Ireland COSAC Connect Melbourne

Welcome to COSAC - Conferencing the way it should be!

For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2021 Call for Papers is now open!

Wednesday 30th September 2020

09:00 - 09:30 Delegate Registration & Coffee

09:30 8S: Reorganizing Security Architecture for Agile Organizations Speaker(s): Ilker Sertler

Ilker Sertler

Enterprise Security Architect, Capgemini UK (UK)

Ilker helps organisations to build the modern practice of Cyber Security and Enterprise Architecture for the agile business of the digital era. He continuously researches, develops and exercises pragmatic practices for enterprise organizations to improve cyber security initiatives are effectively embedded in the system delivery life cycle. He is a blogger with articles discussing cyber security architecture models adapting modern delivery approaches such as Agile.

Agile principles have been widely adapted by software development communities for decades. The digital era compels to deploy these principles across the organization for process and business agility. Many established enterprises attempt to transform their structures and processes to build the culture of agility and flexibility so that they can defend their market place. While traditional architecture and governance functions are eroded during transformation journeys, cyber security is still considered as one of the top concerns and usually manifests as a constraint for agility.

This session discusses the implications of Agile principles for traditional Enterprise Architecture and Cyber Security practices, then proposes a new approach to balance the dynamism ambitions of the Agile organization with stability needs of the large enterprise. A simplified content model for security architecture is tailored from the SABSA abstraction layers to promote a common and integrated model for collaborative development and articulation of architecture. A cyber security reference model is also presented to encapsulate security services with a new taxonomy that is better aligned to technology and process constructs of the modern enterprise. Finally, guidance is provided to organize cyber security in the agile enterprise, clarifying security functions, roles, responsibilities, core activities and interactions.

09:30 8A: Hey SyRI, Who’s Committing Fraud? Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information security roles. He currently manages an international team of security analyst for FedEx Express, owning and executing various GRC process for FedEx international. Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies.

In 2013 the Dutch parliament passed a law called ‘Fraud prevention through coupling of data files’, without a vote. This led to the development and implementation of the ‘System Risk Indication’ also known as SyRi, which combines data from several governmental data sources with the sole purpose of detecting of potential social benefit fraud.

This does not sound threatening for a normal law-abiding citizen such as myself. Any fraud must be battled, and for us Dutch, economic fraud is on top of the list. However, this system caught the eye of privacy activists and the UN rapporteur on extreme poverty and human rights. They found it to be in breach of human rights, discriminatory, dangerous and flawed. Our government was taken to court and the system was ultimately banned in February 2020.

A case like this in a developed country is both intriguing and scary and I feel there are lessons to be learned from it. Therefore, during this talk we will dive into this case and we will explore:

- How such a surveillance system came to be in a functioning democracy?

- Is the intent of the system ethical and just?

- What issues where found in the design and operation of the system?

- Could it have been designed in an ethical way?

- Where there warning signs?

- Do we need new safeguards to keep this from happening again, or are current laws and safeguards sufficient?

09:30 8B: IIoT – End to End Security Model for Industrial internet of Things Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 30 years IT experience, the last 23 in Security. I have been trained in security consultancy & architecture methodologies. These include Togaf (including Archimate) and of course SABSA. I have 10+ years in the financial/insurance sectors and 10+ years experience in the Government sector. In that time I have performed security strategy, risk assessment and compliance roles as well as designed, developed & implemented solutions compliant with industry standards.

IIoT devices have long been considered reasonably safe from tampering because they have tended to be isolated with limited, localised (or specialised - Zigbee/Bluetooth) connectivity with no real need to be connected to the internet at all. Firmware and software is rarely updated because why fix something that is difficult or considered impossible to get to! Today however with an ever changing threat landscape and examples of compromised IIoT devices (air gapped or not), becoming commonplace industry has started to apply common sense and address the issues.

Managing the vulnerabilities is difficult because the reasons these devices were deemed safe are the same reasons keeping them up to date is challenging. If you can’t easily get to them how do you what vulnerabilities might be present and then get updates on them? The way we manage vulnerabilities in the connected world won’t work in the IIoT space so I have had to think outside the box to try and solve these challenges.

This session will present a model based loosely on SecDevOps and Containers to present answers to the above problems. I would like to get feedback and suggestions from the attendees to further develop the model and help kickstart peoples thoughts beyond simply securing the IIoT device itself.

10:30 - 10:50 Morning Coffee

10:50 9S: I See Fields Are Green - Architecting the Smart Hospital of the Future Speaker(s): Dennis van den Berg,

Dennis van den Berg

Security Principal, Accenture (Netherlands)

Dennis is a Security Innovation Principal within the Cyber Defence Services domain of Accenture Security in the Netherlands. Dennis joined Accenture in 2013, after he completed his MSc in Network & Information Security. Since, he worked on a multitude of cybersecurity strategy, architecture, and transformation engagements helping clients in the Netherlands and abroad become cyber resilient businesses.
Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Greenfields opportunities are far and few between, and most of us, if we are really lucky, get to be part of one Greenfields ESA project in our careers. If it is in support of something greater than us, the proverbial good cause, so much better.

In this session, we will explore the ESA created for Galactic Inc. Healthcare (GIH), a relatively young healthcare institution, specialising in children's oncology, and the first to bring together healthcare, research, and education under one roof.

We will focus on the architecture elements that set them on their way to:

- Increase the cure-rate to 90% by 2030 through better treatments and reduction of side-effects

- Reduce collateral health damage from treatment to less than 50% of patients effected by 2030

- Be the #1 children’s oncology centre in Europe by 2025

- Be a first-class internationally accredited education institution for children’s oncologists and other oncological specialisations by 2025

- Be amongst the most innovative and attractive employers within the healthcare industry by 2025

- Go about business in a socially responsible, efficient, and risk driven manner

10:50 9A: Babe Ruth, Hank Aaron or Barry Bonds:  How Sabremetrics May Influence Cyber Resiliency Speaker(s): Rob Hale

Rob Hale

Fellow, Lockhead Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks.

This presentation is focused on describing a possible approach to measuring cyber resiliency in the future. Sabremetrics is a statistical approach to evaluating and comparing baseball players, teams and achievements from disparate eras in order to answer difficult opinion questions about the sport. For example, there is a classic argument about whether the 1927 New York Yankees are the greatest baseball team to play the game. To address this question requires not just simple measurements, such as, the team’s winning percentage, or batting average, but more complex and data intensive analysis about park factors, dead ball versus live ball, impact of expanding the leagues, etc. Sabremetrics is a system for defining, measuring and evaluating such questions, where metrics are complicated and data is massive. Evaluating the resiliency of a mission and its systems to cyber effects is a quickly emerging goal for government and defense industries.

It is my hope to engage in discussion of the viability of the methodology and to strengthen the approach. It took baseball 11 years to identify most of the data points needed to improve the statistical analysis and instrument collection of the data. Metrics in cyber security have been marginalized since the beginning of the cyber security industry. It is time to address them in a meaningful and systematic manner. The proposed methodology is a starting point, not a 100% solution, but I believe it is the best place to start.

This presentation seeks to begin a greater dialog on measuring and evaluating cyber resiliency by doing the following:

  1. 1.) Briefly describing and demonstrating how Sabremetrics is applied to baseball.
  2. 2.) Describing the cyber resiliency measurement problem.
  3. 3.) Proposing a methodology to measure cyber resiliency.
  4. 4.) Identifying gap areas in the measurement process and discussing next steps.
10:50 9B: Security Automation: Rise of the Machines Speaker(s): Chris Blunt,

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.
Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

"The Skynet Funding Bill is passed. The system goes on-line August 4th, 1997. Human decisions are removed from strategic defence. Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug." - The Terminator

In November 2019, (ISC)2 stated that 4.07 million professionals are now required to close the cybersecurity skills gap. The reality is that it is not possible to close the gap by training more infosec professional alone.

Many of the vacant cybersecurity roles require the people who will perform them to complete routine and repetitive tasks. Unfortunately, these tasks are often prone to human error, which can lead to serious cybersecurity incidents.

Security Automation promises to help solve these two challenges (and many others) by reducing the amount of work that needs to be done by security teams allowing them to focus on higher-value activities.

One critical element where the use of Security Automation should be mandatory is in DevSecOps. Agile development processes are built around being able to completely automate testing for each code update. Where code changes are security enforcing or security relevant the scope of this testing must include automated testing of the security functionality. Security Automation in this context effectively provides continuous penetration testing.

However, many security professionals are resisting automation and orchestration even when it has clear benefits for both them and their organisations.

In this session, we will explore the following:

- What is Security Automation?

- What problems might be addressed by Security Automation?

- What are the benefits of Security Automation for you and your organisation?

- What cybersecurity task are good candidates for Automation?

- What can go wrong when implementing Security Automation?

- How does Security Automation and Orchestration relate to DevOps?

- Who is doing Security Automation in the real-world, and how are they doing it?

The mechanisation of the weaving industry during the industrial revolution led to the Luddite movement, which ultimately failed to halt progress. The information age is entering a new phase, one where security engineering and operations will largely be automated. Yet, many security professionals are as resistant change as the textile workers of the 19th century. If we ignore these advances and continue to take an artisan’s approach, we face being left behind or worse replaced by the machines!

12:00 10S: Architecting National Telecommunications Infrastructure Security Speaker(s): Manal al Sarraf,

Manal al Sarraf

Head of Risk Management & Compliance, Batelco (Bahrain)

"Manal has a wealth of over 20 years of experience in the field of audit risk and compliance, where she had leadership roles within those areas leading teams to creating value and effective control frameworks. Manal has the business acumen within telecom to provide a balanced approach in achieving business objectives while striking a balance with risks and controls within her expertise in assurance. She has worked with well-reputed organizations such as KPMG, BIBF and is currently serving...
Malcolm Shore

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Cybersecurity is a key risk for national infrastructure, particularly in the area of telecommunications. However, many telecommunications infrastructures are privately owned and operated and the relationship with government tends to be via regulatory instruments. This leaves nations potentially at an unknown level of risk. In this paper, we look develop a SABSA model of security architecture for national infrastructure, and determine how individual infrastructure components should integrate into a cohesive national infrastructure risk dashboard. A governance approach is proposed to enable an effective inter-domain relationship between the national security authority and infrastructure providers and consider the way in which regulatory compliance and risk management should interact. Challenges to its adoption in the Gulf Region are discussed.

12:00 10A: Techniques to Achieve Effective Real-time Risk Aggregation Speaker(s): Hugh Walcott,

Hugh Walcott

Director & CTO, StrataMap (New Zealand)

Hugh is co-founder and CTO of StrataMap, an online platform for enterprise architecture and system modelling used by the government, enterprises and cybersecurity service providers. Hugh started his career as an electronics engineer before moving to ICT via the start-up labs of Cambridge UK. Highlights include performing the first ever internet e-cash transaction in 1998 and lead architect on the world’s largest real-time system (mega-city adaptive traffic management system).
Paul Tuck

Paul Tuck

Director, Help4Security Limited (UK)

Paul is a cyber security and risk consultant with over 22 years in security leadership positions managing both operational and programme teams across cyber security and network functions. Paul started his career in IT operations before specialising in IT security and business resilience. Paul has worked on and managed large cyber security transformation programmes within financial services, travel and real estate sectors.

Security is the #1 issue facing CIOs in 2020*, yet the approach to security governance is based on incomplete data, uses outdated methods and is not keeping up with the volume, pace, and complexity of change.

In this session we will be discussing the different approaches to reporting aggregated risks for executives, starting off with a traditional enterprise risk management approach using spreadsheets.

Not helped by the fact that all security teams world-wide are under resourced, we will demonstrate that any attempt to use traditional enterprise risk management practices at scale quickly becomes overloaded stalling strategic investments.

By exploring the inefficiencies of the traditional approach, we next demonstrate how to model an organisation’s risk context to create a common enterprise risk ontology. Knowing that every service, supplier and system will have its own risk profile, the ontology ensures risks are captured and rated in a consistent and robust manner.

The challenge comes when you are required to report aggregated risks for the purpose of guiding strategic investment decisions. In this case several systems, vendors or services may be impacted by a proposed change. To complicate things further the landscape is in a constant state of change, requiring comparative analysis of both current and target state risks from multiple sources.

Fortunately, once the risk landscape is modelled there are several ways to automate the aggregation of risks in real-time. We will present a few risk algorithms available and discuss the pros and cons of each from both the executive and security practitioner perspectives.

Finally we provide a real-world example (and live demonstration) of an enterprise risk ontology, showing how it can be used to aggregate risks and update an executive level risk reports in real-time.

12:00 10B: Internet of Intelligent Things: Preventing the Attack of the Refrigerators Speaker(s): Siân John MBE,

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...
Diana Kelley

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

If IoT and Operational Technology (OT) are combining in Industrial IoT and OT is the hardware and software that control the processes of much of our critical national infrastructure, then how do we protect our families and our societies from attackers that do not have our best interests at heart?  In the light of the recent Ekans malware attack ( Feb 2020), how do we begin to broach the great divide – that between IT and OT system operators – in a world of internet connected everything, deep fake videos, massive disinformation campaigns and the potential catastrophic outcomes of compromise of safety systems? This talk will delve into some of the case studies of OT compromise, their key lessons and how we can potentially use the lessons from responding to attacks in the IT world in a way that makes sense in the OT. During the discussion, we’ll outline the 7 properties of highly secure devices ( and discuss the pros and cons of moving from preventative to reactive systems.

13:00 - 14:00 Lunch

14:00 11S: Quantifying Risk in Security Models Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and develops a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018, COSAC 2019 and COSAC APAC 2019. Steven has authored a paper for The SABSA Institute on the topic of security modelling with ArchiMate which is now being developed via a joint SABSA Institute / Open Group Working Group.

Since introducing a practical security overlay for ArchiMate at COSAC 2018, we have made good progress in developing this approach, documenting it as a SABSA Institute White Paper and establishing it as SABSA community-contributed resource, endorsed by The Open Group.

Of the many possible analyses that this approach appears to make possible, the automation of context-aware quantitative risk analysis is perhaps the most exciting.

For COSAC 2020, we will take a deep dive into how this might be made possible. Going beyond the brief treatment of risk that was possible in the aforementioned paper, this session will introduce to Open FAIR, (an emerging quantitative risk calculation method that is receiving a lot of attention) and show how FAIR calculations can be embedded in ArchiMate security models.

The value to the conference, especially those already familiar with the approach from COSAC 18/19 or the White Paper, will be a renewed interest in quantitative methods of risk calculation and a practical means of building them into security models.

As always, this will be original content, being presented for the first time.

14:00 11A: The Demise of the Cybersecurity Workforce (!?) Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration.

Our career has been growing like crazy with an estimated 3.5 million unfilled cyber security jobs within the next few years. More certs, more quals, more money, right? But what if we’re wrong? AI, outsourcing, and visa programs may put a huge downward pressure on future job opportunities (and pay) in Europe and North America. Of course, we don’t WANT this but shouldn’t a wise professional prepare for possibilities? We’ll look at facts, figures, industry trends, and possible futures that might have us thinking that 2020 was “the good old days.” No gloom-and-doom here; just a risk-based look at what happens if we really can NOT get the talent regardless of price, and why financial incentives haven't effectively raised the ability level of our cybersecurity workforce. Not just speculation but tons of research.

14:00 11B: Critical Destructive Cyber Incidents Speaker(s): Rosanna Kurrer,

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas,, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.
Patrick Wheeler

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now as a naturalized Belgian he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas) specializing in security, compliance and innovation with rubric of ‘Cybrepreneurship’ which he defines as including opportunistic...

Cyberwar is Pervasive: We are all potentially ‘collateral damage’ in the on-going cyberwar/influence operations of nation state actors (Maersk incident) in a hyperconnected world everyone is ‘within reach’.

Cybercrime is Industrialised: Crypto-extortion has proven itself a viable and sustainable business model (Multiple Municipalities, Coveware.

Lessons drawn from world-class professional incident and extortion handling techniques in police, nation-state, NGO and with a humanistic perspective (book reference: Anja Shortland’s “Kidnap: Inside the Ransom Business”). No-one never wishes to enrich criminals and always wish them to be placed well behind bars.

Inspired by our Financial Sector Major Client's (>4Bio turnover) Experiences: Corporates experience significant hardship when hit with a cyber-extortion attempts. Every indication is this will grow worse. Client’s inability to gain support and ‘sympathy’ from their usual partners (Banks, IT Service Providers, Police, Government CSIRT and Consultancies) are endemic and toxic. The typical response “Never Pay Ransom” does not support clients in their time of need. We invited three gentlemen recently retired from Global Police forces (Canada, Netherlands/United Nations, Israel) to Brussels, Luxembourg and London to explore this.

Here we examine thorny issues:

- Critically Destructive Cyber Incident Response

- Seeing this Empathetically from the Attacker and Business Executive and Personal Role.

- False Ransom / Dead Body Exchanges

- What About Insurance?

- Fraudulent Decrypter Services!

- Not Only Enabling Criminals to Profit from Crime, but Potentially Funding Terrorism

- Banks and FS, Anti-Money Laundering, KYC, ATF

- Corporate vs Personal Incidents

We end this exploration in the Luxembourg Cyber Incident Simulator Room 42, when faced with a multi-pronged live immersive simulation, an inexperienced team under the tutelage of master Incident Handlers and Negotiators: “No-one has ever handled the scenarios like your team did. No matter what I did, you did not respond the way anyone else ever did. I could not control the situation. No-one, ever, did what you did…” Former French Military Lieutenant, Cyber Incident Simulator ‘Attacker’.

We did not pay the ransom (but we may have lost a person).

Look Where You Are Going: We may not wish to be going here. Cyber Extortion is bad. Cyber-induced Critical Incidents as a Business-Halting experience is not what our ‘exciting digital future’ promised us. But in the near and mid-term ransomware, cyber extortion and Critical Cyber Incidents are going to become the new norm. To ignore or simply wait is insupportable and invites the worst-case scenario. To prepare our individual Operational Security, to build our Vauban Citadel a little bit higher and thicker is the conventional response. Some argue we can build our walls a little bit ‘smarter.’ Those with larger budgets are already buildng Smarter, Higher and Thicker, and it is still not enough. But perhaps most importantly, the lesson from our new friends and very interesting gentleman: “Be Prepared and Engage. And have friends!

15:10 12S: Feed me More, Seymour – Freeing Your Risk Appetite Speaker(s): Martin Hopkins,

Martin Hopkins

, (UK)

Martin is a Vice President at Aon's Cyber Solutions Group. He has over 25 years experience in technology, primarily in security related fields. In between delivering consultancy he leads security research and solutions innovation with a current focus on security architecture and advisory. He is a strong advocate of business driven security, security architecture and secure software development practices.
Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Last year we talked about how and where to find your risk appetite. Now we’re back to go full immersion and explore risk appetite throughout the SABSA risk management framework. Can we define any reusable patterns or models? How can we reassess the organization’s appetite, apply a changing risk appetite to our existing risks, use our appetite to drive tactics and business decisions?

Join us to ask, and answer, the difficult questions of transforming your risk management into something more dynamic and business enabling than managing a risk register.

15:10 12A: Building Diverse Security Teams? Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Everyone should learn how to program because it teaches us a new way to think about the world” - Steve Jobs

We find ourselves in a global environment, with a tightly connected global workforce, and a shortage of diverse talent in the tech sector. Teams with a diverse set of backgrounds, cultures, life experiences, skills and talents improves the quality of business decisions and helps protect organisations from group-think. Having a diverse workforce also reflects the diversity of the marketplace, making it easier to engage more effectively with a wider talent base and extended customer base.

The term ‘diversity’ is often used when the term ‘inequality’ is intended, and we therefore risk sanitizing ‘inequality’ with ‘diversity’ as a result. It is easy to see why the two terms are used interchangeably, given that the grounds for discrimination are similar to the characteristics of diversity. Where equality is about fairness and transparency, diversity is about embracing and valuing difference.

To address historical inequality in the past, ‘quotas’ were often applied. However, quotas can damage meritocracy and omit addressing the issue of implicit bias - where committees/individuals charged with the role of recruitment, promotion and performance evaluation typically tended to select people that looked like them, acted like them, talked like them, had similar backgrounds etc. These biases are different from known biases that individuals may choose to conceal for the purposes of social and/or political correctness. Implicit biases are not accessible through introspection and we rarely recognise our own implicit bias - thus the rules for ‘equality’ can lack transparency for work recognition, recruitment and promotion etc.

This is where diversity programs have the potential to bridge a gap.

To encourage diversity in the workforce, we need to consider a starting point. The key to diversity is to understand how different types of diversity and different demographic characteristics can impact human behaviour. This presentation explores some key characteristics of diversity, and outlines several positive and constructive steps that organisations (and society) can take to encourage diversity and equality in the workforce and outlines the potential benefits of such steps. We pay particular attention to gender diversity and explore recent pan-European studies that identified factors that influence different genders into selecting tech as a career.

Key learning outcomes from this presentation are:

- Understanding the differences between diversity and equality

- Understanding the impact of diversity on employees, products, services etc

- Understanding the challenges of building diversity into our teams

- Understanding strategies to address implicit/unconscious bias

Audience: Senior roles involved in managing security and/or privacy teams: CIOs, CISOs, CROs, CPOs, Team Leaders and anyone involved in the recruitment of security or privacy teams.

15:10 12B: Automatically Identifying System Vulnerabilities, Weaknesses & Common Attack Patterns Speaker(s): Phil Bridgham

Phil Bridgham

Principal Investigator, Northrop Grumman (USA)

Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including: Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.

This session demonstrates and explains, to a non-technical audience, how three complementary data management techniques help to automatically identify system vulnerabilities, weaknesses, and common attack patterns. A comparison of the trade-offs of using relational, graph, and semantic ontological data stores is presented as real-working examples. These complementary technologies are demonstrated and explained in non-technical terms to provide a broad audience with the opportunity to learn about the value propositions and trade-offs of each technique.

A relational database demonstration will highlight achieving the speed and performance required for querying and retrieving large and complex data sets. A graph database is then demonstrated to showcase the power of specifying graph structures and relationships to quickly and intuitively extract patterns of interest, such as vulnerabilities and weaknesses related to system elements. Finally, a semantic ontology is demonstrated as state-of-the-art knowledge generation through inference, where system elements are automatically classified into technology domains.

16:10 - 16:30 Afternoon Tea

16:30 13S: Zero Trust Architecture Speaker(s): John Sherwood

John Sherwood

Chief Architect, The SABSA Institute (UK)

John Sherwood is the Chief Architect at The SABSA Institute. He is the originator of the SABSA methodology, and the lead author of the SABSA Blue Book. He has published many articles on the emerging art and science of cyber security and is a provocative and outspoken thought leader in this area. John has 48 years of experience as an information-systems professional. John was recently honoured by ISC2 with the Harold F. Tipton award for lifetime achievement in the industry.

ZTA is an old concept, although its wide adoption as a design pattern of choice is relatively recent. Back in the 1990’s the network vendor community corrupted security architecture thinking by offering technologies such as IPSec as the solution to application security architecture. It has taken until now for that corrupted thinking to be shifted, driven by the emergence of native cloud services, SOA and bundles of microservices as the architecture for applications infrastructure.

The vendor community has been trying hard to catch up with this shift, inventing and reinventing solution approaches to reuse their existing technology, but with little success. Meanwhile there is a community of forward thinking CSOs that have been developing ZTA patterns to fit their corporate infrastructure and deliver the benefits of ZTA in the real world. It has not been without its challenges, and many challenges remain to be met in this fast-changing area of business IT. Above all, solutions have to be practical and manageable and the while the vendors struggle to develop off-the-shelf products, these are so far not meeting many of the business needs.

This presentation will offer a unique up-to-date review of ZTA, its art and science and the current thinking on how to achieve the concept. It will be of great value to anyone working on developing ZTA in their corporate environment, with an opportunity to share experiences under Chatham House rules. This is an advanced architecture session, suitable for both experienced architects and those new to the area – something for all levels. The approach will be to present advanced materials and encourage debate. It is timely in that the industry is finally coming to some consensus on how to achieve ZTA after a couple of years of research and development. You will take away a clear understanding of the issues and the solution approaches, with a road map of where this important architectural stream is going into the future.

16:30 13A: Where is My Mind? (unabridged) Speaker(s): Chris Blunt,

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.
Simon Harvey

Simon Harvey

Enterprise Architect – Information Security, UnitingCare Queensland (Australia)

Simon is a Security Professional with 20+ years of Security-related Academic Research, Business & Management experience. He is currently an Enterprise Security Architect at a large financial services organisation; and is trying - slowly - to overcome his natural shyness by becoming more involved within the local InfoSec community. In addition to being extremely late at submitting his SABSA Advanced exam, he has been part of the organising team for AISA's BrisSec Conference since 2017.

Mental health is becoming one of the most significant issues in our society, and the information security industry is no exception. Our industry often attracts people with certain personality traits or attributes, including technical, analytical, obsessive, dedicated, perfectionist, curious, dogmatic, unempathetic. This can lead to us being labelled nerds and geeks, which are used to dehumanise us by others.

But we are all human. We work in high stressed environments and pressures are placed upon us by ourselves, colleagues and our employers to perform with unrealistic budgets, team members and timeframes. This can be unhealthy at best, but downright dangerous at worst. Mix this with the regular ups and downs we all experience in life and it is no wonder that many people in our industry suffer from poor mental health.

In this session, will shed light on this taboo topic to raise awareness and help end the stigma that is often attached to conditions such as anxiety, depression, and bipolar. We will use a combination of medical facts and our personal stories to humanise a topic that is still treated in a very inhumane way.

We will also present and discuss some of the:

- most common mental health conditions

- early warning signs that someone is not okay

- some basic approaches you can take when dealing with someone who is not okay

- resources available to help you and your organisation help people that are suffering from poor mental health

Our objective is to have a conversation about how we can identify, support and help each other when our mental health is compromised and to determine how we can practically support each other at the community level.

16:30 13B: The Kill-chain in Practice: 2020 and Stories from the Trenches Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

Microsoft – the worlds’ second most attacked entity on the planet or a victim of ego and paranoia?  Let’s look at some numbers: We analyse 8.2trillion signals for signs of malicious activity per day; we see 300 million fraudulent sign-in attempts targeting Microsoft cloud services per day and we block more than 5 billion distinct malware threats per month.  Industry wide, hackers attack every 39 seconds, on average 2,244 times a day and the average time to identify a breach in 2019 was 206 days.  Is sleep an option for security professionals?  Come along to this session to hear about attackers in the wild and how Microsoft protect ourselves and our customers while getting in much needed beauty sleep.

Plenary Session

17:45 14P: The COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

-Electronic submission: Send email to the rump session chair David Lynas at [email protected]

-Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 30th September.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Networking & Dinner

19:30 Drinks Reception
20:00 Dinner