
Welcome to COSAC - Conferencing the way it should be!

For almost 25 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

The Call for Papers for our 25th annual event in Ireland is now open. View our 2017 agenda to gain an understanding of the value COSAC provides for attendees. 

Monday 2nd October 2017

COSAC Masterclasses are full-day, 09:30 - 17:30

Breaks
09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 17th International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

For the 17th time, we fill a room with international information security veterans and present them with scenarios that have happened recently or probably will happen soon. The assembled delegates use the wisdom accrued in each of their 15+ years of solid IT security experience to examine the given scenarios from business, technical, political and any other viewpoints that might reflect on that situation or similar situations they have faced or analyzed. This puts immediate emphasis on one of COSAC’s most characteristic and valuable features. Interactivity.

COSAC speakers (or moderators) realize that someone, maybe several people in the room, knows more about the subject in dispute than the exalted session leader. Here is where COSAC consistently shows itself as the single best Information Security conference anywhere. COSAC session leaders draw out the room’s expertise and thus enrich the learning environment for everyone. In past forums, this moderator has learned much more from the delegates than any of them have from him.

In describing some recent event, the moderator poses a question or two about what the involved people did, whether it was appropriate, what other directions could have been taken, what alternative consequences might still be in play. Not surprisingly, there is often disagreement, occasional discord, but so far no duels. Appropriate solutions tend to be industry-based or public/private sector-based or organizational culture-based. The spirited discussions emanating from these very real differences augment learning for all.

We also predict the future for Information Security. 50 billion IoT devices by 2020! And no universally accepted security standards for them. How do we get our arms around that? Will legal systems ever catch up with technology? Where should we spend our security dollars?

Come help solve the problems of the world with a full day immersion into the COSAC way.

Masterclass M2 - GDPR: Impact, Innovation, Dilemma & Delivery

09:30 Part 1 - The Impact of GDPR on our Security Department Speaker(s): Karel Koster

Karel Koster

Head of Information Security, Ingenico ePayments (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds a position as Head of Information Security within Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel, as an information security officer, was responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

On the 25th of May 2018 the GDPR comes into full effect. This has an impact on our customers, their clients, our legal department, our contracts, customer facing policies, etc. And a major impact on our information security function.

Besides stating what you can and can’t do with personal data, the GDPR also requires us to protect the personal information entrusted to us in a professional way. It does not specify how, but protecting that personal information is done by the security controls set and implemented by our information security department.

In this session I will share what impact GDPR compliancy has for our information security department. Which processes changed, which remained the same, which were added, and where do we need to go the extra mile.

Since the implementation is new, there is no undisputable right or wrong yet; as with all legislation, the boundaries will need to be tested first. I will be sharing our approach and I invite you to share yours. Together this will provide us a more comprehensive view of the impact of the GDPR to our information security profession and responsibilities.

11:30 Part 2 - GDPR Breach Disclosure: Time for a New Approach Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.

With the unveiling of the GDPR, entities worldwide will be subject to mandatory data breach disclosure requirements, and will have to inform both regulators and their customers of the fact, scope, extent, and circumstances surrounding a breach of personally identifiable information. However, these data breach disclosure laws fail to meet the original intent of notification -- to enlist the support of the breach "victim" in mitigating the harm resulting from the breach (e.g., canceling credit or debit cards, monitoring for identity fraud), and simply serve as a mechanism to further embarrass the victim of a criminal attack. Moreover, as companies spend more money on breach notification, lawyers, fines, public relations and mitigation, they have less money to spend on detection, prevention and comprehensive security. Breach notification laws also skew security decisions toward protecting one class of data (personal data) over others (proprietary data, trade secrets) and may not actually achieve meaningful security at all. Finally, despite all efforts toward detection and response, the vast majority of entities learn that they have been breached from a third party. This session will focus on data breaches, breach disclosures, and breach responses, and propose a new, more collaborative approach to breach disclosure and prevention.

14:00 Part 3 - GDPR Research Exemptions: To Do or Not To Do Speaker(s): Valerie Lyons

Valerie Lyons

Information Privacy Researcher & PhD Scholar (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

The deadline for GDPR is hurtling towards us, and vendors are working tirelessly at promoting GDPR readiness and 'the work that needs to be done'. Every week we are subject to another 'GDPR readiness summary' presentation but the current rhetoric does not include 'the work that doesn't need to be done'. And the GDPR makes provisions for certain activities related to Research, to have exemptions. These are important exemptions for any organisation, no matter what industry or sector they operate in:

Research occupies a privileged position within the Regulation: In an attempt to recognise how regulation can stifle innovation and/or limit opportunities for serving the public-good, the GDPR introduces several important exemptions for Research (research includes market research, historical-research, health data-research and scientific-research). Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organisations also may override a data subject's right to object to processing and to seek the erasure of personal data (Article 89). In the age of big data, where the data analytics activities of many organisations may qualify as research, it is unclear exactly how far the GDPR's research exemption will extend. This presentation provides an overview of the most significant exemptions for research, as outlined in the GDPR, and will be followed by a discussion of how these exemptions could positively be used to address some of the GDPR challenges our own organisations face.

16:00 Part 4 - GDPR Will Make the Cloud Stronger Speaker(s): Ross Spelman

Ross Spelman

Manager Cyber Risk Services, Deloitte (Ireland)

Role: Manager - Deloitte Advisory - Cyber Risk Services
10 years+ IT Technical and Service Delivery Management
5 years in Information Security specialising in information governance and cloud security
Qualifications:
MSc in Cloud Computing
MSc in Software Engineering
Numerous industry qualifications (CISM, ISO 27001, Prince2, ITIL, CCSK, SSCP etc.)

My talk will be on the GDPR and its impact on Cloud Service Providers and Consumers.

The GDPR is designed to strengthen data protection for EU citizens. Companies must comply by May 2018 or face substantial risk and steep fines. Given the complexity of GDPR requirements, this is a very short time-frame for companies to become fully compliant with the new data privacy regulations. The aim of the new European Data Protection Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for national implementing legislation.

The GDPR will have a significant impact on Cloud Service Providers (CSPs) and their customers. Companies are becoming increasingly dependent on cloud services in order to meet business requirements. Issues like shadow IT, CSP security assurance, data processing agreements, “special” data processing, data sharing restrictions, data transfer arrangements, data deletion arrangements and the role of encryption.

My talk will explore a method of effectively aligning a company's utilising cloud services and their cyber security profile to the GDPR requirements.

Masterclass M3

09:30 The 3rd COSAC Design-Off Speaker(s): William Schultz, Maurice Smit, Chris Blunt

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Back for the 3rd year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or looking to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge.

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Last year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security architecture practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Networking & Dinner

18:30 Drinks Reception
19:00 Dinner