Ireland Sydney

Welcome to COSAC - Conferencing the way it should be!

For almost 25 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

The Call for Papers for our 25th annual event in Ireland is now open. View our 2017 agenda to gain an understanding of the value COSAC provides for attendees. 

Thursday 5th October 2017

09:00 - 09:30 Delegate Registration & Coffee

11:00 Morning Coffee

Workshop W1

09:30 Wonderful, Terrible, Inevitable: Big Data, Analytics & IoT Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Big Data and the Internet of Things are revolutionizing virtually every industry. We’re told of pinpoint accurate medical records and diagnostics, all-encompassing analytics, mastery of industrial processes, effortless control of our static and moving environments and complete connectivity and communication with anything and everything we might ever imagine being useful. Wonderful!

But COSAC delegates have an internal red flag that goes up upon hearing “It’s gonna be great!” Then those euphoria-deflating security questions start multiplying and running through our somewhat addled brains. Where is all this Big Data coming from? Where will it reside? Who controls it? Who grants access? On what basis? How do we know it’s accurate, relevant? Is it complete enough for life and death medical decisions? What about analytics system administration; data monitoring and correction procedures; incompatible security architectures? Oh yeah, and privacy?

What kind of security is built into all these Internet-connected devices? How easy is it to control access? Is the data they trade and store encrypted? Who’s liable if they fail or give erroneous signals?

Big Data and IoT are neither fads nor merely trends, they constitute a revolution. There’s no going back. Join us as we look from a security perspective at both the bright and dark sides

Workshop W2

09:30 COSACopoly: A Surprisingly Serious Approach to Enterprise Security Speaker(s): Chris Blunt,

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.
Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security. 

How can a lifelong infosec practitioner find a new way of looking at enterprise security? 

By learning the way a child does - through play. Our update to a popular childhood game provides a new lens for examining common issues in information security; players start with money and data, and must spend that money acquiring "properties" (security services) to protect their data from "chance" (random risks and opportunities).  

Like all great conference presentations, this one was inspired by a conversation in the pub after a previous COSAC...  We learn best from each other, and from the chance to go off-script and see where inspiration takes us.  From resource utilization to risk mitigation to adaptability in the face of changing circumstances, COSACopoly will spark conversations, demand tough decisions, and offer a free-form venue for exploring a variety of approaches to today's infosec challenges.

Workshop W3: SABSA & Agile

09:30 Part 1 - SAFe and Secure Speaker(s): Narendra Ramakrishna

Narendra Ramakrishna

Business Solution Architect, SEAM Advisory & Consulting (UK)

Narendra Ramakrishna is an accomplished Enterprise and Solution Architect specializing in delivering solutions in the areas of Cybersecurity, CloudSecurity, and PCI-DSS. He has worked in a variety of roles across security development design and security architecture since 1999, with more than a decade of that focused on various transformation programs which include process changes, implementation of various industry strength methods and is currently focusing on enterprise security. 

SAFe ( provides an Agile framework that attempts to achieve agility vertically (from Business Portfolio Management through to delivery teams [Agile/Scrum teams]) through the organization. However, SAFe is heavily oriented towards delivering functionality and classifies security as a set of non-functional requirements.

This presentation intends to augment SAFe with risk based approach mainly using the tenets of SABSA. This would cover -

  1. Practical Agile implementation within large organizations.
  2. An approach to incorporate risk based approach (SABSA) at the portfolio level (alongside business strategy and technology roadmap)
  3. The method through which risk based approach could percolate down to release sprints and Scrum teams
  4. Alignment with DevOps and SABSA Service Management Matrix
11:30 Part 2 - Securing Agile the SABSA Way Speaker(s): Maurice Smit

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

The analysis, design and delivery of software has changed fundamentally in the last few years, with flowcharts and specification documents giving way to user stories and post-it notes. This seems fundamentally opposed to the more structured architected waterfall approach that typified early software efforts. However, experience with agile has shown it can deliver results early and produce software that fits closely to user needs, outcomes that were becoming increasingly difficult to achieve with the waterfall approach to software development.

There are two agile methodologies currently in play: Scrum and Kanban. These are quite different approaches to making software development agile and many development shops deploy a combination of both – Scrum providing the sprint culture and Kanban the post-it notes. A culture of Extreme Programming – XP – is also often woven into agile deployments.

Agile development is a cultural approach to software delivery which has a number of fundamental implications for security. As a business solution delivery approach which is designed to “fail fast, fix quickly”, it relies upon user identification of functional mismatches. There is little chance that the same approach will identify anything other than very large security holes – the subtle ones will likely go unnoticed. Security has also developed in a strong waterfall manner, with assurance testing and accreditation against recognised standards being a common approach to delivering security assurance. This approach does not work in an agile shop.

This presentation addresses the new paradigm of agile security, in which the approach to security assurance aligns with the cadence of agile delivery. Concepts such as continuous security integration and testing can be effective alternatives to waterfall security, and security guard rails provide the cultural alignment necessary to remove security blocks and ensure security is an effective partner in agile delivery. SABSA provides the agile architectural approach which brings these and other tactics together into a strategic solution for building an agile security program.

13:00 - 14:00 Lunch

14:00 SABSA Open Forum
16:00 Conference Close