
Welcome to COSAC - Conferencing the way it should be!

Call for Papers is now open for COSAC 2020!

For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Wednesday 2nd October 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 8S: SABSA Enhanced NIST Cybersecurity Framework Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on security strategies, architectures and policies supporting business and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.

The NIST Cybersecurity Framework (CSF) has proven to be a de-facto global standard for an organized collection of policies, processes and controls that an organization should have in place to reduce and manage the risk of cybersecurity threats. Global organizations such as NTT have embraced the NIST CSF as a way of providing consistent management of cybersecurity risk across all of their nearly 1,000 companies. The NIST CSF however, lacks direction and support for identifying and managing real business drivers and demonstrating business value enhancement. A number of industry organizations and associations have addressed several perceived shortcomings of the NIST CSF by defining a number of extensions and enhancements to the framework.

The SABSA Institute recognized the limitations of the NIST CSF and established the SABSA Enhanced NIST Cybersecurity Framework (SENC) project to develop a SABSA business-risk-driven front end to the NIST CSF. The objective of the SENC project is to use the SABSA Business Attribute Profiling method to specify the business risks for an organization in the form of a Business Attribute Profile and to define a series of measurement approaches, specific measurements and performance targets that reflect the views and concerns of the organization. Illustrative attribute profiles will be proposed for each of the sectors of critical infrastructure to which the NIST CSF is targeted.

In this session we will review the structure and content of the current version of the NIST CSF and then identify areas where enhancements to the framework and supporting reference material are needed. We will outline where SABSA can contribute to improving the framework and how the framework is used. We will also provide a current update on the activities of the SENC project to enhance the framework and solicit advice to further the efforts of the project.

09:30 8A: Privacy, Hunh, What is it Good for? Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and high-technology litigation and advisory across the critical infrastructure, and is highly sought as one of the world’s leading legal (cyber) experts.

Increasingly, privacy and security are diverging into separate fields, with Chief Information Security Officers being responsible for the application of technical fixes to secure data, and Chief Privacy Officers or even Data Protection Officers responsible for issues related to data collection, privacy policies, and privacy protection agreements. However, this bifurcation of roles and responsibilities is antithetical to the concepts of security by design and privacy by design, particularly where the data collection points include things like low-power, low-sophistication IoT devices. This session will focus on the interplay between privacy and security, how security enables privacy but is not sufficient to guarantee privacy, and the role of the security professional in both enabling privacy and in questioning assumptions made by privacy personnel. It will address the need for security professionals to collect and analyze data (e.g., log data, IP addresses, user behavior) in order to promote security, as filtered through the lens of GDPR, CCPA (California privacy law and regulation) and other data privacy provisions which may restrict the ability of companies to collect, store and process data. It will also address the collection of security-related data from the Deep Dark Web, profiling, and data sharing agreements in light of privacy law and regulation.

09:30 8B: Empowering Agriculture with I&AM Speaker(s): Mark McKenzie

Mark McKenzie

Director - Information Security, Dept. of Agriculture & Water Resources (Australia)

Mark leads the Information Security program at the Australian Dept of Agriculture, where he has overall responsibility for risk management, security architecture and incident detection and management. He has held similar roles in other Australian Govt agencies, including Dept of Finance and Dept of Human Services, and prides himself on building security programs that are focussed on managing organisational risk in ways that provide good security outcomes as well as good business outcomes.

Identity and access management (IAM) processes are typically seen as an IT and security responsibility (and problem), but at Agriculture, we saw our IAM deficiencies as an opportunity to transform and improve parts of our business through better security management by empowering them with better control over their data and improving IT’s ability to react to their needs.

In around six months we turned a largely paper based and fragmented system with little accountability into a logical identity and access management system with high levels of transparency and usability. We achieved this by ensuring that our business was engaged (not merely informed), that we were solving their problems as well as ours, and that at every stage of the program we demonstrated that we delivered on our promise to them.

In this session, I’ll talk about:

  • why IAM was the first big security issue I tackled at Agriculture;
  • how our project went from concept through planning to implementation;
  • how we brought our business along on the journey;
  • how we used the Agile (Scrum) project methodology to organise ourselves and achieve better results;
  • and how we are ensuring our capability is sustainable in the long term.

10:30 - 10:50 Morning Coffee

10:50 9S: SABSA for Scaled Agile Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Lavender Bytes Consulting (Belgium)

Steven is an SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and has developed a research interest in model-driven approaches to security architecture, a topic on which he has presented at COSAC 2018 and authored a paper for the SABSA Institute.

Bonnie Demeyer

Security Consultant, Lavender Bytes Consulting (Belgium)

Bonnie is a Security Analyst and Information Security Manager with two years’ experience in the application of security to Agile and Scaled Agile projects. She has also worked with Steven on the development and practical application of the model-driven approach.

Agile Scrum works best with small teams that work to deliver software prioritized by the team backlog. But the lack of holistic scope and the difficulty in translating user stories into actionable security requirements expose the limitations of treating security as just another type of user story.

Scaled Agile Frameworks, devised for the development and co-ordination of larger projects, provide the broader canvas, longer cycles and architectural roles that allow security to be managed as a system property.

In this presentation, we summarise the limitations of attempting security at the Agile/Scrum level only, make the case for the Scaled Agile approach - highlighting the common touch-points between the Agile Release Train & the SABSA methodology, and demonstrate techniques for adapting SABSA to the Agile philosophy and mindset.

The session will crystallise why a scaled approach is necessary and how it can be achieved.

10:50 9A: Digital Ethics: A Blueprint for the Future Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I have been an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Digital ethics, together with privacy, is one of Gartner’s top ten strategic technology trends for 2019. Digital ethics was also the key theme of the 2018 International Conference of Data Protection and Privacy Commissioners. In the world of cybersecurity, we are acutely aware of what privacy means, but are we so clear about digital ethics? The current discourse on digital ethics focusses either on the intended ethical breaches resulting in damage to consumer trust (in other words ‘not doing right’) or on the potential misuse of big data and artificial intelligence. However, digital ethics reaches far beyond this. With digital ethics comes the added variable of the ethical implications of things which may not yet exist, or things which may have impacts we cannot predict. Organisations continue to struggle to recognize and anticipate the unintended ethical issues associated with digital technologies. For instance, who twenty years ago would have anticipated the ethical issues now associated with current digital technologies, such as reduced social skills, addiction, bullying and loss of self-determination, or, in a broader digital context, the emerging erosion of democracy and the socio-political divisiveness of national security surveillance?

“..two young fish are swimming along and happen to meet an older fish swimming the other way, who nods at them and says “Morning, boys. How’s the water?”. The two young fish swim on for a bit, and then eventually one of them looks at the other and says “What the hell is water?” - David Foster Wallace, This is Water.

To help navigate these digital ‘waters’ and fairly harness current and emerging digital technologies, we will need to create coherent ethical governance structures for digital activities, including both privacy and security. Essentially this translates into some sort of digital ‘Hippocratic oath’ taken by the creators of these digital technologies. Such an oath would not only define how to avoid being unethical, but also define how to make ethics part of the fibre of the technologies themselves and their interface with society. The biggest challenge right now is in thinking we can regulate digital ethics with compliance-type checklists. This is because digital technologies are not neutral; they enshrine a vision and reflect a worldview which cannot be checklisted. Unless the creators of digital technologies are given the means to develop and foster an autonomous vision that reflects their values, we will inevitably drift towards digital autocracy. What if, instead of checklists, we could construct a navigational tool which guides our teams to focus, and refocus, on key areas more likely to be vulnerable to ethical compromise? Drawing on nascent research from the Omidyar Network and the Institute for the Future, an overview of the recently launched ‘Ethical OS’ toolkit is presented, including an overview of the process of undertaking a digital ethics review and the 8 key risk areas that organisational teams need to focus on. This toolkit does not make an organisation 'ethical', but it does provide the organisation with an essential guide for its digital endeavours now and into an unknown future.

10:50 9B: Adaptable Access Controls Using Identity-Trust Scoring Models Speaker(s): Gordon Jenkins

Gordon Jenkins

Enterprise Security Architect, Structured Security Ltd (UK)

Gordon is a security architect, working as an independent consultant since the beginning of 2018. He has 20+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions and asset management. He has worked as a security architect for the last 9 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

Classic identification controls like ID and password are binary: the user is successfully authenticated or they are not. But an authentication decision always carries a risk of error (e.g., a compromised password), so an identity assertion can't really be trusted 100%. More modern authentication technologies introduce additional factors that can be used to assess or improve the level of trust in an identity assertion. But once you have assessed the level of trust, what are you going to do with that information?

Identity trust-scoring and authorisation models provide a way to make access decisions based on the level of trust you have in an identity assertion. By applying these models in the conceptual and logical layers of an architecture, we can create re-usable authentication and authorisation services that are:

  • trust-driven, based on the level of trust in an identity assertion;
  • flexible, allowing consistent decisions to be made across diverse systems and technologies;
  • adaptable, allowing quick and easy responses to changes in the threat landscape or risk appetite.

This talk will introduce the concept of identity trust-scoring models and demonstrate how they can be incorporated into a security architecture. It will illustrate how the models can be used to architect access solutions that:

  • offer authentication mechanisms that adapt to the user's risk context
  • enable consistent access authorisation decisions across diverse systems
  • improve the user experience of access control
  • adapt quickly and easily to changes in the threat landscape without cutting code

12:00 10S: The SABSA Minimum Viable Product Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney, Australia, with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

One of the most common questions that befalls a newly minted SABSA architect is “Where do I start?” And it’s not just SABSA neophytes faced with this problem ‒ we have all struggled in some way with delivering effective value whilst justifying the lengthy time and breadth needed to develop (often nascent) enterprise security architecture, particularly when first joining a new organisation where the SABSA practitioner has to produce the goods to make it through their probation. So where do you start? And more importantly, where should you be spending your precious time and energy, particularly during those first crucial months in a new role when all eyes are watching you in silent judgement of your level of competency and effectiveness? Taking inspiration from the much-heralded approach by the Australian Signals Directorate (ASD) in producing the Top 4 / Essential 8, this entertaining, thought-provoking and, no doubt, controversial presentation proposes a core set of architectural ‘products’, and the minimum criteria they must meet, that the Enterprise Security Architect needs to focus on in order for their efforts to be rightly deemed ‘security architecture’ in the eyes of their peers, as well as to allow the budding architect to pass probation and keep their job!

12:00 10A: This Weird Thing Called Ethics Speaker(s): Dan Houser

Dan Houser

Senior InfoSec Manager, The American Chemical Society (USA)

Dan Houser is a practitioner who brings 30 years of experience to his presentations from knowledge learned in the trenches, and is a published author and frequent speaker at international conferences. Mr. Houser has set strategy, led strategic projects and established EA/Security Architecture practices at several Fortune 500/Global 500 firms, including banking, insurance, finance, healthcare, retail and higher education. He is formerly head of cryptographic practice for a top-20 insurer.

This is an interactive session with both lecture and audience participation in case studies on ethics, created from real cases of ethical challenges. This session will explore professional ethics, information security professional ethics, and how these vary from other ethical constructs. We will discuss principles of false comfort and false alarm, interaction with policy and the law, and some of the ways to resolve conflicts of interest. As one of the most dominant and pervasive professional ethics frameworks in the information security profession, the (ISC)2 Code of Ethics will be examined for how it guides ethical behaviours in our field, and each of its canons will be explained. We will then review several ethics cases, what made these difficult, and discuss the pivotal aspects of these cases that made them either ethical or unethical. As an interactive session, this will involve substantive audience participation with questions & answers. Content for this presentation was created with the guidance and assistance of the (ISC)2 Ethics Committee members.

12:00 10B: Does eIDAS have the Midas Touch? Speaker(s): Martin Hopkins

Martin Hopkins

Vice President, Aon (UK)

Martin is a Vice President at Aon's Cyber Solutions Group. He has over 25 years’ experience in technology, primarily in security-related fields. In between delivering consultancy he leads security research and solutions innovation with a current focus on security architecture and advisory. He is a strong advocate of business-driven security, security architecture and secure software development practices.

From 29 September 2018, EU citizens can use electronic ID to access online public services in other EU member states. Or can they?

The EU eIDAS regulation came into force on 1 July 2016. This regulation is intended to enhance trust in electronic transactions by providing cross-border recognition of electronic ID and consistent rules on trust services. The ID can refer to an individual or a business. The services include not just identity verification but also electronic document authenticity.

The benefits of increased access and reduced friction for consumers are clear. For commercial services, e.g. banks, cross-border service delivery might look much simpler. But is it? Do the banks really want disruption of their established customer onboarding processes? Adoption will not be entirely voluntary, though: the European Banking Association Regulatory Technical Standards mandate that use of eIDAS certificates by Third Party Providers to identify themselves to Account Servicing Payment Service Providers must be available by 14 September 2019. Will eIDAS deliver on the promise of cross-border federated identity?

Will we see eIDAS-based identity combined with other technologies, such as attribute-based encryption, to deliver data-centric security between disparate systems cross-border and between organisations all across the EU? Come and join me to discuss whether eIDAS will be a giver of gold for digital identity. Or is this a case of the standards not delivering on the conceptual promises, or of politicians overreaching and delivering something unworkable, or outdated and inferior before it is even used?

13:00 - 14:00 Lunch

14:00 11S: Leveraging Business Value Chains in Information Risk Management Speaker(s): William Schultz

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI standards.

The challenge of integrating business drivers and business impacts into an Information Risk (or Cybersecurity) Program can be an elusive task. It is mentioned in most risk management frameworks and is a common theme from industry strategy leaders. It sounds simple enough, but the actual implementation is usually anything but. Even with a solid approach, there are challenges in getting the business to buy in, getting the right people involved, getting the right information, and then scaling and managing the information in a reproducible way for the enterprise. In this session we will look at an organization that has recently revamped its enterprise cybersecurity program and is intentionally striving to build a foundation that engages the business to this end using value chains. We will review how the organization is leveraging SABSA Risk Management and Architecture approaches to tie in existing risk management processes and control frameworks (including NIST and HITRUST) to a vendor-introduced process that engages business leaders to identify value chains and align them to information assets and systems. We will look at some of the theory and methods behind the approach, including some of the ways we had already introduced SABSA business attributes and risk management in the organization, and will look at how the use of value chains is integrating with, and complementing, them. We will look at the process around building value chains, and also discuss the systems that are being used to support these activities. Finally, we will discuss the successes that we have seen so far, as well as the obstacles that had to be overcome (some just to get started) and that we anticipate as we continue down this path.

14:00 11A: Bias Ex Machina (Lessons from Tay) Speaker(s): Siân John MBE, Lesley Kipling

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is Chief Security Advisor for EMEA in the Cybersecurity Solutions Group at Microsoft. Siân leads the EMEA security advisors who work with Microsoft’s customers to help them develop their cyber security strategy and security best practices, and to understand how Microsoft’s technology and services can help support digital transformation and cloud services. Siân was awarded an MBE in the Queen’s New Year Honours List for 2018 for services to cybersecurity.

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s Detection and Response Team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and, more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

In March 2016 Microsoft released Tay, a Twitter chat bot designed to mimic the language patterns of a 19-year-old American girl and to learn appropriate behaviour based upon the interactions “she” had. Users quickly started tweeting offensive remarks at Tay, and within a short period of time many internet users were tweeting offensive material to the bot, leading it to share offensive and racist material and to need to be taken offline. Some important lessons were learnt from this about how to build an ethical, secure and robust AI system, avoiding introducing the biases of either the programmers or the data fed to the system.

This is an important consideration in building AI and machine learning systems in general, but is also important as we start to build machine learning models for automating security response. We can expect hackers to start to ‘game’ the system, understanding the algorithms in use to determine how to avoid generating signals that are marked as malicious. This session will focus on the considerations in building a secure, resilient and ethical AI system, as well as the techniques we need to consider as we use machine learning for security.

14:00 11B: Attacking and Securing Healthcare Standards & Hospital Secured Systems Speaker(s): Ajay Pratap Singh

Ajay Pratap Singh

Product Security Engineer, Philips Healthcare (India)

Ajay Pratap Singh has 5+ years of experience in security & research. He is working as a Product Security Engineer at Philips Healthcare, where his responsibility is to make Philips medical devices hack proof. His interest lies in breaking secured medical devices & infrastructure. He has spoken at the c0c0n & Nullcon international conferences.

The Health Care Industry has evolved exponentially over the last decade. It's no secret that advancement in technology & its adoption was the driving force behind this positive growth. Initially, interfaces between medical devices were custom designed & posed a huge challenge as far as interoperability was concerned. Healthcare standards like HL7 & DICOM have come to the rescue by providing interoperability to store, manage & exchange information among one or more devices, products, systems etc.

HL7 is a set of international standards for the exchange, integration, sharing, and retrieval of electronic health information. DICOM (Digital Imaging & Communications in Medicine) is the international standard for the communication and storage of medical images and related data. Both standards are supported by the majority of vendors & hospitals; however, secure implementation of these standards is still a concern, as security risks were given less importance while designing products (software & hardware) for healthcare services.

This presentation will be primarily focused on HL7 2.x, FHIR & DICOM messages, their implementation, the sensitivity of the information and how to attack these messages. The talk will cover workflow testing and its business implications, penetration testing of the hardened/secured medical system in the hospital network and the approach that needs to be taken to pentest the hardened medical system. The talk will be concluded by sharing insights on the proper implementation of these standards to better defend healthcare devices & systems against cyber-attacks.

15:10 12S: Feed Me Seymour - Taking Control of One's Appetite Speaker(s): Martin Hopkins, Jaco Jacobs

Martin Hopkins

Vice President, Aon (UK)

Martin is a Vice President at Aon's Cyber Solutions Group. He has over 25 years’ experience in technology, primarily in security-related fields. In between delivering consultancy he leads security research and solutions innovation with a current focus on security architecture and advisory. He is a strong advocate of business-driven security, security architecture and secure software development practices.

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

SABSA, and many risk management frameworks, implore us to manage risk within the risk appetite. But what is the risk appetite? Can anyone articulate it? In SABSA it is expressed in the thresholds defined on metrics that measure our control objectives, but isn't it a first-class entity in its own right? How is it described, communicated and managed? Risk appetite is dynamic, and we need to be able to change it and readily identify the systemic impacts this has when we do.

Risk is important to us, as it underpins a large part of our jobs. So what do we do when the risk appetite is apparently huge? How does security deliver value? By enabling the business of course. If risk appetite is linked to our metrics for controls, do we not have an opportunity appetite linked to our enablement objectives? What does an opportunity appetite look like, how could we express it? If we don't do this, how can we align to the business and ensure enablement is appropriately targeted?

In between the temptations delivered so frequently by the Killashee Hotel chefs, if you've lost your appetite, join us to discuss how we can find, maintain and align to it, and help build a path to satisfaction.

15:10 12A: Rotten Tomatoes Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently manages an international team of security analysts for FedEx - TNT Express. Prior to FedEx, Karel fulfilled positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

These days anything can and will be rated: food, film, theatre, schools, employers, and your company’s cyber security posture. While many of these ratings are solicited, in cyber security we see a trend: vendors using public data sources and scans to create unsolicited ratings on companies, which they sell to their clients as a vendor risk management product.

It is not a question of if, but when, one of your clients puts an unsolicited cyber security report on your desk and asks for a response. If you are unprepared, this will be the beginning of a multi-dimensional game of chess between InfoSec, communications, the client and the provider of the report.

This session explores how these reports are created, what you can do to influence them and how the different potential responses to these reports might impact your business. It looks at the challenges you might face, but also at the opportunities it creates. That cyber security has an ever-growing impact on a company’s reputation is already clear, but the impact of perceived but unvalidated risk by a third party raises the stakes again and needs a game plan.

True to COSAC tradition, this session will be fully interactive. Please bring your points of view and experience to the table so we can collectively decide on potential playbooks to support our businesses in the best possible way.

15:10 12B: Cavalry vs Rifles: Evolving Tactics in Cybersecurity Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security.

Pre-Napoleon, the primary modern weapon of infantry was the smoothbore musket, which was both short-range and highly inaccurate. A cavalry charge was an effective tactic against unmounted fighters all the way back to the days of Alexander the Great… but give those fighters accurate, long-range weapons, and the advantage shifts.

Today, our battlegrounds have changed and our timescales are compressed, but we're still tackling the same challenge: changes in the weapons we're facing. As information security threats evolve, we must recognize that some of our traditional tools are also becoming obsolete, and that our tactics must evolve to meet the demands of today's environment. The question is: which tactics? And how? We will discuss risk assessment, data-driven threat modeling, which of our current solutions to leverage - and which to discard, and whether any of the much-hyped new domains (AI, ML, blockchain - bingo!) are actually adding value today.

16:10 - 16:30 Afternoon Tea

16:30 13S: Always Look on the Bright Side of Life: A Positivity Modelling Workshop Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

Specialist Master, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

SABSA is a problem-solving framework for anything. We just happen to mostly apply it to security. And as security professionals we tend to gravitate towards the negative. Your website will be DDoSed, your PII stolen, and at the end of the day all that remains of your building is ashes…

Although looking at positive risk is part of the SABSA A1 curriculum, the speaker feels that the concept has not yet been fully embraced by security architects. Even when trying to account for positive risk in a risk assessment, the negative risks come more easily to us. The solution therefore seems simple: full abstinence from negativity. This workshop is about modelling the positive – the speaker will ensure positive vibes through a light-hearted case study and abundant use of props, memes and music. Apart from being entertained, the audience can expect to feel challenged on conventional notions of risk during the session.

The workshop consists of three parts:

  • Recap of the concepts of positive and negative risk as outlined in the SABSA A1 course;
  • A reflection and discussion on why positive risk is not part of many architectures and what needs to change to create a balanced risk approach throughout organizations;
  • Lastly, a fictional case study will be presented and the audience will be asked to draw out positive risks and determine their impact on an architecture, versus a focus on negative risk only.

The speaker is a very positive and upbeat person and regrets that positive risk is not embraced by everybody. The speaker has over 28 years’ experience in positivity and feels confident in inspiring the audience to always look on the bright side of life, even as security professionals.

16:30 13A: Decrypt, Deceive, Destroy: Joe Rochefort, Midway & 8 Miraculous Minutes Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The battle of Midway turned WWII around in 8 minutes on the morning of June 4, 1942. And decryption and deception played a substantial part in the victory. Pilots sacrificed themselves, sailors were killed, and officers went down with their ships as 3 Japanese carriers were destroyed in the 8-minute span. A fourth aircraft carrier was sunk later in the day, but the damage had already been done, and the mighty Japanese Navy could not manage an offensive mission for the rest of the War.

A small group of dedicated Pearl Harbor cryptanalysts, led by Joe Rochefort – who not only spoke Japanese, but understood their way of thinking and decision making – was tirelessly working to decrypt Japanese Naval radio traffic. They unscrambled and intuited enough to identify Midway and predict where the attack would come from. We knew where they were, but they couldn’t find us quickly enough to save their carriers.

We’ll detail the decryption of JN-25 and JN-25b and how Midway was pinpointed. We’ll also describe the unfortunate situation of Joe Rochefort, a true hero who got anything but proper recognition. Finally, we’ll analyze some potential lessons from this 1941 drama relevant in 2019.

16:30 13B: Integrate Security Architecture with Cyber Resilience or Not? Speaker(s): Lori Murray

Lori Murray

PhD Student, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She holds Master of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience in Systems Engineering as a Cyber Security SME, building security architecture from requirements definition to design.

Ever-evolving adversaries drive the need for system architectures that protect both critical resources and business operations. How does one approach designing a security architecture that mitigates security risk while enabling completion of critical business operations? A cyber resilient architecture is engineered for completing critical objectives in the “face of persistent, stealthy, and sophisticated attacks of cyber resources (MITRE, 2011)”. As with cyber security, resilience must be engineered into all layers of the system architecture at inception, baking protections for security and redundancies for resilience into every layer. We will explore how to build upon the SABSA security architecture framework to integrate protections that meet the goals of resilience in the case of an adversary attack: anticipate the attack across system functions, continue system functions so that critical functions complete, recover system functions after an attack has executed, and change system functions to recover from an attack.

Plenary Session

17:45 14P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 2nd October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Networking & Dinner

19:30 Drinks Reception
20:00 Dinner - Sponsored by VEST