
For 26 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.


Thursday 4th October 2018

09:00 - 09:30 Delegate Registration & Coffee

09:30 14A: Betsy, Fluffy & Herd 51 Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

IT practices are changing at a rapid pace and are impacting the way we need to look at information security. A few of the hot topics, like cloud computing, DevOps and zero boundary systems, are perfect examples of this. In some ways we are doing the same old thing, but in a way that doesn’t look exactly familiar. Recently, in a conversation with a cloud vendor engineer, it was implied that my question regarding configuration management was, well, old fashioned. Why would we treat our application like a pet, which needs a high degree of care and maintenance, rather than as cattle that are maintained in large quantities and, according to the metaphor, individuals can be removed from the herd and replaced with no noticeable impact? (No animals were harmed in the making of this session.) After a bit of research, it was clear that this analogy has been around for a little while, but more in the context of servers and only more recently for applications. In this session we will look at a use case of a cloud implementation where several of these concepts came together and were put under a high level of security and compliance scrutiny. We will look at some of the successes as well as the lessons learned throughout this engagement. Finally, we will have a group discussion regarding how we as security professionals can embrace, or at least keep up with, the progression of IT practices.

09:30 14B: The Impact of GDPR on Information Security 2.0 Speaker(s): Karel Koster

Karel Koster

Head of Information Security, (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds a position as Head of Information Security within Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel, as an information security officer, was responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

On the 25th of May 2018 the GDPR came into full effect. Therefore GDPR compliance is the talk of the town within information security management departments. Last year I facilitated a highly interactive session about the possible impact of the GDPR on information security management. We tried to predict its reach and discussed several roads to GDPR compliance.

Last year at COSAC we found that there is no indisputable right or wrong yet, since the legislation leaves a lot of room for interpretation. Now with the GDPR in effect, we can monitor how this new law is interpreted within and outside of the EU and see if we can use the knowledge and experience of the COSAC participants to answer the questions your business will have regarding the GDPR. Examples of these questions include, but are not limited to:

- What does GDPR enforcement look like? 

- Is GDPR strictly enforced both within and outside of the EU?

- Are enforcement agencies really fining companies when they are non-compliant?

- Our company won’t be compliant any time soon, what should we prioritize? 

- Is there an (unofficial) grace period?

- Do data subjects really ask for their personal information?

I have monitored the GDPR and its implications closely this past year and will share my answers and views on these topics and invite you to present your questions and views. Then we will work collectively on answering them. 

09:30 14S: Defendable Architecture, Advanced Persistent Threats & SABSA Speaker(s): Gabor Medve

Gabor Medve

Chief Information Security Architect, Telenor Group (Hungary)

Gábor is a communication engineer by education and worked as a system administrator during his studies, where he was influenced very early by the information security field. He has worked in information security since 2000 across different areas, always with the main aspect of how to deliver & maintain secure solutions while being able to spot & analyse unauthorised access. In recent years he has been focusing mainly on security quality assurance in global delivery structures.

How to address the trend of increasingly sophisticated and persistent attack types, especially in case a business entity is exposed to APT? 

What are the prioritized relevant characteristics and attributes we may use and focus on in our security architecture? 

What are the most important or interesting implications in case of supply chain, partners and IT service providers? 

How could the potential relevant controls contribute to business objectives and opportunities? 

During the session we will assess as many of the answers as possible in a joint discussion, considering the following set of reference material (pre-read is recommended):

• Operation Socialist – Belgacom hack by GCHQ 

• Operation Cloud Hopper – APT10 compromising Managed Service Providers 

• Defendable architectures white paper (Lockheed Martin)

• Threat-driven approach to cyber security (Lockheed Martin)

• Intelligence driven computer network defense (Lockheed Martin)

• Cyber Kill Chain (Lockheed Martin)

• Semantic Cyberthreat Modelling

• MITRE ATT&CK framework 

• Cyber resiliency design principles (MITRE)

• NIST sp800-160 vol. 2 – Systems Security Engineering/Cyber resiliency considerations for the engineering of trustworthy secure systems (note that the really interesting parts are in the appendices) 

• Securing privileged access (Microsoft)

10:20 15A: Helping You Become the Least Powerful CISO in the World Speaker(s): Dave Barnett

Dave Barnett

EMEA Head of CASB, Forcepoint (UK)

Responsible for Forcepoint's CASB and associated information protection portfolio, Dave has been in the industry for over 20 years in a variety of roles. Recently Dave was the co-author of PAS555, the first nationally ratified standard for cyber security, and he has worked with industry & academia to further knowledge of security. Dave is amazed by the innovation coming from users and his talk will focus on methods to identify cloud apps & work with the business to identify their wider...

Perfection is the enemy of creativity and a perfect world is one in which business cannot thrive. Without putting in place draconian and hard to maintain technical blocks we cannot stop the use of cloud by our users, and in many cases businesses want to encourage this.

This highly interactive session will explore subjects such as: 

- A new model to calculate risk in the cloud (C*D*UBA) - if we don’t have full control over the end point, we don’t have any control over the internet and at best we have a contractual relationship with the cloud app, how on earth do we calculate risk?

- The cloud shared responsibility model - (with CIA in mind) how to select a cloud provider, what do they do, what do you do and what is shared. 

- Digital transformation - Finding demand for new cloud apps - hunting down user generated (shadow IT) innovation, discussion around processes to de-risk and adopt them as new corporate standards. 

10:20 15B: Day to Day Security Management: Improvisation or Science Speaker(s): Helvi Salminen

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years' experience in systems development. Helvi is a founder member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is CISA, CISSP & SABSA qualified and was awarded CISO of the Year in Finland in 2014.

Many security practitioners who manage day-to-day security in an organization have a somewhat skeptical attitude towards the value of scientific thinking in their daily work. It is often considered too academic and theoretical, getting stuck on irrelevant details and forgetting the need to resolve real problems efficiently.

This attitude has been bothering me, and I have had several debates about the topic. Naturally in a hectic situation, e.g. a critical incident requiring immediate actions, it may be difficult to see the value of scientific thinking. But we shouldn't give up so easily. 

I claim that the principles of scientific thinking and methods can significantly improve security management and the day-to-day security work. Both scientific knowledge and security decisions 

- must be based on observation of the reality, 

- should avoid entering into the trap of "common sense", 

- should strictly respect the principles of validity and reliability, and 

- are based on the idea of continual improvement.

In this presentation I will point out what scientific methodology and security decision making have in common. I will also take a look at some security frameworks from a scientific point of view. The presentation will also include some scenarios, including incidents, where the security solutions can benefit from a scientific approach.

10:20 15S: Why Cyber Resilience? Speaker(s): Christian Arndt, Anton Tkachov

Christian Arndt

Partner, PwC (UK)

Christian Arndt is a director at PwC based in London. Christian is an experienced consultant with deep expertise in cyber security, technology, and programme management in a wide range of organisations. He has over 18 years’ consultancy experience working for a broad range of international clients. Specific industry experience includes working for some of the world's largest telecoms companies, financial services, and central government.

Anton Tkachov

Director, PwC (UK)

I lead the Cloud Security proposition nationally and am growing a team of 'hands-on' security architects that can assist our clients with everything from an assessment & definition of cloud security strategy to technical architecture advisory & system integration work. The primary objective of my role is to leverage a vast network of bleeding edge technology start-ups and vendors to help our clients in finding and deploying new, more effective and efficient ways to manage cyber risk.

Frameworks solely focusing on Cyber Security are different to frameworks that focus on Cyber Resilience: 

Cyber Security consists of the technologies, processes and measures that companies have designed to protect systems, networks and data. 

Assumptions: A best practice set of security controls must be mature across the board. 

Goal: Knowing where the gaps are. 

Focus: Lagging security controls. 

Thinking Differently - 

Cyber Resilience requires companies to think differently by considering their critical economic functions* and analysing the threats that target those. 

Regular testing is then used to test the ability to rapidly orchestrate the recovery from an attack and helps companies implement advanced techniques. 

Assumption: A breach will happen. 

Goal: Minimise business impact. 

Focus: Availability of critical economic functions. 

Cyber Resilience is a growing concern of UK Financial Sector regulators. We would like to use the opportunity to discuss how we have used the SABSA framework to develop a Cyber Resilience strategy for our clients and proactively manage the conversation with the FS regulator.

11:05 - 11:25 Morning Coffee

11:25 16A: Anatomy of a Breach Speaker(s): John Ceraolo

John Ceraolo

CISO, Sentry Data Systems (USA)

Mr. Ceraolo has been an information security professional for over 25 years in industries ranging from publishing, software, automotive, mobile technology and now healthcare analytics. He has frequently spoken at COSAC and other US-based security conferences. He holds his CISM, CISSP, and CISA as well as his Masters in Information Assurance from Norwich University.

Media reports of breaches only cover a high-level, sanitized version of the event. The real story is behind what a CISO goes through when experiencing what is arguably the worst part of our job, yet the very day we train for above all others. In this session, the speaker will share the inside story; the pain, the anxious moments, the psychology of the culture when a company experiences a breach. Ultimately, we will cover the lessons learned from what can work in an incident response plan and what did not. All names have been changed, but this session will dissect an actual breach and present the most relevant and useful moments so the attendee can review their own plans and adjust accordingly. Intended audience is those that have not experienced a breach, but those that have are welcome to add their personal insights where permissible. Collaboratively, the collective can gain even more insight. 

11:25 16B: There IS an "I" in Team Speaker(s): Valerie Lyons

Valerie Lyons

Information Privacy Researcher & PhD Scholar, (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Amidst the fast-paced changes in the digital space, security and privacy professionals are often preoccupied with keeping up-to-date with the latest technologies, the latest regulations, the latest security architectures and so on. However, they often overlook a far more important aspect of their career - their own personal development and that of the teams they lead. The dynamic between individuals, team members, other teams, colleagues, vendors, customers etc. is paramount to individual achievement, team engagement, and team performance. But what factors influence that dynamic, and can we control those factors?

Daniel Goleman, an American Psychologist, believed that at the heart of team dynamics and team leadership lay a series of traits referred to as ‘emotional intelligence’ (EQ). EQ is the capability of individuals to recognise their own emotions and those of others, discern between different feelings and label them appropriately, use emotional information to guide thinking and behaviour, and manage and/or adjust emotions to adapt to environments or achieve one's goals. 

As a qualified executive coach since 2013, I have applied many EQ coaching tools with various team members, including myself. By using these tools, we can help team members sympathetically explore perhaps aspects of personality that might prevent career progress or explain why, despite a great job, someone still feels unfulfilled. Certain coaching tools can also help facilitate exploring our inner critics and negative self-beliefs. 

This presentation aims to briefly outline those tools and is divided into two sections; the first explores some of the more effective coaching tools for individual development:

· Emotional Intelligence Assessments and 360 reviews. 

· The 9 Enneagram Types 

· The 5 Whys (and other good coaching questions) 

· Mindful Coaching Strategies 

The second section explores tools more suited to coaching teams, to help create more High Performing Teams, and can be applied very successfully after coaching the individuals within a team: 

· Tuckman’s Team Stages Theory 

· Belbin’s Team Roles 

· Beckhard’s GRPI Model 

This hopes to be a very interactive (and hopefully fun) session, with several session takeaways, including directions to some really effective free online tools to help analyse your team members’ roles, and enneagram type analysis. 

11:25 16S: SABSA Open Forum - Part 1

12:15 17A: Intent based Security: Bringing the Security the Organisation Wants or the Next Buzzword? Speaker(s): Kris Boulez

Kris Boulez

Senior Expert, NVISO (Belgium)

Kris is a Senior security expert with extensive experience in Technology Consulting in general and Information Security in more depth. Kris joined NVISO in 2017 and prior to that worked at Ascure, which was acquired by PwC in 2011. The last decade he has mainly worked on Enterprise Security Architectures (ESA), PKI and (Web) Application Security. This vast experience allows Kris to act as a seasoned project manager on complex and technical assignments, while keeping a close link with business. 

Intent-based security (IBS) will, when finally achieved, allow an organisation to describe “what” it wants to be secure and not “how” it wants this. By using declarative statements (e.g. ‘make a new webserver available’) instead of prescriptive ones (e.g. ‘open port X on firewall Y, configure a reverse proxy and enforce 2FA’) we come closer to delivering the security an organisation needs.

To achieve this, IBS relies on full automation for management of security solutions via the so-called “Security Fabric” (in which all security devices are woven together), which spans across today’s borderless network environment. This implies that security solutions are deployed independent of the ecosystem being used and these individual mitigations are then bound together to enable the centrally-defined intentions. Once integrated, these security solutions can compare and correlate events and threat intelligence to not only see new threats, but also begin to anticipate the intent of the security people.

The last year has seen a lot of media coverage on intent-based networking and security, described as “the next big thing” by analysts. In this talk we will describe which building blocks it builds on, what is already available at this moment and where it can evolve to in the coming years. Finally, we will try to answer the question of whether, by automatically translating business events into infrastructure policies, we will be able to bring the security the organisation wants.

12:15 17B: Where Should the CISO report? Speaker(s): Kathleen Mullin

Kathleen Mullin

CEO, MyVirtualCISO (USA)

Kate Mullin is an influential information security practitioner with more than 30 years of experience in various accounting, audit, risk, governance, and information security roles. She has been a CISO at various organizations including publicly traded, private, not-for-profit, and governmental entities. Kate established the role of CISO at Tampa Airport and at Healthplan Services.

Information security’s organizational placement is frequently a significant contributor to the ineffectiveness of security programs. Information security is supposed to be about data governance and protection. When information security is embedded within IT, the focus becomes the technology and not how technology is supposed to be used to address the confidentiality, integrity, and availability requirements of the owners of the data. As organizations embrace new technology and are agile in responding to business needs within constrained budgets, information security frequently falls behind.

In some of the largest data breaches, where the CISO reported within the organization adversely impacted information security’s ability to assist the organization in protecting data. The inherent segregation of duties merely creates someone to be blamed.

Regulations such as the EU’s General Data Protection Regulation (GDPR) and contractual obligations like PCI exist to protect data and require both technical implementations and business decisions. Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) are supposed to look at segregation of duties but have never addressed the CISO. Will GDPR finally address the issue or will we continue to push the issue off? This presentation will discuss the best way to address the CISO reporting structure to make CISOs and information security effective.

12:15 17S: SABSA Open Forum - Part 2

13:00 - 14:00 Lunch

Workshop W1

14:00 Complexity, Change & Security Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

It’s not getting any easier. The complex, ever-changing work environments of 2018 and beyond pose numerous and unique security problems. And we’re supposed to smoothly and accurately handle all of them.

Computing environments grow more complex by the day, new devices proliferate, and our attack surfaces continue to expand. Big data, analytics and the IoT are definitely shaping the future, but relevant security standards are far from settled. Organizational structure change is almost a constant. People still make mistakes and get socially engineered. And the bad guys seem to find ever more creative ways to defeat our newest and most sophisticated security measures.

In this half-day COSAC class, we’ll give guidance for coping with this complexity and change in securing our vital assets.

Part 1 – Securing the complex environment

– We’ll analyze current and future threats and realistic countermeasures for a computing environment featuring Big Data, the IoT, Analytics and an ever-multiplying population of powerful, portable, connected devices.

Part 2 – Securing the ever-changing organization

– Change agents that can seriously affect security are gaining traction everywhere. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.

Part 3 – Securing the semi-predictable humans

– Phishing, really just automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Workshop W2

14:00 The Business Prevention Department Speaker(s): Karel Koster, Maurice Smit

Karel Koster

Head of Information Security, (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds a position as Head of Information Security within Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel, as an information security officer, was responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In this day and age the security department’s existential necessity is not questioned any more, yet it often doesn’t get further than being perceived as ‘The business prevention department’. This negative bias towards security departments is something that unfortunately is based more on truth than on fiction.

Dealing with security departments is often perceived as cumbersome, irrational and bureaucratic, and often without the desired outcome. During this workshop, we will describe the strengths and weaknesses of two stereotypical security departments, ‘the Ivory Tower’ and ‘Doctor No’.

We will also describe the profile of a more successful security department and provide useful hands-on tips to establish the same in your environment.

Using these strengths and real-life user stories, the participants will be presented with several challenges. Their response to these challenges will be scored from both a security and business perspective, and it will be explored whether both can be achieved or whether security will always impact the business perspective or vice versa.

The facilitators will act as a mirror to the participants and lovingly yet bluntly give them feedback on the proposed strategy. They will tell you what your business stakeholder normally only thinks but does not reveal.

Workshop W3

14:00 Help!? I want to Become a Great SABSA Architect Speaker(s): Esther van Luit, Kirsten Meeuwisse

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Kirsten Meeuwisse

Consultant, Deloitte (Netherlands)

Kirsten Meeuwisse is a consultant at Deloitte Netherlands. She graduated from TU Delft in Systems Engineering, Policy Analysis and Management with her research on the trade-off between security and usability. Next to her work in supporting companies to improve their security, she wants to help children as well by educating them on cyber security & technology. She does that by organising hacklabs and by introducing the Microbit at primary schools.

The Security Architect work role of the NIST SP800-181 Cybersecurity Workforce framework sets out the tasks and requirements for knowledge, skills and abilities for security architects. However, does a great security architect also make a great SABSA security architect? And are you a great SABSA architect? How could you be better?

Under guidance of an experienced cybersecurity workforce developer, participants in this workshop will together evaluate the current NIST SP800-181 Security Architect Role. They will determine improvements to better fit the SABSA architect role using SABSA’s own business driver- and business attribute methodology. Based on the results, participants will be guided through a self-assessment questionnaire to assess their maturity on the relevant tasks, knowledge, skills and abilities.

This session is aimed at furthering the definition of a SABSA architect, clarifying the differentiating features of those who deem themselves SABSA architects versus ‘regular’ security architects. Each of the participants will leave this session with 1) the resulting work role profile for SABSA architects with tasks, knowledge, skills and abilities, and 2) a personal profile expressed in terms of Bloom’s Taxonomy of what their current maturity is and in what areas they can improve. In addition, an anonymised collation of the results (opt-out) will be offered to The SABSA Institute to allow for better understanding of the learning community and possible improvements to the curriculum.

Plenary Session

17:15 Decrypt, Deceive, Destroy: Joe Rochefort, Midway & 8 Miraculous Minutes Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Conference Close

18:15 Conference Close - COSAC Chairman Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.