
Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value. For 31 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2024 Delegate Registration is open with Early-Bird rates available until 30 June 2024.

Thursday 3rd October 2024

09:00 - 09:30 Registration & Coffee

11:15 - 11:35 Morning Coffee

Workshop W1

09:30 The COSAC Risk Workshop Series: Risk Aggregation & Compound Risk Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Tech Fellow, Northrop Grumman (USA)

Jason works as a Sr. Staff Cyber Architect & Research Scientist for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa...

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 17 years, with the past 13 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs and risk management programs, and has developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

The purpose of the risk workshop is to explore the hard parts of understanding risk. We have previously conducted workshops in Ireland and Australia on how to understand and model risk, how to explain and display risk to stakeholders, and how to think like our adversaries to identify threats that we would otherwise miss. In this workshop we will begin to explore the challenge of how to aggregate risk in a complex environment to help determine which mission objectives are most at risk. We understand single weaknesses and single risks well, but once things get complex it becomes complicated to understand how the risk compounds. Averages don’t do the trick; neither does plotting all the risk on a graph. Actuarial science has solutions, but these solutions require years of data we don’t have. This collaborative workshop will dive into this risk problem to discuss the specific challenges and collectively try to uncover a path forward.

Workshop W2

09:30 The 2nd COSAC Lab Speaker(s): Ghariba Bourhidane

Ghariba Bourhidane

CyberSecurity Transformation Consultant, Freelance - TreeBridgeMosaic srl (Belgium)

Ghariba is a dreamer, sensitive and an unconditional coffee lover. She is currently working as a Cybersecurity Transformation Consultant, providing services in CyberSecurity Culture and in-depth advice on Security Awareness, the two main topics which drive her passion for the field. Previously, she worked as Deputy CISO of an insurance group, managing Third-Party Security and IT project security, being responsible for IT-Security communication and becoming a security awareness specialist....

This year, I propose the second edition of the COSAC LAB.

For the year 2024, the lab will use a new approach based on the lessons learned from the first edition performed in 2023.

1. What is the COSAC LAB?

The intent is to create an environment where people can come together and explore ideas and solutions that were generated during COSAC and develop them in a way which will give the ideas greater potential for further development by the creator or a team they create during the lab.

COSAC LAB speakers: "Hello, the first condition to get into the COSAC LAB workshop is to accept the rules without knowing them."

Participant: Atchoo!

COSAC LAB speakers: "Bless you."

Participant: Psssst, come here, COSAC reviewers, I will tell you what happens here, but for now it's a secret, so keep it to yourself. OK, we enter the workshop. Oh, the speakers bring some materials: games, computers, paper, paints, music and so on. I'm not so good at DIY and, come on, it's not my age anymore!

Participant: Now, the speakers explain that the first rule is to put away watches and phones. They are the time masters and timekeepers. Interesting, isn't it? They said that we will work during a time breach. I am curious and interested. Let's continue: they ask us to propose an idea and I have one: be vulnerable to increase awareness: paradox or reality? They ask other participants if they would like to join my idea to work together on that, and maybe create a new learning model based on paradoxical behaviour.

Participant: Oh wait! Someone else proposes something very new.

Participant: You know what, it is interesting too! A lot of people have ideas. Like I said before, they bring some materials to unleash our creativity. I see that I can use an AI Art platform. I will try it. People join my idea about paradoxical behaviour. Let's begin...

COSAC LAB speakers: We give you some steps to follow to achieve your objectives in a COSAC style. Of course, you are free to follow the steps or not. Here the aim is to break the figure. We are here to participate too and to help if we can.

Participant: Ok the conclusion is ... SURPRISE!

2. Characteristics of the COSAC LAB

Value: These design workshops not only build teams from people who may have never worked together before; the workshop will also bring a list of ideas which can be developed. It will provide potential ideas for sponsorship by the SABSA foundation and provide interesting future COSAC presentations. This is new and the goal is to "break the figure". The opportunities for evolution and modification are limitless. The more feedback is given and the more people play the game, the more creative possibilities the COSAC Lab will offer.

Uniqueness: The COSAC Lab draws its essence from COSAC, which is a completely different conference from those we know. This conference is intended for people who build, create and innovate. A laboratory's main objective is to provide reliable results.

A laboratory whose results are too often unsafe could not be approved by the competent authorities. The COSAC Lab is the only laboratory that demands to be in danger. Everything is possible. It wants to be opportunist, nutcracker, refractory and innovative.

The first condition to be "accepted" in the COSAC Lab is to accept the conditions and the rules of COSAC Lab without knowing them. Bring the ideas together instead of losing them in discussion.

Timeliness: It is important to get ideas onto paper at COSAC instead of losing them.

Approach: The COSAC Lab is the place where the theoretical exchanges will take place in a practical way. Steps to follow are proposed; they remain flexible, and only value creation counts.

We will create a time breach while you evolve. We will be the masters of time.

Rule 1: No phones and no watches

Rule 2: A commitment to attribute to all authors

Rule 3: You must agree not to steal ideas or use them competitively in a negative way

Rule 4: You agree to build on good ideas collaboratively, the COSAC way

A group of people who trust each other will exchange ideas and work together on an issue, an idea, a problem or something else. This laboratory aims to export its creations into the real world. Its ultimate goal is to enable the creation of innovations in real life.

Workshop W3

09:30 Incident Response Exercise Design Workshop Speaker(s): Kirk Nicholls

Kirk Nicholls

Consultant, SABSA World (Australia)

Kirk is a security advisor with a focus on disaster and incident response exercises. He develops and manages exercise programs through the discipline of serious games, using research-based practice. Through the lens of serious games, simulation and a military background he enables clients to gracefully handle the unexpected.

Do you want to learn to build a functional incident response exercise?

Perhaps you’d like to have clear and measurable exercise goals and performance reporting. The kind that will endear you to your training team and produce clear and actionable reporting. Good news, we can do that together. After all it’s dangerous to go alone.

The workshop will provide attendees with both support and guidance in developing a plan for a simple incident response exercise. Attendees will be walked through the process of making key decisions and creating usable exercise documents. The workshop will include an introduction to exercise concept development, scenario planning, exercise logistics, communication plans, effective evaluation and post-exercise reporting.

Attendees will leave with a usable exercise plan that will be relevant and usable within their organisation. A selection of video and print resources will be made available for attendees to explore and utilise post-workshop.

Workshop W4

09:30 Please Mind The Gap: Practical Requirements Engineering in Agile or DevOps Environments Speaker(s): Chris Blunt

Chris Blunt

Enterprise Security Architect, ESO (Northern Ireland)

Chris is the Enterprise Security Architect for a SaaS provider specialising in software and data analytics for health and fire services. He is a seasoned cybersecurity professional and is passionate about business-driven security and delivering pragmatic advice that enables organisations to achieve their business objectives.

Everyone with experience using SABSA knows that Attributes are great for capturing and reflecting business needs. However, they can be less beneficial when working with Agile teams.

Last year, I presented a pragmatic approach to requirements engineering in agile environments. This workshop builds upon that session and aims to provide delegates with practical skills to close the requirements gap.

In this workshop, you will learn how to use SABSA Attribute profiles to develop a codified set of 'non-functional' requirements in Agile and DevOps environments.

We will explore:

  • Creating SABSA Attribute profiles for your organisation using the Multi-Tiered Attribute Profiling (MTAP) methodology.
  • Using SABSA Attributes to define security requirements in Agile and DevOps environments.
  • Developing user stories that clearly articulate the who, what, and why of security features.
  • Prioritising security User Stories to ensure that they are not overlooked.

Learning outcomes:

  • Understand how to use MTAP to develop SABSA Attributes tailored to your organisation's needs.
  • Comprehend the difference between SABSA Attributes and security User Stories.
  • Understand how to create security User Stories that reflect the intent of, and are traceable to, a SABSA Attribute.
  • Ability to ensure that security User Stories are prioritised and addressed in the relevant Program Increment (PI) or sprint.

12:30 - 13:30 Lunch

16:30 - 16:45 Afternoon Tea

Workshop W5

13:30 Security for the Gobsmacked Human Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

They’ve had enough. They just get used to one environment and some SOB changes it. And we security geeks want to add change to the change. No wonder they growl at us. Complex, ever-evolving work environments turn communities of competent, veteran users into fumbling rookies who make new-guy mistakes, some of which impact security. Organizational restructuring is almost a constant. People still resist change, make mistakes, painstakingly follow bad security practices and get socially engineered. And bad guys find creative ways to defeat our newest, most sophisticated security measures.

We’ll give guidance for coping with human foibles, complexity and change in securing our vital assets.

Part 1 – Securing the semi-predictable humans – Phishing, really automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Part 2 – Securing the ever-changing organization – Change agents that can seriously affect security are gaining traction everywhere. Massive organizations are making their own rules and privacy decisions, at least until governments levy gargantuan fines. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.

Workshop W6

13:30 Digital Transformation Masterclass Speaker(s): MZ Omarjee

MZ Omarjee

Head: Client Security and Moonshots, Standard Bank Group (South Africa)

Muhammed Zubair (Mz) Omarjee is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as they relate to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative, business-driven and risk-oriented discipline.

An intriguing session that will attempt to re-orient the mindset required to undergo a Digital Transformation. In an unusual manner (not just about technology or apps), the session will provide real-world insight and experiences as they relate to the following:

  • The drivers of why we have to undergo Digital Transformation.
  • The thinking required for a Digital Transformation.
  • The Organizational Shift to a Digital Transformation.
  • New ways of marketing.
  • New ways of hiring.
  • Technologies at play that enable Digital Transformation.
  • Interactive practical activity on how to digitize something that's highly physical and manual in nature.

Workshop W7

13:30 Beyond the Script: Using Improv to Enhance Tabletop Exercises Speaker(s): Ashling Lupiani, Kathleen Mullin

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SABSA SCF, is a Cognitive Solutions Developer at City of Hope. She is a neuroscientist and biomedical engineer with experience in speech and gait research. She spent 5 years running neurorehabilitation engineering studies with human participants and conducting data analysis to investigate sensorimotor systems. She co-authored 5 papers and presented at conferences in Toronto and Boston, USA, COSAC APAC 2023 & 2024, and COSAC 28, 29 & 30.

Kathleen Mullin

CISO, MyCareGorithm (USA)

Kathleen Mullin is an influential information security practitioner and international speaker with over twenty-five years of experience. She started her career in Accounting and Internal Audit before moving into IT and finally Cybersecurity. She has been a CISO, focusing primarily on healthcare. Most recently, she is CIO|CISO for MyCareGorithm. Throughout her career, Kate has volunteered and contributed to information security as a profession, including serving on multiple board and advisory...

Cybersecurity is known as the department of “NO” while SABSA uses business opportunity risk to transform it to “YES”. This session leverages improvisational skills to increase the engagement, imagination, and impact of tabletop exercises.

We will show how to strategically leverage a tabletop exercise scenario and expand upon it with methods from improv comedy for continuing the scene. Using the techniques of “Yes, And” and “No, But”, we will overcome scenario objections, get participant buy-in to expand upon the premise, address unrealistic recovery options, and keep creativity in the solutions proposed. The optimal outcome is making tabletop exercises fun while producing more relevant and actionable results.

This material is relevant and timely as cyber-risk insurers ask if tabletop exercises are conducted, external audit firms look at scope and reports from tabletop exercises, and the business looks for tangible results from exercises that use many hours of valuable human resources.

This session, redesigned from the bottom up based on our experience at COSAC APAC, will be interactive with the attendees being called upon to participate in games and exercises leveraging improv to show the value of using this novel approach and adding fun to what might otherwise be a compliance ritual.

Workshop W8

13:30 This is the Way! Using SABSA to Transform a Global Managed Security Services Provider Speaker(s): Jaco Jacobs

Jaco Jacobs

Director of Consulting Services, David Lynas Consulting (Netherlands)

Jaco is the Director of Consulting Services for David Lynas Consulting, based in the Netherlands. He has been a "security guy" for more than 25 years, during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most of his career developing security IP, training and services for the largest global security providers, as well as co-authoring several security publications.

In late 2022 I was assigned to lead a team mandated with creating and implementing a strategy to transform the Managed Security Services business of a global organization that provides end-to-end security services. This organization operates more than twenty delivery centres globally and has grown, organically and through acquisition, to more than 3000 delivery centre employees. Due to the rapid growth, many of the delivery centres were operating in their own bubbles and using their own operating models, service definitions, delivery processes, playbooks, runbooks, people management processes, SLAs, metrics and technology stacks. This caused a high degree of inconsistency in the quality, delivery methods and collaboration between the centres, especially when providing services to clients with global footprints.

In this session we will look at how SABSA was used in this transformation journey and the value and impact that it has had on the organization.

Part 1: Context – Setting the context of the requirements and putting the necessary governance in place (Program Governance Model)

Part 2: Setting the baseline – Creating a way to consistently communicate priority and value through language and terminology (Business Attributes & Glossary)

Part 3: Organization – Creating a repeatable organization model based on priorities, requirements, skills and technology (Domain Model & Talent Program)

Part 4: Performance Targets – Creating internal and external facing KPIs and SLAs to measure performance

Part 5: Processes – Creating repeatable operational processes

Part 6: Delivery Method – Updating existing mandated delivery methods to reflect and implement changes

Conference Close

16:45 COSAC Chairman's Closing Remarks Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.