
Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value celebrating 30 years of COSAC Security Conference.

For 30 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2023 Delegate Registration is open.

Monday 2nd October 2023

Breaks (COSAC Masterclasses are full-day, 09:30 - 17:30)
09:00 Registration & Coffee
11:05 Morning Coffee
13:00 Lunch
15:35 Afternoon Tea

Masterclass M1

09:30 The 22nd International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

For the 22nd iteration of the Forum, we feature a group of experienced, smart, tough, honest, politically savvy, creative, resilient, reality-grounded, and, of course, good looking professionals to address the existing and emerging set of information security problems and issues. Recognize yourself? Always learning, willing to listen to and learn from others who’ve encountered things you might not have, not shy about sharing strategies and techniques, and committed to our strange but very necessary profession.

With minimal moderating by an ancient security geek, a roomful of you and your peers will analyze current events, trends, publications and situations NOT to admire the problems, but to craft possible solutions based on multiple universes of knowledge and experience. It’s a full-day immersion in the COSAC way. Moderator questions or comments on associated issues might engender wildly divergent reactions from attending professionals who experienced a similar event, but had different constraints or objectives or working tools or eventual outcomes. The moderator tries to avoid getting in the way, allowing participants to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

In 2022’s Forum, we solved the information security problems of the world. Unfortunately the world allowed new problems to arise and blossom. And some we stuck stakes into the hearts of didn’t stay down and buried. Join us and help solve the current and maybe future information security problems of the world.

Masterclass M2

09:30 The 7th COSAC Security Architecture Design-Off Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Tech Fellow, Northrop Grumman (USA)

Jason Kobes works as a Tech Fellow for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. Jason holds a...

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Returning for a 7th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Masterclass M3

09:30 Crisis! An Interactive Masterclass on Crisis Management & Communications
09:30 Part 1 - The Art of Communicating Bad News – A Workshop in Crisis Communications Speaker(s): John Ceraolo

John Ceraolo

Head of Information Security, Skilljar, Inc. (USA)

John Ceraolo, an internationally recognized author, and speaker on multiple security topics including social engineering, security services and awareness, brings more than 30 years of experience in the information security industry. Ceraolo is currently the Head of Information Security at Skilljar, a Seattle-based customer education SaaS platform provider.

Ransomware attacks, outages, general failure of your products – how much thought is going into your communications to your customers? Is it fully vetted by your legal counsel – and you aren’t making statements that are untrue or incomplete? How critical is timing? This session addresses the need for establishing a communication protocol in advance and walks through some of the good, the bad and ugly from past incidents. Takeaways will be ideas on what to include, what to avoid, how quickly to communicate and making crisis communication a critical part of your incident response. We’ll run through real world practice sessions and work as a team to create responses to a shifting landscape during and after a breach.

This was a one-hour session in 2022; that group of attendees recommended extending it so that it can cover the practical applications and run through scenarios.

14:00 Part 2 - Wargames: Tabletop Crisis Simulation Speaker(s): Jaco Jacobs

Jaco Jacobs

Security Innovation Principal Director, Accenture (Netherlands)

Jaco is the Cyber Resilience Detection & Response Global Enablement lead at Accenture Security based out of the Netherlands. He has been a “security guy” for around 25 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Tabletop exercises are an essential tool for testing the preparedness of organizations in responding to crisis situations. However, traditional tabletop exercises often lack the element of unpredictability that can make real-life crises so challenging. This is where the Dungeons & Dragons (D&D) 5e tabletop role-playing game (TTRPG) system can be a valuable addition to cybersecurity crisis simulations.

By using the D&D 5e TTRPG system, cybersecurity tabletop exercises can be gamified, adding an element of randomness, unpredictability and fun to the simulations. Participants can take on roles, such as security analysts or executives, and work together to solve challenges that are presented in the game. This approach not only makes the simulations more engaging but also provides an opportunity for participants to practice decision-making under pressure.

The D&D 5e system is well-suited for this purpose due to its flexibility and versatility. It allows for a wide range of cybersecurity scenarios and challenges to be created and can accommodate varying levels of experience and skill among participants.

Come and join us for a game of Hackers & Crackers (H&C) where we will be using the D&D 5e TTRPG system in a cybersecurity tabletop crisis simulation.

Masterclass M4

09:30 Resilience: From Hardware to Humans and Everything in Between Speaker(s): Lynette Hornung, Dr. Connie Justice, Char Sample

Lynette Hornung

Principal Security Architecture Manager, Quisitive (USA)

Lynette Hornung is a Principal Security Architecture Manager with Quisitive. She has her MS in Information Assurance from Iowa State University, CIPP-US and SABSA security architecture certifications. She enjoys researching a variety of topics in information security, such as Artificial Intelligence and its many complexities, such as ethics, privacy and security.

Dr. Connie Justice

Professor, Boise State University (USA)

Dr. Connie Justice is a Clinical Associate Professor of Computer and Information Technology and Director of Cybersecurity Education and Experiential Learning, in the Computer Information and Graphics Department, IUPUI. Dr. Justice has over 30 years of experience in the cybersecurity, computer and systems engineering field. Professor Justice is a Certified Information Systems Security Professional, CISSP. Dr. Justice created the new BS Cybersecurity degree that will begin accepting students the fall...

Char Sample

Cybersecurity Principal, MTSI (USA)

Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years of experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

Resilience is widely considered the antidote to many of the problems that plague cybersecurity. The problem is that resilience definitions vary, and solutions typically fail to address all aspects of resilience. Furthermore, when working resilience into a Zero Trust Architecture (ZTA) many of the goals can quickly become conflicting.

This 4-part workshop first defines and discusses the challenges of how to identify, measure and improve resilience in existing environments. We set the overview for the day by introducing each of the areas that we will cover during the day, including hardware, operating systems, software, networks, data, users and residual security gaps.

Part 2 deals with the issues identified in Part 1 of the workshop: we will break into small groups and perform exercises that incorporate the 4 R’s of resilience (robustness, resourcefulness, redundancy and rapidity) into various ZTA views that include hardware, software, data, users, supply chain and other views. Time permitting, we will attempt to add an additional R (reliability). Finally, we will discuss how each of the views can be compromised.

Part 3 – Data Resilience – Trust, privacy, data fidelity: this is complex and has various points of potential vulnerability and exploit, which are not easily solved. There are very real and justified examples of data being used against certain individuals and sometimes groups, so there is a problem with trust and data fidelity, which leads to issues with privacy, civil liberties and data protection. The use of AI/ML relies on systems learning lessons and extrapolating those lessons into larger rules that inform decision-making. But what data is being used? The existence of reinforcement learning is an implicit admission that the training data is flawed. Thus, new lessons must be provided and properly absorbed. This data must be free of biases, and it must be protected from exposure, contextualized, and temporally stamped. Furthermore, the cost of data compromise should be “gamed” or “tabletop exercised” to determine ramifications in objective metrics that measure the impact economically, politically, and socially to individuals and society.

Part 4 – Human Resilience – Training, education, decision-science: this is not easily solved with trustworthy mechanisms that can detect fraud, abuse of power and manipulation of the data.

Resilient humans have an ability to self-correct; this is not always easy and can be professionally embarrassing. This section explores different approaches to cybersecurity education. We will spend time discussing logical fallacies and how they have successfully fueled flawed decisions. We will also discuss attempts in the educational realm to advance cybersecurity into a discipline rather than a short-sighted training ground. In addition to the educational aspects, we will discuss how professionals can remain mentally resilient, self-checking to determine how our own thought process maps to the 4 R’s of resilience, using 5 Thinking Hats and checking against logical fallacies in our various views. All of this while working through examples where Resilience and ZTA compliance are required, and the gaps must be reconciled.

Dinner & Traditional Irish Music Night

18:30 Drinks Reception
19:00 Dinner