Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value.

For 28 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2022 Call for Papers is now open!

Thursday 30th September 2021


COSAC Immersion - Deep Dive into Diversity

09:30 Introduction

For many years COSAC has been proud to support a truly global community and present an agenda of interest and value to people with a rich tapestry of backgrounds, cultures, life experiences, skills and talents. We believe that the diversity of our participating community enriches us all and improves the quality and effectiveness of our security decisions.

The COSAC Immersion session is modeled on our traditional COSAC Masterclasses which explore an important topic from multiple perspectives and follow the narrative from introduction of the issues through future solution strategies.

We have had sessions on diversity for many years, but for 2021 we have chosen the subject for our deep-dive immersion, led appropriately by some of the subject’s most enduring advocates: Valerie Lyons, Rosanna Kurrer and Esther Schagen-van Luit. The diversity immersion will cover:

  • What is diversity?
  • What role does it play?
  • How does it affect behaviour?
  • What is bias and how can it be overcome?
  • How can diversity be measured?
  • What is the role of diversity in managing complex Enterprise problems?
  • When and how can a cognitively diverse team perform measurably better in a security domain, how can ‘better’ be demonstrated, and what are the steps to achieving it?
  • How can we replace historical uniformity and embed valuable fresh perspectives within our teams?
  • How can we scout, onboard and mentor candidates from non-traditional security recruitment pathways?
  • How can we adapt recruitment processes and build tools to remove bias from the recruitment process?

09:30 Part 1 - Building Diverse Security Teams Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

“Everyone should learn how to program because it teaches us a new way to think about the world” Steve Jobs

We find ourselves in a global environment, with a tightly connected global workforce, and a shortage of diverse talent in the tech sector. Having people with a diverse set of backgrounds, cultures, life experiences, skills and talents improves the quality of business decisions and helps protect organisations from group-think. Having a diverse workforce also reflects the diversity of the marketplace, making it easier to engage more effectively with a wider talent base and extended customer base.

But what is diversity, and how does it differ from equality? Diversity is defined as “recognising, valuing and taking account of people's different backgrounds, knowledge, skills, and experiences, and encouraging and using those differences to create a productive and effective workforce”. The current dialogue regarding diversity tends to focus on gender diversity; however, diversity extends beyond gender to many other attributes such as neurodiversity, political leanings, culture, religion, nationality, ethnicity, race, colour, education, age, disability, introversion/extroversion etc. The term ‘diversity’, however, is often used when the term ‘inequality’ is intended, and we therefore risk sanitising ‘inequality’ with ‘diversity’ as a result. Unlike diversity, equality is a legal requirement. Under the Equality Act people are protected from discrimination on the following grounds: ethnicity, sex/gender, disability, religion and belief, age, sexual orientation, family status (e.g. pregnancy and maternity), marriage and civil partnerships. It is easy to see why the two terms are used interchangeably, given that the grounds for discrimination are similar to the characteristics of diversity. Where equality is about fairness and transparency, diversity is about embracing and valuing difference.

To address historical inequality, many organisations in the past (particularly public sector organisations) applied ‘quotas’. However, quotas can damage meritocracy: those recruited under a quota system are judged as nominated under a quota rather than on merit, thereby increasing the risk of excluding the best candidate or undermining the credibility of the selected candidate. Quotas also fail to address the issue of implicit bias, where committees and individuals charged with recruitment, promotion and performance evaluation typically tended to select people that looked like them, acted like them, talked like them, had similar backgrounds etc. Implicit bias refers to the attitudes or stereotypes that affect our understanding, actions, and decisions in an unconscious manner. These biases, which encompass both favourable and unfavourable assessments, are activated involuntarily and without an individual’s awareness or intentional control. Residing deep in the subconscious, these biases are different from known biases that individuals may choose to conceal for the purposes of social and/or political correctness. The implicit associations we harbour in our subconscious cause us to have feelings and attitudes about other people based on characteristics such as race, gender, education, ethnicity, age, and appearance. Implicit biases are not accessible through introspection. We rarely recognise our own implicit bias, and therefore the rules for ‘equality’ can lack transparency in work recognition, recruitment and promotion.

This is where Diversity programs have the potential to bridge a gap.

To encourage Diversity in the workforce, we need to consider a starting point. Publishing a diversity policy for your organisation is about as effective as publishing a privacy policy is for data protection effectiveness – on its own it is meaningless. The key to diversity is to understand how different types of diversity and different demographic characteristics can impact human behaviour. This presentation explores some key characteristics of diversity, and outlines several positive and constructive steps that organisations (and society) can take to encourage diversity and equality in the workforce and outlines the potential benefits of such steps. We pay attention to gender diversity and explore recent pan-European studies that identified factors that influence different genders into selecting tech as a career.

Key learning outcomes from this presentation are:

  • Understanding the differences between diversity and equality
  • Understanding the impact and role that diversity has on both employees and on products, services and revenue.
  • Understanding the challenges of building diversity into our teams
  • Understanding implicit bias/unconscious bias, and strategies to determine and address such bias.
  • Understanding the importance of the role of mentorship in teams

Audience: Senior roles involved in managing security and/or privacy teams: CIOs, CISOs, CROs, CPOs, Team Leaders and anyone involved in the recruitment of security or privacy teams.

10:30 Part 2 - Measuring the Power of Diversity in Cybersecurity Teams Speaker(s): Rosanna Kurrer

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults on and leads design thinking, corporate innovation and coding seminars for corporates and individuals (e.g. BNP Paribas, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasises the doing of things. A native of the Philippines, via formal architecture education in Japan, she now identifies as German and Belgian.

How strong is the business case for cognitively diverse teams in cybersecurity? Applying the research of several diversity academics, including that of social scientist Scott E. Page, known for modelling diversity and complexity, how can we apply these models to different security teams to quantify the benefits diversity brings to performance on the specific tasks needed to reach a team’s objectives?

Perspectives on Corporate Diversity Initiatives: Identifying three approaches to managing the issue of diversity in the corporate workplace: discrimination-and-fairness paradigm, access-and-legitimacy paradigm and the learning-and-effectiveness paradigm [1]. How do these three approaches differ in leveraging diversity? How are they relevant to cybersecurity teams?

Significance of Proportions: Proportional representation of any demographic can affect behaviour, performance and perceived performance in a group [2]. Four group types are identified according to the relative proportion of a certain population and the resulting social categories of their membership:

  • uniform group (100:0, homogeneous team),
  • skewed group (85:15, dominants:tokens),
  • tilted group (65:35, majority:minority),
  • balanced group (60:40 to 50:50, potential subgroups).

How might these social categories affect performance in specific security teams?

Toolbox Framework vs Measuring Stick: Measuring, comparing and ranking individual intelligence or ability has traditionally been done using the measuring stick of IQ scores. The toolbox framework (of cognitive tools) reframes how we think of intelligence [3], especially in the context of collaborative tasks. It allows us to compare the effectiveness of teams according to the number of unique tools (acquired through training and/or experience) each member brings into the team, and the combinations of relevant tools between members available to tackle complex problems or situations, such as responding to an incident. Tools can be categorised in frameworks of perspectives, heuristics, interpretations and predictive models. This refers to the knowledge base, experiences, rules of thumb and problem-solving approaches that represent the unique contributions of each member.

Complexity and Diversity: Complexity is in the nature of the problem (challenges in securing an organisation), in the complex tasks needed to address them (high-dimensionality and difficult to decompose), as well as in the tools of the team and the combination of tools between members of a team (cognitive repertoire). The challenges facing security teams change at an incredible pace and increase in complexity as new information and technologies are created, i.e., there is a need to be agile, flexible and adaptive, and a need for both broad and deep knowledge base of various domains. How do we face complex challenges with a limited team budget for human resources and the seemingly small talent pool? Could diversity be one of the answers to address these complexities?

Diversity Bonus - When Diverse Teams Trump Homogeneous Groups: Diversity bonuses depend on the team and the tasks at hand (routine vs non-routine, manual vs cognitive) [4]. A team with minimal overlap of relevant tools among its members, or with a high number of unique, relevant tools contributed by each member, may realise a diversity bonus. This bonus enables a team to perform better on complex tasks, which are frequently required in a knowledge economy. What do ideal teams look like considering: (1) the tasks needed to achieve targets and objectives, (2) the task-relevant cognitive repertoire of the team, and (3) the culture that enables productive interaction within the team? When and how can a cognitively diverse team perform measurably better in a security domain, and what are the steps to achieving this?

11:30 Part 3 - Inclusive Cybersecurity Recruitment Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

CISO, Deloitte (Netherlands)

Esther is a Specialist in Security Architecture at Deloitte Cyber Risk Services. Her ambition is to be a Leading Lady in Cyber who is the best in her craft (security architecture) and makes societal impact as a role model by making girls and women feel they (could) belong in the world of cybersecurity. For her work on getting more women into cyber, Esther has received prizes and nominations such as the Cybersecurity Award, Techionista Award, VIVA400 and Change in Business Award.

Working with people from diverse backgrounds is key in cybersecurity. How else can you combat the creativity of a black-hat hacker? The reality is that many cybersecurity teams consist of people with similar backgrounds. They have taken similar paths throughout their careers before ending up in this team. So how do you get those fresh perspectives in? Recruiting diverse profiles is easier said than done.

Cybersecurity recruitment is a challenge anyway. You'd like to hire a security unicorn. Just like everybody else, except they pay more. Your recruiter doesn't understand the nuts and bolts of cybersecurity. The people in your security team are not trained in recruitment interviews. You read about the Cybersecurity Skills Gap on a frequent basis and weep. What can you do to get the people you need?

This session should be of interest to security team leaders and those participating in the recruitment process. The speaker has been the business counterpart of the cybersecurity recruiter for a multinational. They have scouted, guided and onboarded candidates from non-traditional pathways. They have adapted processes and built tools to remove bias from the recruitment process. The audience will leave this session with practical tips on what changes they can make to diversify their security teams.


COSAC Interactive - International Security Roundtable

13:30 International Security Roundtable Speaker(s): John O'Leary, Glen Bruce, Simon Devlin, Michael Hirschfeld, Siân John MBE, Lisa Lorenzin, Helvi Salminen

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

Simon Devlin

Head of Security Architecture, Tesco (UK)

I currently lead the Security Architecture and Application Security teams at the UK’s largest retailer. My career path is probably typical for someone of my age. I started on a technical helpdesk before Ethernet became the de-facto network connectivity standard and progressed into Unix ops, where on my second ever nightshift, the UPS exploded. Not quite a trial by fire, but pretty close. A decade or more of Cisco, Firewall-1 and IDS fun led me into what’s now called application security, and...

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...

Helvi Salminen

Security Advisor (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before taking on information security tasks she had 12 years' experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi holds CISA, CISSP and SABSA qualifications and was named CISO of the Year in Finland in 2014.

The COSAC Interactive session is modelled on our traditional International Security Forum, which for each of the last 20 years has consistently been one of the most valued sessions of the entire COSAC event. We have made a few adaptations for the online virtual format: we cannot reasonably conduct the session under its normal full NDA, but we will bring a flavour of the highly cherished COSAC Trust Culture to the session and reduce its length from our traditional full day to 3 hours.

COSAC Interactive will be led as always by our brilliant facilitator John O’Leary, supported by long-standing, highly-respected members of the COSAC community with a huge depth of experience across the breadth of the security spectrum:

  • Glen Bruce (Deloitte, Canada)
  • Simon Devlin (Tesco, UK)
  • Michael Hirschfeld (David Lynas Consulting, Australia)
  • Siân John (Microsoft, UK)
  • Lisa Lorenzin (Zscaler, USA)
  • Helvi Salminen (Consultant, Finland)

John and the COSAC panel will analyse hypothetical scenarios and actual events from widely different perspectives, based on widely different experiences and perceptions of success and failure learned in the real world. All participants in the Interactive session will be encouraged to offer and rigorously defend their own opinions and experiences. Collectively, embracing the COSAC ethos that all of us have an experience worth sharing and an idea worth developing, we will help and learn from each other.

16:30 - 17:00 BREAK

COSAC Instant - COSAC Rump Session

17:00 Conference in an Hour Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

An in-person COSAC conference always ends with the hugely popular “COSAC Rump Session”, which is the inspiration for this virtual adaptation, COSAC Instant. The intent is to deliver a conference in an hour. The audience’s expectations of presenters are: get on stage, make your point, interest us, provoke our thoughts, inspire us to action, give us value, but omit the boring basics, delete all padding and remove the fluff.

The COSAC Instant session, facilitated by COSAC Chair David Lynas, will consist of 10 presentations of 5 minutes duration that will collectively deliver the Conference-in-an-hour concept.


18:00 Day 3 - Networking Session