Welcome to COSAC - Conferencing the way it should be!
The COSAC 2023 Call for Papers is now open. View the COSAC 2022 agenda below to gain an insight into the value COSAC provides for experienced information security practitioners. Our 2023 agenda will be announced in April.
COSAC 2022 Registration & Welcome Dinner
19:30 Delegate Registration
19:30 Drinks Reception - Sponsored by Killashee Hotel
20:00 COSAC 2022 Welcome Dinner
Breaks (COSAC Masterclasses are full-day, 09:30 - 17:30)
09:00 Registration & Coffee
11:05 Morning Coffee
13:00 Lunch
15:35 Afternoon Tea
Masterclass M1
09:30 The 21st International Roundtable Security Forum
Speaker(s): John O'Leary, President, O'Leary Management Education (USA)
John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.
For 2022, the COSAC Forum presents a room full of industrial strength, battle-hardened, reality-grounded information security veterans. They’ve seen it all, done it all, fixed it all, coped with it all and didn’t even need to get the t-shirt. Of course, you’re one of them. And like the others, you’re always learning, willing to listen to and learn from others who’ve encountered things you might not have, not too shy about sharing strategies and techniques, and committed to our strange and very necessary profession. This full-day immersion in the COSAC way features a moderator, an ancient, grizzled if not very knowledgeable security veteran himself, who describes some actual recent events or publication or prediction or analysis of security-related activity, then comes up with a question or two about associated issues. But the real stars of the session are the participants. A described event or publication might engender wildly divergent reactions from attending professionals who experienced a similar event, but had different constraints or objectives or working tools or eventual outcomes. The moderator might prod an attendee for their take, but more likely, he’ll try to avoid getting in the way, thus allowing participants to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room. And nobody charges consulting fees. Join us and help solve the information security problems of the world.
Masterclass M2
09:30 The 6th COSAC Security Architecture Design-Off
Speaker(s): Jason Kobes, Architect, Research Scientist, Professor, Northrop Grumman (USA); Chris Blunt, Enterprise Security Architect, Aflac NI (Northern Ireland)
Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...
Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy.
He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.
In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something. Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life! Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges.
This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants. A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.
Masterclass M3
09:30 CyberWar, Deception & Weaponising Disinformation
It has been suggested that we are on the verge of a digital “cold war” but recent events show that such a prospect introduces new characteristics: cyberwar is not limited to the nations in conflict, it involves hacker groups, civilians with personal computing power, corporations in third countries, digital influencers, and a battle of the algorithms to create bias and misinformation. But what does that mean for us, for corporations, for Information Security leaders? What can we anticipate happening? How should we plan and respond? This COSAC Full-Day MasterClass examines the subject in detail and from multiple perspectives.
09:30 Part 1 - From SolarWinds to Digital Cold War
Speaker(s): Lesley Kipling, Chief Security Advisor, Microsoft (UK)
Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.
A look back at, and discussion of, the most newsworthy cyber events of the last couple of years, and a look forward to what we can anticipate in a digital cold war through the lens of history and the events in Georgia.
11:25 Part 2 - Deception, Weaponizing Disinformation and Challenges for the Future
Speaker(s): Lynette Hornung, Security Architecture Manager, Catapult Systems (USA); Char Sample, Cybersecurity Principal, MTSI (USA)
Lynette has her MS in Information Assurance from Iowa State University and her SABSA certifications. She has over 20 years of experience with security architecture and data privacy serving as a trusted advisor with customers and working on cross functional teams. She is currently a Security Architecture Manager with Catapult Systems.
Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.
Threat modeling and trust relationships are important tools to use when analyzing disinformation. Trust relationships provide lessons learned that can be applied to other domains, such as military, cyber, information, public health and economic. Trust solutions are often binary, but in reality trust is often fuzzy, cross-spectrum and can be visualized with a color spectrum. In this session we explore various aspects of disinformation and current events, including the Ukraine/Russia conflict and privacy considerations. The Ukraine conflict offers a unique recent event for an interactive discussion of disinformation, cyber attacks, information warfare, and the weaponization of fear. Disinformation stories often have a grain of truth. Part of the problem with handling disinformation is that even smart people can be fooled, and that does not make them less good or credible. The landscape of disinformation also encompasses group think, biases in algorithms and political bias, propaganda, spies and a lack of journalistic integrity. Like many challenges with cybersecurity, disinformation is a very serious challenge that is used in nefarious ways by various political actors for various economic and geopolitical gains. We will apply threat modeling and trust relationships to this, explore the challenges with disinformation, and explore creative approaches to navigate disinformation and future considerations and approaches. Disinformation is something that has been around for a long time, but it is made more difficult to detect by technological advancements and requires diligent understanding and analysis by the diverse academic backgrounds that are part of the cyber security field of practitioners.
14:00 Part 3 - Help, I Need a New IR Playbook! Preparing for Global Cyber Warfare
Speaker(s): Lesley Kipling, Chief Security Advisor, Microsoft (UK)
Title and abstract by Esther Schagen-van Luit.
The first real act of cyber war was the DDoS attacks on Estonia in 2007. Over the years we saw more aggressions. Georgia in 2008, Stuxnet in 2009, Saudi Aramco in 2012, Sony in 2014, Ukraine in 2015, NotPetya and Triton in 2017. NotPetya was a novel case as it harmed global organisations as collateral damage. New in this series are the cyber attacks to help Russian physical warfare in Ukraine. This time, involvement is not limited to the conflict countries. International hacker groups such as Anonymous picked a side. Organisations with off-shoring in Ukraine and Russia cut off their networks and people. Civilians from around the globe contributed by volunteering their laptops for DDoS attacks. This is the first time we've come close to a global cyber war. But how to respond? This session sets out the elements of cyber warfare and uses the Russia-Ukraine conflict as a case study. We take the view of an entity in a third country with operations in both conflict countries. The presenter uses her experience of managing security for an international organization. Next to incident readiness and response, she provided advice on how to engage employees in conflict countries and answer client questions on the situation. She is therefore well-placed to provide an end-to-end security perspective. She will share insights on aspects of incident readiness she had not encountered before and lessons learned on IR preparation for similar future cases. Then the floor is open for the audience to share how their organizations responded to the Russia-Ukraine conflict and how they view the future of cyber warfare.
15:55 Part 4 - Analyzing Russian Cyber Strategy in Warfare
Speaker(s): G. Mark Hardy, President, National Security Corporation (USA)
G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, and a Masters in Business Administration.
"The strong do what they can and the weak suffer what they must" - Thucydides, History of the Peloponnesian War (431 BC), Chapter XVII
Beginning in March 2022 the world saw a broad array of Russian warfare techniques. Ukraine has been Russia's testbed for cyber, but unlike the 2008 invasion of Georgia, cyber attacks did not effectively accompany the initial military activity. Why? And how does cyber align with Russia's strategy for escalation management, or intra-war deterrence, across the spectrum of conflict? What lessons have we learned about the conduct of cyberwar, and what are the implications for future conflicts whether or not they rise to the level of kinetic? What are the appropriate responses to avoid mutual digital annihilation? What other nation states should we add to this discussion to better prepare for the future?
Drinks Reception & Dinner
19:00 Drinks Reception
19:30 Dinner
09:00 - 09:30 Registration & Coffee
09:30 1A: Top 10 Privacy Challenges of the Hybrid Workplace Model
Speaker(s): Valerie Lyons, COO, BH Consulting (Ireland)
Recently included as one of Europe's top 100 women in cybersecurity, Dr. Valerie Lyons is a highly experienced senior cybersecurity and privacy professional. Currently COO of BH Consulting (a data protection and cybersecurity firm based in Ireland), Valerie is also a subject matter expert in European data protection and privacy. She recently completed an award-winning PhD, researching organisational approaches to Information Privacy. She lectures on the topic of cybersecurity, privacy and ethics...
Pre-pandemic, the common model of work was primarily the on-site working model, and the remote working model was less common. During the pandemic, however, many organisations pivoted to embrace the remote working model in response to strict lockdowns and mandated office closures. As we emerge from the pandemic, organisations are now operating variations of work models, ranging from fully onsite to fully remote. Many organizations now offer a combination of the two, where employees can work part of the time remote and part of the time on site, or where some employees work onsite full-time while others work remotely full-time. This new model is referred to as the Hybrid Workplace Model (HWM). Instead of structuring work around desks in a physical office space, the HWM introduces a set of privacy challenges associated with data protection, consumer protection, child protection, employee health and safety, and many other pieces of legislation. This session will share 10 key privacy challenges that this post-pandemic HWM introduces - such as the challenges associated with employee surveillance, health and safety, awareness training, auditing remote workspaces and auditing remote privacy practices.
Key Learning Outcomes:
09:30 1B: How Security Architecture Completely Changes the Game of 3rd-Party Risk Management
Speaker(s): Andrew S. Townley, Chief Executive, Archistry (South Africa)
Andrew S. Townley helps information and cyber security leaders build more effective security programs by applying 25 years of hard-won lessons across a diverse career from starting as a Software Engineer to building Archistry from the ground-up starting in 2006. Andrew is an international speaker, published author and thought leader on Information Security, Security Architecture, SABSA, Risk Management, Enterprise Architecture, SOA and Technology Strategy, and he has extensive practical,...
The prominent security breach headlines recently - from SolarWinds to Log4j - have certainly brought a more intense awareness of 3rd Party Risk Management (TPRM) to just about everybody. However, despite a whole lot more attention, eyeballs and even money thrown at rapidly rolling out vendor solutions, it hasn’t really done much to find practical answers to the problem. In fact, according to a recent Ponemon survey of 600 IT professionals:
Not only do these statistics paint a pretty bleak picture of the current “state of the art”, many of the vendor solutions supposedly addressing this problem are simply reducing the time and effort to perform the assessments. In fact, they're basically automating the same, traditional, ineffective approach. In practice, the true state of TPRM in most organizations is a mess. And it’s a mess not because of the 3rd-parties themselves. It’s a mess because many organizations don’t treat TPRM as an integrated part of their overall cybersecurity program. Unfortunately, a lot of these issues aren’t really apparent until the organization is knee-deep in some kind of security problem-solving exercise, proving once again that security was involved far too late in the process. In this session, I’m going to use the case study of a fairly common security problem to back into the limitations of the standard approach to TPRM used by many organizations. I’m then going to show how you can get out in front of the problem once and for all if you have the grit and determination required to fight a few organizational political battles and make sure that security is considered from an enterprise perspective for every business project.
Once we’ve exposed the common issues preventing effective integration of TPRM into security, and we’ve identified an architectural approach that can solve the problem, I’m then going to dive deeper into how supplier and 3rd-party risk management really works. Once there, you’ll discover why the way we often try to solve the problem will never really get the results our organizations need. When the full scope of the problem has been unearthed, I’ll present a better, architecture-driven approach to identify and manage your organization’s 3rd-party and supplier risk exposure.
09:30 1S: Applying SABSA to Digital Twins and Cyber-Physical Infrastructure
Speaker(s): Hugh Boyes, Principal Engineer, University of Warwick (UK)
Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the CISSP. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).
Concepts such as digital twins and cyber-physical infrastructure (CPI) are receiving increasing attention, with promotional coverage in technology-focussed media, accompanied by consultations and investment by governments. There is significant hype around these concepts with little discussion of what they represent in terms of functionality and any associated security risks. For example, the proposed interaction between physical entities and their digital twins presents significant security and safety challenges, with potential conflicts between the measures typically deployed by safety and security professionals. This session will explore the functional components and conceptual architecture typically required to create a realistic digital representation of a physical entity. It will highlight how differing security and assurance practices may affect the integration of a physical entity with its digital twin, and their subsequent operation. Then, building on the functional and conceptual models, it will explore how SABSA may be used to engineer a safe and secure approach to the digitalisation of the physical world. This session may cause you to think differently about security risks associated with cyber-physical systems. It will provide a better understanding of the potential for unforeseen outcomes arising from adoption and integration of sometimes-immature digital technologies in our physical world.
10:30 - 10:50 Morning Coffee
10:50 2A: Breaching The Security Behaviour Ceiling
Speaker(s): Martin Hopkins, Consultant, Attributive Security (UK)
Martin is an independent information security consultant with a current focus on security advisory to small businesses in the UK. He has over 25 years’ experience in technology, primarily in security related fields. A regular speaker on cyber security topics, he is a strong advocate of business driven security, security architecture and secure software development practices.
Despite huge investments cyber security continues to hit the headlines for all the wrong reasons. Report after report claims that human fallibility contributes to most security incidents. Vendors tell you that your people are the weakest link, and then try to sell you some technology to fix the problem. Technology will not save you. People are not the weakest link; they’re involved in just about every link somehow. “Ok,” you say, “we get it. We’ve got a mature security awareness programme, we’ve abandoned dull CBT, our training is engaging and gamified.” But you’ve reached a plateau with progress slowing to a crawl or stopping entirely. Whatever you do to increase knowledge and understanding, behaviour change stubbornly fails to materialise. Those strange people that don’t align to our expectations, that don’t behave correctly; they’re not irrational or uneducated, they just have different perspectives, and we’re working against them not with them. In this session we’ll discuss security culture: what it is, how to find the one you already have, how to approach measuring it, the wider culture factors that influence it, and explore the gap between knowledge and behavioural norms.
10:50 2B: When Third Parties Come First: A Case Study on Russia/Ukraine and the Importance of Holistic Third-party Management
Speaker(s): Timothy Sewell, CIO / CISO, Reveal Risk (USA); Todd Wilkinson, Chief Information Security Architect, Elanco Animal Health (USA)
Tim is a lifelong technology and security enthusiast with broad experience in multiple industries. He spent over a decade at Lockheed Martin designing and deploying solutions to some of the hardest cybersecurity problems in the national security space: Cryptography, weapon systems, aircraft, satellites, critical networks, APTs, hardware security, supply chain and third-party security, anti-tamper and industrial control systems using a blend of best-of-breed from the commercial space, coupled...
Todd Wilkinson has been in the technology industry for 23 years and is most recently serving as the Chief Information Security Architect for Elanco Animal Health, building their new security program as part of a divestiture and IPO. He has advised on and was accountable for the technology direction and product development of solutions that Elanco offers to its animal health customers, and developed innovation in disease detection, wearables, implantable and mobile imaging capabilities with Elanco.
This two-part presentation explores some unexpected impacts from the Russia / Ukraine conflict on global operations, where vendors are moving to protect their own assets first and more quickly, and the importance of including third-party risk management in organizational security architecture.
Highlights will include a global manufacturing company with offices in Russia, Ukraine, and eastern Europe, a small manufacturer that is dependent on Russian suppliers, a biotech company with a heavy Russian developer population, and other real world examples.
10:50 2S: The Chicken and Egg Problem or How to Implement Enterprise Security Architecture Without Architects
Speaker(s): Dr. Silvia Knittl, Director Cyber & Privacy, PwC (Germany)
Dr. Silvia Knittl is focused on Enterprise Security Architecture and supporting public and business clients in enabling their cyber capabilities. She manages security transformation projects and has led many cyber engagements helping organizations to improve on governance, processes, or tooling in domains like IAM, SIEM/SOC or network. She is Director at PwC Germany in the Cyber & Privacy practice and has over 15 years of experience working in Cyber.
Companies often ask us to improve their cyber security. Even more frequently, many of the organizations cannot answer the question of where they stand with their security today. Many of the organizations have grown in the past without architectural support and have not yet established an enterprise architect or security architects. Quite often, cyber is organized somewhere in the IT department and the various security domains with their experts and their respective tooling needs are very often located in distinct silos. In this session I will report on how to introduce an enterprise security architecture (ESA) capability without all the relevant prerequisites, such as an architect position, already being in place in the company. Our framework of cyber capabilities, which comprises domains, subdomains, and their capabilities, serves as the foundation. It encompasses domains such as Incident Recognition and Response and Security Orchestration, as well as the ESA domain. This framework is used to construct specific scenario reports swiftly and efficiently. These reports feature traditional maturity level representations, which help the organization to make well-informed decisions on the appropriate and further development of their ESA capabilities. For the situational pictures, we methodically use classic architecture visualization patterns. Here I demonstrate what value classical EA tools add to the development of the ESA capability. The session is interactive, and all the participants are invited to share their experiences concerning this topic.
12:00 3A: Artificial (un)Intelligence: Risks and Opportunities of AI
Speaker(s): Ashling Lupiani, Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)
Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...
This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function. This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use. The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics. The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.
12:00 3B: Managing the Software Supply Chain: Are we Kidding Ourselves?
Speaker(s): Todd Fitzgerald, Vice President, Cybersecurity Strategy, Cybersecurity Collaborative (USA)
Todd Fitzgerald promotes cybersecurity leadership collaboration and serves as VP, Cybersecurity Strategy and Chairman of the Cybersecurity Collaborative Executive Committee. Todd authored 4 books including #1 Best Selling and 2020 CANON Cybersecurity Hall of Fame Winner CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019) and ground-breaking CISO Leadership: Essential Principles for Success. Todd also hosts the popular SecurityWeekly CISO STORIES...
The past 2 years have seen several high-profile examples of where information technology products we have purchased have exposed our systems to bad actors. How do we get ahead of this? Is this even possible? We may hire SABSA Architects within our organizations, only to discover that the smaller (and larger!) companies have not exercised the same level of due diligence. This session consists of positing some ideas for getting ahead of these supply chain issues and discussing where they may be useful and their flaws in actual practice. Our environments are no longer inside our walls, or our systems in the cloud, but rather need to include those systems and processes we generally have regarded as external in the past. The session will be interactive, visual, and use audio/video, props and interactive discussion to discuss an issue that is top of mind for many in 2022. This is a complex issue that will leverage the experienced minds of COSAC.
12:00 |
3S: It Takes More Than SABSA: Building A Greenfield ESA Practice
Speaker(s):
Richard Morgan
Richard Morgan Chief Architect, Verizon Communications (USA)
Richard Morgan is the director of Enterprise Security Architecture and Chief Architect at Verizon Communications, a US-based telecommunications firm. Mr. Morgan was previously the Sr. Director of Strategy & Execution at the Verizon Media Group, and spent about 14 years in varying roles at AOL before that. He has a background that includes work in the Open Source and Linux communities back to the 1990s and feels the same sort of positive energy and camaraderie in the COSAC community.
|
In the COSAC world, we talk a lot about the SABSA framework and how useful and flexible it is. While that is true, there’s an entire set of other concepts, structures, and practices that are required to build a functioning Enterprise Security Architecture practice. In early 2021, Richard Morgan had the opportunity (and funding) to build, from the proverbial ground floor, an ESA practice for a Fortune 20 company. This session will cover the conceptual basis and metamodels that underlie the practice and the practical aspects of operationalizing the capabilities, functions, and principles to create something new and innovative. The work included lots of training, many, many presentations, and the inevitable challenges and lessons learned in showing the value of security architecture work. And for the COSAC audience, we offer credit and thanks for the concepts and experience gleaned from the community since 2018. |
13:00 - 14:00 Lunch
14:00 |
4A: Are You Talking to Me?
Speaker(s):
Karel Koster
Karel Koster Manager IT - Information Security, FedEx Express Int (Netherlands)
Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes.
Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies.
|
As cyber security professionals, we see lots of issues all the time, but we have only limited time and resources to address them. By reporting we get exposure to executive leadership and therefore an opportunity to ask for resources, support, and prioritization. However, reporting is often limited to just a few slides a month. Furthermore, we can’t over-ask, we can’t cry wolf too often and we can’t bring them problems management cannot solve. Then what can we ask? How can we get executive leadership to support our plans, while all we have is 5 minutes and a few slides in the limelight each quarter? Those slides can be much more than just a table with the colours red, amber, and green. If you know your audience, you can make the presentation work for you. This is to ensure your message is delivered loud and clear. In this talk, I dissect several strategies I use to push my agenda for support and buy-in towards senior leadership. I’ll share what works for me and what doesn’t. I encourage attendees to participate and share their experiences, successes and failures, in order to expand our collective knowledge. |
14:00 |
4B: Chaos Monkey Comes to Threat Modeling
Speaker(s):
Jason Kobes
Jason Kobes Architect, Research Scientist, Professor, Northrop Grumman (USA)
Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...
|
Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.
The session will start by exploring what we know and what processes exist to help us unfold this difficult topic. We will then move into a group discussion where we will explore how we can leverage each other’s perspectives and ideas. |
14:00 |
4S: Raiders of the Lost Attributes
Speaker(s):
Robert Laurie
Robert Laurie Enterprise Security Architect, David Lynas Consulting (Australia)
Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.
|
SABSA measures the impact of risk on attribute performance targets within a domain and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle with the whereabouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute or are we searching for the missing link in this view? In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition. |
15:10 |
5A: Telling Better Cyber Stories
Speaker(s):
Siân John MBE,
Siân John MBE Director SCI Business Development, Microsoft (UK)
Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption.
Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology.
Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...
Genevieve Liveley Professor of Classics, University of Bristol (UK)
Genevieve is Professor of Classics, RISCS Fellow, and Turing Fellow at the University of Bristol. As a narratologist, she has particular research interests in stories and their impact on futures thinking – especially in the context of emerging technologies and cyber security. She leads the Futures strand for the UKRI’s Digital Security by Design (DSbD) programme, and as RISCS Fellow, heads the ‘Anticipation and Futures Literacy’ research theme.
|
The stories we tell about cyber security often fail to land with the wider community. It is difficult to share stories that allow cyber risk and security advice to be shared with appropriate nuance and sensitivity. Too often we end up with “scare stories” and “disaster movie tropes and plotlines” that spread “Fear, Uncertainty and Doubt”. This makes it harder to share insights that resonate and have impact on customers. What can we learn from other storytelling and narratology techniques to allow us to build communications that resonate more formally? This probably means shifting from some of the disaster and militaristic terminology to terms that relate to public health and the way in which people work. This session will explore some of these issues and propose ways in which we could communicate using traditional storytelling methods to get business leaders to understand the nuanced aspects of cyber risk and resilience. |
15:10 |
5B: Using OSCAL to Manage and Assess Security Controls Across International Standards
Speaker(s):
Phil Bridgham,
Phil Bridgham Cyber Architect, Northrop Grumman (USA)
Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.
Thomas Clevely Product Cyber Security Specialist, Rolls-Royce (UK)
I am a product cyber security specialist at Rolls Royce in the UK with 15 years’ experience working across a broad spectrum of cyber security roles, including supply chain integration and risk management, enterprise network security, industrial control systems security and most recently product cyber security. Product cyber security, or the security of safety/mission critical embedded systems, is a fast paced and fascinating challenge. I feel privileged to be part of a global team and global community...
|
This session introduces NIST’s (National Institute of Standards and Technology) newly released standard called Open Security Control Assessment Language, or OSCAL. In this session we will survey the three layers and nine models that make up the OSCAL standard. This session will present and discuss examples of how OSCAL helps with defining security control catalogs, management of security profiles (or baselines), and definition of security plans. We will also examine how OSCAL can help to specify security assessment plans, capture assessment results, and help produce Plan of Action & Milestones (POA&M) reports. This session will provide hands-on insight into how OSCAL is used and helps to integrate standards and provide opportunities for security control management automation. This session wraps up with Q&A and a thought-provoking discussion about this new standard and the opportunities it presents. |
15:10 |
5S: Culture Eats Innovation for Breakfast, Disruption for Lunch and Agility for Dinner
Speaker(s):
Jaco Jacobs
Jaco Jacobs Senior Security Principal, Accenture (Netherlands)
Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.
|
Agile methodology is driving how businesses innovate, develop products and services, and take them to market. Hyper-personalization is the key ingredient in this recipe that is called success. Security is having a hard time, playing a perpetual game of catch-up and perceived as the blocker for doing business by increasing costs and overcomplicating almost everything it touches. It is essential that security, trust and transparency are adopted as CORE business values at the very top of the organization and are deeply embedded into the DNA of the business through an uncompromising cultural shift that will allow all employees throughout the business to make wise decisions about security. In this talk we will look at the importance of effecting large-scale cultural change to allow our beneficiaries to use the architectural artefacts that we create for them for the benefit of the business, and how SABSA can help us achieve this monumental task. |
16:10 - 16:30 Afternoon Tea
16:30 |
6A: The Art of Communicating Bad News
Speaker(s):
John Ceraolo
John Ceraolo Head of Information Security, Skilljar, Inc. (USA)
Mr. Ceraolo has been an information security professional for over 25 years in industries ranging from publishing, software, automotive and mobile technology to, now, healthcare analytics. He has frequently spoken at COSAC and other US-based security conferences. He holds his CISM, CISSP, and CISA as well as his Masters in Information Assurance from Norwich University.
|
Ransomware attacks, outages, general failure of your products – how much thought is going into your communications to your customers? Is it fully vetted by your legal counsel – and are you sure you aren’t making statements that are untrue or incomplete? How critical is timing? This session addresses the need for establishing a communication protocol in advance and walks through some of the good, the bad and the ugly from past incidents. Takeaways will be ideas on what to include, what to avoid, how quickly to communicate and making crisis communication a critical part of your incident response. |
16:30 |
6B: Dogma: Perfection is the Enemy of Good – Stop Thinking in Terms of Absolutes
Speaker(s):
Siân John MBE,
Siân John MBE Director SCI Business Development, Microsoft (UK)
Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption.
Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology.
Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...
Lesley Kipling Chief Security Advisor, Microsoft (UK)
Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.
|
“Perfect is the enemy of the good” is usually interpreted in the workplace to mean “better done than perfect”. But what is good enough in cybersecurity? Considering the NCSC’s recent blog post on Not perfect, but better, we will explore the arguments and counterarguments for better security. |
16:30 |
6S: There is a Time and Place for Everything – Bringing SABSA to Small and Medium Sized Business
Speaker(s):
Kathleen Mullin
Kathleen Mullin CISO, My Virtual CISO (USA)
Kate Mullin CISSP, CCSFP is an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information security as a profession. Kate currently...
|
This new and timely presentation focuses on the gap in guidance for new CISOs. Current information focuses on the first 90 or 100 days in large organizations where the CISO role is well established or where the CISO is coming in after a breach or other serious cyber security incident. This presentation is focused on those small and medium sized organizations that do not have the budgets and controls in place that are assumed by the vendors and consultants creating these guides. It presents an approach using SABSA and layering in controls based on business needs, then gradually growing information security by leveraging SABSA for new projects and the highest risk areas within Information Security itself. This allows the CISO to address the most egregious risks while establishing or re-establishing a security program where information security has been a checkbox driven by vendor promises or compliance requirements. IT and Information security have in many ways failed everyday users as well as small and medium sized businesses by creating tools that are complex and expensive. This session’s value is in providing guidance that helps new CISOs, and any small or medium sized business that hires them, to succeed. |
Tony Sale Memorial Lecture
17:45 |
7P: Living in a World of Covert Channels
Speaker(s):
Andy Clark
Andy Clark Director, Primary Key Associates (UK)
Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.
|
On 24 February 2020 Terence Michael Whall was found guilty by a unanimous verdict of the murder of 74-year-old pensioner Gerald Corrigan, who was shot outside his rural home in Anglesey on Good Friday 2019. Whall thought he had committed the perfect murder: there was no forensic evidence, no direct eye witness to the shooting and no one saw him travelling to and from the murder scene. During the trial the jury heard evidence of telematics data provided by Jaguar Land Rover showing the location of a suspect vehicle the day before, when Whall was reconnoitring the scene of the crime, the boot being opened at 23:11:04 and closed 39 seconds later when he removed the murder weapon. Evidence provided by Sky proved that Mr Corrigan’s satellite TV system was present at 00:08 at his home on the night he was murdered; at 00:28 he stopped a pre-recorded programme and the satellite signal was no longer present. When he went outside to investigate the problem, he was shot dead. Again, telematics provided valuable evidence of vehicle movement, the opening and closing of the boot following the murder and Whall making his escape from the scene. It is a credit to the hard work of those prosecuting this case that they were able to retrieve a body of critical evidence and present it clearly to the jury during the five-week trial. To many people it was a revelation that such levels of technical data were transmitted to third party companies routinely and without their understanding of the full scale of the activity. In this talk we will focus on how this example is only one of many instances of such data transfers. In new work we will detail how malicious actors might take advantage of an emerging standardised environment for vehicle to vehicle and vehicle to infrastructure communications to undermine efforts to monitor their activities. |
COSAC 2022 Gala Dinner
19:30 | Drinks Reception |
20:00 | COSAC 2022 Gala Dinner & Networking sponsored by SABSAcourses |
09:00 - 09:30 Registration & Coffee
09:30 |
8A: Liquidation of a Security Viewpoint
Speaker(s):
Pieter Siedsma
Pieter Siedsma Domain Architect Technology & Security, Heineken (Netherlands)
Pieter is currently the domain architect for technology & security for HEINEKEN. As a security architect he has been working for over 20 years in the overlap of technology and security. He worked mainly for a large global financial institution, with some side steps to the military and engineering. Now he works for the best beer company. Pieter also acts quite often as a threat hunter, engineer or “a guy with an opinion”.
|
At the end of 2019 I decided to change my career from the world of mainly digital products in a worldwide financial company to a world of fast moving consumer goods, BEER. Over the past 2 years I have seen some interesting parallels and differences between these two worlds. The session will explain how a beer company is changing from an offline traditional brewery to a modern connected brewery. We will focus on two aspects (and then mainly on the security aspects) of this transition. We will expand on the IT in the physical world, the so-called Operational Technology (OT) or Process Control Domain (PCD). The breweries and warehouses are built to last for a long time and the IT components were never designed with security in mind. This leads to some interesting challenges, both in threats to these OT components and in threats to the physical world that is controlled with these OT components. The other aspect of the transition to the connected brewery is the vast amounts of data that are collected for analytics in order to improve all parts of the “from barley to bar” processes. This ranges from the collection of weather data at the farmers to predict raw material quality to the collection of temperature and pressure data in customer installations to control the quality of the beer for the consumers. The session will conclude with some personal reflections on the security and control aspects of both worlds, where it will become clear that both worlds can learn from each other. |
09:30 |
8B: Privacy as part of the Environment, Social and Governance (ESG) Agenda
Speaker(s):
Valerie Lyons
Valerie Lyons COO, BH Consulting (Ireland)
Recently included as one of Europe's top 100 women in cybersecurity, Dr. Valerie Lyons is a highly experienced senior cybersecurity and privacy professional. Currently COO of BH Consulting (a data protection and cybersecurity firm based in Ireland), Valerie is also a subject matter expert in European data protection and privacy. She recently completed an award-winning PhD, researching organisational approaches to Information Privacy. She lectures on the topic of cybersecurity, privacy and ethics...
|
At RSA in 2022, key privacy leaders from Apple, Google, and LinkedIn concurred that privacy and security are set to join environmental, social, and governance (ESG) as important criteria that consumers use to determine if an organization’s values align with their own, and investors use to determine the financial health and sustainability of the organization. However, what does privacy as an ESG look like and how can we address it as privacy leaders? The speaker has investigated this rather nascent phenomenon for a number of years, and in this discussion presents an insight into the potential influence that privacy as an ESG may have on both consumer and organizational outcomes and gives a brief outline of the different types of privacy activities associated with ESG. |
09:30 |
8S: Transforming a Control-focused Organization into Risk-based Value
Speaker(s):
Peter De Gersem
Peter De Gersem Security Management Specialist, SWIFT (Belgium)
Peter is a security management specialist at SWIFT, the world’s leading provider of secure financial messaging services.
He has over 22 years of experience in information security, having covered a broad spectrum of security domains.
His current role is managing the SWIFT security assessment practice, from business objectives over threat landscape to deriving the security pain points and identifying security requirements that speak to both business and technical stakeholders.
|
This paper is about the journey, along a long and winding road, of the evolution of an organization. This organization has security as one of the main business drivers, which has enabled it to be the birthplace of SABSA, but also allowed a very large number of security controls and policies to be put in place such that over the years no one remembered exactly what purpose they actually served. Over the last decade, several steps have been taken to rationalize this situation, the most recent of which again focused on a control framework aligned with ISO 27002, linked to security risks on the classical CIA triad. The question of “Well, how will we report to our executives on how this effort brings value to the organization?” was the catalyst to ensure this control rationalization would be business driven after all, supporting an enterprise risk and opportunity strategy – and sneaking in SABSA concepts without formally calling it enterprise security architecture. |
10:30 - 10:50 Morning Coffee
10:50 |
9A: From Values to Decisions - Value Based Decision Making in Security
Speaker(s):
Siân John MBE,
Siân John MBE Director SCI Business Development, Microsoft (UK)
Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption.
Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology.
Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...
Genevieve Liveley Professor of Classics, University of Bristol (UK)
Genevieve is Professor of Classics, RISCS Fellow, and Turing Fellow at the University of Bristol. As a narratologist, she has particular research interests in stories and their impact on futures thinking – especially in the context of emerging technologies and cyber security. She leads the Futures strand for the UKRI’s Digital Security by Design (DSbD) programme, and as RISCS Fellow, heads the ‘Anticipation and Futures Literacy’ research theme.
|
Managing security is a human activity impacted by various conflicting interests. These interests can be well justified from the point of view of the person representing them, and often the decision maker does not have a well defined formula to resolve the equation. But security practitioners are obliged to take a position and make decisions – often based on incomplete information and under pressure from different interested parties. There are various situations in which this difficulty of decision-making manifests itself and the different points of view must be considered: security vs. privacy, trust vs. assurance, threat prevention vs. detection and correction of consequences, carrot vs. stick as motivator, detailed rules vs. principles and problem solving methods ... The above mentioned situations have something in common – a decision must be made between alternatives which both may be justified, and the solution cannot be found in the black and white scale or in a detailed rule book. What is the guide in this kind of decision making challenge? The answer is in the values – personal or organizational. In this session we will study the topic of value-based decision making applied to security management problems. The session participants are challenged by presenting some problems loaded with conflicting interests and by asking them to participate in resolving them. |
10:50 |
9B: Misinformation for Fun and Profit
Speaker(s):
Ashling Lupiani
Ashling Lupiani Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)
Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and an MS in Biomedical...
|
This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive. The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements. The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not. This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape. |
10:50 |
9S: What's the Point of Risk Appetite? How I Learned to Love Appetite to Feed Security
Speaker(s):
Andy Wall
Andy Wall Chief Security Officer, Office for National Statistics (UK)
Andy Wall is a cyber, information security & assurance leader with 25+ years’ experience within global & national commercial organisations and UK Govt providing business focused security advice & management. Currently Chief Security Officer at the Office for National Statistics, developing new approaches to secure operations of leading edge big data analytics that support the organisational mission of statistics production on a range of key economic, social & demographic topics.
|
Within most modern organisations data and underpinning services are at the heart of business operations. Increasing attacks on systems to obtain data force business leaders to choose how best to protect these assets. What drives these choices? Do leaders understand security risk relative to other business risks? At the Office for National Statistics we collect and process huge amounts of data – commercial, personal, business, intellectual. Our point in collecting this data is to give it to people to look at, link, match and analyse – it’s what we do as a business. Our security measures are based on the value of the data and the relative risk of access and processing. Can these decisions really reflect risk appetite – the choices that the business has made about the assets it values and how it wants to protect these assets? This session is a debate about risk appetite using the ONS approach that has emerged. It strongly links what the business cares about to the security measures actually implemented, directed by what appetite we’ve all signed up to. It features a lot of challenges and tests where risk ownership really sits in an organisation, but shows positive possibilities from trying to make risk appetite work in a complex environment as a meaningful driver for security. Ultimately it presents a series of hard-won lessons from ONS that bring security and business more closely together, highlights some hard discussions, necessary business trade-offs and what risk acceptance means in practice for security measures and mitigations. |
12:00 |
10A: Ransomware/Wiperware in Healthcare
Speaker(s):
Kathleen Mullin
Kathleen Mullin CISO, My Virtual CISO (USA)
Kate Mullin CISSP, CCSFP is an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information security as a profession. Kate currently...
|
This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds and manufacturers still sell systems with obsolete operating systems. Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware. The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals. The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives. |
12:00 |
10B: Digital Torches and Binary Pitchforks
Speaker(s):
Karel Koster
Karel Koster Manager IT - Information Security, FedEx Express Int (Netherlands)
Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes.
Prior to FedEx, Karel held positions as Head of Information Security, Information Security Officer, Security Architect and Operational Risk Manager within financial services companies.
For hundreds of years, in times of unrest, the people would use demonstrations, angry mobs, flyers, petitions and sometimes revolutions or civil wars as instruments to try and influence current affairs. In the 21st century these are still viable options; however, most of these now have digital equivalents, and our interconnected lives actually create a lot of new ones as well. We see social media campaigns, doxing, hacktivism, misinformation, dog whistles and foreign involvement in active elections, amongst others. Some of these are easily spotted, while others are more covert. During this session we will review the current techniques, trends, and impacts. With up-to-date knowledge, we can educate ourselves, our colleagues, and our families to try and minimize any negative impact to our personal lives, businesses, and society. Therefore, during this talk we will dive into the most used and most successful digital activism techniques, and we will explore:
12:00
10S: Cyber Risk Quantification Dilemma: Building Digital Resilience or Adding a Number to Our Gut’s Feeling?
Speaker(s):
Dimitrios Delivasilis
Dimitrios Delivasilis Director - Risk & Resilience, David Lynas Consulting (UK)
Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future proof information security strategies and helping organisations implement...
Despite the ever-increasing investment in cyber security, organisations are still struggling to architect an effective, integrated approach to cyber risk management and reporting. More often than not, decision makers have to rely on poorly structured reports which are skewed towards technical jargon and as such fail to convey an accurate or consistent articulation of the risk exposure. This presentation will cover the common pitfalls of attempting cyber risk quantification, even in mature end-client environments, in an attempt to frame the problem and identify its main root causes. It will then move on to introduce a more architecture-focused approach to building an integrated single data model that encapsulates the security fabric and holds everything together as an interdependent network of nodes. The structure of the data model, with its various layers of abstraction, provides a reliable fact base to support effective decision making. Most importantly, it breaks away from the siloed mentality and the disconnected thinking it usually fosters, puts the emphasis on what is materially important and communicates the most essential information for a complete risk profile.
13:00 - 14:00 Lunch
14:00
11A: Hiring and Managing in Infosec: The Importance of Brain Diversity
Speaker(s):
Ashling Lupiani, Kathleen Mullin
Ashling Lupiani Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)
Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...
Kathleen Mullin CISO, My Virtual CISO (USA)
Kate Mullin CISSP, CCSFP is an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information security as a profession. Kate currently...
This is a novel and unique discussion on who we hire and how we manage, from the perspectives of both neuroscience and information security. Debunking prevalent Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works. Utilizing the false concept of “left-” and “right-brained thinkers” and other myths about brain differences to explain how we think and decide influences perceptions, detracts from otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to create appropriate defenses against malicious hacking attempts, including hiring and managing diverse teams well equipped to tackle problems. The value in this session is providing information from current brain science to use in hiring and managing, including addressing gender bias. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain and the importance of diversity.
14:00
11B: Breaking Through the Metaverse
Speaker(s):
Ali Abdollahi
Ali Abdollahi Infosec Engineer, Picnic Technologies B.V. (Netherlands)
Ali is an Infosec engineer at Picnic Technologies B.V. and a researcher with a decade of experience working in a variety of fields. He was a trainer at OWASP Summer of Security 2020 and the 2021 July training, and a reviewer for the Springer Cluster Computing Journal as well as the 2021 Global AppSec US event. In addition, he was a speaker or trainer at IEEE AI-ML-Workshop-2021, SSD TyphoonCon, c0c0n2019, BSides Toronto, Budapest, Calgary, Newcastle, Barcelona, OWASP Ottawa chapter, Defcon RedTeam, AppSec and...
Since October of last year (2021), when Facebook changed the name of the parent company to Meta, we have heard the words Meta and Metaverse a lot. For the first time, this talk reviews all the vulnerabilities that threaten users and infrastructure owners at different layers. In general, the Metaverse is a full-scale digital life experience. This talk will cover all possible attack vectors that threaten Metaverse infrastructure as well as users. I will start with vulnerabilities in common layers, like specific flaws in libraries, basic classes and so on. Then I’ll go one step further to the component layer, which I think is very interesting, because we will deep dive into the P2P network, the database and the transaction verification module. The “Model Layer” will be the next stop in the session, to demonstrate potential vulnerabilities in Ledger and Account, which are the two main modules in this layer. In addition, in the “Service Layer”, the HTTP/query/subscription services will be under attack; these form the largest part of the Metaverse architecture, as they connect blockchain core node servers to the human-machine interface using APIs, JSON-RPC and WebSocket. The final section will be dedicated to endpoint clients, covering browser-based attacks and sophisticated attacks on mobile clients. In this talk I will emphasise both the security risks and the technical flaws in the Metaverse, from zero to hero. All adversary scenarios will be based on MITRE ATT&CK, and the vulnerabilities comply with both OWASP (Top 10, ASVS, MASVS) and NIST standards.
14:00
11S: SABSAfying the NIST Cybersecurity Framework
Speaker(s):
Glen Bruce
Glen Bruce Cybersecurity Consultant, GDB Cybersecurity (Canada)
Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...
The NIST Cybersecurity Framework (CSF) continues to be one of the de-facto global frameworks for representing the collection of information security policies, processes and controls for an organization to reduce and manage the risk of cybersecurity threats. Although the NIST CSF is widely adopted, it still lacks some of the elements deemed essential for a comprehensive program to effectively manage all of the business risk facing the organization. That is why many industry, regulatory and other organizations have addressed several shortcomings of the NIST CSF by augmenting the framework with additional components to fill in the missing pieces. In this session we will review the current state of NIST CSF development, how it has been adapted to a variety of requirements and how it is positioned to be continually leveraged for expanding adoption. During COSAC 26, a session was presented to introduce the SABSA Enhanced NIST CSF (SENC) project, which applies the SABSA method and thinking to provide a business risk driven foundation to augment the processes, practices and controls defined by the framework, for the benefit of the SABSA community. One of the elements to enhance the framework is to apply business attribute profiling to ensure the business risks are well considered and used to manage the risk and the overall effectiveness of the security program. Too often, the application of the NIST CSF gets a bit lost in the processes, technologies and controls while losing sight of the business value and risks involved. We will outline some of the interesting issues and challenges in applying SABSA to a framework and the winding path for progress. The session will provide some insight into the problems that the NIST CSF is solving and the benefit that SABSA brings to solve a larger problem. We will conclude with example content from the deliverables of the SENC project and what will be available to the SABSA community.
15:10
12A: What Got You Here Won’t Get You There: Forging Your Future in Cybersecurity Leadership
Speaker(s):
Valerie Lyons
Valerie Lyons COO, BH Consulting (Ireland)
Recently included as one of Europe's top 100 women in cybersecurity, Dr. Valerie Lyons is a highly experienced senior cybersecurity and privacy professional. Currently COO of BH Consulting (a data protection and cybersecurity firm based in Ireland), Valerie is also a subject matter expert in European data protection and privacy. She recently completed an award-winning PhD, researching organisational approaches to Information Privacy. She lectures on the topic of cybersecurity, privacy and ethics...
Your hard work is paying off. You have a successful career and are progressing in the field of cybersecurity or privacy (or both). But there is something standing between you and the next level of achievement. According to Marshall Goldsmith, author of the renowned book ‘What Got You Here Won't Get You There’, that something may just be one of your own annoying habits. Perhaps one small flaw - a behaviour you barely even recognise - is the only thing that's keeping you from where you want to be. It may be that the very characteristic that got you where you are - like the drive to win at all costs - is what's holding you back. Goldsmith explains how you can reach your full potential by eliminating 21 harmful work behaviours. He argues that while engaging in these behaviours may not have stopped you from getting “here” (your current level of success), they won’t get you “there” (the heights of success that you ultimately aspire to). For each behaviour, Marshall suggests a healthier choice that may more positively influence ‘getting there’. In this talk, I present those 21 harmful work behaviours that may negatively influence ‘getting there’ (many of these behaviours actually positively influence ‘getting here’) and discuss Marshall’s recommended healthier choices.
15:10
12B: The World is Not Enough, but the Metaverse Will Do
Speaker(s):
Jaco Jacobs
Jaco Jacobs Senior Security Principal, Accenture (Netherlands)
Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.
In 2021, Gucci sold a digital version of its Dionysus handbag on the Roblox gaming platform for $4,115, more than the price tag of the physical bag. K-POP supergroup BTS broke the record for the largest paid virtual concert with numbers peaking at 756,000 viewers, which pales in comparison to a Travis Scott virtual concert, held in partnership with Fortnite, that had 12.3 million unique attendees. In this talk we will be exploring what this means for architecting tomorrow’s continuum securely and how we can start preparing ourselves now for what is to come in the world of virtual and augmented reality. We will discuss the security impacts of full stack programmability, the use of cyber ranges and digital twins in attack simulation and recovery, and of course the importance of how, now more than ever, security needs to be seen as a property of everything else.
15:10
12S: Security Modelling Case Studies
Speaker(s):
Steven Bradley, Bonnie Demeyer
Steven Bradley Consulting Security Architect, Cyber Enterprise Modelling (Belgium)
Steven is an independent security consultant based in Brussels with 25+ years in IT. He has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities and also lends his support to local cyber-security initiatives.
His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation & modelling, leading to the foundation in 2021 of a niche consultancy in this...
Bonnie Demeyer Security Consultant, Cyber Enterprise Modelling (Belgium)
Bonnie is a freelance Security Analyst and Information Security Manager who has been working in, and advocating for, a model-driven approach to security since 2016.
She returns for her third COSAC as the co-founder of Cyber Enterprise Modelling: a niche consultancy specialising in the application and advancement of model-driven security.
Bonnie holds certifications in security, information risk management, privacy and ArchiMate.
Since a means of expressing security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema, and the approach has been made accessible through webinars, presentations and, this year, as a SABSA Training course with basic tool support. While COSAC 2018-21 traced the emergence of security modelling as a technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small scale, proof of concept ‘laboratory models’. For the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies, with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking, and where the technique might be headed in light of this experience. At the time of CfP, the contracts for this work are just being signed, with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint. The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.
16:10 - 16:30 Afternoon Tea
16:30
13A: The Case of the Mistaken Identity - When is an Architect not an Architect
Speaker(s):
Rob Campbell, Gordon Jenkins
Rob Campbell Security Architecture, PA Consulting (UK)
I'm a consulting security architect in the UK. I have over 30 years' experience in IT, with 25+ focused on security across sectors. I consider myself more an Enterprise Architect who works in security than an Enterprise Security Architect, because I end up having to do both more often than not. I love learning and also contributing, and am known to share useful personal intellectual capital to help bring on our great profession. I am a nerd with interests that extend beyond security and...
Gordon Jenkins Head of Security Architecture, Admiral (UK)
Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 25+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 13 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.
The title of Security Architect is used often and in many different ways. As a result, people's interpretation of the role varies, leading to many different issues across the industry and within organisations. You just need to look at job descriptions on any job board to realise that no two definitions are the same. “So what?” you say, “what does it matter?” Well, let’s start with education and recruitment. How does one become an architect if the industry doesn't know what an architect is? And how does an architecture hiring manager know that they are hiring the right people? More significantly, it can lead to architecture being misunderstood, undervalued or completely ignored. When architects can't clearly describe who we are and what we do, how will business leaders understand the purpose and value of security architecture in their organisations? As a result, architects are often expected to perform roles that don't actually add value to the architecture. In turn, the architecture fails to meet business expectations and becomes undervalued and under-invested, sometimes leading to the collapse of the architecture function. Within this session, we will break down common architecture definitions and misconceptions, explore the constraints this problem presents, and explore how we, as architects, can start fixing the problem. The journey will begin in our own organisations, but we need to explore how to address the issue across industry and education. Ultimately, the aim is to be better at explaining what we do and why it matters to the business.
16:30
13B: This was Solved in an Alternate Dimension: Demystifying the Quantum Threat to Encryption
Speaker(s):
Rob Hale
Rob Hale Fellow, Lockheed Martin (USA)
Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks.
This session will take a look at the threat quantum computing poses to encryption algorithms. Based on the concepts of Shor’s algorithm, quantum computers should be able to rapidly compromise current encryption algorithmic solutions, putting massive quantities of data at risk of breach. However, the threat itself is pretty well defined, though rarely explained. For example, the threat posed by Shor’s algorithm is contained to asymmetric algorithms and does not extend to symmetric algorithms. This is still a major threat; however, it demonstrates the need to take an open and honest look at what quantum computing can do in the near term rather than fear the unknown unknowns of quantum technologies. This presentation will look at strategies for employing both pre- and post-quantum algorithms to address encryption across a notional enterprise. It will discuss the current state of quantum-resistant algorithms, and examine how emerging processes and technologies in quantum random number generation, key management, and deployment can and should be addressed by organizations over the next 5-7 years.
16:30
13S: A SABSA Approach to Health and Well Being
Speaker(s):
Michael Hirschfeld
Michael Hirschfeld Director, David Lynas Consulting (Australia)
Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.
I had a brilliant 2019, having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland, but like many of us my follow-up experience in 2020 was less than ideal, and I came out of that year needing to take stock of my general health and wellbeing. It is a shared observation of my colleagues that as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon. We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life. In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being "retirement fit". I took a haphazard approach and by the end of the year I realised three things: Firstly, this is not a one-year project – it is going to be an ongoing iterative process. Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach. So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes. This presentation uses SABSA as a framework for health and wellbeing and presents the fundamentals of SABSA in a non-security and non-IT context.
17:45
14P: The COSAC Rump Session
Speaker(s):
David Lynas
David Lynas Chairman, COSAC (Northern Ireland)
David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:
• Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 5th October.
Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.
Drinks Reception & Dinner
19:30 | Drinks Reception |
20:00 | Dinner |
09:00 - 09:30 Registration & Coffee
Workshop W1
09:30
Cyberwar and the Law of Armed Conflict
Speaker(s):
Lawrence Dietz, Elizabeth O. Dietz
Lawrence Dietz General Counsel, TAL Global Corporation (USA)
Lawrence Dietz, Attorney, has served as General Counsel of TAL Global since April 2010, where he has had extensive experience in international contracts. Prior to joining TAL Global, Dietz served in senior roles at Symantec Corporation, including Director of Market Intelligence and Global Public Sector Evangelist. He retired as a Colonel in the U.S. Army Reserve and is the author of the authoritative Blog on Psychological Operations (PSYOP).
Elizabeth O. Dietz Professor Emerita, San Jose State University (USA)
Dr Elizabeth 'Liz' O. Dietz, EdD, CS-NP, CSN, FAAN began her nursing career as a Lieutenant Junior Grade, Charge Nurse for the US Public Health Service during the Vietnam Conflict. She is a Professor Emeritus of Nursing from San Jose State University after a 29-year career there. She has been a volunteer with American Red Cross in Service to Armed Forces, Disaster Health Service Manager, Expert Instructor in International Humanitarian Law program, as well as Regional Disaster Lead for the...
This interactive session puts participants in the middle of the legal dilemmas and uncertainties of cyberwar and the application of International Humanitarian Law (IHL), or the Law of Armed Conflict. A very basic primer on IHL, based on the International Committee of the Red Cross fundamentals, will be presented in the first half of the class. During the second half of the session, hypothetical and/or historical vignettes of cyberspace operations will be presented. These may include denial of service attacks on the power grid and health resources, as well as phishing and intelligence operations aimed at commercial entities. Other targets and techniques may be used as well. Charges in the form of potential IHL violations will be developed based on the scenario. Participants will be selected to portray prosecution, defense and a jury. Each side will be allowed to present a 5-minute opening and closing argument. Once these are completed, the jury will render a verdict. An open forum will be held to discuss the trial(s) and identify key issues.
Workshop W2
09:30
Security for the Gobsmacked Human
Speaker(s):
John O'Leary
John O'Leary President, O'Leary Management Education (USA)
John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.
They’ve had enough. They just get used to one environment and some SOB changes it. And we security geeks want to add change to the change. No wonder they growl at us. Complex, ever-evolving work environments turn communities of competent, veteran users into fumbling rookies who make new-guy mistakes, some of which impact security. Organizational restructuring is almost a constant. People still resist change, make mistakes, painstakingly follow bad security practices and get socially engineered. And bad guys find creative ways to defeat our newest, most sophisticated security measures. We’ll give guidance for coping with human foibles, complexity and change in securing our vital assets.
Part 1 – Securing the semi-predictable humans – Phishing, really automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.
Part 2 – Securing the ever-changing organization – Change agents that can seriously affect security are gaining traction everywhere. Massive organizations are making their own rules and privacy decisions, at least until governments levy gargantuan fines. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.
Workshop W3
09:30
Ask us Anything: A Q&A Session With a SABSA Master’s Panel
Speaker(s):
Maurice Smit, Chris Blunt
Maurice Smit Principal Security Architect, David Lynas Consulting (Netherlands)
Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.
Chris Blunt Enterprise Security Architect, Aflac NI (Northern Ireland)
Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy.
He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.
In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions often have an answer that ultimately resolves to the response “it depends”. This is because, most of the time, it is true: the answer to your question or problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in. In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Masters in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation, and we will attempt to cover as many topics and questions as possible. Of course, in the “COSAC way”, there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.
12:30 - 13:30 Lunch
13:30
SABSA World Forum at COSAC 2022
Speaker(s):
Maurice Smit
Maurice Smit Principal Security Architect, David Lynas Consulting (Netherlands)
Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.
At COSAC 2022 we will organise the SABSA World Forum meeting. We hope you will attend while you are there at COSAC. During the Forum session, we would like to hear your opinion about what the future may hold for SABSA: what can be done, and what should be done, for the members, for the Institute, and for SABSA as the framework and methodology. If you have any suggestions or ideas to put on the agenda, let us know beforehand. The SABSA World Forum meeting will be held at COSAC on Thursday October 6 from 1.30pm to 3.30pm. Looking forward to seeing you there.
15:30 Conference End