COSAC 2024 COSAC Connect COSAC APAC 2025

Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value. For 31 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2024 Delegate Registration is open with Early-Bird rates available until 30 June 2024.

Monday 30th September 2024

Breaks COSAC Masterclasses are full-day, 09:30 - 17:30
09:00 Registration & Coffee
11:05 Morning Coffee
13:00 Lunch
15:35 Afternoon Tea

Masterclass M1

09:30 The 23rd COSAC International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 2024 edition of the Forum will not be generated by artificial intelligence. Instead, the actual intelligence and experiences of the attending delegates will be focused to analyze and solve (not just admire) current and emerging information security issues, many more political or organizational than technical. This is where the real-world experience (positive and negative) of battle-hardened COSAC delegates adds significant value to the session. Specific technical or vendor-focused solutions might work fine in one environment but fail or be disallowed in another. Historically, delegates have always been willing to listen to and learn from others who’ve encountered things they might not have, not shy about sharing strategies and techniques. In short, committed professionals.

An ancient security dinosaur will moderate as a roomful of you and your peers dig into current events, trends, and publications. We seek solutions or, at least, pathways to solutions. It’s a front window into the conference, a full-bodied immersion in the COSAC way. Divergent viewpoints are not just expected, but welcomed. Reality and professional experience trumps theory.

Come help us shine light on and solve the latest (and some of the oldest) issues.

Masterclass M2

09:30 The 8th COSAC Security Architecture Design-Off Speaker(s): Jason Kobes,

Jason Kobes

Tech Fellow, Northrop Grumman (USA)

Jason works as a Sr. Staff Cyber Architect & Research Scientist for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa...
William Schultz

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 17 years, with the past 13 focused on Enterprise Architecture, Security Architecture, RiskManagement, and Compliance. Bill has built security programs, risk management programs, anddeveloped strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Returning for a 8th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Masterclass M3

09:30 Futures Thinking and Cyber: Modelling Emerging Risks Speaker(s): Siân John MBE,

Siân John MBE

Chief Technology Officer, NCC Group (UK)

Siân John MBE is Chief Technology Officer at NCC Group responsible for intelligence, insight and innovation within the company. Siân has worked in Cybersecurity for 25 years across strategy, business risk, privacy, and technology. She is a Fellow of the UK Chartered Institute of Information Security, Chair of the techUK Cybersecurity committee, and a council member for the Engineering and Physical Sciences Council (EPSRC). Siân was awarded an MBE in the Queen’s 2018 New Year’s Honours List for...
Lesley Kipling,

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.
Genevieve Liveley

Genevieve Liveley

Professor of Classics, University of Bristol (UK)

Genevieve is Professor of Classics and Turing Fellow at the University of Bristol. As a narratologist, she has particular research interests in stories and their impact on futures thinking – especially in the context of emerging technologies and cyber security. She is the Futures Challenge Fellow for the UKRI’s Digital Security by Design (DSbD) Discribe Hub+ programme, and is Director of RISCS – the UK’s Research Institute for Sociotechnical Cyber Security.

For over a decade we have been undergoing digital transformation with rapidly evolving technology changing the way we live and work. That brings great opportunities for organisations but also bring new threats. This in turn brings challenges for budgeting and planning to manage the risk over multiple years. How do we predict investment to allow us to fully address the security challenges we may face to ensure that we are preparing for the future? Often the business or sales-people sit on 'happy island' when considering emerging technology landscapes whilst many security people sit in 'despondency dell'. This workshop will help us to develop the futures literacy needed to be able to plan for different emerging futures.

Workshop Part 1

This session will provide an overview of futures thinking techniques and approaches. It will cover some of the key theory of futures thinking, providing guidance on the creative process required to rigorously model emerging technologies, to navigate risk versus opportunity, and to manage the tendency to consider the future in binary terms as offering either utopia or dystopia.

These theories and approaches will include an introduction to:

• Futures literacy through narrative

• Futures and systems thinking

• Strategic foresight

Workshop Part 2

This session will look at some of the technical and threat modelling approaches most relevant to cyber security. We will explore how we can most usefully model the economic, societal, political, and cyber threats. This isn't about doom and gloom but about thinking about broad pressures on thinking. Items covered in this session will include:

• Scenario Planning

• PESTEL and VUCA analysis

• STRIDE threat modelling

• Bow Tie analysis

Workshop Part 3

This part of the workshop will put into practice some of the theory and in groups we will work through some scenarios and futures modelling.

Prizes will be given for the most innovative solutions and a special booby prize given for the weirdest.

Masterclass M4

09:30 Resilience: From Hardware to Humans and Everything in Between V2 Speaker(s): Lynette Hornung,

Lynette Hornung

Principal Security Architecture Manager, Quisitive (USA)

Lynette Hornung is a Principal Security Architecture Manager with Quisitive. She has her MS in Information Assurance from Iowa State University, CIPP-US and SABSA security architecture certifications. She enjoys researching a variety of topics in information security, such as Artificial Intelligence and its many complexities, such as ethics, privacy and security.
Dr. Connie Justice,

Dr. Connie Justice

Professor, Boise State University (USA)

Dr. Connie Justice is a Clinical Associate Professor of Computer and Information Technology and Director of Cybersecurity Education and Experiential Learning, in the Computer Information and Graphics Department, IUPUI. Dr. Justice has over 30 years experience in the cybersecurity, computer and systems engineering field. Professor Justice is a Certified Information Systems Security Professional, CISSP. Dr. Justice created the new BS Cybersecurity degree that will begin accepting student the fall...
Char Sample

Char Sample

Cybersecurity Principal, MTSI (USA)

Dr. Char Sample is a cybersecurity researcher at ICF where she currently supports NSF. Dr. Sample has over 30 years of industry experience beginning in software development, through product test and integration, and finally as a researcher (both applied and academic). Dr. Sample’s research areas are all cybersecurity related with an interest toward decision-making in cybersecurity. Past projects have focused on the influence of cultural values on cybersecurity, cyber deception including but not...

Building on last year’s success the team decided to upgrade the “ From Hardware to Humans and Everything in Between” course. Resilience is widely considered the antidote to many of the problems that plague cybersecurity. The problem is that resilience definitions vary, and solutions typically fail to address all aspects of resilience, thereby resulting in a significant variety in security profiles of “resilient solutions”. This year we decided to upgrade the workshop by including a practical discussion based on a real living network.

This 4-part workshop opens with defining and discussing the challenges of how to identify, measure and improve resilience in existing environments. We set the overview for each day by introducing each of the areas covered to include hardware, operating systems, software, networks, data, users, and residual security gaps, using the framework of “as is”, “to be” and “reality”. The workshop will center around the Living Lab Network, a student real world laboratory housed at Purdue University Indianapolis.

Part 1: What’s new with 2.0? Like releases, this has not been tested. We open with a discussion of the exemplar network. We will examine the network from various viewpoints, noting where the 4 Rs of resilience are already present, and identifying residual gaps. We also will discuss the high level overview (OV-1), the goals of the institution and how the Living Lab Network supports those goals.

Part 2: Part 2 dives into the hardware, firmware, and IoT devices. Understanding fault rates, failure rates, supply chains, vendor data, and transparency goals will be explored. These values will be applied to the exemplar network within the “as is” followed by steps to get to the “to be” state, and finally concluding with the “reality state” where financial concerns are reconciled with risk tolerance..

Part 3: Software & Data Resilience – We will open with a discussion on software resilience (or lack thereof), and reliability. We will discuss secure coding, DevSecOps and other software security solutions along with their effectiveness. After discussing software we will move onto data resilience. Trust, privacy, and data fidelity have various points of potential vulnerability and exploit, which are not easily solved. Using the “as is” followed by “to be” and finally the “reality”state we examine how data can be both trustworthy and resilient. We will discuss the various complexities with this to explore different approaches to trust, privacy and data fidelity determining how we can achieve better transparency with regard to trust and privacy.

Part 4: Intelligence: Artificial (AI) and Human(HI) and Policy Resilience – AI continues to expand in cybersecurity. What are the strengths and limitations? Where do AI outperform HI and where does HI outperform AI? Training, education, decision-science using the “as is” followed but “to be” and finally the “reality”state. How do cognitive models work in the resilience framework? Should ethics be included in this analysis? How can different cognitive models be navigated in the HMI? What is possible through understanding the human mind, and how can this knowledge inform policies and procedures? What guardrails are in place to address various biases with the models? What are the requirements to remove flawed cognitive data?

Dinner & Traditional Irish Music

18:30 Drinks Reception
19:00 Dinner & Traditional Irish Music