For the 22nd iteration of the Forum, we feature a group of experienced, smart, tough, honest, politically savvy, creative, resilient, reality-grounded, and, of course, good looking professionals to address the existing and emerging set of information security problems and issues. Recognize yourself? Always learning, willing to listen to and learn from others who’ve encountered things you might not have, not shy about sharing strategies and techniques, and committed to our strange and but very necessary profession.

With minimal moderating by an ancient security geek, a roomful of you and your peers will analyze current events, trends, publications and situations NOT to admire the problems, but to craft possible solutions based on multiple universes of knowledge and experience. It’s a full-day immersion in the COSAC way. Moderator questions or comments on associated issues might engender wildly divergent reactions from attending professionals who experienced a similar event, but had different constraints or objectives or working tools or eventual outcomes. The moderator tries to avoid getting in the way, allowing participants to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

In 2022’s Forum, we solved the information security problems of the world. Unfortunately the world allowed new problems to arise and blossom. And some we stuck stakes into the hearts of didn’t stay down and buried. Join us and help solve the current and maybe future information security problems of the world.

Returning for a 7th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Ransomware attacks, outages, general failure of your products – how much thought is going into your communications to your customers? Is it fully vetted by your legal counsel – and you aren’t making statements that are untrue or incomplete? How critical is timing? This session addresses the need for establishing a communication protocol in advance and walks through some of the good, the bad and ugly from past incidents. Takeaways will be ideas on what to include, what to avoid, how quickly to communicate and making crisis communication a critical part of your incident response. We’ll run through real world practice sessions and work as a team to create responses to a shifting landscape during and after a breach.

This was a one hour session in 2022 and was recommended by that group of attendees to make it a longer presentation to go over the practical applications and run through scenarios.

Tabletop exercises are an essential tool for testing the preparedness of organizations in responding to crisis situations. However, traditional tabletop exercises often lack the element of unpredictability that can make real-life crises so challenging. This is where the Dungeons & Dragons (D&D) 5e tabletop role-playing game (TTRPG) system can be a valuable addition to cybersecurity crisis simulations.

By using the D&D 5e TTRPG system, cybersecurity tabletop exercises can be gamified, adding an element of randomness, unpredictability and fun to the simulations. Participants can take on roles, such as security analysts or executives, and work together to solve challenges that are presented in the game. This approach not only makes the simulations more engaging but also provides an opportunity for participants to practice decision-making under pressure.

The D&D 5e system is well-suited for this purpose due to its flexibility and versatility. It allows for a wide range of cybersecurity scenarios and challenges to be created and can accommodate varying levels of experience and skill among participants.

Come and join us for a game of Hackers & Crackers (H&C) where we will be using the D&D 5e TTRPG system in a cybersecurity tabletop crisis simulation.

Resilience is widely considered the antidote to many of the problems that plague cybersecurity. The problem is that resilience definitions vary, and solutions typically fail to address all aspects of resilience. Furthermore, when working resilience into a Zero Trust Architecture (ZTA) many of the goals can quickly become conflicting.

This, 4-part workshop first defines and discusses the challenges of how to identify, measure and improve resilience in existing environments. We set the overview for the day by introducing each of the areas that we will cover during the day to include hardware, operating systems, software, networks, data, users and residual security gaps.

Part 2 deals with the identified issues found in part 1 of the workshop we will break into small groups and perform exercises that incorporate the 4 R’s of resilience (robustness, resourcefulness, redundancy and rapidity) into various ZTA views that include hardware, software, data, users, supply chain and other views. Time permitting, we will attempt to add an additional R (reliability). Finally, we will discuss how each of the views can be compromised.

Part 3 – Data Resilience – Trust, privacy, data fidelity, this is complex and has various points of potential vulnerability and exploit, which are not easily solved. There are very real and justified examples of data being used against certain individuals and sometimes groups, so there is a problem with trust and data fidelity, which leads to issues with privacy, civil liberties and data protection. The use of AI/ML relies on systems learning lessons and extrapolating those lessons into larger rules that inform decision-making. But what data is being used? The existence of reinforcement learning is an implicit admission that they training data is flawed. Thus, new lessons must be provided and properly absorbed. This data must be free of biases, the data must be protected from exposure, contextualized, and temporally stamped. Furthermore, the cost of data compromise should be “gamed” or “tabletop exercised” to determine ramifications in objective metrics that measure the impact economically, politically, and socially to individuals, and society.

Part 4 – Human Resilience – Training, education, decision-science, this is not easily solved with trustworthy mechanisms that can detect fraud, abuse of power and manipulation of the data.

Resilient humans have an ability to self-correct; this is not always easy and can be professionally embarrassing. This section explores different approaches to cybersecurity education. We will spend time discussing logical fallacies and how they have successfully fueled flawed decisions. We will also discuss attempts in the educational realm to advance cybersecurity into a discipline rather than a short-sighted training ground. In addition to the educational aspects, we will discuss how professionals can remain mentally resilient self-checking to determine how our own thought process maps to the 4 R’s of resilience, using 5 Thinking Hats and checking against logical fallacies in our various views. All of this while working through examples where Resilience and ZTA compliance are required, and the gaps must be reconciled.