
Welcome to COSAC - Conferencing the way it should be!

For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2021 Call for Papers is now open!

Monday 28th September 2020

COSAC Masterclasses are full-day, 09:30 - 17:30

Breaks
09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 The 20th International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Picture a roomful of accomplished, creative information security veterans. They’ve faced unending varieties of threat and omission and mistake and security exposure. They’ve ushered sound security ideas from incubation through implementation. They’ve had brilliant security ideas hamstrung by political machinations. Yet they persist in bringing professionalism and dedication to the tasks of securing organizational assets, detecting and averting threats (old and new), and keeping sensitive information private. And they’re not shy.

Recognize yourself?

The 20th iteration of the COSAC International Forum gives these battle-scarred veteran security professionals (that’s you) a full-day immersion in the COSAC way. They’ll analyze hypothetical scenarios and actual events from widely different perspectives, based on widely different experiences and perceptions of success and failure learned in the trenches. They will offer and rigorously defend their opinions, but are also ever-willing to help others and learn from each other. This inevitably leads to using reality as a basis for analysis of recent and probable future events and trends. The perspectives are illuminated by deep and broad information security knowledge and experience. And nobody charges consulting fees.

The moderator, a grizzled if not very knowledgeable security veteran himself, describes some actual recent event or publication or prediction of the future or analysis of security-related activity, then comes up with a question or two about associated issues. He might then prod one or more attendees for their take on the issues in question, but more likely, he’ll try to avoid getting in the way, thus prompting participants who have probably been there and done that to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

The basic underlying motivation for the Forum hasn’t changed since it was instituted 20 years ago: "the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis." Cybercrime evolution, ransomware as a business model, measuring security effectiveness, volumes and types of data collected by social networks, dependence on foreign, even hostile, countries for critical security infrastructure elements, recovery strategies, incident management, GDPR, IoT device proliferation and security, finding and keeping competent help … – the 2020 roster of real and potential concerns will include some we hashed out in 2019 and will doubtless provide fodder for 2021 and beyond. We certainly can’t successfully address all of them. Some may be complete surprises. And we can’t ignore the security “oldies but goodies” like awareness, access control, policy implementation, password management, and the list goes on. But having experienced corporate security warriors present means we can call upon them to ask how they set priorities to avoid being stretched a mile wide but only an inch deep.

The often unbounded discussions and analyses here on the first day of COSAC continue throughout, often beyond, leading to unique, realistic and workable solutions. Forum attendees take their profession very seriously, but not necessarily themselves. Being helpful, personable and ready to smile at some of the stranger doings that populate our world encourages building a network of intelligent, experienced, realistic people you can count on for truthful analysis and real help. Come join us and help solve the information security problems of the world.

Masterclass M2

09:30 The 6th COSAC Design-Off Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

This year will mark the 6th year of running this interactive and unique competition at COSAC Ireland. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made up of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

Among the hardest problems SABSA architects face are working alone, and getting started when confronted with a difficult challenge. These design-off workshops not only build teams from people who may never have worked together before, they challenge the groups to overcome obstacles quickly and deliver actionable architecture under time pressure. It can be done; this activity proves it.

Masterclass M3

09:30 Mastering the Art of Design Thinking and Execution Speaker(s): Esther Schagen-van Luit, Roland Schagen-van Luit

Esther Schagen-van Luit

Specialist Security Architecture, Deloitte (Netherlands)

Esther is a Specialist in Security Architecture at Deloitte Cyber Risk Services. Her ambition is to be a Leading Lady In Cyber, who is the best in her craft (security architecture) and makes societal impact as a role model by making girls & women feel they (could) belong in the world of cybersecurity. For her work on getting more women into Cyber, Esther has been awarded prizes and nominations such as the Cybersecurity Award, Techionista Award, VIVA400 and Change in Business Award.

Roland Schagen-van Luit

Junior Architect, ZJA Architecture (Netherlands)

Roland is a Junior Architect at ZJA Architecture. His focus on parametric design and fascination with 3D printing have led his portfolio to span architecture, graphic and jewelry design. A broad interest in systems and mathematics in general has sparked a desire to convey this thinking beyond parametric design, spreading from the design of buildings into the design of boardgames.

Effectively communicating security, and particularly the typically text- and diagram-heavy security architecture, to the stakeholders that are asking/mandating/paying for it, is no small feat. As an industry we have been trained in what is correct, complete and related to one another, but not necessarily in what is relevant, beautiful or intuitive.

As a follow-up to last year’s successful session on visual design, this full-day session brings participants even more insight into the world of design. It allows the participants to develop their design thinking and design execution skills through practical challenges to make them ‘Masters of Design’ in a day. Both security architects and general security practitioners should find the session’s content and exercises equally valuable.

The session is split into five segments:

1.) Design thinking: The session starts by exploring the concepts of design thinking, and how we can apply the process to the way we communicate to our stakeholders that are on the receiving end of our security products. We will go through a number of exercises on target audience determination, needs analysis and perception analysis that participants can tailor to their own context to maximize relevance.

2.) Visual design concepts: The second part of the session focusses on exploring visual design concepts in-depth. Participants are asked to show how they would visualize prepared textual scenarios with pen & paper in groups.

3.) Digital design execution - static: We will dive into the two tools that are most commonly used by professionals for visual representation of information - PowerPoint and Excel. We will investigate ‘advanced’ options in these programs that allow you to create interesting visualizations with minimal effort, including tools & plug-ins to make life easier. We will take into account what design requirements many users have when it comes to interacting with these programs. Lastly, we will venture into the realm of ‘PowerPoint Hacking’. Participants will be invited to apply their skills in both of these programs based on textual scenarios.

4.) Digital design execution – dynamic: We will then explore how to make our visualizations into engaging dynamic content. We will show a number of examples that were created simply in PowerPoint using shapes and animations effectively, and ask participants to recreate some of them on their own computers.

5.) UX & design interaction: We will present various user experience concepts, inviting participants to reflect on and share examples they have used in their security work. We will then present different ways to effectively engage your user with your digital design, such as gamification, allowing users to influence the storyline, changing the context of your design in Prezi and integrating user input into your design landscape in a Nureva Span Canvas.

At the end of the session participants will digitally receive the theory and examples presented, so that they may leverage their knowledge and skills learned effectively in their daily jobs.

Participants are advised to bring a laptop with PowerPoint and Excel pre-installed.

Masterclass M4

09:30 That AHA Moment! - The Case for Building Adaptive Hybrid Architectures Speaker(s): Andy Clark, Lynette Hornung, Diana Kelley, Char Sample

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Lynette Hornung

Principal Security and Privacy Architect, Dell Technologies (USA)

Lynette is a Senior Privacy and Security Architecture Manager leading a privacy program with a federal agency, focusing on data protection and security architecture that provides security and privacy by design. She has supported a variety of federal agencies with privacy and security architecture services and solutions. She was a CyberCorps participant and has her MS in Information Assurance from Iowa State University.

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

Char Sample

Chief Scientist Cybersecurity Cybercore, Idaho National Laboratory (USA)

Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years’ experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; her other areas of research are information weaponization and complexity.

Planning a security architecture is a multi-faceted project that typically requires an interdisciplinary effort. The resultant architecture reflects the organizational needs and requirements analysis agreed by all parties and stakeholders. As automation continues to evolve in systems, both traditional architectures and zero trust architectures reveal inflexibilities that make both choices sub-optimal for modern networks.

Traditional security architectures are limited by the abilities of the technologies used. In an attempt to be flexible for users, these technologies have to balance security and usability; this results in vulnerabilities, which in turn leads to layering and the use of SDNs. Zero trust architectures have arisen in response to the shortcomings in current security architectures, but they are too restrictive (and possibly cumbersome). What is needed is an adaptive hybrid architecture that flexibly combines strong security with dynamic responses. These responsive behaviors can contain traditional high-assurance components along with newer generation deception technologies. This approach reflects the complex relationships, both internal and external, that support organizations where multiple security needs are balanced and administered in a single place.

In this presentation, we will compare the proposed adaptive hybrid architecture against the traditional, zero trust and cloud security options. Because the SABSA method is based on systems engineering methods and well-suited for incorporating diverse viewpoints, we use it as the framework for this endeavor to propose an exemplar that blends traditional and more modern technologies and assumptions to create a hybrid security architecture that is adaptive, intelligent, resilient and capable of growing with the organization.

18:30 Drinks Reception - Sponsored by SABSAcourses
19:00 Dinner - Sponsored by Deloitte

Networking Event

21:00 Data Privacy Jeopardy Speaker(s): Lawrence Dietz,

Lawrence Dietz

General Counsel, TAL Global Corporation (USA)

Lawrence Dietz, Attorney, has served as General Counsel of TAL Global since April 2010, where he has gained extensive experience in international contracts. Prior to joining TAL Global, Dietz served in senior roles at Symantec Corporation, including Director of Market Intelligence and Global Public Sector Evangelist. He retired as a Colonel in the U.S. Army Reserve and is the author of the authoritative blog on Psychological Operations (PSYOP).

Liz Dietz

Professor, University of Phoenix (USA)

Dr Elizabeth “Liz” Dietz began her nursing career as a Lieutenant Junior Grade, Charge Nurse for the US Public Health Service during the Vietnam Conflict. She is a Professor Emeritus of Nursing from San Jose State University after a 29-year career there. She has been a volunteer with American Red Cross in Service to Armed Forces, Disaster Health Service Manager, Expert Instructor in International Humanitarian Law program, as well as Regional Disaster Lead for the Disability Integration program.

Data privacy can be a pretty dry subject, but you can count on Liz and Larry Dietz to present a lively and informative session.

Jeopardy is a famous television quiz show. Teams of COSAC participants will compete to correctly answer questions about data privacy. They will face a board covering 5 topics. Each topic has 5 questions of escalating difficulty. This lively and entertaining game show will be hosted by Dr. Liz and Colonel Larry Dietz. Prizes will be given to contestants who answer questions correctly. Questions will be derived from the GDPR, the California Consumer Privacy Act as well as the forerunners of these laws such as the 1995 Data Protection Directive (95/46/EC) and the UK Data Protection Act of 1998. Oh, and a bit of common sense and a great deal of humor.