Welcome to COSAC - Conferencing the way it should be!

For 25 years COSAC has delivered a trusted environment in which to deliver value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Registration is now open.

Sunday 30th September 2018

19:30 Delegate Registration
19:30 Drinks Reception - Sponsored by Killashee
20:00 COSAC 2018 Welcome Dinner

Monday 1st October 2018

COSAC Masterclasses are full-day, 09:30 - 17:30

Breaks:
09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 18th International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 18th International Forum should once again prove to be a microcosm of the COSAC experience – seasoned security veterans trading ideas and opinions based on real experience in real situations; heavyweights offering and defending their opinions, but ever-willing to help others and learn from each other; trenchant analysis of recent security-related events and trends from perspectives illuminated by knowledge and experience. The moderator posits real-life scenarios, asks a question or two about relevant issues, then tries to not get in the way so that participants may discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

Back in the pre-cloud, pre-Ransomware, pre-GDPR, pre-Cambridge Analytica and pre-IoT era when the professionals attending COSAC started this 1-day full-body immersion in the COSAC way, the overriding premise was that “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” That’s still true. In late 2018 we’ve been handed some truly original problem scenarios, ones that could keep us busy 24/7 seeking viable solutions or workarounds. But we can’t devote 24/7 to the new issues because the old ones also keep rearing their heads and roaring, perhaps with updated verbiage and at different decibel levels from their original manifestations. What makes the Forum so valuable is learning from the hard-earned skills, fortitude and wisdom of others who have run this gauntlet, perhaps several times, are facing similar challenges and know how to avoid or survive the tomahawks.

The discussions (and arguments) started here in the Forum almost always continue throughout COSAC, sometimes even beyond that, leading to unique, realistic and workable solutions to seemingly intractable dilemmas. Come join us and help solve the information security problems of the world and develop unerring predictions for the future.

Masterclass M2

09:30 Understanding the Least Understood Link in Security: The Human Speaker(s): Lynette Hornung,

Lynette Hornung

Senior Enterprise Security Architecture & Privacy Manager , TCG (USA)

Lynette Hornung is a Senior Enterprise Security Architecture and Privacy Manager with TCG, Inc. She holds her SABSA Foundation, SCPR in Risk Assurance and Governance, SCPA in Architectural Design and her CIPP-US. She has over 20 years of experience in information security and privacy. She has worked with a variety of federal agencies, providing enterprise security architecture, computer security and privacy solutions and services while working with a variety of stakeholders.
Esther van Luit,

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.
Helvi Salminen,

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years' experience in systems development. Helvi is a founder member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is a qualified CISA, CISSP and SABSA practitioner and was awarded CISO of the Year in Finland in 2014.
Char Sample

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland and with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

A frequent quote among security professionals states, “the human is the weakest link in security”. We challenge this statement, suggesting instead that the human is the least understood link in a security system. This workshop provides the foundation for understanding the last (or perhaps first) frontier of the security landscape… the human mind.

This workshop is designed to improve the understanding of the human and the complex relationship between the human and machine when making decisions, while explaining how this relationship influences and impacts the security environment. We offer a fresh examination of the human security relationship with the hope of making security user enabling. This requires examination from several points of view, including the following:
• Understanding the commonalities and differences between humans and machines.
• Understanding how the human-machine relationship gives rise to complex systems.
       o Defining security in this way, we will also discuss complexity theory and how it relates to human-machine behavior.
       o A discussion of neural networks and other classifiers in behavioral modeling.
• Artificial intelligence technology is increasingly applied in various contexts, including security. In many areas of expertise people fear – sometimes for good reason – that AI systems will make their skills obsolete.
       o What does it mean in security?
       o What prevents AI systems from providing optimal performance?
       o Can AI systems be subverted?
• Perception management and how it can be manipulated in spite of target awareness.
       o Factors that influence problem perception, organization and data formation, and why this is important in the age of AI
       o Data encoding & visualization
       o Context recognition and evaluation
• Understanding of the human brain from biology to decisions.
       o Can the brain be re-programmed?
       o Hardwired, learned, conscious and unconscious behaviors
• Environmental factors (physical reality, virtual reality and augmented realities) and how the brain acts and responds in these environments.
• How to apply these discussions to security in your organization.

Masterclass M3

09:30 The 4th COSAC Design-Off Speaker(s): Jason Kobes,

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.
William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare or PCI standards.

Returning for a 4th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region, for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made up of people with different skill sets and skill levels, and team members will actively engage each other to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Last year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and communicating effectively with the client. There can be only one winning team, but all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes will be awarded by the moderators to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started when there are challenges. These design workshops not only build teams from people who may never have worked together before, they challenge the groups to overcome those challenges quickly.

Networking & Dinner

18:30 Drinks Reception
19:00 Dinner

Tuesday 2nd October 2018

09:00 - 09:30 Delegate Registration & Coffee

09:30 1A: Hiding in Plain Sight Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks. 

This presentation will walk through a history and demonstration of steganographic tools as well as a demonstration of how data can be hidden and recovered from broadcast audio. Steganography has been a mechanism for hiding data since 440 BC but has enjoyed a renaissance in the computer era. Although steganographic techniques have continued to evolve from the early days of hiding data in images and audio files to more complex network communications techniques using TCP and VOIP, this mechanism for data exfiltration still remains a viable means to thwart cyber defenses. This presentation will demonstrate classic steganographic techniques, newer techniques using audio and light to transmit data, and techniques exploiting the network communications protocols themselves to transmit hidden information. The presentation will contain live demonstrations of these techniques and will provide common steganographic tool sets.

09:30 1B: Are We All Just Snake Oil Salespeople? Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

“We cannot solve our problems with the same thinking we used when we created them.”

- Albert Einstein

Join me for a rant, I mean discussion, about the potentially damaging approach we continue to take to address the information security problems we face.

Information Security is not a science, in fact, I'd argue it doesn't even qualify as art. So, what is it then? The closest thing I can find to equate it to is folklore.

Security solutions have been handed down from generation to generation, either as oral histories or enshrined in texts as 'best practices'. As a result, we employ the same control or combination of controls over and over again to address a particular security problem and expect different results, which as the old saying states is the very definition of madness.

I’ll discuss some standard information security practices and solutions and explore their origins, before looking at whether they are even designed to solve the problems they are applied to.
I’ll then discuss why we need to abandon the status quo and refocus our efforts on understanding the problems.

09:30 1S: Cloud Security Architecture: A Place to Start Speaker(s): Gordon Jenkins

Gordon Jenkins

Enterprise Security Architect, Structured Security Ltd (UK)

Gordon is a security architect, working as an independent consultant since the beginning of 2018. He has 20+ years' experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions and asset management. He has worked as a security architect for the last 9 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

There is a sudden and rapid push to take advantage of cloud platforms, even in the highly regulated sectors that previously considered cloud too risky. This poses a challenge for security teams and architects - the security strategy for cloud needs to develop at that rapid pace.

A set of cloud security reference patterns would help security teams coming to the cloud for the first time, especially in organisations that lack the architecture skillset or just need a boost to get started quickly. However, I haven't seen any attempt to describe such a set of patterns.

I set out to develop a set of generalised cloud security patterns, starting from the Cloud Security Alliance's top 12 threats. For each threat I followed a SABSA thought process to derive high level control objectives and security capabilities, and a reference pattern diagram that places the capabilities in an enterprise context.
These generalised patterns support a variety of conversations, from threat and opportunity discussions with senior management, to requirements discussions with cloud solution analysts and designers. The process can be repeated to customise the patterns, or it can be iterated to add and refine details, allowing security architects to keep up with their cloud programme's expanding demands.

This session will describe the process followed and share examples of the reference patterns derived. The patterns and process are generic and will be published for use by the community.

10:30 - 10:50 Morning Coffee

10:50 2A: Industrial Internet of Things & Industry 4.0: Architectural & Security Challenges Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is the leading industry expert on cyber threats in the built environment and supports infrastructure protection. He has written four guidance documents for the IET on cyber security in the built environment, ports and vessels. 

Adoption of Industrial Internet of Things (IIoT) and Industry 4.0 solutions will create a number of architectural and security challenges affecting the safety, security and resilience of manufacturing and processing systems. This session will set the stage by reporting on recent IIoT research undertaken as part of the PETRAS programme, a UK Research Council funded initiative that is examining the security of the Internet of Things. We will then examine how proposed IIoT and Industry 4.0 architectures impact current industry practice, e.g. the Purdue Model for security of industrial control systems, and the potential gaps in the current standards landscape. Topics to be addressed include: de-perimeterization of cyber-physical systems, integration of systems across the supply chain and increasing integration of design and manufacturing systems.

The session will also look at the challenges we face in seeking to adopt appropriate and proportionate information management measures to address the provenance, quality and security of the data and information that lies at the heart of these implementations.

Join us to explore the challenges of the fourth industrial revolution that will face enterprise IT departments and their engineer colleagues responsible for operational technologies used in manufacturing and process control as they seek to implement IIoT and Industry 4.0 solutions.

10:50 2B: 25 Years of COSAC = 4 Generations of Security Professionals Speaker(s): Todd Fitzgerald

Todd Fitzgerald

SVP, Chief Administrative Officer - Information Security & Technology Risk, Northern Trust (USA)

Todd is SVP and Chief Administrative Officer – Information Security and Technology Risk, Northern Trust. He led multiple Fortune 500/large company information security programs for 19 years, was named 2016 Chicago CISO of the Year by AITP, ISSA, ISACA, Infragard and SIM, ranked Top 50 Information Security Executive and authored 3 books on Information Security. 

Since COSAC began, we have added 2 generations of security professionals, yes, TWO!! - Generation Y (Millennials) and now Generation Z (or the iGeneration). What does this mean for the workforce? Why are we different? How are we different? This session will explore, in a fun, interactive way involving the participants, our differences in technology, work expectations, family values, how we were raised differently, and most importantly WHY they are different and the implications for information privacy and security. Understanding these differences will enable greater respect, acceptance, team building and leadership, and build better relationships between all 4 generations (Boomers, Generation X, Y and Z).

10:50 2S: Agile SABSA? Yes, You Can Speaker(s): Andrew S. Townley

Andrew S. Townley

Founder & CEO, Archistry (South Africa)

Andrew is an international speaker, published author and thought leader on business execution, security, risk and technology who has extensive practical, hands-on experience working in the US, Europe, Middle East, Africa and Brazil. His Enterprise and Security Architecture experience includes leading SABSA adoption organizational change initiatives for Fortune Global 300 customers and is built on not only SABSA certification but personal mentoring by two of SABSA’s principal authors.

Frustrated because they won’t let you do proper security architecture? You know it's a critical part of a security program, so you're trying to fit it in around the edges, but it never quite happens. You're staying late, you're trying to do what you can for the bigger picture, and yet projects are still delayed, customers are upset and "security" is still a bottleneck.

It doesn't have to be like that. Really.

We all know that the SABSA lifecycle is a control-feedback loop, and we all know from the SABSA Foundation course that the recommended approach to applying SABSA in practice follows “architecture as sketch.” However, after speaking with dozens of SABSA practitioners around the globe, it seems that it’s harder than it should be to put that guidance into practice, especially in agile organizations.
This perceived dissonance between SABSA and Agile is a big problem, and it undermines the confidence of competent architects who know architecture is important.

How big is the problem?

According to the VersionOne 11th Annual State of Agile Report, 94% of their respondents practice agile, 60% of those have been using agile for at least 3 years, and 71% of the respondents indicated they were doing or would be doing DevOps by next year.

Obviously, there’s probably a self-selection bias here and the exact number of respondents seems vague, but that won’t change the way these stats might be used by executives to drive Agile and DevOps adoption in your organization. All that aside, the trends are repeated in other research, so if we’re committed to keeping our organizations safe, we’d better also be committed to figuring out how to do it right in the current and future environments we have.

In this session, we’re going to give security architects who are struggling to leverage the full power of SABSA in agile environments practical ways SABSA enhances and enables agile and Dev[Sec]Ops.

Specifically, we’ll cover:

• An initial summary of Agile, Agile Architecture and Dev[Sec]Ops
• How SABSA makes agile faster, easier and more consistent
• What foundations need to be in place to enable Agile SABSA
• An iterative interpretation of the SABSA Lifecycle
• A walk-through of Agile SABSA for different types of security demands

The fundamental objective of this session is to give you ideas you can put in practice once you get back to the office so you can expand your practice of SABSA and enhance the effectiveness of your security program as a whole.

12:00 3A: 5G, A Quantitative Evolution in Need of Qualitative Security Speaker(s): Mary Dunphy

Mary Dunphy

Security Architect, TEK Systems (USA)

Mary is an IT Security Architect for TEK Systems. She has worked on projects in advanced cyber defense for RSA and as Program Manager for Vendor Solutions/Integrations for Google headquarters in Mountain View, CA. Mary is the former CTO for Pro-Tec Design, where clients included DHS, MSP, Best Buy, City of Minneapolis, FBI and departments at all levels of government. She also provided consulting services for the Attorney General Settlement Agreement and the Office of the Comptroller of the Currency.

With the coming of 5G mobile technology there arise additional security considerations. There will be the need for new trust models and service delivery modules, an evolved threat landscape, as well as privacy concerns. This session will open a dialog that may help shape the trajectory of security long before the projected 2020 planned implementation of every post, building and vehicle bouncing super high frequency or beam-forming frequency waves. This technology builds out the IoT to include things such as augmented reality amongst other enhanced capabilities.

12:00 3B: Who Shifted My Paradigm? Speaker(s): Glen Bruce,

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures and Policies supporting business and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.
Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security. 

The evolution of information technology has prompted many fundamental changes to the way we conduct business, both at the enterprise and individual levels.

Protection of information / assets is often an afterthought, in response to a belated recognition of problems introduced by these changes. From a security perspective, the realization that a significant change - a paradigm shift - is occurring often doesn't strike until the change is well underway. This session will examine the definition of a paradigm shift, how these shifts can fundamentally change our environment, and how the protections required for that environment need to keep pace. Understanding paradigms and how to recognize when they shift is essential to ensure we can continue to manage associated risk. 

We will discuss past examples of significant changes and their impact on security. Using our definitions and characteristics, were these paradigm shifts or not?

Then we will look at two current potential paradigm shifts that are fundamentally changing the way business is conducted. What are the security models required to meet these foundational changes?

Finally, with your help, we will identify a set of rules to recognize when a paradigm shift may be occurring, and establish some basic guidelines for staying ahead of an occurring shift.

12:00 3S: Delivering DWP Universal Credit in an Agile Way Using SABSA Speaker(s): Mahbubul Islam

Mahbubul Islam

Head of Secure Design, Department for Work and Pensions (UK)

I have 10+ years of experience in numerous aspects of security from GRC to Security Architecture. Currently Head of Secure Design at DWP, I have held numerous senior security positions in UK Govt. I hold certifications in SABSA SCF, CISM, CESG Certified Professional & ISO27001. I also have a PGDip in Information Security from Royal Holloway and an MSc in IT Consultancy from London Metropolitan University. I am a Chartered Security Professional and a member of the Security Institute.

DWP is rolling out a multi-billion pound solution called Universal Credit (UC). It is the biggest welfare programme in a generation. It is the first to be built from the ground up with embedded security, as opposed to security as an afterthought.

The presentation will demonstrate how SABSA was applied initially for domain modelling and to ensure the correct level of decision making was taking place whilst reducing Shadow Security. This included an extended RACI, as the organisation is too large for a standard RACI.

Additionally the programme focused on attributes at business level which then worked hand in hand to trace controls. Whilst the whole programme is being delivered in an Agile way, each control can be linked to the first principles, and then prioritised for delivery.

I have re-used some controls diagrams to demonstrate 3 layers of the SABSA framework, with clear RAG ratings on each diagram, which makes it easy for management to trace their investment. This is what colleagues with experience can take away for board level discussions.

I will talk about the next steps with UC, and how UC is managing risks and opportunities and in particular managing the security debt whilst exploring opportunities.

Applying SABSA in an Agile way is still maturing; it is anticipated that this session will open further discussion points on how to apply the framework without losing control.

13:00 - 14:00 Lunch

14:00 4A: How to Rob A Bank Over The Phone Speaker(s): Joshua Crumbaugh

Joshua Crumbaugh

Chief Hacker, PeopleSec (USA)

Joshua is one of the world's leading security awareness experts and a world-renowned cyber security speaker. He is the developer of the Human Security Assurance Maturity Model (HumanSAMM) and Chief Hacker at PeopleSec. He is also an expert social engineer who has talked his way into bank vaults, fortune 500 data centers, corporate offices and restricted areas of casinos. His experiences highlighted a significant need for a better "human solution" leading to a passion in social engineering.

Lessons Learned and Real Audio from an Actual Social Engineering Engagement

This talk will be 50% real audio from a social engineering engagement and 50% lessons learned from the call. During this call I talk a VP at a bank into giving us full access to his computer as well as facilities. At one point during the call, the AV triggers (thanks to a junior submitting the payload to virustotal :)). This is an intense call with a ton of valuable lessons for any social engineer or defender looking to learn how to identify attacks.

• Importance of recon and how it can help in social engineering
• Why it's important to know what information attackers can get about you and your organization and how this data can be used against your organization.
• How to create a good pretext
• How to spot the pretext
• Building rapport
• Playing to selfish interests of the target
• What to do when things go wrong – (During the call an antivirus triggers – very intense moment)
• The importance of never breaking cover
• The importance of being aware of and spotting red flags
• How multiple social engineering attack vectors can be chained together for more effective social engineering engagements

Approximately 25 minutes of the total 45 minutes is sanitized audio from the social engineering call.

14:00 4B: Agility Revisited - In Search of the Philosopher's Stone Speaker(s): Helvi Salminen

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years' experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is a qualified CISA, CISSP & SABSA and was named CISO of the Year in Finland in 2014.

The classical Philosopher's Stone was believed to have many beneficial properties. The most common belief was in its ability to transmute base metal into gold or silver. This magic stone was also believed to have the power to heal all forms of illness and to prolong life. The ability to resolve many minor problems was also considered to be within its competence.

Agile methods have been valued by many people as the philosopher's stone of software developers. The lean management method has been seen to bear an equal halo, first in the manufacturing industry and then in many other areas, including the management of IT services.

The agile approach applied to security management got some attention a few years ago. However, it did not gain much interest among security professionals. Even today, articles, research or examples of agility in security management are hard to find.

Does the increasing number of regulatory requirements lead the agility-oriented security professional to a dead end? Is agility just a daydream for security managers?

My answer is no. 

The increasing complexity of the security landscape makes agile thinking and acting more important than ever. In this session we discuss why, and by following the ideas of agility applied to security management we may find something useful: maybe not the philosopher's stone that magically resolves all problems, but an improved ability to identify and implement good security solutions.

14:00 4S: SABSA Modelling in Archimate Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Lavender Bytes Consulting (Belgium)

An independent consultant with 25+ years in IT whose interest in application security began with the Millennium bug, and a first-time speaker at COSAC. He is based in Brussels, where he has undertaken major assignments for clients in the public sector, agencies, finance, telecoms and utilities, and also lends his support to local cyber-security initiatives. Much of his work in recent years has been in the field of developing tools, processes and models to support security analysis.

I propose a presentation on the development of security architectures (specifically, the artefacts generated by the SABSA process) using the ArchiMate modelling language. 

The presentation is in two parts in which the first explains: 

- the drivers & benefits of integrating security into models; and

- the techniques for expressing security within ArchiMate's notational constraints, its capacity for extensibility and tool support. 

The second extends the first by exploring (and hopefully demonstrating) some novel approaches for computer-assisted security design (incl. model validation, query & evaluation, control selection etc.) that become feasible once security concerns have been captured in a formal notation. 

15:10 5A: Go Hack Yourself: Moving Beyond Assumption Based Security Speaker(s): Brian Contos

Brian Contos

CISO, Verodin (USA)

Brian Contos is the CISO & VP Technology Innovation at Verodin. Brian has over 20 years' experience in the security industry. He is a seasoned executive, board advisor, security company entrepreneur & author. After getting his start in security with the Defense Information Systems Agency (DISA) and Bell Labs, Brian began the process of building startups, taking multiple companies through successful IPOs & acquisitions, including Riptech, ArcSight, Imperva, McAfee and Solera Networks.

You have many security products, probably too many. But you are still not secure, because it is nearly impossible to know whether your security products are actually doing what you want. Through live network and endpoint attack demonstrations, see how to use attack behaviors from Bartalex, Vawtrak, Mimikatz, PowerShell, tunneling and others to validate that your security products are actually working. See startling statistics, based on real-life case studies, that illustrate how ineffective many organizations, some with massive security budgets and teams, actually are because of a lack of validation. See how you can turn these attacks into an opportunity to instrument more effective security.

15:10 5B: Whoever Said (Security) Innovation Was Straightforward Speaker(s): Martin De Vries

Martin De Vries

Information Security Officer, Rabobank (Netherlands)

Martin has worked for Rabobank his whole working life, starting in project management in 1998. In 2005 he moved to the international side of the organization as a Service Manager for Rabobank's direct banking initiatives, and in 2008 he changed to security: first as a Security Officer for the direct banks and later (2012) as a Global Security Officer with a focus on Retail (until 2014) and on IT and Software Development. Since October 2016 his focus has been on innovation.

Rabobank was the first bank to launch an online banking platform in the Netherlands, back in the late 1990s, and has been innovating its banking services ever since, not only from a business perspective but also from a security perspective. As we all know, innovation doesn't necessarily follow the beaten track. Its journey is, or might be, filled with surprises and unexpected turns.

In this presentation I would like to share with the COSAC audience two experiences of (security) innovations that came out successfully, but differently from the initial intentions: a behavioral biometrics solution that turned out to be great at crushing bot attacks, and a social media payment initiative that turned out to be an excellent fraud killer. I will provide insight, under the Chatham House Rule, into the journey of the two initiatives and share the initial scope, the surprises, the lessons learned and the successful implementations. It will provide an interesting insight for the experienced COSAC audience.

15:10 5S: The Missing Link - A Universal Security Capability Model Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, NBN Co (Australia)

Andreas is an Enterprise Security Architect for Australia's national broadband network (NBN Co). At nbn he is responsible for defining the Security Strategy and Roadmap across the organisation. Prior to nbn, Andreas worked for Deloitte and HSBC in the role of Enterprise Security Architect, developing Enterprise Security Architecture Frameworks and solutions. Andreas is currently the Research Director on the ISACA Melbourne Chapter board and an industry advisor to various organisations.

Most organisations have a constant need to adjust to changing market conditions and new customer demands if they want to survive in the long run. As business objectives and priorities are adjusted in response to the market, organisations need to adapt and fine-tune their business capabilities, including their security services. Security service gaps need to be identified and immature services need to be optimised in order to survive the constant battle for supremacy.

From a security perspective, one of the challenges for organisations often appears to be that they have immature processes in place for quickly adjusting their business, including their security services. While SABSA provides a mature methodology for the delivery of security architecture, organisations often struggle to implement a framework around it that optimises the delivery process itself. Further tools and processes need to be developed to address this issue and assist organisations in maturing and adjusting their security services faster and more efficiently. One of these tools could be a security capability model that complements the idea of a security service catalogue by providing a pre-defined security service taxonomy through the definition of meaningful security capability domains.

In this session we will be looking at an organisation-independent security capability model that defines a well-structured set of security capability domains and associated security capabilities. This model, as part of an Enterprise Security Architecture Framework, can assist larger organisations in more systematically assessing, communicating and transforming their security services landscape. The presented security capability model is based on experience gained through the implementation of similar models at various organisations across different industries. It has also been analysed against various control frameworks and their grouping of controls, which we also touch on.

At the end of this session, participants should be able to understand the value of such a reference model and how it can be utilised within an organisation. 

The key takeaway from this session will hopefully be a new viewpoint on the importance of security governing structures when faced with the challenge of more systematically and efficiently maturing an organisation's security architecture service landscape.

In the spirit of COSAC, this session is designed to be interactive and will allow participants to share their experiences in similar circumstances, governing and maturing the process of continuous security architecture solution delivery in an organisation. This session will provide attendees with an insight into some issues that were encountered during the development of the model and its introduction into other organisations with a less mature security architecture framework in place.

16:10 - 16:30 Afternoon Tea

16:30 6A: NATO Resilience by Design: Enhancing Resilience Through Cybersecurity Speaker(s): Perri Nejib, Edward Yakabovicz

Perri Nejib

Technical Fellow - Cyber Solutions Architect, Northrop Grumman (USA)

Ms Nejib has 33+ years of system engineering and program protection experience and 27+ years of technical leadership & DoD acquisition management experience. She is currently part of the Advanced Cyber Technology Center (ACTC) as one of its senior engineering consultants and is deployed to the Missile Defense & Protective Systems Division (MDPS) as Cyber Solutions Architect. In this role she supports key programs, serves as a stakeholder on MDPS IRADs and provides SSE subject matter expertise.

Edward Yakabovicz

Technical Fellow, Northrop Grumman (USA)

Edward Yakabovicz is an innovative technical leader at Northrop Grumman responsible for advanced technologies for enhancing cybersecurity, resilience, and security engineering throughout enterprise, SCADA, and the Internet of Things. He is a doctoral candidate in cybersecurity researching the current human capital crisis and the inability to staff cyber-related jobs.

Cyber Resilience (as opposed to merely risk-based approaches) is a topic of ever-increasing interest in the literature and in practice, with many nations expressing it in their cyber strategies in order to apply newer practices for protecting systems from the rapidly changing cyber threat environment. This presentation addresses the engineering-driven actions necessary to develop more resilient systems by integrating Cyber Security / Systems Security Engineering (SSE) into the well-known Systems Engineering (SE) process. This concept, shown in Figure 1 (see attachment), infuses systems security engineering techniques, methods, and practices into systems and software engineering system development lifecycle activities, so that security becomes part of the core solution and process rather than an isolated and expensive add-on, bolt-on, separate task or process. The presentation will be based on a position paper developed on this topic area (see attached); it is intended to be presented and discussed in a forum such as COSAC to allow for audience interaction and feedback on the concept of Cyber Resiliency in the NATO construct. Cyber Resiliency by Design is an important topic area across NATO, and the COSAC/SABSA event will be a perfect forum to discuss and examine current standards and methods in this area and possible implementations. Our intention is for this event to be a catalyst of change for cyber resiliency across NATO.

16:30 6B: Computing at School - Securing Our Children's Digital Future Speaker(s): Esther van Luit, Kirsten Meeuwisse

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Kirsten Meeuwisse

Consultant, Deloitte (Netherlands)

Kirsten Meeuwisse is a consultant at Deloitte Netherlands. She graduated from TU Delft in Systems Engineering, Policy Analysis and Management, with research on the trade-off between security and usability. Next to her work supporting companies in improving their security, she wants to help children as well by educating them on cyber security & technology. She does that by organising hacklabs and by introducing the micro:bit at primary schools.

Whilst our society is becoming increasingly digital, our children's education has followed this trend in form, with fancy iPads and flashy online learning, but not in content. The goal of the educational system is to prepare children for the future, but digital skills, let alone cyber security skills, are in many countries not part of the school curriculum. Children should learn how to protect their personal information on social media, be aware of the threat posed by malicious actors online, and be informed about the legal implications of their own actions online.

The goal of this session is to create a robust outline for teaching cyber security skills to children in primary and secondary schools, based on the 'computational thinking' curriculum that some countries have sought to implement. The speakers present an overview of various attempts by government and not-for-profit initiatives to include digital and cyber security skills in children's development and education. The speakers are both actively supporting some of these initiatives and will share factors for success and barriers to implementation. Conference participants are invited to actively share their perspective based on their own involvement with educational initiatives, experiences with their own children, and the cultural enablers and barriers they feel should be considered to improve the suggested outline. The end product will be shared with participants after the conference and can be used to advance the status of cyber security in education in their respective countries.

16:30 6S: Applying SABSA in Project Delivery Speaker(s): Rob Campbell

Rob Campbell

Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 28 years' IT experience, the last 20 in Information Security. I have been formally trained in security consultancy and architecture methodologies. These include TOGAF (including ArchiMate) and of course SABSA. I have 10+ years in the financial/insurance sectors and another 10+ years' experience in the Government sector. In that time I have developed security strategy, performed risk assessment and compliance roles, as well as designed, developed and implemented solutions.

Delivering a solution or service within a project framework can present obstacles which can prevent the effective application of SABSA tools and techniques. These obstacles are largely related to the project focus and constraints such as time, resource, poor supporting documentation and poor requirements. Most security involvement in projects revolves around either design or assurance. SABSA can be used within the context of a project but developing the right tools and techniques can help streamline the process and deliver consistent reliable results which can be used by other disciplines as well as our own. 

This session looks to present an approach which can be used both in design and assurance activities, as well as to demonstrate a tool to capture the focus of interest and drive out gaps or aid in control selection. The approach works in most project circumstances and utilises a number of SABSA techniques; however, it assumes a level of maturity within the organisation and is most effective when done collaboratively with SMEs from other disciplines.

Within the session I will be seeking attendee participation to explore the process's deficiencies and seek suggestions to improve the effectiveness of the approach and supporting toolset. The toolset will be made available to the SABSA community.

Plenary Session

17:45 7P: Welcome to the Cybersecurity Smithsonian Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Museums bring to life elements from our history, present and future for children and adults alike. A good museum is relevant, engages, educates and makes us wonder. That is why, in an era in which everyone should have a sufficient grasp of the cybersecurity domain, it is a loss to the world that there is no such thing as a cyber security museum.

Inspired by the 'Secrecy and Security: Keeping Safe Online' exhibition at Bletchley Park, this session takes it upon itself to propose to, and engage with, the audience on the pivotal moments in cybersecurity history, and to look forward to new technologies and trends under development, from Enigma to Quantum Cryptography. Our museum should be more relevant than simply a collection of old computers on display. It should take the visitor beyond the main discourse of 'having a strong password', and draw out reflection and discussion amongst all generations on the governance of their data, their actions in cyberspace and the impact of new technologies on our security society, a la Star Trek and Black Mirror.

What are the IT and security developments that you feel should be included in our Cybersecurity Smithsonian? How should they be depicted for the visitor to effectively engage with and learn from? Instead of images of Alice & Bob, should children lock a written message in a physical box and exchange it securely with a parent, without it being intercepted, to explain how encryption works? How can we best facilitate discussion on cybersecurity matters, inside and outside the museum (after the visit)?

This session sets the scene by presenting engaging museum examples from around the world and covering what the presenter thinks are pivotal moments and technologies to include in such a museum. The speaker has contributed to creating an escape room-inspired TV program in which children have to solve cybersecurity puzzles to catch a hacker, and will share lessons learned on how to create digital elements in an engaging physical set-up. Participants are then invited to 'build their own museum' and do a deep-dive by operationalising two elements in their Cybersecurity Smithsonian. The session closes by sharing some of these examples in the plenary group. This session uses the museum as a vehicle to have security professionals reflect on pivotal moments and technologies for cybersecurity, the ways in which lay people interact or should interact with these elements, and new engaging ways of explaining cybersecurity issues and solutions to our stakeholders.

Networking & Dinner

19:15 Drinks Reception
19:45 onwards COSAC Gala Dinner & Networking

Wednesday 3rd October 2018

09:00 - 09:30 Delegate Registration & Coffee

09:30 8A: You ARE The Weakest Link: Goodbye! Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

A COSAC Debate: 

Isaac Asimov's [slightly adjusted] "Three Laws of [Artificial Intelligence and] Robotics" 

• A robot [or AI] may not injure a human being [that which matters most] or, through inaction, allow a human being [that which matters most] to come to harm. 

• A robot [or AI] must obey orders given it by human beings except where such orders would conflict with the First Law. 

• A robot [or AI] must protect its own existence as long as such protection does not conflict with the First or Second Law. 

Are AI and Robotic Process Automation (RPA) going to replace the need for humans in the future? Will this eliminate the mistakes and oversights so typically made by people that expose organizations? Is making logic-based decisions, devoid of ego and emotion, the right approach to protecting that which matters most, and what is the impact of "smart malware" left to survive on its own in the wild?

Join us as we debate the positive and negative impacts of introducing AI and RPA into the security world. 

09:30 8B: Taking Your Stakeholders Along: More Lessons From Burning Man Speaker(s): Mike Broome, Lisa Lorenzin

Mike Broome

Senior Software Engineer, Tanium (USA)

Mike is a Senior Software Engineer at Tanium, developing large-scale enterprise security and operations software. He spent two decades in networking and low-level embedded software, including writing code for the fastest-ramping mid-range router at Cisco. After a stint in embedded industrial control systems, he has spent the past 3 years working on a threat response solution that enables real-time monitoring of data at rest for indicators of compromise across an entire enterprise.

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security. 

So you've decided to tackle a major security initiative. Whether you're a CISO, an enterprise security architect, or a consultant, two key questions arise: how do you get buy-in from your stakeholders? And how do you work with them to ensure success? 

Seven years ago at COSAC, we discussed security lessons learned at Burning Man, a week-long annual art event and temporary community deep in the heart of the Nevada desert. Since then, we've continued to attend - and last year, my mother joined us. She's 70, has MS, has limited mobility and heat tolerance... so let's go ride bikes in the desert for a week! What could go wrong? 

The most difficult part of any enterprise security project is the Layer 8 considerations: how to ensure that stakeholders understand the project, and that we understand its impact on them, so we can succeed together. For months prior to the Burn, we went through an iterative process of identifying potential issues and potential mitigations - and then we tested those mitigations in the field. Sound familiar? Once again, Burning Man has much to teach us about the infosec arena. 

09:30 8S: (Re)Discovering Your Risk Assessment Mojo - How to Ditch the Dread & Find Love for SABSA Risk Assessments Speaker(s): Andrew S. Townley

Andrew S. Townley

Founder & CEO, Archistry (South Africa)

Andrew is an international speaker, published author and thought leader on business execution, security, risk and technology who has extensive practical, hands-on experience working in the US, Europe, Middle East, Africa and Brazil. His Enterprise and Security Architecture experience includes leading SABSA adoption organizational change initiatives for Fortune Global 300 customers and is built on not only SABSA certification but personal mentoring by two of SABSA’s principal authors.

Love SABSA but dread doing risk assessments? You're comfortable building Business Drivers in your head, and yet, when you sit down to do a "proper" risk assessment, you feel the overwhelming urge to look at the clock, go get a coffee and check your emails/social media accounts—anything to put off venturing into the rat's nest of PESTELIM, Internal Factors Analysis, SWOT and Control & Enablement Objectives.

You know the techniques, and you dutifully apply them, but the result is a very large number of potential risk scenarios that you feel are all ultimately very similar, you’re not really sure where to draw the line between direct and systemic impact, and looking back at the work you’ve done, you see that you’re not always associating similar scenarios with the same domains and attributes. Ultimately, you’re doing a lot of work, but you’re just not confident of your results, and you really believe SABSA ought to be able to solve this problem—after all, it’s all about making risk-driven decisions, so how are you supposed to do that if doing a risk assessment is this hard? 

The good news is that there’s nothing missing in SABSA. You just need a better way to think about the whole process, and, fortunately, there’s a solution. 

In this session, we’ll explore an approach that will increase the speed and consistency of your risk assessments and ultimately give you much higher levels of confidence in your results and recommendations—no matter where in the lifecycle the assessment is performed. 

In particular, we’ll cover: 

• A very quick refresher of risk assessments in SABSA 

• A common root cause of getting lost and overwhelmed doing risk assessments 

• The elements of the solution: VERIS and the critical SABSA architecture elements you need to have in place 

• How you proactively answer the most important risk assessment questions 

• Effective ways for keeping direct vs. systemic impact clearly separated 

• The overall impact of the approach to full-lifecycle SABSA delivery 

The fundamental objective of this session is to give you ideas and techniques you can put in practice once you get back to the office so you learn to love risk assessments as the key, critical aspect of the SABSA method—or at least, not hate them quite so much. 

10:30 - 10:50 Morning Coffee

10:50 9A: Optimal Machine Learning Algorithms for Cyber Threat Detection Speaker(s): Hafiz Farooq

Hafiz Farooq

Chief Cyber Security Architect, Saudi Aramco (Saudi Arabia)

Hafiz Farooq is currently serving as a Senior Cyber Security Architect for Saudi Aramco's Global Security Operations Centre (SOC). He has 15 years of research and professional experience in the cyber and network security domain, harnessing the first line of defence against a huge spectrum of targeted and untargeted cyber attacks from adversaries. His acute academic and professional experience helped him orchestrate the security processes for Saudi Aramco after the well-known Shamoon attack in 2012.

Given the exponential growth of the global cyber threat spectrum, organizations are now striving for better data mining techniques to analyse the security logs received from their IT infrastructures, in order to ensure potent cyber threat detection and subsequent incident response. Machine learning based analysis of security machine data is the next emerging trend in cyber security, aimed at minimizing the operational overhead of maintaining conventional static correlation rules in security-monitoring devices. However, selecting the optimal algorithm with the fewest false positives remains the impeding factor against the success of data science, especially in any large-scale, global-level Security Operations Centre (SOC) environment. This creates a dire need for an effective and efficient machine learning based cyber threat detection model. In this research, we propose optimal machine learning algorithms for detecting multiple types of threat actors by analytically and empirically comparing the results gathered from various anomaly detection, classification and forecasting algorithms.

10:50 9B: Organisational Risk & Threat Modelling Workshop Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Risk managers often find it difficult to communicate threats and risk (and the difference between them) to those who must understand what is at stake in the context of the organization's mission. Identifying ways to model and visualize risk is key to helping stakeholders determine which mission objectives or organizational assets are at risk, and where risk treatments are needed. To add to the complexity, many risk managers have to give assessments on the fly, or at short notice. There are many effective methods that can be used to model risk and address these challenges, and this workshop aims to explore different risk and threat modeling methods and practices. This same workshop was given at the inaugural COSAC APAC in December 2017 and resulted in valuable discussion, and even in the creation of a working group to continue the progress. In this highly interactive session we will review the progress of the COSAC APAC contributors and will work in groups to visually model risk on the fly in a 15-20 minute activity with a given challenging mission scenario. We will then share, brainstorm, and discuss the advantages and disadvantages of these risk models. We have found that by working in this way we can make progress in areas that would be near impossible to achieve working remotely.

10:50 9S: Putting Metrics into Context: Why it Matters & How to Do It Speaker(s): Michael Krumbak

Michael Krumbak

Enterprise Security Architect, DSV A/S (Denmark)

Michael Krumbak has been working with information security, in various roles, for more than 20 years. For the last 10 years his main focus has been on the management side of security, compliance and risk issues. Michael prefers to work in the space between business executives and technology teams, facilitating communication and mutual understanding among stakeholders. Currently, Michael works in the role of Enterprise Security Architect in a global logistics company.

For ages security people (myself included) have measured security by counting raw metrics, incidents and blocked spam emails and reported them 'as-is' to their Executive Management teams, all the while complaining that their audience does not support security, understand what security is or why it is important... Is it possible there is a connection? Does your success not depend solely on your security skills, but also on your communication skills?

The reality is that never before has security had so much attention in board rooms and with executive teams as it has now. If you can "get it right", now is a window of opportunity of unprecedented proportions. Give your exec-guys what they ask for. This presentation will explain why it is important to "meet your audience on their turf" and why management support is heavily related to your (communication) skills. There is a reason why most people still "count" when they measure security: building context around your metrics is not a trivial task. This presentation will demonstrate how to use SABSA methods to break down strategic objectives and build up the business context around the metrics.

12:00 10A: Artificial Intelligence Gone Wrong: How Classifiers Can Mis-characterise the Environment Speaker(s): Char Sample, Lori Murray

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland and with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

Lori Murray

PhD Student, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She has Master of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience in Systems Engineering as a Cyber Security SME, building security architecture from requirements definition to design.

Artificial intelligence and machine learning algorithms are becoming the latest buzzword in security technology, promising to improve the lives of security professionals. To many long-time security practitioners these promises have a familiar ring.

This session begins by first examining how learning and intelligence impact the structure of a dataset and how variations in cognitive processes associated with learning and intelligence differ according to linguistics, culture, psychology, pedagogy and other factors. These factors have a direct influence on the structure of the data set, having a profound impact on the optimization of classifiers that use training data. These factors can result in unintentional or intentional poisoning of the training data, or violate underlying statistical assumptions by generating a weak data set.

We will individually explore several popular classification algorithms showing how the data set utilizes classifiers, exploring how they can work well in one environment while failing in another based on the aforementioned differences in the cognitive environments (linguistics, culture, psychology, pedagogy etc.). The following classifier types will be discussed: 

- Heuristics 

- Neural networks 

- Random forests 

12:00 10B: In Search of the Elusive "Securiton" Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Cyber Security Adviser, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs. 

Early in my career, around 2001, I first heard the term “Securiton” used in the context of measuring effective return on investment for ICT Security Projects. “Securiton” was used, in a humorous way, as a fictitious measure of the outcomes of computer security projects to illustrate what we knew the executive wanted to hear to approve business cases for our projects. 

We dreamed of being able to say: 

“This project will make us 37 Securitons more secure at a cost of only $370,000 – a bargain at only $10,000 per securiton!” 

Mark Twain has been quoted as saying "Humor is the good natured side of a truth." And there is more than a grain of truth in the use of "Securiton". We, as an industry, long for an objective measure that can help us explain our complex and technical subject to the executive in a meaningful way.

As Peter Drucker said, "What gets measured gets managed," and it is time that we started building effective and objective measures within security.

This workshop will interactively explore the possibility of building such an objective measure for risk in our industry. 

We will start with a look at how people, in general, approach the consideration of ordinary risks in a very subjective way. 

We will then look at real known risks and threats in our industry and discuss how organisations measure likelihood and consequences, both subjectively and objectively, to determine “risk”. 

We will then workshop the possibility of building a standard subjective measure for various known cyber security risks, considering a range of factors that might increase these risks in particular industries and organisations.

This session will be run as a workshop. 

12:00 10S: Tag, You're It! Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Being able to visualize an Enterprise Security Architecture in a meaningful way across all of the SABSA layers is an amazing way to bring the ESA to life and enable its use on an almost daily basis by a variety of stakeholders who have different priorities and needs.

In this workshop, we will build an ESA on a page (or rather on the wall) for one of the best-known and most successful companies on the planet and allow the teams to explore the best ways and techniques to tie all of the defined architectural artefacts together.

13:00 - 14:00 Lunch

14:00 11A: A Solution Architecture for Establishing Provenance Speaker(s): John Sherwood

John Sherwood

Chief Architect, The SABSA Institute (UK)

John Sherwood is the Chief Architect of SABSA, working at The SABSA Institute, leading the development of the SABSA framework by engaging with the global SABSA Community to harness new thinking and innovation in the practice of security architecture. He also leads the collaboration between the institute and The Open Group in this area of work.

This theoretical case study is an approach for tracing the provenance of goods and their associated values using an ‘information centric’ architecture, as opposed to being system centric. The security is embedded in the data structures, not in the system technology. In that regard it is innovative and unlike most implementations of traceable sourcing.

At a time when 'blockchain' is all the rage, this session presents an alternative, less costly and less complex approach to proving the authenticity of certified goods and services and the digitised documents that support them. There is an increasing need for such a service, and those who have an interest in digital provenance will find this excursion into architectural design of value to their thinking. It will be of particular value to all those for whom blockchain is a step too far but who require inherent strong traceability in digital documentation. It's not a product, just an architectural design, but no doubt someone could productise it, or something like it. The values to be protected may be financial but may also be concerned with assurance of authenticity of source, which in itself may or may not carry premium financial value. From designer fashion, to organic food production, to ethical sourcing, and to authentic financial accounting documents, there are many applications. Each application would probably require a customised version of the generic design presented here.

The value of anything depends upon what someone will pay to obtain it. Value is a market driven thing. There is no absolute value scale in the market place. What someone will pay depends upon how much confidence and trust they have in the authenticity of the item according to the claims made by the seller. An extreme example would be a work of art. If it is a genuine piece by a famous artist it might have huge worth, whereas a fake would be relatively worthless. Provenance is everything in such transactions.

Proving authenticity requires documented evidence that cannot be fraudulently misrepresented. Paper documentation has fulfilled this evidence function for hundreds of years. As we move into a digital age there is a need for inherently secure digital evidence. An ‘information-centric’ solution architecture would fulfil these functions.

The session will present the contextual, conceptual and logical security architectures of the solution, following the layering of the SABSA framework. There will then be an open discussion of the merits of the design, during which the speaker expects some robust constructive criticism from the audience.

14:00 11B: Using Transmedia Storytelling to Develop Cyber Talent Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks. 

Identifying and growing cyber security talent is a critical challenge to many organizations. While a number of universities and other organizations are offering more in-depth programs on cyber security and information assurance, the need is still outpacing the supply of qualified personnel. Our organization is rolling out an initiative to identify and develop such talent using a combination of transmedia storytelling and a face-to-face final challenge. 

Transmedia storytelling is a means of engaging and absorbing a participant in a cohesive story experience across traditional (e.g., books, articles, posters, etc.) and digital (Twitter, YouTube, web sites, etc.) platforms. It allows the participant to actively discover the story a piece at a time, taking them through the adventure of the narrative. While this technique has been used by Amazon with "The Man in the High Castle" and the television show Mr. Robot, there are many interesting ways to apply it to identifying and growing cyber security talent. In our case, we have crafted a narrative across the surface web, the dark web, text messages, phone calls, YouTube videos, Twitter feeds and other sources to engage university partners, which will culminate in a face-to-face challenge, where qualified candidates will be interviewed and offered positions. This presentation will walk through the narrative, discuss the challenges and lessons learned from the preparation of the event and will discuss concepts for a talent development exercise using a similar construct.

14:00 11S: SABSA Domain Trust Modelling: Good Enough for the Modern Business? Speaker(s): Andy Wall

Andy Wall

Chief Security Officer, Office for National Statistics (UK)

Andy Wall is a cyber, information security & assurance leader with 25+ years’ experience within global & national commercial organisations and UK Govt providing business focused security advice & management. Currently Chief Security Officer at the Office for National Statistics, developing new approaches to secure operations of leading edge big data analytics that support the organisational mission of statistics production on a range of key economic, social & demographic topics. 

This session will show a potential extension of the SABSA domain model to better facilitate multi-stakeholder trust and policy modelling where chains of suppliers are used for security delivery. 

- Explore multi-domain direct and indirect relationships and policy associations where interaction is extensive 

- Debate potential differences between policies and domains as security is implemented and assured in multi-stakeholder environments 

- Challenge a modelling extension for policy requirements that applies on a multiple partner and supplier basis, beyond the existing SABSA model 

Overall the session proposes a new trust model (perhaps 'Community' or 'Federated') and asks fellow SABSA professionals to shoot it down or build on it!

15:10 12A: The Architecture of Trust and Its Security Implications Speaker(s): Duncan Greaves

Duncan Greaves

Postgraduate Researcher, Coventry University (UK)

Duncan has 25 years' experience in software development and information architecture in the UK and Australia. He is currently transforming the practice of Cybersecurity Management and Trust into theory by studying for a PhD at Coventry University.

Information systems in cyberspace are responsible for the successful processing of many millions of transactions per second, but perform poorly in terms of being long-term trustworthy business partners. Trust is a structured social process that ensures and assures longer-term relationships between partners. It reduces the moral hazard of technology dependence and the safe exchange of information to empower these relationships and produce improved shared outcomes.

To mark the theme of 25 years of 'Shared Experience and Trust' this session will explain and discuss the role of Security, Privacy and Vulnerability protections in socio-technical systems and how practitioners can visualise the interplay between these variables to maximise the trustworthiness of business systems. This original work is being undertaken as part of a structured PhD research programme and includes new concepts and an exclusive preview of the early analysis and findings of this quantitative experimental work. 

Attendees will find this a fascinating, timely, practical and accessible session on the science and art behind producing architectures that deliver transaction security alongside respect for the processes that promote trust formation.

15:10 12B: Addressing the Cybersecurity Skills Crisis through the Untapped Talent Pool of Diversity Speaker(s): Rosanna Kurrer

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna is an Architectural Engineer by training and holds a Masters Degree in Building Physics from Kyoto University in Japan. For the past several years, this certified MIT Master Trainer in Educational Mobile Computing, as well as EU Code Week ambassador, has led hands-on, result-oriented workshops in the areas of computer programming, data visualisation, the Internet of Things, and 3D design and Design Thinking, to promote the uptake of digital skills, particularly among girls and women. 

At COSAC 2016, Patrick Wheeler presented a vision of how to attract a more diverse talent pool into careers in cybersecurity and how this diversity would not just help fill the skills shortage but also create more innovative, cognitively diverse and effective cyber teams.

The vision was one of developing professional women with curiosity, transferable skills and the commitment to learn and acquire the necessary skill set, and who are looking for a challenging career transition. 

Two years later, this vision is now manifest in the CyberWayFinder project in Belgium. 

It has just completed the first pilot year with twenty-six women and is about to start its second year with a fresh intake of thirty women. 

There are many discussions at the moment about the barriers to gender balance in the security profession. 

The CWF initiative is in a position to provide some insight and offer some practical answers about what does and doesn't work from first-hand experience, based on a mix of training, mentoring and successes in directly filling roles that immediately add value to existing cyber teams.

In this presentation, Rosanna will introduce the principles, practices and approach of the CWF programme and share the wisdom and lessons learned from having set up and run the program over the past 2 years and where it is heading in the future. 

15:10 12S: A Night at the Museum Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Developing an Enterprise Security Architecture for a National Museum. 

Te Papa Tongarewa, the national museum of New Zealand, celebrated its 20th birthday this year and is in the middle of a $50 million renewal programme. The museum sector, like many sectors, believes that digital is the key to innovation and transformation. As part of the renewal programme, the CTO was charged with modernising the technology used by the museum to ensure support and enable its digital ambitions. In addition to this, he was also tasked with providing the Board with an appropriate level of assurance that the information security and privacy risks associated with Te Papa's use of technology are effectively managed.

In this talk, we will discuss how SABSA was used to develop and implement an Enterprise Security Architecture and Security Strategy for a complex and heterogeneous environment with competing and conflicting business requirements for security (funnily enough confidentiality is not the primary attribute for most of the museum’s information). However, we will also examine some of the other significant challenges that we had to overcome, including the absence of a business or enterprise architecture, organisation culture and communication style, and ageing technology infrastructure in dire need of modernisation. 

This session will provide you with some real-world practical approaches for addressing both the real and perceived roadblocks to developing an Enterprise Security Architecture and Security Strategy that delivers value by genuinely supporting and enabling the business to achieve its desired outcomes. 

Won’t you join us for a night at the museum? 

16:10 - 16:30 Afternoon Tea

Plenary Sessions

16:30 13P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

Networking & Dinner

18:30 Drinks Reception
19:00 Dinner

Thursday 4th October 2018

09:00 - 09:30 Delegate Registration & Coffee

09:30 14A: Betsy, Fluffy & Herd 51 Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

IT practices are changing at a rapid pace and are impacting the way we need to look at information security. A few of the hot topics like cloud computing, DevOps and zero-boundary systems are perfect examples of this. In some ways we are doing the same old thing, but in a way that doesn't look exactly familiar. Recently, in a conversation with a cloud vendor engineer, it was implied that my question regarding configuration management was, well, old fashioned. Why would we treat our application like a pet, which needs a high degree of care and maintenance, rather than as cattle that are maintained in large quantities and, according to the metaphor, individuals can be removed from the herd and replaced with no noticeable impact? (No animals were harmed in the making of this session.) After a bit of research, it was clear that this analogy has been around for a little while, but more in the context of servers and now more recently for applications. In this session we will look at a use case of a cloud implementation where several of these concepts came together and were put under a high level of security and compliance scrutiny. We will look at some of the successes as well as the lessons learned throughout this engagement. Finally, we will have a group discussion regarding how we as security professionals can embrace, or at least keep up with, the progression of IT practices.

09:30 14B: The Impact of GDPR on Information Security 2.0 Speaker(s): Karel Koster

Karel Koster

Head of Information Security, Ingenico ePayments (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds a position as Head of Information Security within Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel was an information security officer responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

On the 25th of May 2018 the GDPR came into full effect. Therefore GDPR compliance is the talk of the town within information security management departments. Last year I facilitated a highly interactive session about the possible impact of the GDPR on information security management. We tried to predict its reach and discussed several roads to GDPR compliance.

Last year at COSAC we found that there is no indisputable right or wrong yet, since the legislation leaves a lot of room for interpretation. Now with the GDPR in effect, we can monitor how this new law is interpreted within and outside of the EU and see if we can use the knowledge and experience of the COSAC participants to answer the questions your business will have regarding the GDPR. Examples of these questions include, but are not limited to:

- What does GDPR enforcement look like? 

- Is GDPR strictly enforced both within and outside of the EU?

- Are enforcement agencies really issuing fines when companies are non-compliant?

- Our company won’t be compliant any time soon, what should we prioritize? 

- Is there an (unofficial) grace period?

- Do data subjects really ask for the personal information?

I have monitored the GDPR and its implications closely this past year and will share my answers and views on these topics and invite you to present your questions and views. Then we will work collectively on answering them. 

09:30 14S: Defendable Architecture, Advanced Persistent Threats & SABSA Speaker(s): Gabor Medve

Gabor Medve

Chief Information Security Architect, Telenor Group (Hungary)

Gábor is a communication engineer by education and worked as a system administrator during his studies, where he was influenced early on by the information security area. He has worked in information security since 2000 across different areas, but always with the main aspect of how to deliver & maintain secure solutions, with respect to being able to spot & analyse unauthorised access. In recent years he has been focusing mainly on security quality assurance in global delivery structures.

How to address the trend of increasingly sophisticated and persistent attack types, especially in case a business entity is exposed to APT? 

What are the prioritized relevant characteristics and attributes we may use and focus on in our security architecture? 

What are the most important or interesting implications in case of supply chain, partners and IT service providers? 

How could the potential relevant controls contribute to business objectives and opportunities? 

During the session we will assess as many of the answers as possible in a joint discussion, considering the following set of reference material (pre-read is recommended):

• Operation Socialist – Belgacom hack by GCHQ 

• Operation Cloud Hopper – APT10 compromising Managed Service Providers 

• Defendable architectures white paper (Lockheed Martin)

• Threat-driven approach to cyber security (Lockheed Martin)

• Intelligence driven computer network defense (Lockheed Martin)

• Cyber Kill Chain (Lockheed Martin)

• Semantic Cyberthreat Modelling  

• MITRE ATT&CK framework 

• Cyber resiliency design principles (MITRE)

• NIST sp800-160 vol. 2 – Systems Security Engineering/Cyber resiliency considerations for the engineering of trustworthy secure systems (note that the really interesting parts are in the appendices) 

• Securing privileged access (Microsoft)

10:20 15A: Helping You Become the Least Powerful CISO in the World Speaker(s): Dave Barnett

Dave Barnett

EMEA Head of CASB, Forcepoint (UK)

Responsible for Forcepoint's CASB and associated information protection portfolio, Dave has been in the industry for over 20 years in a variety of roles, recently Dave was the co-author of PAS555, the first nationally ratified standard for cyber security, he has worked with industry & academia to further knowledge of security. Dave is amazed by the innovation coming from users and his talk will focus on methods to identify cloud apps & work with the business to identify their wider...

Perfection is the enemy of creativity and a perfect world is one in which business cannot thrive. Without putting in place draconian and hard-to-maintain technical blocks we cannot stop the use of cloud by our users, and in many cases businesses want to encourage this.

This highly interactive session will explore subjects such as: 

- A new model to calculate risk in the cloud (C*D*UBA) - if we don't have full control over the end point, we don't have any control over the internet and at best we have a contractual relationship with the cloud app, how on earth do we calculate risk?

- The cloud shared responsibility model - (with CIA in mind) how to select a cloud provider, what do they do, what do you do and what is shared. 

- Digital transformation - Finding demand for new cloud apps - hunting down user generated (shadow IT) innovation, discussion around processes to de-risk and adopt them as new corporate standards. 

10:20 15B: Day to Day Security Management: Improvisation or Science Speaker(s): Helvi Salminen

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as information security manager. Before starting information security tasks she had 12 years' experience in systems development. Helvi is a founder member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is a qualified CISA, CISSP & SABSA and was awarded CISO of the Year in Finland in 2014.

Many security practitioners who manage day-to-day security in an organization have a somewhat skeptical attitude towards the value of scientific thinking in their daily work. It is often considered too academic and theoretical, as getting stuck in irrelevant details and forgetting the need to resolve real problems efficiently.

This attitude has been bothering me, and I have had several debates about the topic. Naturally in a hectic situation, e.g. a critical incident requiring immediate actions, it may be difficult to see the value of scientific thinking. But we shouldn't give up so easily. 

I claim that the principles of scientific thinking and methods can significantly improve security management and the day-to-day security work. Both scientific knowledge and security decisions 

- must be based on observation of the reality, 

- should avoid entering into the trap of "common sense", 

- should strictly respect the principles of validity and reliability, and 

- are based on the idea on continual improvement. 

In this presentation I will point out what scientific methodology and security decision making have in common. I will also take a look at some security frameworks from a scientific point of view. The presentation will also include some scenarios, including incidents, where the security solutions can benefit from a scientific approach.

10:20 15S: Why Cyber Resilience? Speaker(s): Christian Arndt, Anton Tkachov

Christian Arndt

Partner, PwC (UK)

Christian Arndt is a director at PwC based in London. Christian is an experienced consultant with deep expertise in cyber security, technology, and programme management in a wide range of organisations. He has over 18 years' consultancy experience working for a broad range of international clients. Specific industry experience includes working for some of the world's largest telecoms companies, financial services, and central government.

Anton Tkachov

Director, PwC (UK)

I lead the Cloud Security proposition nationally and am growing a team of 'hands-on' security architects that can assist our clients with everything from an assessment & definition of cloud security strategy to technical architecture advisory & system integration work. The primary objective of my role is to leverage a vast network of bleeding-edge technology start-ups and vendors to help our clients in finding and deploying new, more effective and efficient ways to manage cyber risk.

Frameworks solely focusing on Cyber Security are different to frameworks that focus on Cyber Resilience: 

Cyber Security consists of the technologies, processes and measures that companies have designed to protect systems, networks and data. 

Assumptions: A best practice set of security controls must be mature across the board. 

Goal: Knowing where the gaps are. 

Focus: Lagging security controls. 

Thinking Differently - 

Cyber Resilience requires companies to think differently by considering their critical economic functions* and analysing the threats that target those. 

Regular testing is then used to test the ability to rapidly orchestrate the recovery from an attack and helps companies implement advanced techniques. 

Assumption: A breach will happen. 

Goal: Minimise business impact. 

Focus: Availability of critical economic functions. 

Cyber Resilience is a growing concern of UK Financial Sector regulators. We would like to use the opportunity to discuss how we have used the SABSA framework to develop Cyber Resilience strategy for our clients and proactively manage the conversation with the FS regulator. 

11:05 - 11:25 Morning Coffee

11:25 16A: Anatomy of a Breach Speaker(s): John Ceraolo

John Ceraolo

CISO, Sentry Data Systems (USA)

Mr. Ceraolo has been an information security professional for over 25 years in industries ranging from publishing, software, automotive, mobile technology and now healthcare analytics. He has frequently spoken at COSAC and other US-based security conferences. He holds his CISM, CISSP, and CISA as well as his Masters in Information Assurance from Norwich University.

Media reports of breaches only cover a high-level, sanitized version of the event. The real story is what a CISO goes through when experiencing what is arguably the worst part of our job, yet the very day we train for above all others. In this session, the speaker will share the inside story: the pain, the anxious moments, the psychology of the culture when a company experiences a breach. Ultimately, we will cover the lessons learned from what can work in an incident response plan and what did not. All names have been changed, but this session will dissect an actual breach and present the most relevant and useful moments so that attendees can review their own plans and adjust accordingly. The intended audience is those who have not experienced a breach, but those who have are welcome to add their personal insights where permissible. Collaboratively, the collective can gain even more insight. 

11:25 16B: There IS an "I" in Team Speaker(s): Valerie Lyons

Valerie Lyons

Information Privacy Researcher & PhD Scholar, (Ireland)

I have been an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Amidst the fast-paced changes in the digital space, security and privacy professionals are often preoccupied with keeping up-to-date with the latest technologies, the latest regulations, the latest security architectures and so on. However, they often overlook a far more important aspect of their career: their own personal development and that of the teams they lead. The dynamic between individuals, team members, other teams, colleagues, vendors, customers etc. is paramount to individual achievement, team engagement, and team performance. But what factors influence that dynamic, and can we control those factors? 

Daniel Goleman, an American Psychologist, believed that at the heart of team dynamics and team leadership lay a series of traits referred to as ‘emotional intelligence’ (EQ). EQ is the capability of individuals to recognise their own emotions and those of others, discern between different feelings and label them appropriately, use emotional information to guide thinking and behaviour, and manage and/or adjust emotions to adapt to environments or achieve one's goals. 

As a qualified executive coach since 2013, I have applied many EQ coaching tools with various team members, including myself. By using these tools, we can help team members sympathetically explore aspects of personality that might perhaps prevent career progress, or explain why, despite a great job, someone still feels unfulfilled. Certain coaching tools can also help facilitate exploring our inner critics and negative self-beliefs. 

This presentation aims to briefly outline those tools and is divided into two sections, the first explores some of the more effective coaching tools for individual development: 

· Emotional Intelligence Assessments and 360 reviews. 

· The 9 Enneagram Types 

· The 5 Whys (and other good coaching questions) 

· Mindful Coaching Strategies 

The second section explores tools more suited to coaching teams, to help create more High Performing Teams, and can be applied very successfully after coaching the individuals within a team: 

· Tuckman’s Team Stages Theory 

· Belbin’s Team Roles 

· Beckhard’s GRPI Model 

We hope this will be a very interactive (and fun) session, with several session takeaways, including directions to some really effective free online tools to help analyse your team members’ roles, and enneagram type analysis. 

11:25 16S: SABSA Open Forum - Part 1

12:15 17A: Intent based Security: Bringing the Security the Organisation Wants or the Next Buzzword? Speaker(s): Kris Boulez

Kris Boulez

Senior Expert, NVISO (Belgium)

Kris is a Senior security expert with extensive experience in Technology Consulting in general and Information Security in more depth. Kris joined NVISO in 2017 and prior to that worked at Ascure, which was acquired by PwC in 2011. For the last decade he has mainly worked on Enterprise Security Architectures (ESA), PKI and (Web) Application Security. This vast experience allows Kris to act as a seasoned project manager on complex and technical assignments, while keeping a close link with business. 

Intent-based security (IBS) will, when finally achieved, allow an organisation to describe “what” it wants to be secure and not “how” it wants this. By using declarative statements (e.g. ‘make a new webserver available’) instead of prescriptive ones (e.g. ‘open port X on firewall Y, configure a reverse proxy and enforce 2FA’) we come closer to delivering the security an organisation needs.

To achieve this, IBS relies on full automation for management of security solutions via the so-called “Security Fabric” (in which all security devices are woven together), which spans across today’s borderless network environment. This implies that security solutions are deployed independent of the ecosystem being used, and these individual mitigations are then bound together to enable the centrally-defined intentions. Once integrated, these security solutions can compare and correlate events and threat intelligence to not only see new threats, but also begin to anticipate the intent of the security people.

The last year has seen a lot of media coverage on intent-based networking and security, described as “the next big thing” by analysts. In this talk we will describe the building blocks on which it is built, what is already available at this moment and where it can evolve in the coming years. Finally, we will try to answer the question whether, by automatically translating business events into infrastructure policies, we will be able to bring the security the organisation wants.

12:15 17B: Where Should the CISO report? Speaker(s): Kathleen Mullin

Kathleen Mullin

CEO, MyVirtualCISO (USA)

Kate Mullin is an influential information security practitioner with more than 30 years of experience in various accounting, audit, risk, governance, and information security roles. She has been a CISO at various organizations including publicly traded, private, not-for-profit, and governmental entities. Kate established the role of CISO at Tampa Airport and at Healthplan Services.

Information security’s organizational placement is frequently a significant contributor to the ineffectiveness of security programs. Information security is supposed to be about data governance and protection. When information security is embedded within IT, the focus becomes the technology and not how technology is supposed to be used to address the confidentiality, integrity, and availability requirements of the owners of the data. As organizations embrace new technology and are agile in responding to business needs within constrained budgets, information security frequently falls behind. 

In some of the largest data breaches, where the CISO reported within the organization adversely impacted information security’s ability to assist the organization in protecting data. The inherent segregation of duties merely creates someone to be blamed. 

Regulations such as the EU’s General Data Protection Regulation (GDPR) and contractual obligations like PCI exist to protect data and require both technical implementations and business decisions. Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) are supposed to look at segregation of duties but have never addressed the CISO. Will GDPR finally address the issue, or will we continue to push the issue off? This presentation is to discuss the best way to address the CISO reporting structure to make CISOs and information security effective. 

12:15 17S: SABSA Open Forum - Part 2

13:00 - 14:00 Lunch

Workshop W1

14:00 Complexity, Change & Security Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

It’s not getting any easier. The complex, ever-changing work environments of 2018 and beyond pose numerous and unique security problems. And we’re supposed to smoothly and accurately handle all of them.

Computing environments grow more complex by the day, new devices proliferate, and our attack surfaces continue to expand. Big data, analytics and the IoT are definitely shaping the future, but relevant security standards are far from settled. Organizational structure change is almost a constant. People still make mistakes and get socially engineered. And the bad guys seem to find ever more creative ways to defeat our newest and most sophisticated security measures.

In this half-day COSAC class, we’ll give guidance for coping with this complexity and change in securing our vital assets.

Part 1 – Securing the complex environment

– We’ll analyze current and future threats and realistic countermeasures for a computing environment featuring Big Data, the IoT, Analytics and an ever-multiplying population of powerful, portable, connected devices.

Part 2 – Securing the ever-changing organization

– Change agents that can seriously affect security are gaining traction everywhere. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.

Part 3 – Securing the semi-predictable humans

– Phishing, really just automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Workshop W2

14:00 The Business Prevention Department Speaker(s): Karel Koster, Maurice Smit

Karel Koster

Head of Information Security, (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds a position as Head of Information Security within Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel, as an information security officer, was responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In this day and age the security department’s existential necessity is no longer questioned, yet it often gets no further than being perceived as ‘The business prevention department’. This negative bias towards security departments is unfortunately based more on truth than on fiction.

Dealing with security departments is often perceived as cumbersome, irrational and bureaucratic, and often without the desired outcome. During this workshop, we will describe the strengths and weaknesses of two stereotypical security departments, ‘the Ivory Tower’ and ‘Doctor No’.
We will also describe the profile of a more successful security department and provide useful hands-on tips to establish the same in your environment.

Using these strengths and real-life user stories, the participants will be presented with several challenges. Their response to these challenges will be scored from both a security and a business perspective, and we will explore whether both can be achieved, or whether security will always impact the business perspective or vice versa.
The facilitators will act as a mirror to the participants and lovingly yet bluntly give them feedback on the proposed strategy. They will tell you what your business stakeholder normally only thinks but does not reveal.

Workshop W3

14:00 Help!? I want to Become a Great SABSA Architect Speaker(s): Esther van Luit, Kirsten Meeuwisse

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for woman of the year 2015 for the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Kirsten Meeuwisse

Consultant, Deloitte (Netherlands)

Kirsten Meeuwisse is a consultant at Deloitte Netherlands. She graduated from TU Delft in Systems Engineering, Policy Analysis and Management with her research on the trade-off between security and usability. Next to her work in supporting companies to improve their security, she wants to help children as well by educating them on cyber security & technology. She does that by organising hacklabs and by introducing the micro:bit at primary schools.

The Security Architect work role of the NIST SP800-181 Cybersecurity Workforce framework sets out the tasks and requirements for knowledge, skills and abilities for security architects. However, does a great security architect also make a great SABSA security architect? And are you a great SABSA architect? How could you be better?

Under the guidance of an experienced cybersecurity workforce developer, participants in this workshop will together evaluate the current NIST SP800-181 Security Architect Role. They will determine improvements to better fit the SABSA architect role using SABSA’s own business driver and business attribute methodology. Based on the results, participants will be guided through a self-assessment questionnaire to assess their maturity on the relevant tasks, knowledge, skills and abilities.

This session is aimed at furthering the definition of a SABSA architect, clarifying the differentiating features of those who deem themselves SABSA architects versus ‘regular’ security architects. Each of the participants will leave this session with 1) the resulting work role profile for SABSA architects with tasks, knowledge, skills and abilities, and 2) a personal profile expressed in terms of Bloom’s Taxonomy of what their current maturity is and in what areas they can improve. In addition, an anonymised collation of the results (opt-out) will be offered to The SABSA Institute to allow for better understanding of the learning community and possible improvements to the curriculum.

Plenary Session

17:15 Decrypt, Deceive, Destroy: Joe Rochefort, Midway & 8 Miraculous Minutes Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Conference Close

18:15 Conference Close - COSAC Chairman Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.