
Welcome to COSAC - Conferencing the way it should be! Call for Papers is now open!

For 26 years COSAC has provided a trusted environment in which information security value is drawn from shared experience and from intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from those opportunities, allowing delegates to focus on professional innovation.

Registration for COSAC 2019 is now open - 29th September - 3rd October.

Monday 1st October 2018

COSAC Masterclasses are full-day, 09:30 - 17:30

Breaks
09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 18th International Roundtable Security Forum
Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 18th International Forum should once again prove to be a microcosm of the COSAC experience: seasoned security veterans trading ideas and opinions based on real experience in real situations; heavyweights offering and defending their opinions, but ever-willing to help others and learn from each other; trenchant analysis of recent security-related events and trends from perspectives illuminated by knowledge and experience. The moderator posits real-life scenarios, asks a question or two about relevant issues, then tries not to get in the way, so that participants may discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

Back in the pre-cloud, pre-Ransomware, pre-GDPR, pre-Cambridge Analytica and pre-IoT era when the professionals attending COSAC started this 1-day full-body immersion in the COSAC way, the overriding premise was that “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” That’s still true. In late 2018 we’ve been handed some truly original problem scenarios, ones that could keep us busy 24/7 seeking viable solutions or workarounds. But we can’t devote 24/7 to the new issues because the old ones also keep rearing their heads and roaring, perhaps with updated verbiage and at different decibel levels from their original manifestations. What makes the Forum so valuable is learning from the hard-earned skills, fortitude and wisdom of others who have run this gauntlet, perhaps several times, are facing similar challenges and know how to avoid or survive the tomahawks.

The discussions (and arguments) started here in the Forum almost always continue throughout COSAC, sometimes even beyond that, leading to unique, realistic and workable solutions to seemingly intractable dilemmas. Come join us and help solve the information security problems of the world and develop unerring predictions for the future.

Masterclass M2

09:30 Understanding the Least Understood Link in Security: The Human
Speaker(s): Lynette Hornung, Esther van Luit, Helvi Salminen, Char Sample

Lynette Hornung

Senior Enterprise Security Architecture & Privacy Manager, TCG (USA)

Lynette Hornung is a Senior Enterprise Security Architecture and Privacy Manager with TCG, Inc. She holds the SABSA Foundation certificate, the SCPR in Risk Assurance and Governance, the SCPA in Architectural Design and the CIPP-US. She has over 20 years of experience in information security and privacy, and has worked with a variety of federal agencies and stakeholders providing enterprise security architecture, computer security and privacy solutions and services.

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and, since April 2000, as an information security manager. Before moving into information security she had 12 years' experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi holds CISA, CISSP and SABSA qualifications and was named CISO of the Year in Finland in 2014.

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland, and is also affiliated with the University of Warwick, UK. Dr. Sample has over 20 years of experience in the information security industry. Most recently Dr. Sample has been advancing research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

A frequent quote among security professionals states, "the human is the weakest link in security". We challenge this statement, suggesting instead that the human is the least understood link in a security system. This workshop provides the foundation for understanding the last (or perhaps first) frontier of the security landscape: the human mind.

This workshop is designed to improve the understanding of the human and the complex relationship between the human and machine when making decisions, while explaining how this relationship influences and impacts the security environment. We offer a fresh examination of the human security relationship with the hope of making security user enabling. This requires examination from several points of view, including the following:
• Understanding the commonalities and differences between humans and machines.
• Understanding how the human-machine relationship gives rise to complex systems.
       o Defining security in this way, we will also discuss complexity theory and how it relates to human-machine behavior.
       o A discussion of neural networks and other classifiers in behavioral modeling.
• Artificial intelligence technology is increasingly applied in various contexts, including security. In many areas of expertise people fear, sometimes with good reason, that AI systems will make their skills obsolete.
       o What does this mean in security?
       o What prevents AI systems from providing optimal performance?
       o Can AI systems be subverted?
• Perception management and how it can be manipulated in spite of target awareness.
       o Factors that influence problem perception, organization and data formation, and why this is important in the age of AI.
       o Data encoding and visualization.
       o Context recognition and evaluation.
• Understanding the human brain, from biology to decisions.
       o Can the brain be re-programmed?
       o Hardwired, learned, conscious and unconscious behaviors.
• Environmental factors (physical reality, virtual reality and augmented reality) and how the brain acts and responds in these environments.
• How to apply these discussions to security in your organization.

Masterclass M3

09:30 The 4th COSAC Design-Off
Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research and business consulting. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University.

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare or PCI standards.

Returning for a 4th year, this design-off will present a new and engaging set of challenges. In the spirit of hackathons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. It is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle to apply them in complex situations and under tight time frames; not to mention that there may be a limited number of practitioners in their organization (or region, for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made up of people with different skill sets and skill levels, and team members will actively engage each other to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client's needs. Last year's winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value and communicating effectively with the client. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement. Other spot prizes will be awarded by the moderators to recognize outstanding efforts by participants.

A few of the hardest problems SABSA architects face are working alone, and getting started when the challenges are unclear. These design workshops not only build teams from people who may never have worked together before, they challenge those teams to overcome such hurdles quickly.

Networking & Dinner

18:30 Drinks Reception
19:00 Dinner