Welcome to COSAC - Conferencing the way it should be!

Call for Papers is now open for COSAC 2020!

For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Thursday 3rd October 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 15S: SABSA Secret Superpower Speaker(s): Andrew S. Townley

Andrew S. Townley

Founder & CEO, Archistry (South Africa)

Andrew is an international speaker, published author and thought leader on business execution, security, risk and technology who has extensive practical, hands-on experience working in the US, Europe, Middle East, Africa and Brazil. His Enterprise and Security Architecture experience includes leading SABSA adoption organizational change initiatives for Fortune Global 300 customers and is built on not only SABSA certification but personal mentoring by two of SABSA’s principal authors.

Are you mired in the murky muck of poorly defined risk ownership?

Tired of dealing with “kitchen sink” risk scenarios that imply every time someone trips over their shoelaces the company will inevitably go out of business?

Lost in the matrix of an overwhelmingly complex organizational reporting structure that thwarts every attempt to show where the true power over what really gets done is held?

If you’ve answered “yes” to at least one of those questions, then your future sanity, the fate of your children, your career – and even your dog – depend on you attending this talk.

Whether you wear t-shirts, Oxfords or English Spreads, underneath that tightly woven cotton exterior beats a heart infused with an oft under-used super-power: The SABSA® Governance Model.

Not true, you say?

You just might need to get re-acquainted…buy it a beer…or even take it to lunch from time to time to remember who it is and why it’s useful.

Or you might not even understand its true power.

The thing’s a slippery little devil. If you don’t give it enough attention, it’ll leave you colder than the last time you forgot your partner’s birthday—again.

So that’s exactly what this talk is about. To reacquaint you with a potentially under-used SABSA superpower that can literally SAVE THE DAY when you least expect it.

Some of the things we’re going to cover:

- Why you might’ve missed the importance of this superpower when it’s hiding in plain sight
- How it can be harnessed to untangle the most twisted and wicked organizational interactions and relationships (before you can find a convenient phone booth)
- When to formally and finally burn forever the broken, ignored and just plain confusing RACI charts clogging your existing security governance model (and what to build in their place)
- Exactly what to do when you have trouble finding the right risk owners so you flush them out of hiding and never let them off the hook again
- How you can turn abstract arrows into concrete financial impact (predictably, reliably and based on hard numbers “the business” can’t refute)
- What to do when you’re asked whether you’ve considered all the information and cyber risks that might derail the business (and build shedloads of stakeholder credibility in the process)
- Where to find the ultimate budgetary bottlenecks (and how to make sure the money keeps on flowin’)
- How you can give the gift of stress-free sleep to yourself (and the security leadership team) that just keeps on giving the more work you do
- A collaborative way of articulating and clarifying the real risk tolerances and performance targets that matter most to the organization

09:30 15A: Building a Positive & Persuasive Security Programme Speaker(s): Mark McKenzie

Mark McKenzie

Director - Information Security, Dept. of Agriculture & Water Resources (Australia)

Mark leads the Information Security program at the Australian Dept of Agriculture, where he has overall responsibility for risk management, security architecture and incident detection and management. He has held similar roles in other Australian Govt agencies, including Dept of Finance and Dept of Human Services, and prides himself on building security programs that are focussed on managing organisational risk in ways that provide good security outcomes as well as good business outcomes.

Building a security program is hard – and building it from next to nothing is harder. Vendors, compliance targets, and competing priorities make it easy to lose sight of what capability you need to build and when. But with the right attitude, a bit of planning, and an understanding of what you need, you can build a positive and pervasive security program that addresses your organisation’s risks and enhances your personal reputation.

In this session I’ll share my experience building security programs for a range of Australian Government agencies – including one where I was their first information security advisor. I’ll describe how I worked to change culture, build people, and improve security capability in challenging organisations, and how you can do the same in your organisations.

I’ll be talking about:

- what the core elements of a security program are;
- how to develop your strategy;
- building your team;
- how to overcome common constraints – particularly funding and culture; and
- how to work within your business to achieve shared goals.

09:30 15B: How the Attack Chain Really Works & The Evil-Minded Toad Problem Speaker(s): Siân John MBE, Lesley Kipling

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is Chief Security Advisor for EMEA in the Cybersecurity Solutions Group at Microsoft. Siân leads the EMEA security advisors who work with Microsoft’s customers to help them develop their cyber security strategy and security best practices, and to understand how Microsoft’s technology and services can support digital transformation and cloud services. Siân was awarded an MBE in the Queen’s New Year Honours List for 2018 for services to Cybersecurity.

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

The Lockheed Martin Cyber Attack Chain, also known as the Cyber Kill Chain, has been widely adopted in the literature and is part of the sales promotion techniques for far too many "not actually the magic bullet we claim it to be" security tools. However, anybody who has actually watched "Evil Minded Toads" in action against your systems - whether operational infrastructure or a honeynet - will know that there are some serious shortcomings in the Lockheed Martin approach, which still, unsurprisingly given their background, owes too much to the traditional military-derived attack chain concept and far too little to the speed and flexibility of the internet age.

Unless you are the target of those few adversaries with the ability and resources to craft an attack specifically to your network (your "attack surface", if we are being pedantic), you are much more likely to see a very shortened attack chain - and fewer steps and shorter timescales give the defenders much less chance to detect and respond to the attack.

This presentation will focus on a selection of very common attack methods, relate them to a modified kill chain, and look at the ways that active and passive defences can best be arranged and managed to prevent, detect and disrupt those attacks.

10:20 16S: Using SABSA to Develop a Cyber Security Strategy Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Executive Consultant, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs.

The SABSA architectural methodology has a number of tools, techniques and frameworks that can help IT Security professionals understand the challenges they face, present and discuss with their executive and stakeholders when building and progressing a Cyber Security Program.

Fundamentally, a strategy is a document that sets out how you plan to achieve a series of long-term objectives.

Within Cyber Security our objectives must be closely aligned with those of the ICT group and, just as importantly, with those of the business as a whole.

If our Cyber Security Strategy isn’t helping the Business or ICT meet their objectives, then we will struggle to articulate our relevance and we will find it difficult to get budget. On the other hand, when our strategy clearly aligns and strengthens the business we are viewed more as a partner.

This presentation will cover a few of the basics of SABSA, provide you with a framework for a Cyber Security Strategy and then demonstrate how understanding and applying some key techniques from the SABSA tool kit can assist you in developing and presenting a coherent and aligned Cyber Security Strategy that the business will understand.

10:20 16A: The Holistic CISO: Applying the 7S Framework to Cybersecurity Leadership Speaker(s): Todd Fitzgerald

Todd Fitzgerald

Managing Director/CISO, CISO Spotlight (USA)

Todd has led information security programs for Fortune 500 and other large organizations for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked a Top 50 Information Security Executive, and authored 4 books: CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019), Information Security Governance Simplified: From the Boardroom to the Keyboard, the ground-breaking CISO Leadership: Essential Principles for Success, and the EC-Council Certified Chief Information Security Officer BoK.

How do we know if the CISO’s security program has accounted for all the components needed to be effective? This session will draw on the work done in the 1980s by two McKinsey consultants (the 7-S Framework) and apply it to building and sustaining the cybersecurity program, to ensure we have accounted for strategy, structure, systems, skills, style, staff and shared values. The talk will look at each of these components.

This represents an innovative way of taking a time-tested framework for organizational effectiveness and applying it to 13 different topic areas of security (i.e. cybersecurity strategy, reporting relationships, privacy, laws, multi-generational workforce dynamics, senior leadership/board interaction, selecting control frameworks, etc.).

10:20 16B: Unlocking the Kill Chain - The Secrets of Mr Robot Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures and Policies supporting business and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.

Kill chains have been used as an organized approach to attacking organizations and have provided very successful results. In some cases the attack appears to have been a well-planned attack; in other cases, attacks have followed a kill chain approach but may not have been planned that way. In almost all cases, the organizations did not realize they were under a kill-chain attack until after the attack had succeeded. Understanding the components and execution of a kill chain based attack provides some insight into how they have been used and what can be done to limit their success.

We will outline the elements of the generally accepted kill chain model and identify the components that are typically used for a successful result. We will use a few well-known and interesting breaches to illustrate the kill-chain approach used to perpetrate successful attacks and what might have been done to stop or limit their success. The popular TV show, Mr. Robot, has applied very realistic kill-chains in their dramatic activities. We will use some examples from the show to illustrate the attack model. Additional examples from session participants are also most welcome.

We will describe various approaches that can be taken to defend against kill-chain based attacks at each step in the kill chain. The better the kill-chain approach is understood, the better able an organization is positioned to avoid or defeat them.

11:05 - 11:25 Morning Coffee

11:25 17S: SABSA Open Forum - Part 1 Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

This open session covers SABSA, The SABSA Institute and the latest goings on in the Enterprise Security Architecture world. If you want to support a SABSA Institute project or the Institute itself, this is the session to join. Meet the Board of Trustees and ask them anything. The Institute will also present an overview of current activities and initiatives.

We would like to discuss what you believe the future of SABSA and the SABSA Institute should be. Let us know what areas the SABSA Institute should focus on.

We propose the following agenda, and are completely open to adjust this to the needs of the SABSA Institute Members:

- Meet the Board of Trustees

- Current Projects

- The future of TSI

- The future of SABSA

- Emerging topics for projects

11:25 17A: So you've Been Hit with Ransomware - Now What? Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and high-technology litigation and advisory across the critical infrastructure, and is highly sought as one of the world’s leading legal (cyber) experts.

This session will focus on ransomware preparedness and response from a technical, political and legal perspective. It will address tools and techniques to minimize the likelihood and potential impact of ransomware, the role of insurance in ransomware preparedness, the role of Service Level Agreements (SLAs) with respect to third party access and use of data, and the role and elements of a ransomware preparedness program. It will also address the most common sources and impacts of ransomware, the role of cryptocurrency preparedness, and some of the legal issues associated with both paying and failing to pay for restoration of data, including: the role of export control laws and regulations; domestic and international sanctions regimes on the flow of cryptocurrencies; the role of “material assistance” laws which may restrict the transfer of cryptocurrency; money laundering and currency exchange laws and their impact on ransomware payment; the use of tumbling, obfuscation, cut-outs and fictitious wallets; tracking money flows through the cryptocurrency exchanges; the use of proxies and third parties; the role of law enforcement (domestic and international); and corporate duties and obligations. It will attempt to answer the questions “do I pay?” and, if so, “how?”

11:25 17B: Building a Working IoT SDLC Business Design Architecture Speaker(s): Shelby Kobes

Shelby Kobes

Director IoT Security, Cognizant (USA)

Shelby is currently leading Cognizant and Verizon Wireless in the development of an IoT design security process. Shelby has been working with a client, developing and designing how their internal departments align with the security mission of the business. Shelby has used the SABSA and ITIL frameworks to develop guidelines and matrices to help align current security services with the strategic mission of the organization.

Building a Working IoT SDLC Business Design Architecture: A Work Session - Vetting IoT Design Architecture

One of the common problems facing organizations and IT management is how to determine what security controls are needed on IoT devices, how to develop a process to implement security, and what processes are needed throughout the design lifecycle so that security is implemented from a design perspective.

In many organizations, the business of design security follows only security best practices, trends, control lists or highly publicized events without really looking at the specific risks to the business. A lot of design security is focused only on ROI and Time to Market, without recognizing the faults and risks inherent in designing an insecure IoT device.

SABSA provides a great way to address the business risk, design methodology and patterns an organization will need to develop a secure IoT device. We will show you an example of how the SABSA Architecture can be used in conjunction with IoT security framework models, as well as NIST/ISO guidelines, to create an IoT design architecture.

In this work session, we will review the processes needed to develop an IoT device, using the SABSA Matrix. We will look at each layer and review the current process in small teams. The goal is to vet the current process with industry leaders and address any gaps in the process. I built this process to allow organizations to define high level requirements and processes, as well as provide traceability to the lower level strategies, services, and components in the IoT design process. I believe that this will provide a robust lens for design security of IoT devices so that security is not something seen as a process after the development of a device, but as a method to develop systems throughout the design process.

12:15 18S: SABSA Open Forum - Part 2 Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

This open session covers SABSA, The SABSA Institute and the latest goings on in the Enterprise Security Architecture world. If you want to support a SABSA Institute project or the Institute itself, this is the session to join. Meet the Board of Trustees and ask them anything. The Institute will also present an overview of current activities and initiatives.

We would like to discuss what you believe the future of SABSA and the SABSA Institute should be. Let us know what areas the SABSA Institute should focus on.

We propose the following agenda, and are completely open to adjust this to the needs of the SABSA Institute Members:

- Meet the Board of Trustees

- Current Projects

- The future of TSI

- The future of SABSA

- Emerging topics for projects

12:15 18A: Security Assessments are Dead! Long Live Security Assessments! Speaker(s): Martin De Vries

Martin De Vries

Information Security Officer, Rabobank (Netherlands)

Martin is an experienced Information Security Professional with a background in Project Management and Service Management. In recent years his focus has been on innovation, both security innovation and secure innovation. In this role he scouts for security innovations, trends and technologies, and provides security advice to startups and scale-ups, helping them to properly address their cyber security risks.

A revolutionary shift in performing security assessments is needed.

With the ever-growing IT landscape of organizations, as well as the growing amount of third party IT we depend upon, a discrepancy is emerging: the number of skilled security resources isn’t growing at the same speed (for various reasons) to perform all those assessments. The current, manual way of performing risk/security assessments is no longer viable. In fact one might say that every organization still performing manual security assessments is inherently insecure and at risk! So, what should we do then?

It’s called ‘Digital Risk Management’ (I know, it’s a Gartner ‘invented term’). More automation, machine learning and AI (yep, this talk will do well in the hype word bingo at COSAC) will be needed to get up-to-date insights into the security maturity of an organization. This talk will dive into the benefits and pitfalls of this new way of performing security assessments and as such will provide an interesting insight for the experienced COSAC audience.

12:15 18B: SDN NFV - the Next Big Thing? Speaker(s): Mary Dunphy

Mary Dunphy

Security Architect, TEK Systems (USA)

Mary is an IT Security Architect for TEK systems. She has worked on projects in advanced cyber defense for RSA & Program Manager for Vendor Solutions/Integrations for Google headquarters in Mountain View, CA. Mary is the former CTO for Pro-Tec Design where clients included DHS, MSP, Best Buy, City of Minneapolis, FBI and departments at all levels of government. She also provided consulting services for Attorney General Settlement Agreement and Office of the Comptroller of the Currency.

The wave of Software Defined Networks (SDN) and Network Function Virtualization (NFV), sometimes referred to as virtual network function (VNF), is a disruptor to previously agreed upon best practices for security. Solution providers touting the ease of 3 day installs of overlay networks to provide configuration and orchestration minimize the potential new risks introduced with OpenStack virtual network functions (VNF or NFV), as well as the many NFV flavors vendors have developed for their own market share. The shiny promise of relief from management tasks is a siren call to a beleaguered network staff, as is the promise of being able to implement multiple network architectures at high levels of abstraction rather than piece by piece, operating as intended simply by telling it your goals and letting it figure out the best path to success. What is left out of this utopia? Where does Security live in this model? This session is designed to facilitate ongoing discussion of the roles and placement of security in this changing landscape.

13:00 - 14:00 Lunch

Workshop W1

14:00 How to Build Resilience & Fidelity into our Data Speaker(s): Char Sample

Char Sample

Chief Scientist Cybersecurity Cybercore, Idaho National Laboratory (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland and with the University of Warwick, UK. Dr. Sample has over 20 years’ experience in the information security industry. Most recently Dr. Sample has been advancing research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

The data that we protect and use lacks guaranteed veracity. This problem has been known for years, but because historically the data has been accurate, and therefore deemed trustworthy, we have not looked closely at the fidelity of the data. Recent developments in fake news (beyond politics and into economics), with “deep fakes” and artificial intelligence used to create narratives, present an opportunity for all cyber security professionals to question our role in ensuring the accuracy and fidelity of our data and how we can make the data resilient against deception. We will define the problem, discuss the origins of the problem and examine various methods being discussed to address this problem that is only now gathering attention.

Workshop W2

14:00 Security Modelling Workshop Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Lavender Bytes Consulting (Belgium)

Steven is an SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and is developing a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018 and authored a paper for the SABSA Institute.

Bonnie Demeyer

Security Consultant, Lavender Bytes Consulting (Belgium)

Bonnie is a Security Analyst and Information Security Manager with two years’ experience in the application of security to Agile and Scaled Agile projects. She has also worked with Steven in the development and practical application of the model-driven approach.

By the time COSAC 2019 opens, The SABSA Institute is expecting to have established a new Interest Group dedicated to processes and tooling.

The launch will be marked by a working group dedicated to model-driven security architecture.

We would like to use this workshop to provide a more practical, in-depth introduction to tools & resources, both available and in development, that support the SABSA methodology and the production of artefacts.

These will mainly focus on the resources available from the TSI’s own Process & Tooling Interest Group site (the open-source ArchiMate Security Extension), but the workshop will also evaluate and compare an unofficial 3rd party SABSA module for the Sparx EA modelling environment.

Workshop W3

14:00 Ask Us Anything: A Q&A with a SABSA Masters Panel Speaker(s): Chris Blunt, Maurice Smit, William Schultz

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to “it depends”. This is because most of the time it is true: the answer to your problem depends on the question you are trying to answer. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the COSAC way there will be plenty of group debate and interaction, and no shortage of other experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:00 Speaking Security Innovation Fluently: Taking ESA from Boardrooms to Lego Rooms Speaker(s): Rosanna Kurrer, Patrick Wheeler

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna is an Architectural Engineer by training and holds a Masters Degree in Building Physics from Kyoto University in Japan. For the past several years, this certified MIT Master Trainer in Educational Mobile Computing and EU Code Week ambassador has led hands-on, result-oriented workshops in the areas of computer programming, data visualisation, the Internet of Things, 3D design and Design Thinking, to promote the uptake of digital skills, particularly among girls and women.

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Patrick Wheeler is an enterprise security architecture lead where he is leading the effort to secure the Kubernetting of Europe’s financial ecosystem merging design thinking and ESA for one of Europe’s largest banking groups (8-12% of Europe’s GDP). He considers this the least most important activity and acts in support of Rosanna’s efforts ushering in new cyber resources. A native of California, via years in Silicon Valley, he now identifies as Belgian.

An introduction to design thinking.

Contextual? Global and local enterprises are all pushing ‘innovation’ mantras, from Agile-IT or Netflix-HR. The rush toward decentralized-small-squad-self-governed-code-fast-publish-now-fail-early-apologize-later-if-needed (Agile, DevOps, etc) place known and growing challenges to ESA. Design Think, Hasso-Plattner; radical-collaboration, bias-toward-action, mindful-of-process, beginners-mindset, show-don’t-tell, embrace-experimentation, prototype-to-discover) is one the latest widely adopted methodological approaches to innovation. Often placed upstream of Agile. Applying the SABSA framework to Design Think in an enterprise can embed ESA concepts early into corporate strategies (boardrooms) and product lifecycles (lego rooms). By embedding ourselves at the earliest stages in decision-making processes we carry ESA to the boardrooms, differently.

What? Business decisions from fintech acquisition, business partnerships through strategic bet-the-company pivots are being made via this process. We propose an introduction, workshop and exercise to get in front of enterprise strategy and setting enterprise security architecture priorities by reverse engineering design think orthodoxy and credos in the enterprise. Includes a 3-hour learning-by-doing exercise on how to identify design opportunities, generate diverse ideas, and create and test prototypes using principles and mindsets of design thinking. This business focus exercise focuses on Business and the Contextual and Conceptual layers. Our presenters are practitioners who can speak to using this throughout all layers in Financial sector (e.g. SWIFT, Euroclear and BNPPF) and governments (e.g. EU).

Why? While we may speak the language of risk, business and enterprise, we must be fully conversant with the buzzwords, concepts and methodologies to be fluent in the language of innovation. Ideas are always in abundance; how do we turn them into concrete and desirable products, processes or campaigns? In security we strive to create a positive impact and bring value to our teams and relationships. We are faced with complex situations or challenges with known or unknown conditions and uncertainty. These challenges often require creative solutions that actually work, feel right and meet core needs. Using ongoing communication frameworks is key to success. Co-creating solutions is just the beginning.

How? While this can be used as design thinking for security (and we have indications of success in enterprise security teams), we will focus on the business context of embedding ESA concepts and securing the design thinking and innovation ecosystem process. By making ourselves conversant in, and demonstrably using, the design thinking process, and by bringing into action the mindsets of creative confidence, tactical empathy, iteration, learning from failure, radical collaboration and embracing ambiguity, we increase the likelihood of gaining real insight into the real and often hidden needs of our audience, users or stakeholders. We look at the mental barriers to security adoption, differently. There are design opportunities for which we could create prototypes and iterate to drive organic adoption (pull, not push) of ESA. (Warning: if special dispensation is granted, there may be commercial product placement of Lego™; the presenters have no direct or indirect commercial involvement, and choking hazards are assumed to be an acceptable risk.)

Plenary Session

17:15 20P: The 2019 Anthony Sale Memorial Session - Connections Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

In the late 1970s James Burke's ground-breaking TV series 'Connections' explored the various paths of how technological change happens and the social effects of these changes on Western society. To illustrate this he followed various timelines of how one innovation led to something totally unrelated in the future. The series had a profound effect on me, in particular how you can learn to think laterally and how that can drive technical innovation.

Tony Sale was an inspirational leader and lateral thinker; his legacy at The National Museum of Computing is not just the Colossus Rebuild Project but the Bletchley Park site as a whole. In this talk I shall follow some of the connections that led to the birth of the computer security industry and the challenges we face today.

Conference Close

18:15 Conference Close - COSAC Chairman Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.