Ireland COSAC Connect Melbourne

Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value.

For 28 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2022 Call for Papers is now open!

Wednesday 29th September 2021


09:00 A8: Kill Chain in Practice Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

Microsoft – the worlds’ second most attacked entity on the planet or a victim of ego and paranoia?  Let’s look at some numbers: We analyse 8.2trillion signals for signs of malicious activity per day; we see 300 million fraudulent sign-in attempts targeting Microsoft cloud services per day and we block more than 5 billion distinct malware threats per month.  Industry wide, hackers attack every 39 seconds, on average 2,244 times a day and the average time to identify a breach in 2019 was 206 days.  Is sleep an option for security professionals?  Come along to this session to hear about attackers in the wild and how Microsoft protect ourselves and our customers while getting in much needed beauty sleep.

09:00 B8: Starting the Cyber Security Conversation; Introducing Cyber Security to Very Young Children Speaker(s): Wendy Goucher

Wendy Goucher

Cyber Security, Risk & Awareness Consultant, Goucher Consulting (UK)

Wendy Goucher is a Cyber Security, Risk and Awareness Consultant at Goucher Consulting. Her current range of work includes reviewing and revising incident response and risk management for an organisation within Scottish Government as well as looking at making security awareness messages relevant to staff working from home. Wendy also writes, mostly books at the moment. She is the author of the successful ‘Nettie in Cyberland’ series of books which use stories to start the conversation about...

By the time of COSAC 2021 Nettie will have published the second in a series of story books that aim to open the conversation around cyber security with children of between 4 to 7 years old and their parents and carers. This project has taken 6 years from first concept to publication of the first book by the University of Buckingham Press in July 2020.

Beneath the pictures of cute bunnies and a girl with her happy robot enjoying their adventures in ‘Cyberland’ there has been, and continues to be, a lot of research. From the before the start of the creation of the second book I have become involved in academic research with Professor Karen Renaud of University of Strathclyde and am in discussions with members of the Research Institute of Socio Technical Security, which is associated with NCSC.

The way research and discussion has played such a vital part in the existing books and going forward will help to identify areas that may be covered in future books, is something I can only really touch on in other conferences as delegates generally want spoon-fed information then move on to the next presenter.

COSAC would give me opportunity to discuss the development of Nettie and thoughts to area of cyber security for an ever-younger end user. I know that COSAC delegates will not only appreciate a deeper background view but would also be keen to join in the discussion of where Nettie needs to go in further books.

09:00 C8: I See Fields are Green …. Architecting the Smart Hospital of the Future Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Greenfields opportunities are far and few between, and most of us, if we are really lucky, get to be part of one Greenfields ESA project in our careers. If it is in support of something greater than us, the proverbial good cause, so much better.

In this session, we will explore the ESA created for Galactic Inc. Healthcare (GIH), a relatively young healthcare institution, specialising in children's oncology, and the first to bring together healthcare, research, and education under one roof.

We will focus on the architecture elements that set them on their way to:

  • Increase the cure-rate to 90% by 2030 through better treatments
    and reduction of side-effects
  • Reduce collateral health damage from treatment to less than 50%
    of patients effected by 2030
  • Be the #1 children’s oncology centre in Europe by 2025
  • Be a first-class internationally accredited education institution for
    children’s oncologists and other oncological specialisations by 2025
  • Be amongst the most innovative and attractive employers within the healthcare industry by 2025
  • Go about business in a socially responsible, efficient, and risk driven manner
09:00 D8: Help! I()AM reporting to a SABSA-certified CISO Speaker(s): Marten Gerssen

Marten Gerssen

Freelance Security Consultant, unConceptual (Belgium)

After graduating in Control Engineering, Marten started his professional career in Telecom Network Management at Alcatel in 1996, holding various pre-sales and marketing positions. In 2010, Marten founded unConceptual as an independent consulting company, growing from IT project management into IT Security. Customers include energy, telecom, government and banking sector. In those 10 years, the focus evolved to Identity and Access Management with projects in IAM overhaul, Privileged Access...

On an IAM project, my CISO had a SABSA Security Architecture background. We had differences in understanding. So I dove into the SABSA framework. SABSA 2018 does capture IAM completely, but in an implicit way.


Enrich insight on the interaction between Security Architecture and IAM Naturally, the value of both SABSA and IAM is undisputed.

Talking points:

  1. IAM usually appears as “some boxes” in design (business enabler).
  1. IAM is in one SABSA Cell. IAM people recognize IAM matter in every cell.
    As SABSA rightfully notes, Identities are components. However, identities spring into existence on every layer, while needing one (meta)store.

Similarly, all entitlements end up in the same IAM platform(s). A user needs an entitlement concatenation for access. Per layer, access needs vary.

  1. Different “pace” between Architecture and IAM and the consequences
  1. Identity lifecycle specifics
  1. Remediations:
  1. RBAC, but pragmatically
  1. Birth rights
  1. Delegates fine grained access to service platforms
  1. Advices for Enterprise architecture

How can Architecture help IAM?

  1. Deliver explicit input in design already identified SABSA concepts: Domain Authorities, Entity Schema, Privilege Profiles, Trust Relationship Models, Envisioned users, new/affected roles
  1. Deliver a look from the asset perspective, to pro-actively define technical/privileged roles.
  1. Co-monitor the use of scripts and other Machine to Machine integrations

09:45 - 10:05 BREAK

10:05 A9: Cyber Espionage Reloaded Speaker(s): Derek Middlemiss

Derek Middlemiss

Head of Security Solutions - EMEA, Check Point Software Technologies (UK)

Starting out as a hardware engineer for Texas Instruments more than 30 years ago, I have the honor of spending my entire career at the high end of IT. From cutting my teeth on Xenix System V and SCO Unix systems to managing an elite team of EMEA wide Security Experts for Check Point Software Technologies Derek have had an interesting career to thus far. His current role covers a wide range of integrated security infrastructure including Hybrid Datacenters, Cloud Native, Remote Office...

Recently Check Point Research discovered new evidence of an ongoing cyber espionage operation against several national government entities in the Asia Pacific (APAC) region. This operation, which we were able to attribute to the Naikon APT group, used a new backdoor named Aria-body, in order to take control of the victims’ networks. In this talk, I will describe the tactics, techniques, procedures and infrastructure used by the Naikon APT group over the 5 years since the last report, and offer some insight into how they were able to remain under the radar. I will also shed light on countries that are being targeted by this threat actor.

10:05 B9: Protecting Citizens Online in the Face of a Global Epidemic Speaker(s): Martin Sivorn

Martin Sivorn

Head of Cybersecurity, Cabinet Office, UK Government (UK)

Martin built and lead the first cyber security capability for prestigious global news organisation The Financial Times for many years, building a team spanning 2 continents that plays a pivotal role in protecting FT systems and data, and the integrity of the FT's journalistic content. Having a dedicated cyber security capability has enabled the business to expand into new ventures like investigative journalism, made possible with a secure whistle-blowing platform.

The premise of my talk is keeping citizens secure online against the continuous menace of online scams, particularly at a time like this when current events and affairs like a global health crisis are being exploited to fuel new scams and fake news.

We will look at the moral dilemma of who is actually responsible when your brand is being exploited by criminals to rip off citizens, as well as a technical dive into some of the methods that we use to combat this issue.

As cybersecurity for the Cabinet Office I feel that we have a moral obligation to protect all citizens of the UK from online scams, particularly when our website ( serves as the basis for perpetuating these scams.

I will share details of our approach to combating the problem of phishing, including  detection of malicious websites and how we get them taken down from the internet. The talk will cover some of the technical challenges and considerations that we struggle with when trying to action the takedown of malicious sites. I will also give an example of how current events are exploited for malicious purposes with a timeline of the malicious activity that has been detected during the current COVID-19 health situation.

10:05 C9: Use of SABSA in AXA Group Enterprise Security Architecture to date Speaker(s): Simon Griffin,

Simon Griffin

Senior Enterprise Security Architect, AXA (UK)

I’ve been working at AXA for nearly 20 years in a number of global roles including security consultancy, engineering and presently as an enterprise security architect within AXA’s Group Operations organisation. I have so far achieved SABSA SCF, attended both the A1 and A3 courses and hope to start work on my paper for Practitioner soon. I spend most of my time taking a business driven approach to security and utilising what I’ve learned from SABSA in developing our security reference model.
Bhupesh Rana,

Bhupesh Rana

Security Advisory and Standards - Information Security, AXA Group Operations (UK)

John Sluiter

John Sluiter

Lead Global Enterprise Security Architect, AXA (UK)

As member of the AXA Group Enterprise Security Architecture team, John leads development of the Enterprise Security Architecture as part of the Global Target Architecture, as well as contributing to various strategic programmes and topics such as global workplace, API management and DLP. Before joining AXA early 2016, John worked as security architect for business and IT consultancies for the most part of his career, working on TOGAF and SABSA integration amongst others.

AXA Group Enterprise Security Architecture (GESA) has embarked on a journey in 2017 to introduce SABSA to the security design activities in AXA Group and promoting its use in AXA entities. GESA have presented early progress to SABSA World in London on this topic and presented our status of progress in 2018 at I-4.

This presentation provides an overview of the subsequent step in our journey. It will contain 4 sections as below.

  1. AXA Context

Explain the complexity and federated nature of the AXA organisation, the structure of the security organisation (1st and 2nd line), the GESA role and mandate plus challenges.

Describe the foreseen maturity journey of ESA in AXA and which stage we see ourselves today:

  • Key reasons for using SABSA is to introduce and establish rigor and structure in strategy development process plus to make security architecture real for the practitioners, operational security teams and our leadership team.
  • We have encouraged and trained members in SABSA that are not architects. For example, we have included in the training program people, risk management, security assurance and operational security teams, because we believe that more people outside the architecture teams understand AXA ESA/SABSA approach and methodology the better it is for AXA and for us. That may be a bit different approach other companies take.
  1. Security Capability Reference Model

Describe first key deliverable GESA have produced in 2018/2019 is a Security Capability Reference Model (SCRM). It is a deep dive and security specific view of the Business Capability Reference Model managed by the Business Architecture Working Group and therefore follows the business capability structure and definitions to maximise business alignment. It defines 5 levels of capabilities covering business and IT/security services (services are renamed lower level capabilities), that are mapped to mechanisms and components, used to form a library of the as-is security capability status.

The presentation will describe and show what it is, what the expected benefits will be (supporting analysis, security requirements definition and architecture design) and how much value we have experienced to date (quick turn-around of requests for global cost savings opportunities, consistent strategic IT programme security requirements definition, etc.).

  1. Business Attribute Profiling and SWOT analysis

Explain how BAP and SWOT are used for security design in global technology / IT strategy development (BI strategy, network strategy, data centre strategy, DLP and EPP position papers, etc.). Explain how risk scoping is incorporated into this work to determine primary and reliance scope in risk assessments, design work, etc.

  1. Future steps planned for further ESA maturity improvements

Describe the currently ongoing projects and activities related to ESA:

  1. Linking SCRM with MITRE att&ck framework to be used for the SOC NG. Aim is to be able to have meaningful discussions with operational security and influence technology choices by talking to them in the language they understand, i.e. threats and security controls that we link with security components in SABSA.
  1. Improved use of data to support security capability related decision making (control effectiveness, coverage, cost) using sources such as
  • IS assurance framework self-assessment compliance reports and secondary assurance findings
  • SOC alert and incident data
  1. Increased use of domain modelling for defining governance requirements in particular, but also to explain the relationships plus R&Rs. We have been experimenting with domain models but not used in practice. Early feedback is positive, so we want to expand its use.
10:05 D9: Automating Security Compliance Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and develops a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018, COSAC 2019 and COSAC APAC 2019. Steven has authored a paper for The SABSA Institute on the topic of security modelling with ArchiMate which is now being developed via a joint SABSA Institute / Open Group Working Group.

Organisations increasingly operate in a multi-regulatory environment where audits are more frequent, more numerous, more stringent and subject to higher levels of scrutiny with each passing year.

Staying on top of continual compliance cycle proves to be extremely onerous. Organizations typically respond by first streamlining their operations into a single, enterprise-wide capability but still find that despite the efficiency savings, they are still left with a task of formidable scope and complexity that remains a costly, largely manual operation.

Perhaps the most significant development in this field for decades is NIST’s Open Security Controls Assessment Language (OSCAL), version 1.0 of which was published at the end of 2020. OSCAL defines a series of inter-locking data schema that progressively apply a control framework to a target system via pipeline of compliance “transforms”.

In this presentation, the speaker will present an introduction to OSCAL based on first-hand experience of using it since the early pre-release versions. The session will include practical demonstration of how OSCAL artefacts can be created and consumed, holding out the promise of end-to-end automation.

The value to the conference, will be an early awareness of an emerging technology that is set to have a major impact in highly-regulated or infrastructure-critical sectors for whom multi-regulatory compliance is a primary concern.

10:50 - 11:10 - BREAK

11:10 A10: Critical Destructive Cyber Incidents Speaker(s): Patrick Wheeler,

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now as a naturalized Belgian he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas) specializing in security, compliance and innovation with rubric of ‘Cybrepreneurship’ which he defines as including opportunistic...
Rosanna Kurrer

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas,, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.

Cyberwar is Pervasive: We are all potentially ‘collateral damage’ in the on-going cyberwar/influence operations of nation state actors (Maersk incident) in a hyperconnected world everyone is ‘within reach’.

Cybercrime is Industrialised: Crypto-extortion has proven itself a viable and sustainable business model (Multiple Municipalities, Coveware.

Lessons drawn from world-class professional incident and extortion handling techniques in police, nation-state, NGO and with a humanistic perspective (book reference: Anja Shortland’s “Kidnap: Inside the Ransom Business”). No-one never wishes to enrich criminals and always wish them to be placed well behind bars.

Inspired by our Financial Sector Major Client’s (>4Bio turnover) Experiences: Corporates experience significant hardship when hit with a cyber-extortion attempts. Every indication is this will grow worse. Client’s inability to gain support and ‘sympathy’ from their usual partners (Banks, IT Service Providers, Police, Government CSIRT and Consultancies) are endemic and toxic. The typical esponse “Never Pay Ransom” does not support clients in their time of need. We invited three gentlemen recently retired from Global Police forces (Canada, Netherlands/United Nations, Israel) to Brussels, Luxembourg and London to explore this.

Here we examine thorny issues:

  • Critically Destructive Cyber Incident Response:
  • Seeing this Empathetically from the Attacker and Business Executive and Personal Role
  • False Ransom / Dead Body Exchanges
  • What about insurance?
  • Fraudulent Decrypter Services!
  • Not Only Enabling Criminals to Profit from Crime, but Potentially Funding Terrorism
  • Banks and FS, Anti-Money Laundering, KYC, ATF
  • Corporate vs Personal Incidents

We end this exploration in the Luxembourg Cyber Incident Simulator Room 42, when faced with a multi-pronged live immersive simulation, an inexperienced team under the tutelage of master Incident Handlers and Negotiators: “No-one has ever handled the scenarios like your team did. No matter what I did, you did not respond the way anyone else ever did. I could not control the situation. No-one, ever, did what you did…” Former French Military Lieutenant, Cyber Incident Simulator ‘Attacker’. We did not pay the ransom (but we may have lost a person).

Look Where You Are Going: We may not wish to be going here. Cyber Extortion is bad. Cyber-induced Critical Incidents as a Business-Halting experience is not what our ‘exciting digital future’ promised us. But in the near and mid-term ransomware, cyber extortion and Critical Cyber Incidents are going to become the new norm. To ignore or simply wait is insupportable and invites the worst-case scenario. To prepare our individual Operational Security, to build our Vauban Citadel a little bit higher and thicker is the conventional response. Some argue we can build our walls a little bit ‘smarter.’ Those with larger budgets are already building Smarter, Higher and Thicker, and it is still not enough. But perhaps most importantly, the lesson from our new friends and very interesting gentleman: “Be Prepared and Engage.” And have friends!

11:10 B10: GDPR Rights for Consumer Wrongs Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Whilst GDPR provides individuals with rights over how their data is used and processed, it also mandates that organizations have certain obligations to protect personal information. Many consumers do not understand the obligations for organizations as outlined in GDPR, or understand the relationship between those obligations and the data subject's rights. However their awareness is growing, and by understanding the organization's obligations, together with the data subject's rights - GDPR can be leveraged to not only provide data protection rights but also consumer rights.

This has implications for organizations - as now GDPR can affect other departments such as customer services and marketing, by exposing bad consumer practices that may not necessarily relate to GDPR directly.

Using personal case examples from the speaker, this presentation outlines how GDPR can be used to demand consumer rights. This presentation will be of interest to anyone responsible for privacy, security, risk management AND/OR customer services and marketing. However, this presentation will also be of interest to anyone who simply wants to know how to enhance their consumer rights using GDPR.

11:10 C10: Cyber Security at E.ON is Having the BLUES Speaker(s): Roland Schad

Roland Schad

Senior Cyber Security Architect, E.ON (Germany)

Roland Schad started his career in the area of border security at Siemens, creating automatism to effectively control Internet Access Services globally and establishing worldwide functionalities like Corporate Spam-protection, designing a high security data center and much more. During his time at BWI, the full-service provider for the German Armed Forces, he created the Enterprise Architecture Management based on several Frameworks such as ITIL, IREB, TOGAF, Archimate, SABSA. At innogy (now...

Core components of modern utility business nowadays are treated as critical infrastructure. As energy company we have an exceptional responsibility to deliver our services in a stable and resilient way, independently to environmental changes of any kind. Today, as almost every other business segment, the utility business is strongly influenced by increasing digitalization and connectivity of crucial assets for the provided services. Moreover, due to the great variety of exciting digital business opportunities, most utility organizations cannot be seen as pure utility businesses anymore. Topics such as eMobility, power transmission and distribution in the context of highly distributed power generation are pushing us to position ourselves as technology vendors, early adopters, and innovators. On this challenging journey, cyber security becomes even more existential topic on the broad utility agenda.

Couple of years ago, innogy founded a team of cyber security architects to do the right things with appropriate effort and to make cyber security tangible for the organization. This team consists of a wild mixture of people experienced in software development, system integration and useable security, coming from security vendors, mobile providers, IT service providers, and more. With the merger of innogy and E.ON the cyber security architects created a unique composition of selected methods derived from frameworks such as ITIL, IREB, TOGAF, ArchiMate, SABSA and visits at COSAC named the Security by Design BLUES (Business Led Unified Enterprise Security).

Security by Design BLUES offers modular architectural and design security methods seeking the optimal balance between business needs and customer expectations, potential cyber risks and threats, risk appetite and appropriate countermeasures thus enabling the business to explore emerging opportunities. The approach was applied in more than 70 projects in theinnogy and E.ON contexts, clearly showing the desired value.

In this session I share details on the Security by Design BLUES and how SABSA inspired E.ON’s BLUES.

11:10 D10: Herding Cats in a DevSecOps World Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 30 years IT experience, the last 23 in Information Security. I have been formally trained in security consultancy and architecture methodologies. These include Togaf Enterprise Architecture methodology (including Archimate) and of course SABSA. I have 10+ years in the financial/insurance sectors and another 10+ years experience in the Government sector. In that time I have developed security strategy, performed risk assessment and compliance roles as well as designed,...

DevSecOps has moved on as has the adoption of Container based deployments. With Agile working, design, development and deployment of software at pace has relegated the traditional waterfall methods of testing to the bin. We can no longer spend time testing software when it is ready to go into production. Instead we need to manage vulnerabilities and perform testing at every stage of the development and deployment if we are to stand a chance minimising vulnerabilities in production. Even beyond deployment we need to keep track of what components and libraries are used and get them updated as the need arrives. By inserting Policy based Code Firewalls, SAST, DAST and Composition Analysis into the Development and CICD environments we can reduce attack surfaces dramatically and respond to issues at pace.

This session will present a model for managing threats at every stage of the development and deployment lifecycle. This particular model focuses on the use of containers and delves into trust and public code repositories such as GitHub etc. I hope to help participants rethink their approach to security testing in todays fast paced development environments.

11:55 - 12:15 BREAK

12:15 A11: Threat-Based Security Engineering: A Stochastic Framework for Calculating Cyber Security Risk Speaker(s): John Leach

John Leach

Owner, John Leach Information Security Ltd (UK)

I have been an Information Risk and Security professional for more than 30 years. I have held senior positions in the security teams of a number of organisations, including NatWest Bank, and led the security teams for the UK branches of two US boutique technical consultancies. In late 2002, I formed JLIS to enable me to provide my unique brand of Security Risk Management consultancy services independently.

Cyber security is a highly technical subject. This disguises the fact that, even today, we still practise it as a craft, not as a science. We have a series of ‘recipes’ (Best Practices and international standards) but they have been compiled over time from common responses to attacks and breaches, not designed analytically using scientific methods, data and results. These recipes provide us with an uncertain level of security no matter how carefully we follow them, we can’t readily optimise them to suit our particular situation, and they limit our ability to adapt and innovate.

It doesn’t have to be this way. In this presentation I will describe some of the benefits of treating cyber security as a science, and outline how that could transform the way we conduct cyber security. We would be able to measure the amount of security protection a given practice or product provides and perform cost-benefit analyses for security improvement projects. Directors and regulators could set objective security risk targets and Risk Managers demonstrate that their security arrangements satisfy those targets. And security risk could be managed with no less a level of transparency and objectivity than any other type of business risk.

Using Threat-Based Security Engineering (TBSE) as a candidate method, I will describe what treating cyber security as a science could look like, and outline a number of ways people could give this a try to see what it can do for them.

12:15 B11: The Big Bang: What Creating a Greenfield Security Program and an IT Infrastructure at the Same Time Looks Like Speaker(s): Timothy Sewell,

Timothy Sewell

CIO / CISO, Reveal Risk (USA)

Tim is a lifelong technology and security enthusiast with broad experience in multiple industries. He spent over a decade at Lockheed Martin designing and deploying solutions to some of the hardest cybersecurity problems in the national security space: Cryptography, weapon systems, aircraft, satellites, critical networks, APTs, hardware security, supply chain and third-party security, anti-tamper and industrial control systems using a blend of best-of-breed from the commercial space, coupled...
Todd Wilkinson

Todd Wilkinson

Chief Information Security Architect, Elanco Animal Health (USA)

Todd Wilkinson has been in the technology Industry for 23 years and most recently is serving as the Chief Information Security Architect for Elanco Animal building their new security program as part of a divestiture and IPO. He has advised and was accountable for the technology direction and product development of solutions that Elanco offers to our animal health customers, developed innovation in disease detection, wearables, implantable and mobile imaging capabilities with Elanco.

What if I said you could build an entirely new security program from scratch in a greenfield environment? How about when that environment is a 64 year old international company going through an IPO split from it's parent? Also, you have to stand up the entire IT infrastructure at the same time, all while meeting the aggressive cost savings promised to the market? Let’s discuss the beginnings of a security program while restarting from scratch on everything.

This talk will cover every aspect of security from architecture to governance to detection and onto response, share the wins, the losses and the lessons learned along the way.

How to start small, prioritize and increase the security of your company’s future.

12:15 C11: Converging IT, OT and Cloud – Creating an ESA for an Oil and Gas company Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

In 2018, I was asked to lead a project that would establish the beginnings of Enterprise Security Architecture for an oil and gas company. It was a great opportunity to build an ESA capability from scratch that I grabbed with both hands.

As we started the project, I realized that I was caught in the middle of a massive turf-war between the IT and OT teams who very firmly believed that there was no reason for them to even talk to one another about anything seeing that they are responsible for entirely different worlds. And on top of that, there was the “Cloud First” strategy of the company.

At the beginning of 2020, the project ended, and we had concluded 3 phases of architecture work with artefacts that are being used by the business, IT and OT. So, what changed? How did we settle the turf war and include cloud?

In this session I will talk about the initial struggles, how I used SABSA methods to bring the three worlds together, aligned and integrated with the policy and risk management frameworks, creating and applying a zoning model to create consistent patterns used in high- and low-level designs.

12:15 D11: Redefining the Modern Digital Security Enterprise Architect Speaker(s): Rosanna Kurrer,

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas,, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.
Patrick Wheeler

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now as a naturalized Belgian he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas) specializing in security, compliance and innovation with rubric of ‘Cybrepreneurship’ which he defines as including opportunistic...

Defining the Modern Architect: There has been much discussion since Vitruvius’ days about what architecture is in the context of the built environment, but how do we define the role of the modern architect in a security context in a fast-paced digital world? In building architecture we have the Pritzker Prize. In the arts we have endless awards. Where are the Olympics, Oscars or the Pritzkers in digital architecture and security? Is it really just about the technical certifications?

Democratisation of Architecture: Security Architecture, arguably, is currently practiced as a first-world solution to first digital-world problems. Why should enterprise security architecture be restricted to major enterprises? Stereotypes of architects and engineers should not be exclusive. What can we learn from the other architecture professions about democratising knowledge and making it available to everyone.

How to Educate an Architect: As if writing for today, Vitruvius could have been about what the modern digital enterprise security architect needs to be, whether conversant in history, business, mathematics, medicine, music and legal - and add a big dose of creativity and design. Fundamentally we are all solving human-needs problems - with more complexity to it than solely engineering challenge. We need a wide range of skillsets to come up with innovative solutions: business, legal, technology , history … the analogy works … not the attributes of architecture itself, but the attributes of the architect … some wise words from Vitruvius … and how to build ourselves to enable the building of the next generation of Enterprise Security Architects.

History of Technology: Know your history, how we architect early systems and languages and interactions remain in place today, ‘legacy ‘ is the legacy of our digital founders and their (civil libertarian?) mindset…   as we ‘cloud’ is it still ‘just someone else’s computer’ at a different scale?

Philosophy of High-Trust Security:  In social psychology high-trust societies advance more using the “truth-default” mindset, distrustful - and we remain tribal - and we might not have advanced to building cities. Our goal needs to enable ‘trust’ and relieve our digital citizens of the needs to be ‘worried’ about their systems at all times …

As taken from: Becoming an Architect by Janelle Zara

We might find comfort in knowing that building architects have similar challenges - and yet we get to admire structurally-safe, useful and inspiring structures in our cities.

An architect’s work is hard. A single project takes years to complete, and not at a slow and steady pace. The years are labor-intensive; high-level precision is paramount; and compromise is inevitable. Architects’ ideas undergo a stream of revisions based on the review of endless collaborators, pit against the whims of difficult clients, disputes with contractors, the red tape of bureaucracy, and the ordinary constraints of physics. Before construction begins, there’s a mountain of paperwork. And once construction does break ground, it’s bound for delays and budget shortages, miscommunications and incorrect shipments of door handles.”


13:45 A12: A "Theory of Vulnerability" for Cybersecurity Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect / Cyber Project Design Authority, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

In security there is a large body of knowledge on how to find vulnerabilities in existing systems. This is matched to a great deal of research activity, both commercial and academic, to find vulnerabilities in existing systems. Thus, security finds vulnerabilities by the application of trial and error searching on existing built systems – we effective go prospecting for vulnerabilities out in the real world.

As useful as this is, it contrasts with other fields of engineering endeavour that use accepted scientific theories to analyse and model possible outcomes and to predict and therefore avoid problems with the solution. Note that is before real resources are expended on building / creating the actual solution.

The problem is that there is no theory that describes where security vulnerabilities come from, what are the root causes of them and how they can be modelled. This means that security engineers and architects are unable to do cost-effective prior analysis to prevent / design out vulnerabilities. It is also not possible reliably fix existing vulnerabilities in a manner that guarantees to not create other vulnerabilities.

The field of Safety Engineering does have a “Theory of Hazard” that describes how hazards are caused and therefore how they can be prevented, thus providing a reliable way for modelling a solution, predicting hazards and removing the risk of accidents at the system design stage.

Therefore the field of security needs a “Theory of Vulnerability” that can explain how vulnerabilities come into existence and can be used to model and predict the existence of vulnerabilities. This is critical for systems that must provide users with real certainty about their safe and secure operation prior to the systems being implemented or operated.

13:45 B12: The Nature of Security Speaker(s): John Ceraolo

John Ceraolo

CISO, Sentry Data Systems (USA)

Mr. Ceraolo has been an information security professional for over 25 years in industries ranging from publishing, software, automotive, mobile technology and now healthcare analytics. He has frequently spoken at COSAC and other US-based security conferences. He holds his CISM, CISSP, and CISA as well as his Masters in Information Assurance from Norwich University.

This session takes a step back from the traditional technical approach and explores what we have and have not learned from the many non-human life forms around us. Defense mechanisms of camouflage, distraction and evasion have been perfected to the point of species survival. What are humans doing wrong when we fall for the same phishing attacks, social engineering and poor security hygiene after all that we know today? By looking at how “nature finds a way”, this session explores that evolution and how as security practitioners, we need to project a “virtual instinct” into the people and companies we protect. What can we gain from thousands of years of evolutionary defenses that we aren’t exploring today? We’ll delve into the parallels of predator vs prey and threat vs defense. Which side are you on?

13:45 C12: Reorganising Cybersecurity for Business Agility Speaker(s): Ilker Sertler

Ilker Sertler

Enterprise Security Architect,

Ilker helps organisations build modern practices and capabilities delivering cybersecurity and enterprise agility in harmony. He is a researcher and practitioner with 20+ years of diverse professional experience within large enterprises. His research and work practice focus on architecting cybersecurity for modern delivery models and practices such as Agile, DevOps and the cloud. Previously, Ilker assumed various consultative roles for leading technology solution providers and he is currently...

Agile principles have been widely adapted by software development communities for decades. Presently, the digital era and increasing uncertainty of business environment compels to extend these principles across the whole organization. Many established enterprises attempt to transform their structures and processes to build the culture of agility and flexibility so that they can defend their market place. While traditional architecture and governance functions are eroded during transformation journeys, cybersecurity is still considered as one of the top concerns and usually manifests as a constraint for agility.

Business leaders often lack understanding of business value within the cybersecurity initiatives and just choose to delegate responsibility to exclusive teams. SABSA Business Attribute Profiling has been an effective technique to connect security and business; however, tailored approaches are required to organize and represent cybersecurity services within the agile delivery models and emerging value streams of uncertain business environments. This session proposes a new approach to organize and present cybersecurity services with meaningful abstractions for all stakeholder groups. A simplified model for security architecture is introduced to promote a common taxonomy and integrated practice for collaborative development and articulation of architecture, also offering better alignment with technology and process constructs of the agile enterprise. Finally, guidance is provided to build the modern cybersecurity organisation, outlining cybersecurity functions, roles, responsibilities, core activities and interactions.

13:45 D12: The Demise of the Cybersecurity Workforce (!?) Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration.

Our career has been growing like crazy with an estimated 3.5 million unfilled cyber security jobs within the next few years. More certs, more quals, more money, right? But what if we’re wrong? AI, outsourcing, and visa programs may put a huge downward pressure on future job opportunities (and pay) in Europe and North America. Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities? We’ll look at facts, figures, industry trends, and possible futures that might have us thinking that 2021 represents “the good old days.” No gloom-and-doom here; just a risk-based look at what happens if we really can NOT get the talent regardless of price, and why financial incentives haven't effectively raised the ability level of our cybersecurity workforce. Not just speculation but tons of research.

14:30 - 14:50 BREAK

14:50 A13: Learn Techniques to Automatically Identify System Vulnerabilities, Weaknesses, and Common Attack Patterns Speaker(s): Phil Bridgham

Phil Bridgham

Principal Investigator, Northrop Grumman (USA)

Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including: Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.

This session demonstrates and explains, to a non-technical audience, how three complementary data management techniques help to automatically identify system vulnerabilities, weaknesses, and common attack patterns. A comparison of the trade-offs of using relational, graph, and semantic ontological data stores is presented as real-working examples. These complementary technologies are demonstrated and explained in non-technical terms to provide a broad audience with the opportunity to learn about the value propositions and trade-offs of each technique.

A relational database demonstration will highlight achieving the speed and performance required for querying and retrieving large and complex data sets. A graph database is then demonstrated to showcase the power of specifying graph structures and relationships to quickly and intuitively extract patterns of interest, such as vulnerabilities and weaknesses related to system elements. Finally, a semantic ontology is demonstrated as state-of-the-art knowledge generation through inference, where system elements are automatically classified into technology domains.

14:50 B13: Security is for Humans, Not Lizards Social Engineering Brain Science Speaker(s): Ashling Lupiani,

Ashling Lupiani

Recent Graduate, (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...
Kathleen Mullin

Kathleen Mullin

CISO, Healthmap Solutions, Inc. (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This novel and unique discussion on how we decide and react comes from the perspectives of both neuroscience and information security. This presentation addresses how many information technology and security thought leaders are adversely impacting the credibility of their presentations, themselves and the profession by using the thoroughly debunked triune theory. Utilizing the false concept of an amphibian, reptilian, or lizard brain to explain how we decide and react detracts from otherwise accurate information at best and at worst can skew materials to make them entirely incorrect. This also impairs the ability of information technology and security professionals to create appropriate defenses for social engineering attempts by establishing a faulty knowledge foundation.

The value in this session is providing real tools from current brain science to use in identifying potential weaknesses, attacks, and defenses for the human system. This discussion is timely as social engineering, body language, and behaviour experts are spreading misinformation in life-coaching sessions, public speaking events, YouTube, Twitter, Instagram, books, and magazines. The approach of this session is to provide opportunities to challenge and give input while imparting attainable science on the real brain doing information security - a human one. 

14:50 C13: Shapeshifting Enterprise Security Architecture Speaker(s): Andreas Dannert

Andreas Dannert

Head of Security Architecture, Standard Chartered Bank (Singapore)

Andreas is currently the interim Head of Security Architecture at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of...

SABSA is a powerful methodology for problem solving and has been defined as a structured approach to security architecture development. While SABSA can be extremely useful for security architects, it is not answering all questions, especially not the aspect of continues delivery and transformation that large organizations heavily depend on. Having a well-defined and robust security architecture is one thing, but continuously adjusting it to meet the requirements of new technologies, like bot IDs and machine learning, shift to cloud or changing regulations, are another problem. Organizations that want to drive security in a structured way, supporting continuously delivery and do it fast, need to have mechanisms and processes in place that support the continued transformation of their security capabilities. Their security architecture needs to have the ability of “shapeshifting”. Can yours do this and can you do it fast and efficient?

In this presentation we will explore the challenges of continuous security transformation and ways of addressing them in a structured and repeatable way. The benefit of applying methods to the agile madness here is that the idea of a well-engineered security architecture, as described in SABSA, can be made easily repeatable and governable. This leads to a more mature way of delivering the right security outcomes consistently and to a defined level of quality. The presentation will describe the organizational drivers for continued change, like legal and regulatory requirements and shift to cloud platforms, their impact on a security architecture, and how to change security architecture delivery to better address these challenges. Ideas presented in this session are based on real world scenarios in the financial and other industries. Some of the approaches have or are to be implemented and others are still currently in development. Nevertheless, all the ideas presented are real and not of theoretical nature.

At the end of this session participants should be able to understand what challenges need to be addressed when continuously transforming and pro-actively driving the delivery of security capabilities. It is not just a rinse and repeat approach, but intrinsically build into the Security Architecture Framework of an organization.

In the spirit of COSAC, this session will hopefully provoke lots of questions and discussions due to the fact that shapeshifting Security Architecture is really not a thing, but more an idea and concept that the presenter feels needs to be explored further and developed. Only then can we enable security capability in organizations that want to go faster and be more flexible.

14:50 D13: Security Frictions in Digital Healthcare Speaker(s): Matthew Gerry

Matthew Gerry

Postgraduate - MSc Information Security, Royal Holloway University of London (UK)

Matthew is a postgraduate student at Royal Holloway, reading MSc Information Security. Having graduated from the University of Bradford with a degree in Business Economics, he has spent the last 5 years working within treasury for organisations in office space, oil & gas, and the finance sector. He has always had a passion for computing and is a big believer that digital security has become a defining issue of our time. This has prompted him to pursue a career in security. He has a keen...

The digitalisation of the classic healthcare system model between the (UK) NHS and the patient has been a widely debated topic in the security community for several years. Now, “Big Tech” has made an overt entry into the healthcare sector, presumably in search of the valuable, and relatively unexploited, ocean of patient medical data. More recently, there has also been a huge drive to collect more and more data to aid our understanding of the spread of COVID-19. This has led to a proliferation of data gathering IoT tools, which are being rapidly developed and pushed to the public to meet this demand.

Telemedical brokers are keen to be the first to collect, analyse, and profit from the healthcare data of consumers – incentivising commercially-driven decisions over security concerns. In the same vein, healthcare providers such as the NHS are economically incentivised to partner with such organisations. Given this momentum, consumer requirements often come second, creating an asymmetrical power dynamic, and increasing the tension surrounding the use of personal data.

The rising fears over the use and misuse of personal data have led patients to row back consent to share medical information, presenting an obstacle to academic research and the overall potential of big data to improve healthcare outcomes. It is therefore vital then that we “start afresh”, that we learn from last decade’s experience of data security and evolving attitudes towards security, and that we consider information security at the core of this new system.

In this presentation I present my research that:

  • identifies the objectives of stakeholders involved in the development of a digital healthcare system and determine what security frictions are generated by conflicting objectives;
  • explores how these frictions would manifest in the design decisions of a future digital healthcare system;
  • maps where identified security frictions occur in the defined digital healthcare systems and consider how they might be resolved.

I look forward to engaging with a COSAC audience that I hope will provide me with further insight into where security weaknesses are already being built into a future digital healthcare system, and how best to address them.

15:35 - 15:55 BREAK

15:55 A14: Ransomware - Pay Up or the Data Gets It! Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

It would be a real shame if something happened to your data. Ransomware is increasingly a commodity malware service generating significant returns for cyber criminals in the order of multi-billions per year. Ransomware attacks have morphed from: hostile encryption of data to be released for a fee; to copying data and threatening exposure unless a fee is paid; to mounting attacks to inhibit business operation (DDoS) unless a fee is paid to stop; to a protection racket by merely threatening to do any or all of this unless a fee is paid without actually actively engaging the intended victim. Is it possible to keep avoiding this quickly evolving threat?

The DearCry ransomware, enabled by mass exploit of the ProxyLogon vulnerability, highlights how pervasive the ransomware threat has become. We will examine the evolution of the ransomware threats and the risks and challenges that they continue to present to business. What is needed to combat this type of threat? Is prevention possible? What is available to help organizations combat the impact of ransomware? What do you do if you are a victim? What avenues have been effective and what hasn’t worked? We will explore several approaches to combat this menace including advice from several organizations including Carnegie Mellon University, NIST and the US National Cybersecurity Centre of Excellence (NCCoE). We will describe various approaches to defend against ransomware attacks and tips to limit the impact if an attack is successful. Have you have experience with Ransomware? We look forward to an interactive session to share the secrets to success and what to avoid doing.

15:55 B14: Zero nation Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

In 1986 Ph.D. student Fred Cohen coined the phrase "computer virus" borrowing from what we knew about biological viruses to describe "a program that can infect other programs by modifying them to include a, possibly evolved, version of itself."

It was only when Robert T. Morris released the Morris Worm in 1988, that the population grew fascinated with a piece of code that could attack the very mainframe servers that maintained the balance of "mutually assured destruction" throughout the cold war.

It's clear that our understanding of new technology has been somewhat underpinned by the medical industry in this regard, but are there any concepts that the medical fraternity can learn from cyber security?

In this session we will examine some of the take-aways from the onslaught of technology and covid that we have witnessed over the last two years.

15:55 C14: SABSA and the Framework Hunger Games Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

Managing Director, Qiomos (UK)

Strong technology executive, specializing in business-driven security architectures and business risk control management. I have more than 16 years of extensive experience gained within information security consultancy firms as well as financial services and telecom organizations. During the last eight years I have been offering enterprise security strategy services to C-Level executives across Europe due to my ability to simplify complex technological issues.

The ever-increasing attention in the area of information security, cyber security and, as of lately, risk resilience is being followed by significant investments organisations make in an attempt to stay in control and consequently protect their operations. The flux of money, especially evident in the aftermath of a visible security breach in the public domain, usually results in a plethora of technical controls with very little justification and almost non-existent acknowledgment of the business context. Instead of investing time and resources to define the problem space first, security professionals hide behind numerous security frameworks, pre-built lists of controls, and best-practices.

This presentation will analyse the driving forces behind this phenomenon in an attempt to identify the root cause and then explore how SABSA can provide a credible way to alleviate, if not solve, the problem. In doing so the emphasis will be: on the need these frameworks and control repositories aim to address, its relevance to build operational resilience and meet regulatory expectations, and the prioritisation of the investment required to perform active risk management. SABSA principles and logic will be put to the test as we explore the differences between a compliance- and improvement-driven mindset.

15:55 D14: Social Engineering in Healthcare Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Healthmap Solutions, Inc. (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

Built on a COSAC presentation that never was, due to COVID-19, this unique presentation is framed by a healthcare security professional. This is timely since healthcare has seen an escalation in social engineering attacks.

Malicious hacking against healthcare has multiple goals, including stealing money (often ransomware), research, or data. Healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds and manufacturers still selling systems with obsolete operating systems. This discussion analyses how targets are selected, and attempts are delivered, why social engineering is effective, and how to protect and the options if they fail.

Seasoned professionals recognize hacker motivations and threats to vulnerabilities. These need to be communicated to lay persons, whose backgrounds are especially varied in healthcare.

The value in this discussion is a prebuilt response to protect against social engineering in general and for healthcare in specific. Proposed is a non-technical checklist for use by laypersons to start addressing risks.

The approach is the discussion of a plan to reduce the likelihood of social engineer’s success using training, testing, and technical controls based on the risks from common methods used to victimize healthcare organizations.

16:40 - 17:00 - BREAK

17:00 A15: Ransomware Response - A Lawyer's Perspective Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years’ in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.

Your company is hit with a ransomware attack. You have to decide whether to try to decode the bitlocker, rebuild the database, or pay the ransom. Who makes the decision? IT? CISO? Legal? Your insurance company? If you decide to pay, how do you do this as a practical matter? Are the costs of paying ransomware covered by insurance? What about the costs of NOT paying ransomware? Are you subject to criminal prosecution for the mere act of paying to release your funds? This session will focus on the legal and practical aspects of ransomware including violations of international sanctions, aiding and abetting terrorists or other criminals, operating as an unlicensed money transfer agent, money laundering and other KYC regulations, providing material support to criminal activities, and other potential liability sticking points.

17:00 B15: The Wisdom of Insecurity Speaker(s): Helvi Salminen

Helvi Salminen

Security Advisor, (Finland)

Helvi Salminen has worked in information security since June 1990, first as security analyst and since April 2000 as information security manager. Before starting information security tasks she has 12 years experience in systems development. Helvi is founder member of Finnish Information Security Association which celebrated its 10th anniversary in 2007. Helvi is qualified CISA, CISSP & SABSA & was awarded as CISO of the year in Finland 2014.

We are used to looking at security through the lenses of rules and discipline. This is often useful – even necessary – and we find solutions of many problems in this way. However, purely rule-based security is no longer sufficient in the business which operates in an increasingly complex technical reality and rapidly changing society.

Our methods, standards, guidebooks and countless rules prepare us to resolve known problems by answering predefined questions. But if we rigidly stick to the predefined rules we don’t develop the capability to understand issues which are not included in our recipe books. How can we be sure that we have asked all the important questions?

This session is designed to discuss the limits of the applicability of standard and rule based way of doing security. What do we miss when limiting our thinking to this type of approach? What we can learn from other areas of knowledge – e.g. social psychology and philosophy - and apply this knowledge in our security work? How can for instance the principles of creative idleness and reversed effort help us to resolve complex problems better?

Welcome to the adventurous journey which is inspired by thinkers whom we usually don’t see in the context of security. Alan Watts says that it is only by acknowledging what we do not—and cannot—know that we can learn anything truly worth knowing. Aldous Huxley states that the harder we try with our conscious will to do something, the less we shall succeed. Proficiency and results come only to those who have learned the paradoxical art of doing and not doing, or combining relaxation with activity. With the concept of creative idleness Domenico De Masi embeds elements of pleasure to the hardness of duty. And many others help us to get out of the box.

Also in security.

17:00 C15: SABSA for Humankind Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

When I started my career working in a hospital as a nurse, I was always interested in the terminals/computers.

Long story short, I switched career are some point and got in IT Security. When I met SABSA I instantly connected the methodology to the work I did in the hospital. Working on properties to help patients achieve a balance between physical , social and psychological elements.

Therefore I decided in the Foundation course already I would pursue becoming a master, and would probably take it outside the IT Security field.

In this session I will present to you my approach towards SABSA as a problem-solving framework applied to Humankind.

17:00 D15: The Great Security Leadership Debate - 20 Questions Speaker(s): Todd Fitzgerald

Todd Fitzgerald

CISO & Cybersecurity Leadership, CISO Spotlight (USA)

Todd has built and led multiple Fortune 500/large company information security programs for 20 years across multiple industries. Todd serves as Executive In Residence and Chairman of the Cybersecurity Collaborative Executive Committee, was named 2016-17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, and named Ponemon Institute Fellow. Fitzgerald authored CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.

The information security leader has evolved much over the past 25 years, or have they? This session takes a look at the evolution of the Chief Information Security Officer (CISO) and then discusses 20 cybersecurity leadership perspectives provided by expert CISOs and security leaders of some of our largest organizations today. We will discuss – are these ideas increasing our maturity or are they moving us backwards? The questions are based upon writeups some of the top CISOs and cybersecurity leaders have provided to the presenter on different topics such as developing strategies, managing MSSPs, hiring talent, privacy, organizational structure, orchestration, use of AI/Machine Learning/Blockchain, etc – from practical experience, not theory.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation to create a memorable entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker (2013-2020) and ISACA top-rated speaker.

17:45 - 18:00 BREAK


18:00 Building Digital Empathy into Cybersecurity Speaker(s): Siân John MBE

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

The last year brought home the importance of the need for helping people to be both productive and secure. As everyone moved to be more agile and digital transformation then securing access to data became more critical. Cybersecurity is the underpinning to protecting data, helping organizations remain compliant and maintaining business continuity while organizations adapt to this new world.

When billions of people formed the largest remote workforce in history, overnight, we learned much more than how to securely scale Virtual Private Networks. We were reminded that security technology is fundamentally about improving productivity and collaboration through inclusive end-user experiences.

Cybersecurity needs to focus on “digital empathy.”  How do we truly understand how people engage with technology and build protection into that rather than blaming them for unexpected behaviour? Being empathetic to the end user experience is something we must consider during times of constant disruption and change. As Cybersecurity professionals we need to put ourselves in others shoes and consider how they engage with technology.

This session will look at how we can build security architectures that are empathetic of someone’s situation - and forgiving of mistakes - to ensure people are protected, and blockers to productivity are removed.


18:45 Day 2 - Networking Session