
Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value.


For 28 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2022 agenda is now live and delegate registration is open!

Wednesday 5th October 2022

09:00 - 09:30 Registration & Coffee

09:30 8A: Liquidation of a Security Viewpoint Speaker(s): Pieter Siedsma

Pieter Siedsma

Domain Architect Technology & Security, Heineken (Netherlands)

Pieter is currently the domain architect for technology & security for HEINEKEN. As a security architect he has been working for over 20 years at the overlap of technology and security. He worked mainly for a large global financial institution, with some side steps into the military and engineering. Now he works for the best beer company. Pieter also quite often acts as a threat hunter, engineer or “a guy with an opinion”.

End of 2019 I decided to change my career from the world of mainly digital products in a worldwide financial company to a world of fast moving consumer goods, BEER. Over the past 2 years I have seen some interesting parallels and differences between these two worlds.

The session will explain how a beer company is changing from an offline traditional brewery to a modern connected brewery. We will focus on two aspects of this transition (and mainly on their security aspects). We will expand on the IT in the physical world, the so-called Operational Technology (OT) or Process Control Domain (PCD). The breweries and warehouses are built to last for a long time, and the IT components were never designed with security in mind. This leads to some interesting challenges: threats to the OT components themselves, but also threats to the physical world that is controlled by these OT components.

The other aspect of the transition to the connected brewery is the vast amount of data that is collected for analytics in order to improve all parts of the “from barley to bar” processes. This ranges from the collection of weather data from the farmers to predict raw material quality, to the collection of temperature and pressure data in customer installations to control the quality of the beer for the consumers.

The session will conclude with some personal reflections on the security and control aspects of both worlds, where it will become clear that both worlds can learn from each other.

09:30 8B: Dividi ed Impera or Empowerment - Security Strategies of Concentration or Distribution Speaker(s): Helvi Salminen

Helvi Salminen

Senior Advisor and Board Member & Information Security Specialist, Kiisec Oy & Thales DIS Finland Oy (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years of experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi holds CISA, CISSP & SABSA qualifications & was named CISO of the Year in Finland in 2014.

The classical dividi ed impera (divide and rule) principle is a strategy of concentrating power and control in one central entity by decreasing the power and autonomy of the controlled entities. This can include manipulating them to work against each other; in doing so these minor entities consume their forces in mutual battles, which makes control by the central entity easier to apply.

Big corporations and public organizations have strong traditions of concentrating decision making and controls in central entities. This leads to building powerful central fortresses which control the satellites (or subordinates) by defining strict and rigid managerial procedures, often characterized by strictly controlled information flows – typically complete visibility of all levels for the central decision makers and very limited visibility for the lower levels.

This centralization strategy is often also applied to information systems architecture where the “one size fits all” principle rules.

Are these principles still applied in practice? The presenter’s observations tell: yes, they are still strong in many contexts, including technical solutions. They are justified by the reasoning that when we need efficiency and strong security, concentration is the solution to build strong security which best responds to the increasing threats.

But is concentration the best efficiency and security strategy? Would distribution of decision making, with well defined organizational procedures, lead to better decision making and efficiency in the organization? Would a standardized distributed system architecture improve the stability of the organization by decreasing the impact of a single point of failure, which is a major risk in strong centralization? These questions are especially pressing in times when some things that we who live in stable democratic societies have taken for granted for decades are in danger.

This session discusses the pros and cons of centralization and distribution as a business model and as a security architecture, and the applicability of these strategies to various business cases.

09:30 8S: Transforming a Control-focused Organization into Risk-based Value Speaker(s): Peter De Gersem

Peter De Gersem

Security Management Specialist, SWIFT (Belgium)

Peter is a security management specialist at SWIFT, the world’s leading provider of secure financial messaging services. He has over 22 years of experience in information security, having covered a broad spectrum of security domains. His current role is managing the SWIFT security assessment practice, from business objectives through the threat landscape to deriving the security pain points and identifying security requirements that speak to both business and technical stakeholders.

This paper is about the journey, along a long and winding road, of the evolution of an organization. This organization has security as one of its main business drivers, which enabled it to be the birthplace of SABSA, but also allowed a very large number of security controls and policies to be put in place, such that over the years no one remembered exactly what purpose they actually served. Over the last decade, several steps have been taken to rationalize this situation, the most recent of which again focused on a control framework aligned with ISO 27002, linked to security risks on the classical CIA triad. The question “Well, how will we report to our executives on how this effort brings value to the organization?” was the catalyst to ensure this control rationalization would be business driven after all, supporting an enterprise risk and opportunity strategy – and sneaking in SABSA concepts without formally calling it enterprise security architecture.

10:30 - 10:50 Morning Coffee

10:50 9A: From Values to Decisions - Value Based Decision Making in Security Speaker(s): Helvi Salminen

Helvi Salminen

Senior Advisor and Board Member & Information Security Specialist, Kiisec Oy & Thales DIS Finland Oy (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years of experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi holds CISA, CISSP & SABSA qualifications & was named CISO of the Year in Finland in 2014.

Managing security is a human activity impacted by various conflicting interests. These interests can be well justified from the point of view of the person representing them, and often the decision maker does not have a well defined formula to resolve the equation. But security practitioners are obliged to take a position and make decisions – often based on incomplete information and under pressure from different interested parties.

There are various situations in which this difficulty of decision-making manifests itself and different points of view must be considered: security vs. privacy, trust vs. assurance, threat prevention vs. detection and correction of consequences, carrot vs. stick as motivator, detailed rules vs. principles and problem solving methods, and so on.

The above mentioned situations have something in common – a decision must be made between alternatives which may both be justified, and the solution cannot be found on a black and white scale or in a detailed rule book. What is the guide in this kind of decision making challenge?

The answer is in the values – personal or organizational. In this session we will study the topic of value-based decision making applied to security management problems. The session participants are challenged by presenting some problems loaded with conflicting interests and by asking them to participate in resolving them.

10:50 9B: Misinformation for Fun and Profit Speaker(s): Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, having attended conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and an MS in Biomedical...

This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive.

The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements. The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier to obtain using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not.

This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape.

10:50 9S: What's the Point of Risk Appetite? How I Learned to Love Appetite to Feed Security Speaker(s): Andy Wall

Andy Wall

Chief Security Officer, Office for National Statistics (UK)

Andy Wall is a cyber, information security & assurance leader with 25+ years’ experience within global & national commercial organisations and UK Govt, providing business focused security advice & management. He is currently Chief Security Officer at the Office for National Statistics, developing new approaches to secure operations of leading edge big data analytics that support the organisational mission of statistics production on a range of key economic, social & demographic topics.

Within most modern organisations data and underpinning services are at the heart of business operations. Increasing attacks on systems to obtain data force business leaders to choose how best to protect these assets. What drives these choices? Do leaders understand security risk relative to other business risks?

At the Office for National Statistics we collect and process huge amounts of data – commercial, personal, business, intellectual. Our point in collecting this data is to give it to people to look at, link, match and analyse – it’s what we do as a business. Our security measures are based on the value of the data and the relative risk of access and processing. Can these decisions really reflect risk appetite – the choices that the business has made about the assets it values and how it wants to protect these assets?

This session is a debate about risk appetite using the ONS approach that has emerged. It strongly links what the business cares about to the security measures actually implemented, directed by the appetite we have all signed up to.

It features a lot of challenges and tests where risk ownership really sits in an organisation, but shows positive possibilities from trying to make risk appetite work in a complex environment as a meaningful driver for security. Ultimately it presents a series of hard-won lessons from ONS that bring security and business more closely together, highlights some hard discussions and necessary business trade offs, and explains what risk acceptance means in practice for security measures and mitigations.

12:00 10A: Ransomware/Wiperware in Healthcare Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds, and manufacturers still sell systems with obsolete operating systems.

Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware.

The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals.

The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives.

12:00 10B: Digital Torches and Binary Pitchforks Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

For hundreds of years, in times of unrest, people have used demonstrations, angry mobs, flyers, petitions and sometimes revolutions or civil wars as instruments to try and influence current affairs. In the 21st century these are still viable options; however, most of them now have digital equivalents, and our interconnected lives actually create a lot of new ones as well. We see social media campaigns, doxing, hacktivism, misinformation, dog whistles and foreign involvement in active elections, amongst others.

Some of these are easily spotted, while others are more covert. During this session we will review the current techniques, trends, and impacts. With up-to-date knowledge, we can educate ourselves, our colleagues, and our families to try and minimize any negative impact on our personal lives, businesses, and society.

Therefore, during this talk we will dive into the most used and most successful digital activism techniques, and we will explore:

  • How do they work, how are they used and by whom?
  • How successful are they?
  • What is the impact of this on society? Is it ethical?
  • Are we aware of the impact this digital activism has on us personally?
  • Can you prepare to prevent or counter these actions?
  • If you use these actions yourself, what would be the associated risk?

12:00 10S: Cyber Risk Quantification Dilemma: Building Digital Resilience or Adding a Number to Our Gut’s Feeling? Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

CEO, Qiomos (UK)

Strong technology executive, specializing in business-driven security architectures and business risk control management. I have more than 16 years of extensive experience gained within information security consultancy firms as well as financial services and telecom organizations. During the last eight years I have been offering enterprise security strategy services to C-Level executives across Europe, thanks to my ability to simplify complex technological issues.

Despite the ever-increasing investment in cyber security, organisations are still struggling to architect an effective, integrated approach to cyber risk management and reporting. More often than not, decision makers have to rely on poorly structured reports which are skewed towards technical jargon and as such fail to convey an accurate or consistent articulation of the risk exposure.

This presentation will cover the common pitfalls of attempting cyber risk quantification, even in mature end-client environments, in an attempt to frame the problem and identify its main root causes. It will then introduce a more architecture-focused approach to building an integrated single data model that encapsulates the security fabric and holds everything together as an interdependent network of nodes. The structure of the data model, with its various layers of abstraction, provides a reliable fact base to support effective decision making. Most importantly, it breaks away from the siloed mentality and the disconnected thinking it usually fosters, puts the emphasis on what is materially important and communicates the most essential information for a complete risk profile.

13:00 - 14:00 Lunch

14:00 11A: Hiring and Managing in Infosec: The Importance of Brain Diversity Speaker(s): Ashling Lupiani, Kathleen Mullin

Ashling Lupiani

Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, having attended conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and an MS in Biomedical...

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This is a novel and unique discussion on who we hire and how we manage, from the perspectives of both neuroscience and information security. Debunking prevalent Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by relying on a misinterpretation and misunderstanding of how the brain works.

Using the false concept of “left-” and “right-brained thinkers” and other myths about brain differences to explain how we think and decide influences perceptions, detracts from otherwise accurate information, and can skew materials to the point of being entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to create appropriate defenses against malicious hacking attempts, including hiring and managing diverse teams well-equipped to tackle problems.

The value in this session is providing information from current brain science to use in hiring and managing, including addressing gender bias. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain and the importance of diversity.

14:00 11B: Breaking Through the Metaverse Speaker(s): Ali Abdollahi

Ali Abdollahi

Infosec Engineer, Picnic Technologies B.V. (Netherlands)

Ali is an Infosec engineer at Picnic Technologies B.V. and a researcher with a decade of experience working in a variety of fields. He was a trainer at OWASP Summer of Security 2020, 2021 July training, and a reviewer for the Springer Cluster Computing Journal as well as the 2021 Global AppSec US event. In addition, he was a speaker or trainer at IEEE AI-ML-Workshop-2021, SSD TyphoonCon, c0c0n2019, BSides Toronto, Budapest, Calgary, Newcastle, Barcelona, OWASP Ottawa chapter, Defcon RedTeam, AppSec and...

Since October of last year (2021), when Facebook changed the name of its parent company to Meta, we have heard the words Meta and Metaverse a lot. For the first time, this talk wants to review all the vulnerabilities that threaten users and infrastructure owners at the different layers.

In general, the Metaverse is a full-scale digital life experience. This talk will cover all possible attack vectors that threaten Metaverse infrastructure as well as users. I will start with vulnerabilities in common layers, like specific flaws in libraries, basic classes and so on. Then I’ll go one step further to the component layer, which I think is very interesting, because we will deep dive into the P2P network, database and transaction verification module. The “Model Layer” will be the next stop in the session, to demonstrate potential vulnerabilities in Ledger and Account, which are the two main modules in this layer. In addition, in the “Service Layer” the HTTP/query/subscription services will be under attack; this is the largest part of the Metaverse architecture, as these services connect blockchain core node servers to the human-machine interface using APIs, JSON-RPC and WebSocket. The final section will be dedicated to endpoint clients, covering browser based attacks and sophisticated attacks on mobile clients. In this talk I will emphasise both security risks and technical flaws in the Metaverse, from zero to hero. All adversary scenarios will be based on MITRE ATT&CK, and the vulnerabilities comply with both OWASP (Top 10, ASVS, MASVS) and NIST standards.

14:00 11S: SABSAfying the NIST Cybersecurity Framework Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cybersecurity (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance, supporting businesses and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

The NIST Cybersecurity Framework (CSF) continues to be one of the de-facto global frameworks for representing the collection of information security policies, processes and controls an organization uses to reduce and manage the risk of cybersecurity threats. Although the NIST CSF is widely adopted, it still lacks some of the elements deemed essential for a comprehensive program to effectively manage all of the business risk facing the organization. That is why many industry, regulatory and other organizations have addressed several shortcomings of the NIST CSF by augmenting the framework with additional components to fill in the missing pieces. In this session we will review the current state of NIST CSF development, how it has been adapted to a variety of requirements, and how it is positioned to be continually leveraged for expanding adoption.

During COSAC 26, a session was presented to introduce the SABSA Enhanced NIST CSF (SENC) project, which applies the SABSA method and thinking to provide a business risk driven foundation that augments the processes, practices and controls defined by the framework, for the benefit of the SABSA community. One of the elements enhancing the framework is the application of business attribute profiling, to ensure the business risks are well considered and used to manage the risk and the overall effectiveness of the security program. Too often, the application of the NIST CSF gets a bit lost in the processes, technologies and controls while losing sight of the business value and risks involved.

We will outline some of the interesting issues and challenges in applying SABSA to a framework and the winding path for progress. The session will provide some insight into the problems that the NIST CSF is solving and the benefit that SABSA brings to solve a larger problem. We will conclude with example content from the deliverables of the SENC project and what will be available to the SABSA community.

15:10 12A: What Got You Here Won’t Get You There: Forging Your Future in Cybersecurity Leadership Speaker(s): Valerie Lyons

Valerie Lyons

COO, BH Consulting (Ireland)

Recently included as one of Europe's top 100 women in cybersecurity, Dr. Valerie Lyons is a highly experienced senior cybersecurity and privacy professional. Currently COO of BH Consulting (a data protection and cybersecurity firm based in Ireland), Valerie is also a subject matter expert in European data protection and privacy. She recently completed an award-winning PhD, researching organisational approaches to Information Privacy. She lectures on the topic of cybersecurity, privacy and ethics...

Your hard work is paying off. You have a successful career and are progressing in the field of cybersecurity or privacy (or both). But there is something standing between you and the next level of achievement. According to Marshall Goldsmith, author of the renowned book ‘What Got You Here Won't Get You There’, that something may just be one of your own annoying habits. Perhaps one small flaw - a behaviour you barely even recognise - is the only thing that's keeping you from where you want to be. It may be that the very characteristic that got you where you are - like the drive to win at all costs - is what's holding you back. Goldsmith explains how you can reach your full potential by eliminating 21 harmful work behaviours. He argues that while engaging in these behaviours may not have stopped you from getting “here” – your current level of success – they won’t get you “there” – the heights of success that you ultimately aspire to. For each behaviour, Marshall suggests a healthier choice that may more positively influence ‘getting there’.

In this talk, I present those 21 harmful work behaviours that may negatively influence ‘getting there’ (many of these behaviours actually positively influence ‘getting here’) and discuss Marshall’s recommended healthier choices.

15:10 12B: The World is Not Enough, but the Metaverse Will Do Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is the Cyber Operations and Resilience offering lead for Europe at Accenture Security, based out of the Netherlands. He has been a “security guy” for around 19 years, during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

In 2021, Gucci sold a digital version of its Dionysus handbag on the Roblox gaming platform for $4,115, more than the price tag of the physical bag. K-POP supergroup BTS broke the record for the largest paid virtual concert with numbers peaking at 756,000 viewers, which pales in comparison to a Travis Scott virtual concert, held in partnership with Fortnite, that had 12.3 million unique attendees.

In this talk we will be exploring what this means for architecting tomorrow’s continuum securely and how we can start preparing ourselves now for what is to come in the world of virtual and augmented reality. We will discuss the security impacts of full stack programmability, the use of cyber ranges and digital twins in attack simulation and recovery, and of course the importance of how, now more than ever, security needs to be seen as a property of everything else.

15:10 12S: Security Modelling Case Studies Speaker(s): Steven Bradley, Bonnie Demeyer

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT. He has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities and also lends his support to local cyber-security initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation & modelling, leading to the foundation in 2021 of a niche consultancy in this...

Bonnie Demeyer

Security Consultant, Cyber Enterprise Modelling (Belgium)

Bonnie is a freelance Security Analyst and Information Security Manager who has been working in, and advocating for, a model-driven approach to security since 2016. She returns for her third COSAC as the co-founder of Cyber Enterprise Modelling: a niche consultancy specialising in the application and advancement of model-driven security. Bonnie holds certifications in security, information risk management, privacy and ArchiMate.

Since a means of expressing security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema, and the approach has been made accessible through webinars, presentations and, this year, a SABSA Training course with basic tool support.

While COSAC 2018-21 traced the emergence of security modelling as a technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small scale, proof of concept ‘laboratory models’.

For the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking and where the technique might be headed in light of this experience.

At the time of CfP, the contracts for this work are just being signed with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint.

The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.

16:10 - 16:30 Afternoon Tea

16:30 13A: The Case of the Mistaken Identity - When is an Architect not an Architect Speaker(s): Rob Campbell, Gordon Jenkins

Rob Campbell

Security Architecture, PA Consulting (UK)

I'm a consulting security architect in the UK. I have over 30 years' experience in IT with 25+ focused on security across sectors. I consider myself more as an Enterprise architect who works in security rather than an Enterprise Security Architect because I end up having to do both more often than not. I love learning and also contributing and am known to share useful personal intellectual capital to help bring on our great profession. I am a nerd with interests that extend beyond security and...
Gordon Jenkins

Head of Security Architecture, Admiral (UK)

Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 25+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 13 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

The title of Security Architect is used often in many different ways. As a result, people's interpretation of the role varies, leading to many different issues across the industry and within organisations.

You just need to look at job descriptions on any job board to realise that no two definitions are the same.

"So what?" you say, what does it matter?

Well, let’s start with education and recruitment. How does one become an architect if the industry doesn't know what an architect is? And how does an architecture hiring manager know that they are hiring the right people?

More significantly, it can lead to architecture being misunderstood, undervalued or completely ignored. When architects can't clearly describe who we are and what we do, then how will business leaders understand the purpose and value of security architecture in their organisations? As a result, architects are often expected to perform roles that don't actually add value to the architecture. And in turn, the architecture fails to meet business expectations and becomes undervalued and under-invested, sometimes leading to the collapse of the architecture function.

Within this session, we will break down common architecture definitions and misconceptions, explore the constraints this problem presents, and explore how we, as architects, can start fixing the problem. The journey will begin in our own organisations, but we need to explore how to address the issue across industry and education. Ultimately, the aim is to be better at explaining what we do and why it matters to the business.

16:30 13B: This was Solved in an Alternate Dimension: Demystifying the Quantum Threat to Encryption Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks.

This session will take a look at the threat quantum computing poses to encryption algorithms. Based on the concepts of Shor’s algorithm, quantum computers should be able to rapidly compromise current encryption algorithmic solutions, putting massive quantities of data at risk of breach. However, the threat itself is pretty well defined, though rarely explained. For example, the threat posed by Shor’s algorithm is contained to asymmetric algorithms and does not extend to symmetric algorithms. This is still a major threat; however, it demonstrates the need to take an open and honest look at what quantum computing can do in the near term rather than fear the unknown unknowns of quantum technologies.

This presentation will look at strategies for employing both pre- and post-quantum algorithms to address encryption across a notional enterprise. It will discuss the current state of quantum-resistant algorithms and examine how emerging processes and technologies in quantum random number generation, key management, and deployment can and should be addressed by organizations over the next 5-7 years.

16:30 13S: A SABSA Approach to Health and Well Being Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.

I had a brilliant 2019 having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland but like many of us my follow up experience in 2020 was less than ideal and I came out of that year needing to take stock of my general health and wellbeing.

It is a shared observation of my colleagues that, as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon.

We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life.

In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being "retirement fit". I took a haphazard approach and by the end of the year I realised three things:

Firstly, this is not a one-year project – it is going to be an ongoing iterative process.

Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and

Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach.

So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes.

This presentation uses SABSA as framework for health and well-being and presents the fundamentals of SABSA in a non-security and non-IT context.

17:45 14P: The COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]

• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 5th October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Drinks Reception & Dinner

19:30 Drinks Reception
20:00 Dinner