refer to an individual or a business. The services include not just identity verification but also electronic document authenticity.

The benefits of increased access and reduced friction for consumers are clear. For commercial services, e.g. banks, cross-border service delivery might look much simpler. But is it? Do the banks really want disruption of their established customer onboarding processes? Adoption will not be entirely voluntary, though: the European Banking Association Regulatory Technical Standards mandate that use of eIDAS certificates by Third Party Providers to identify themselves to Account Servicing Payment Service Providers must be available by 14 September 2019. Will eIDAS deliver on the promise of cross-border federated identity?

Will we see eIDAS-based identity combined with other technologies, such as attribute-based encryption, to deliver data-centric security between disparate systems cross-border and between organisations all across the EU? Come and join me to discuss whether eIDAS will be a giver of gold for digital identity. Or is this a case of the standards not delivering on the conceptual promises, or of politicians overreaching and delivering something unworkable, or outdated and inferior before it is even used?

13:00 - 14:00 Lunch

14:00 11S: Leveraging Business Value Chains in Information Risk Management Speaker(s): William Schultz

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

The challenge of integrating business drivers and business impacts into an Information Risk (or Cybersecurity) Program can be an elusive task. It is mentioned in most risk management frameworks and is a common theme from industry strategy leaders. It sounds simple enough, but the actual implementation is usually anything but. Even with a solid approach, there are challenges in getting the business to buy in, getting the right people involved, getting the right information, and then scaling and managing the information in a reproducible way for the enterprise. In this session we will look at an organization that has recently revamped its enterprise cybersecurity program and is intentionally striving to build a foundation that engages the business to this end using value chains. We will review how the organization is leveraging SABSA Risk Management and Architecture approaches to tie existing risk management processes and control frameworks (including NIST and HITRUST) to a vendor-introduced process that engages business leaders to identify value chains and align them to information assets and systems. We will look at some of the theory and methods behind the approach, including some of the ways we had already introduced SABSA business attributes and risk management in the organization, and will look at how the use of value chains is integrating with, and complementing, them. We will look at the process around building value chains, and also discuss the systems that are being used to support these activities. Finally, we will discuss the successes that we have seen so far, as well as the obstacles that had to be overcome (some even to get started) and that we anticipate as we continue down this path.

14:00 11A: Bias Ex Machina (Lessons from Tay) Speaker(s): Siân John MBE, Lesley Kipling

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is Chief Security Advisor for EMEA in the Cybersecurity Solutions Group at Microsoft. Siân leads the EMEA security advisors who work with Microsoft’s customers to help them to develop their cyber security strategy and security best practices, and to understand how Microsoft’s technology and services can help support digital transformation and cloud services. Siân was awarded an MBE in the Queen's New Year Honours List for 2018 for services to Cybersecurity.

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

In March 2016 Microsoft released Tay, a Twitter chat bot designed to mimic the language patterns of a 19-year-old American girl and to learn appropriate behaviour based upon the interactions “she” had. Users quickly started tweeting offensive remarks at Tay, and within a short period of time many internet users were tweeting offensive material to the bot, leading it to share offensive and racist material and to be taken offline. Some important lessons were learnt from this about how to build an ethical, secure and robust AI system, avoiding introducing the biases of either the programmers or the data fed to the system.

This is an important consideration in building AI and machine learning systems in general, but it is also important as we start to build machine learning models for automating security response. We can expect hackers to start to ‘game’ the system, understanding the algorithms in use to determine how to avoid creating signals marked as malicious. This session will focus on the considerations in building a secure, resilient and ethical AI system, as well as the techniques we need to consider as we use machine learning for security.

14:00 11B: Attacking and Securing Healthcare Standards & Hospital Secured Systems Speaker(s): Ajay Pratap Singh

Ajay Pratap Singh

Product Security Engineer, Philips Healthcare (India)

Ajay Pratap Singh has 5+ years of experience in security & research. He is working as a Product Security Engineer in Philips Healthcare, where his responsibility is to make Philips medical devices hack-proof. His interest lies in breaking secured medical devices & infrastructure. He has spoken at the c0c0n & Nullcon international conferences.

The Health Care Industry has evolved exponentially over the last decade. It's no secret that advancement in technology & its adoption was the driving force behind this positive growth. Initially, interfaces between medical devices were custom designed & posed a huge challenge as far as interoperability was concerned. Healthcare standards like HL7 & DICOM have come to the rescue by providing interoperability to store, manage & exchange information among one or more devices, products, systems etc.

HL7 is a set of international standards for the exchange, integration, sharing, and retrieval of electronic health information. DICOM (Digital Imaging & Communications in Medicine) is the international standard for the communication and storage of medical images and related data. Both standards are supported by the majority of vendors & hospitals; however, secure implementation of these standards is still a concern, as security risks were given less importance while designing products (software & hardware) for healthcare services.

This presentation will be primarily focused on HL7 2.x, FHIR & DICOM messages, their implementation, the sensitivity of the information and how to attack these messages. The talk will cover workflow testing and its business implications, penetration testing of the hardened/secured medical system in the hospital network and the approach that needs to be taken to pentest the hardened medical system. The talk will be concluded by sharing insights on the proper implementation of these standards to better defend healthcare devices & systems against cyber-attacks.

15:10 12S: Feed Me Seymour - Taking Control of One's Appetite Speaker(s): Martin Hopkins, Jaco Jacobs

Martin Hopkins

Vice President, Aon (UK)

Group. He has over 25 years' experience in technology, primarily in security-related fields. In between delivering consultancy he leads security research and solutions innovation with a current focus on security architecture and advisory. He is a strong advocate of business-driven security, security architecture and secure software development practices.

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

SABSA, and many risk management frameworks, implore us to manage risk within the risk appetite. But what is the risk appetite? Can anyone articulate it? In SABSA it is expressed in the thresholds defined on metrics that measure our control objectives, but isn't it a first-class entity in its own right? How is it described, communicated and managed? Risk appetite is dynamic, and we need to be able to change it and readily identify the systemic impacts this has when we do.

Risk is important to us, as it underpins a large part of our jobs. So what do we do when the risk appetite is apparently huge? How does security deliver value? By enabling the business of course. If risk appetite is linked to our metrics for controls, do we not have an opportunity appetite linked to our enablement objectives? What does an opportunity appetite look like, how could we express it? If we don't do this, how can we align to the business and ensure enablement is appropriately targeted?

In between the temptations delivered so frequently by the Killashee Hotel chefs, if you've lost your appetite, join us to discuss how we can find, maintain and align to it, and help build a path to satisfaction.

15:10 12A: Rotten Tomatoes Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, TNT (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently manages an international team of security analysts for FedEx - TNT Express. Prior to FedEx, Karel fulfilled positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

These days anything can and will be rated: food, film, theatre, schools, employers, and your company’s cyber security posture. While many of these ratings are solicited, in cyber security we see a trend: vendors using public data sources and scans to create unsolicited ratings on companies to sell to their clients as a vendor risk management product.

It is not a question of if, but when, one of your clients puts an unsolicited cyber security report on your desk and asks for a response. When unprepared, this will be the beginning of a multi-dimensional game of chess between InfoSec, communications, the client and the provider of the report.

This session explores how these reports are created, what you can do to influence them and how the different potential responses to these reports might impact your business. It looks at the challenges you might face, but also at the opportunities it creates. That cyber security has an ever-growing impact on a company’s reputation is already clear, but the impact of perceived but unvalidated risk by a third party raises the stakes again and needs a game plan.

True to COSAC tradition, this session will be fully interactive. Please bring your points of view and experience to the table so we can collectively decide on potential playbooks to support our businesses in the best possible way.

15:10 12B: Cavalry vs Rifles: Evolving Tactics in Cybersecurity Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security.

Pre-Napoleon, the primary modern weapon of infantry was smoothbore muskets, which were both short-range and highly inaccurate. A cavalry charge was an effective tactic against unmounted fighters all the way back to the days of Alexander the Great… but give those fighters accurate, long-range weapons, and the advantage shifts.

Today, our battlegrounds have changed and our timescales are compressed, but we're still tackling the same challenge: changes in the weapons we're facing. As information security threats evolve, we must recognize that some of our traditional tools are also becoming obsolete, and that our tactics must evolve to meet the demands of today's environment. The question is: which tactics? And how? We will discuss risk assessment, data-driven threat modeling, which of our current solutions to leverage - and which to discard, and whether any of the much-hyped new domains (AI, ML, blockchain - bingo!) are actually adding value today.

16:10 - 16:30 Afternoon Tea

16:30 13S: Always Look on the Bright Side of Life: A Positivity Modelling Workshop Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

SABSA is a problem-solving framework for anything. We just happen to mostly apply it to security. And as security professionals we tend to gravitate towards the negative. Your website will be DDoSed, your PII stolen, and at the end of the day all that remains of your building are ashes…

Although looking at positive risk is part of the SABSA A1 curriculum, the speaker feels that the concept has not been fully embraced yet by security architects. Even when trying to account for positive risk in a risk assessment, the negative risks come easier to us. The solution therefore seems simple: full abstinence of negativity. This workshop is about modelling the positive – the speaker will ensure positive vibes through a light-hearted case study and abundant use of props, memes and music. Apart from being entertained, the audience can expect to feel challenged on conventional notions of risk during the session.

The workshop consists of three parts:

  • Recap on the concepts of positive and negative risk as outlined in the SABSA A1 course;
  • A reflection and discussion on why positive risk is not part of many architectures and what needs to change to create a balanced risk approach throughout organizations;
  • Lastly, a fictional case study will be presented and the audience will be asked to draw out positive risks and determine impact on an architecture versus a focus on negative risk only.

The speaker is a very positive and upbeat person and regrets that positive risk is not embraced by everybody. The speaker has over 28 years’ experience in positivity and feels confident in inspiring the audience to always look on the bright side of life, even as security professionals.

16:30 13A: Decrypt, Deceive, Destroy: Joe Rochefort, Midway & 8 Miraculous Minutes Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The battle of Midway turned WWII around in 8 minutes on the morning of June 4, 1942. And decryption and deception played a substantial part in the victory. Pilots sacrificed themselves, sailors were killed, and officers went down with their ships as 3 Japanese carriers were destroyed in the 8-minute span. A fourth aircraft carrier was sunk later in the day, but the damage had already been done, and the mighty Japanese Navy could not manage an offensive mission for the rest of the War.

A small group of dedicated Pearl Harbor cryptanalysts, led by Joe Rochefort – who not only spoke Japanese, but understood their way of thinking and decision making – was tirelessly working to decrypt Japanese Naval radio traffic. They unscrambled and intuited enough to identify Midway and predict where the attack would come from. We knew where they were, but they couldn’t find us quickly enough to save their carriers.

We’ll detail the decryption of JN-25 and JN-25b and how Midway was pinpointed. We’ll also describe the unfortunate situation of Joe Rochefort, a true hero who got anything but proper recognition. Finally, we’ll analyze some potential lessons from this 1941 drama relevant in 2019.

16:30 13B: Integrate Security Architecture with Cyber Resilience or Not? Speaker(s): Lori Murray

Lori Murray

PhD Student, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She has her Masters of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience between Systems Engineering as a Cyber Security SME building security architecture from requirements definition to design.

Ever-evolving adversaries drive the need for system architectures to protect both critical resources and business operations. How does one approach designing a security architecture to mitigate security risk while enabling completion of critical business operations? A cyber resilient architecture is engineered for completing critical objectives in the “face of persistent, stealthy, and sophisticated attacks of cyber resources (MITRE, 2011)”. Similar to cyber security, resilience must be engineered into all layers of system architecture at inception, baking protections for security and redundancies for resilience through all layers of the system architecture. We will explore how to build upon the SABSA security architecture framework to integrate protections that meet the goals of resilience: in the case of an adversary attack, to anticipate the attack across system functions, to continue system functions so that they complete, to recover system functions after execution of an attack, and to change system functions in order to recover from an attack.

Plenary Session

17:45 14P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.net

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 2nd October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Networking & Dinner

19:30 Drinks Reception
20:00 Dinner

Thursday 3rd October 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 15S: SABSA Secret Superpower Speaker(s): Andrew S. Townley

Andrew S. Townley

Founder & CEO, Archistry (South Africa)

Andrew is an international speaker, published author and thought leader on business execution, security, risk and technology who has extensive practical, hands-on experience working in the US, Europe, Middle East, Africa and Brazil. His Enterprise and Security Architecture experience includes leading SABSA adoption organizational change initiatives for Fortune Global 300 customers and is built on not only SABSA certification but personal mentoring by two of SABSA’s principal authors.

Are you mired in the murky muck of poorly defined risk ownership?

Tired of dealing with “kitchen sink” risk scenarios that imply every time someone trips over their shoelaces the company will inevitably go out of business?

Lost in the matrix of an overwhelmingly complex organizational reporting structure that thwarts every attempt to show where the true power over what really gets done is held?

If you’ve answered “yes” to at least one of those questions, then your future sanity, the fate of your children, your career – and even your dog – depend on you attending this talk.

Whether you wear t-shirts, Oxfords or English Spreads, underneath that tightly woven cotton exterior beats a heart infused with an oft under-used super-power: The SABSA® Governance Model

Not true, you say?

You just might need to get re-acquainted…buy it a beer…or even take it to lunch from time to time to remember who it is and why it’s useful.

Or you might not even understand its true power.

The thing is...it’s a slippery little devil. If you don’t give it enough attention, it’ll leave you colder than the last time you forgot your partner’s birthday—again.

So that’s exactly what this talk is about. To reacquaint you with a potentially under-used SABSA superpower that can literally SAVE THE DAY when you least expect it.

Some of the things we’re going to cover:

  • Why you might’ve missed the importance of this superpower when it’s hiding in plain sight
  • How it can be harnessed to untangle the most twisted and wicked organizational interactions and relationships (before you can find a convenient phone booth)
  • When to formally and finally burn forever the broken, ignored and just plain confusing RACI charts clogging your existing security governance model (and what to build in their place)
  • Exactly what to do when you have trouble finding the right risk owners so you flush them out of hiding and never let them off the hook again
  • How you can turn abstract arrows into concrete financial impact (predictably, reliably and based on hard numbers “the business” can’t refute)
  • What to do when you’re asked whether you’ve considered all the information and cyber risks that might derail the business (and build shedloads of stakeholder credibility in the process)
  • Where to find the ultimate budgetary bottlenecks (and how to make sure the money keeps on flowin’)
  • How you can give the gift of stress-free sleep to yourself (and the security leadership team) that just keeps on giving the more work you do
  • A collaborative way of articulating and clarifying the real risk tolerances and performance targets that matter most to the organization

09:30 15A: Building a Positive & Persuasive Security Programme Speaker(s): Mark McKenzie

Mark McKenzie

Director - Information Security, Dept. of Agriculture & Water Resources (Australia)

Mark leads the Information Security program at the Australian Dept of Agriculture, where he has overall responsibility for risk management, security architecture and incident detection and management. He has held similar roles in other Australian Govt agencies, including Dept of Finance and Dept of Human Services, and prides himself on building security programs that are focussed on managing organisational risk in ways that provide good security outcomes as well as good business outcomes.

Building a security program is hard – and building it from next to nothing is harder. Vendors, compliance targets, and competing priorities make it easy to lose sight of what capability you need to build and when. But with the right attitude, a bit of planning, and an understanding of what you need, you can build a positive and pervasive security program that addresses your organisation’s risks and enhances your personal reputation.

In this session I’ll share my experience building security programs for a range of Australian Government agencies – including one where I was their first information security advisor. I’ll describe how I worked to change culture, build people, and improve security capability in challenging organisations, and how you can do the same in your organisations.

I’ll be talking about:

  • what the core elements of a security program are;
  • how to develop your strategy;
  • building your team;
  • how to overcome common constraints – particularly funding and culture; and
  • how to work within your business to achieve shared goals.

09:30 15B: How the Attack Chain Really Works & The Evil-Minded Toad Problem Speaker(s): Matthew Pemble

Matthew Pemble

Technical Director, Goucher Consulting (UK)

Matthew has been Technical Director of Goucher Consulting Ltd since its founding, having previously worked for the UK Government (as a regular and reservist military officer & as a civilian consultant), an international banking group and several testing and security consultancies. Goucher provide specialist security advice to a range of private and public sector clients. Perhaps best known for his contributions to security testing, incident management & counter-fraud strategies.

The Lockheed Martin Cyber Attack chain, also known as the Cyber Kill chain, has been widely adopted in the literature and is part of the sales promotion techniques for far too many "not actually the magic bullet we claim it to be" security tools. However, anybody who has actually watched "Evil Minded Toads" in action against your systems - whether operational infrastructure or a honeynet - will know that there are some serious shortcomings in the Lockheed Martin approach, which still, unsurprisingly given their background, owes too much to the traditional military-derived attack chain concept and far too little to the speed and flexibility of the internet age.

Unless you are the target of those few adversaries with the ability and resources to craft an attack specifically to your network (your "attack surface", if we are being pedantic), you are much more likely to see a very shortened attack chain - and fewer steps and shorter timescales give the defenders much less chance to detect and respond to the attack.

This presentation will focus on a selection of very common attack methods, relate them to a modified kill chain, and look at the ways that active and passive defences can best be arranged and managed to prevent, detect and disrupt those attacks.

10:20 16S: Integrating SABSA with a High-Functioning EA Team Speaker(s): Dave Hornford

Dave Hornford

Managing Partner, Conexiam (Canada)

Dave Hornford leads vanguard architecture thinking and execution for Conexiam's clients in the digital era. Making the good great and the best even better. Dave is on a mission to improve the profession. He has decades of real-world experience. This experience is shared in real-world case studies, practical EA training and publication of field-tested best practices. Dave has co-authored thought leadership in 'Seven-Levers to Digital Transformation' & pragmatic guidance embedded in TOGAF.

High-functioning EA teams are optimized to deliver change programmes against upside opportunity-based goals. Stakeholders are typically defined in terms of who owns the existing pie and the expanded pie. In practice, this leads to happy-state enterprise architecture and treatment of security and assurance of benefit as an afterthought. While SABSA talks about the opportunity, the language, examples, and positioning remain highly threat focused.

This talk explores a case study of an established high-functioning EA practice integrating SABSA to improve change outcomes by assuring benefits realization and mitigation of threat. The talk will explore 1) adaption of Risk & Policy management for the benefit, 2) effective linkage of benefit & threat ownership, and 3) integration of model of security services to benefit realization services.

Risk & Policy management was adapted in terms understood by benefit owning stakeholders. Success was based upon the alignment of Assurance Framework to benefit realization.

Primary & secondary key benefit thresholds are used to determine the suitability of planned change and opportunity. In practice many organizations artificially separate responsibility for benefits realization and threat management. Effective future choice requires integration of risk ownership in terms that classic benefit owners will understand and accept.

Security services are not presented in terms that benefit owners will understand and accept. Assurance of benefits realization is predicated on the use of security services that are optimized to realize the opportunity. Development of benefit assurance service required careful language use in the multi-tiered control strategy.

We will offer a complete sample of anonymized enterprise architecture in the form of a self-contained HTML website.

10:20 16A: The Holistic CISO: Applying the 7S Framework to Cybersecurity Leadership Speaker(s): Todd Fitzgerald

Todd Fitzgerald

Managing Director/CISO, CISO Spotlight (USA)

Todd has led information security programs for Fortune 500/large organizations for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked a Top 50 Information Security Executive, and authored 4 books: CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019), Information Security Governance Simplified: From the Boardroom to the Keyboard, the ground-breaking CISO Leadership: Essential Principles for Success, and the EC-Council Certified Chief Information Security Officer BoK.

How do we know if the CISO’s security program has accounted for all the components needed to be effective? This session draws on the work done in the 1980s by two McKinsey consultants (the 7-S Framework) and applies it to building and sustaining the cybersecurity program, to ensure we have accounted for strategy, structure, systems, skills, style, staff and shared values. The talk will look at each of these components.

This represents an innovative way of combining a time-tested framework for organizational effectiveness and applying it to 13 different topic areas of security (i.e. cybersecurity strategy, reporting relationships, privacy, laws, multi-generational workforce dynamics, senior leadership/board interaction, selecting control frameworks, etc).

10:20 16B: Unlocking the Kill Chain - The Secrets of Mr Robot Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures and Policies supporting business and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.

Kill chains have been used as an organized approach to attacking organizations, and have provided very successful results. In some cases the attack appears to be a well-planned attack; in other cases, attacks have followed a kill chain approach but may not have been planned that way. In almost all cases, the organizations did not realize they were under a kill-chain attack until after the attack had succeeded. Understanding the components and execution of a kill chain based attack provides some insight into how they have been used and what can be done to limit their success.

We will outline the elements of the generally accepted kill chain model and identify the components that are typically used for a successful result. We will use a few well-known and interesting breaches to illustrate the kill-chain approach used to perpetrate successful attacks and what might have been done to stop or limit their success. The popular TV show, Mr. Robot, has applied very realistic kill-chains in their dramatic activities. We will use some examples from the show to illustrate the attack model. Additional examples from session participants are also most welcome.

We will describe various approaches that can be taken to defend against kill-chain based attacks at each step in the kill chain. The better the kill-chain approach is understood, the better able an organization is positioned to avoid or defeat them.

11:05 - 11:25 Morning Coffee

11:25 17S: SABSA Open Forum - Part 1 Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.
11:25 17A: So you've Been Hit with Ransomware - Now What? Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security, and high-technology litigation and advisory across the critical infrastructure. He is highly sought as one of the world’s leading legal (cyber) experts.

This session will focus on ransomware preparedness and response from a technical, political and legal perspective. It will address tools and techniques to minimize the likelihood and potential impact of ransomware, the role of insurance in ransomware preparedness, the role of Service Level Agreements (SLAs) with respect to third party access and use of data, and the role and elements of a ransomware preparedness program. It will also address the most common sources and impacts of ransomware, the role of cryptocurrency preparedness, and the legal issues associated with both paying and failing to pay for restoration of data. These include the role of export control laws and regulations; domestic and international sanctions regimes on the flow of cryptocurrencies; the role of “material assistance” laws which may restrict the transfer of cryptocurrency; money laundering and currency exchange laws and their impact on ransomware payment; the use of tumbling, obfuscation, cut-outs and fictitious wallets; tracking money flows through the cryptocurrency exchanges; the use of proxies and third parties; the role of law enforcement (domestic and international); and corporate duties and obligations. Finally, it will attempt to answer the questions “do I pay?” and, if so, “how?”

11:25 17B: Building a Working IoT SDLC Business Design Architecture Speaker(s): Shelby Kobes

Shelby Kobes

Director IoT Security, Cognizant (USA)

Shelby is currently leading Cognizant and Verizon Wireless in the development of an IoT design security process. Shelby has been working with a client, developing and designing how their internal departments align with the security mission of the business. Shelby has used the SABSA and ITIL frameworks to develop guidelines and matrices to help align current security services with the strategic mission of the organization.

Building a Working IoT SDLC Business Design Architecture: A Work Session Vetting IoT Design Architecture

One of the common problems facing organizations and IT management is how to determine what security controls are needed on IoT devices, how to develop a process to implement security, and what processes are needed throughout the design lifecycle so that security is implemented from a design perspective.

In many organizations, the business of design security follows only security best practices, trends, control lists or highly publicized events without really looking at the specific risks to the business. A lot of design security is focused only on ROI and Time to Market, without realizing the faults and risks inherent in designing an insecure IoT device.

SABSA provides a great way to address the business risk, design methodology and patterns an organization will need to develop a secure IoT device. We will show you an example of how the SABSA Architecture can be used in conjunction with IoT security framework models, as well as NIST/ISO guidelines, to create an IoT design architecture.

In this work session, we will review the processes needed to develop an IoT device, using the SABSA Matrix. We will look at each layer and review the current process in small teams. The goal is to vet the current process with industry leaders and address any gaps in the process. I built this process to allow organizations to define high level requirements and processes, as well as provide traceability to the lower level strategies, services, and components in the IoT design process. I believe that this will provide a robust lens for design security of IoT devices, so that security is not seen as a process after the development of a device, but as a method to develop systems throughout the design process.

12:15 18S: SABSA Open Forum - Part 2 Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.
12:15 18A: Security Assessments are Dead! Long Live Security Assessments! Speaker(s): Martin De Vries

Martin De Vries

Information Security Officer, Rabobank (Netherlands)

Martin is an experienced Information Security Professional with a background in Project Management and Service Management. In recent years his focus has been on innovation, both security innovation and secure innovation. In this role he scouts for security innovations, trends and technologies, and provides security advice to startups and scale-ups, helping them to properly address their cyber security risks.

A revolutionary shift in performing security assessments is needed.

With the ever growing IT landscape of organizations, as well as the growing amount of third party IT we depend upon, a discrepancy is rising. The reason for this is that the number of skilled security resources isn’t growing at the same speed (for various reasons) to perform all those assessments. The current, manual way of performing risk/security assessments is no longer viable. In fact one might say that every organization still performing manual security assessments is inherently insecure and at risk! So, what should we do then?

It’s called ‘Digital Risk Management’ (I know, it’s a Gartner ‘invented term’). More automation, machine learning and AI (Yep, this talk will do good in the hype word bingo at COSAC) will be needed to get up to date insights in the security maturity of an organization. This talk will dive into the benefits and pitfalls of this new way of performing security assessments and as such will provide an interesting insight to the experienced COSAC audience.

12:15 18B: SDN NFV - the Next Big Thing? Speaker(s): Mary Dunphy

Mary Dunphy

Security Architect, TEK Systems (USA)

Mary is an IT Security Architect for TEK systems. She has worked on projects in advanced cyber defense for RSA & Program Manager for Vendor Solutions/Integrations for Google headquarters in Mountain View, CA. Mary is the former CTO for Pro-Tec Design where clients included DHS, MSP, Best Buy, City of Minneapolis, FBI and departments at all levels of government. She also provided consulting services for Attorney General Settlement Agreement and Office of the Comptroller of the Currency.

The wave of Software Defined Networks (SDN) and Network Function Virtualization (NFV), sometimes referred to as virtual network functions (VNF), is a disruptor of previously agreed upon best practices for security. Solution providers touting the ease of 3 day installs of overlay networks to provide configuration and orchestration minimize the potential new risks introduced with OpenStack virtual network functions (VNF or NFV), as well as the many NFV flavors vendors have developed for their own market share. The shiny promise of relief from management tasks is a siren call to a beleaguered network staff, as is the promise of being able to implement multiple network architectures at high levels of abstraction rather than piece by piece, operating as intended simply by telling the system your goals and letting it figure out the best path to success. What is left out of this utopia? Where does Security live in this model? This session is designed to facilitate ongoing discussion of the roles and placement of security in this changing landscape.

13:00 - 14:00 Lunch

Workshop W1

14:00 How to Build Resilience & Fidelity into our Data Speaker(s): Char Sample

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland and with the University of Warwick, UK. Dr. Sample has over 20 years’ experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

The data that we protect and use lacks guaranteed veracity. This problem has been known for years, but because historically the data has been accurate, and therefore deemed trustworthy, we have not looked closely at the fidelity of the data. Recent developments in fake news (beyond politics and into economics), with “deep fakes” and artificial intelligence creating narratives, present an opportunity for all cyber security professionals to question our role in ensuring the accuracy and fidelity of our data and how we can make the data resilient against deception. We will define the problem, discuss the origins of the problem and examine various methods being discussed to address this problem that is only now gathering attention.

Workshop W2

14:00 Security Modelling Workshop Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Lavender Bytes Consulting (Belgium)

Steven is an SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and develops a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018 and authored a paper for the SABSA Institute.
Bonnie Demeyer

Security Consultant, Lavender Bytes Consulting (Belgium)

Bonnie is a Security Analyst and Information Security Manager with two years’ experience in the application of security to Agile and Scaled Agile projects. She has also worked with Steven in the development and practical application of the model-driven approach.

By the time COSAC 2019 opens, The SABSA Institute is expecting to have established a new Interest Group dedicated to processes and tooling.

The launch will be marked by a working group dedicated to model-driven security architecture.

We would like to use this workshop to provide a more practical, in-depth introduction to tools & resources, both available and in development, that support the SABSA methodology and the production of artefacts.

These will mainly focus on the resources available from the TSI's own Process & Tooling Interest Group site (open-source ArchiMate Security Extension) but will also evaluate & compare an unofficial 3rd Party SABSA module for the Sparx EA modelling environment.

Workshop W3

14:00 Ask Us Anything: A Q&A with a SABSA Masters Panel Speaker(s): Chris Blunt, Maurice Smit, William Schultz

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.
Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.
William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to the response “it depends”. This is because most of the time it is true: the answer to your problem depends on the question you are trying to answer. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the COSAC way there will be plenty of group debate and interaction, and no shortage of other experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:00 Speaking Security Innovation Fluently: Taking ESA from Boardrooms to Lego Rooms Speaker(s): Rosanna Kurrer, Patrick Wheeler

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna is an Architectural Engineer by training and holds a Masters Degree in Building Physics from Kyoto University in Japan. For the past several years, this certified MIT Master Trainer in Educational Mobile Computing, as well as EU Code Week ambassador, has led hands-on, result-oriented workshops in the areas of computer programming, data visualisation, the Internet of Things, and 3D design and Design Thinking, to promote the uptake of digital skills, particularly among girls and women.
Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Patrick Wheeler is an enterprise security architecture lead where he is leading the effort to secure the Kubernetting of Europe’s financial ecosystem merging design thinking and ESA for one of Europe’s largest banking groups (8-12% of Europe’s GDP). He considers this the least most important activity and acts in support of Rosanna’s efforts ushering in new cyber resources. A native of California, via years in Silicon Valley, he now identifies as Belgian.

An introduction to design thinking.

Contextual? Global and local enterprises are all pushing ‘innovation’ mantras, from Agile-IT to Netflix-HR. The rush toward decentralized-small-squad-self-governed-code-fast-publish-now-fail-early-apologize-later-if-needed (Agile, DevOps, etc) places known and growing challenges on ESA. Design Think (Hasso-Plattner: radical-collaboration, bias-toward-action, mindful-of-process, beginners-mindset, show-don’t-tell, embrace-experimentation, prototype-to-discover) is one of the latest widely adopted methodological approaches to innovation, often placed upstream of Agile. Applying the SABSA framework to Design Think in an enterprise can embed ESA concepts early into corporate strategies (boardrooms) and product lifecycles (lego rooms). By embedding ourselves at the earliest stages in decision-making processes we carry ESA to the boardrooms, differently.

What? Business decisions from fintech acquisition and business partnerships through to strategic bet-the-company pivots are being made via this process. We propose an introduction, workshop and exercise to get in front of enterprise strategy and set enterprise security architecture priorities by reverse engineering design think orthodoxy and credos in the enterprise. It includes a 3-hour learning-by-doing exercise on how to identify design opportunities, generate diverse ideas, and create and test prototypes using the principles and mindsets of design thinking. This business-focused exercise concentrates on Business and the Contextual and Conceptual layers. Our presenters are practitioners who can speak to using this throughout all layers in the Financial sector (e.g. SWIFT, Euroclear and BNPPF) and governments (e.g. EU).

Why? While we may speak the language of risk, business and enterprise, we must be fully conversant with the buzzwords, concepts and methodologies to be fluent in the language of innovation. Ideas are always in abundance; how do we turn them into concrete and desirable products, processes or campaigns? In security we strive to create a positive impact and bring value to our teams and relationships. We are faced with complex situations or challenges with known or unknown conditions and uncertainty. These challenges often require creative solutions that actually work, feel right and meet core needs. Using the on-going communications frameworks is key to success. Co-creating solutions is just the beginning.

How? While this can be used as design think for security (and we have indications of success in enterprise security teams), we will focus on the business context of embedding ESA concepts and securing the design think and innovation eco-system process. By making ourselves conversant in and demonstrably using the design thinking process, and by bringing into action the mindsets of creative confidence, tactical empathy, iteration, learning from failure, radical collaboration and embracing ambiguity, we increase the likelihood of gaining real insight into the real and often hidden needs of our audience, users or stakeholders. We look at the mental barriers to security adoption, differently. There are design opportunities for which we could create prototypes and iterate to drive organic adoption (pull, not push) of ESA. (Warning: if special dispensation is granted, there may be commercial product placement of Lego’s™; the presenters have no direct or indirect commercial involvement, and choking hazards are assumed an acceptable risk.)

Plenary Session

17:15 20P: The 2019 Anthony Sale Memorial Session - Connections Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

In the late 1970s James Burke's ground-breaking TV series 'Connections' explored the various paths of how technological change happens and the social effects of these changes on Western society. To illustrate this he followed various timelines of how one innovation led to something totally unrelated in the future. The series had a profound effect on me, in particular how you can learn to think laterally and how that can drive technical innovation.

Tony Sale was an inspirational leader and lateral thinker; his legacy at The National Museum of Computing is not just the Colossus Rebuild Project but the Bletchley Park site as a whole. In this talk I shall follow some of the connections that led to the birth of the computer security industry and the challenges we face today.

Conference Close

18:15 Conference Close - COSAC Chairman Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.