COSAC 2023 COSAC Connect COSAC APAC 2024
Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value celebrating 30 years of COSAC Security Conference. For 30 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2023 Delegate Registration is open.

Wednesday 4th October 2023

09:00 - 09:30 Registration & Coffee

09:30 10A: Access Control – Meeting The Emerging Needs Speaker(s): Hugh Boyes

Hugh Boyes

Director, Bodvok Limited (UK)

Hugh Boyes is a security adviser and was until December 2022 a principal fellow in the Cyber Security Centre at WMG, part of the University of Warwick. He is a Principal member of the UK NPSA-sponsored Register of Security Engineers and Specialists (RSES). Hugh is the technical author of six security-related BSI Publicly Accessible Specifications and three publicly funded cyber security Codes of Practice covering the built environment, ports and port systems, and ships.

With the commercial, and in some cases regulatory, pressures to make data more widely available, there is an emerging need to be able to selectively manage the sharing or disclosure of potentially sensitive data. In many sectors there is also a need to manage access to federated data, some of which may be commercially or reputationally sensitive. Current access control practices are limited in their ability to handle the more sophisticated requirements associated with selective openness and/or federated data sharing.

Using case studies, this session will consider the application of different access control methods and their limitations, particularly with regards to file- or object-based sharing. It will examine the issues that arise from data aggregation and permit the pattern-of-life of assets, individuals, and groups to be determined. It will explore the requirements for more sophisticated controls and consider how the requirements can be expressed in a standardised format.

09:30 10B: How Prepared Leaders Can Manage the Impact of Hybrid Work on Organizational Connection and Culture Speaker(s): Jaco Jacobs

Jaco Jacobs

Director of Consulting Services, David Lynas Consulting (Netherlands)

Jaco is the Director of Consulting Services for David Lynas Consulting based out of the Netherlands. He has been a “security guy” for more than 25 years during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most his career developing security IP, training and services for the largest global security providers as well as co-authoring several security publications.

In the “new normal”, also known as the hybrid workplace, effective leadership is more important than ever, especially when it comes to fostering a sense of connection and strong culture within organizations.

The latest Gallup research shows that in 2023, an overwhelming 59% of employees prefer a hybrid work model (up from 32% in 2019), and that 60% are “extremely likely to change companies” if they cannot be offered the flexibility that they want (up from 37% in 2021). In fact, “managers don’t know what to do and are accumulating dangerous levels of stress and subsequent burnout (real mental health issues)”.

Simon Sinek, renowned leadership expert, has identified a set of key fundamentals of effective leadership, that offers valuable insights to leaders who want to build a strong and connected culture that supports all team members, regardless of their location or work schedule.

This session will look at how to apply these fundamentals to the Gallup research on the future of hybrid work, to create and support strong, high-performing teams that are motivated and engaged in achieving shared goals.

09:30 10S: Do You Trust Your Computer? Speaker(s): Edwin Vos

Edwin Vos

Principal Consultant, Nivo (Netherlands)

After my bachelor study of Electronics I started at Philips Telecommunications and Information Systems in 1989. As a Customer Support Engineer, I built networks for plants of Philips in Eindhoven and I designed networks for KPMG, Heineken and other customers. Recently I’m working for a department of the ministry of Justice and Police, setting up an Enterprise Security Architecture.

Many consultants need a laptop for their work at home or at the office of their clients. In many cases you are totally dependent on your computer and as many years when by, the more complex the systems became.

I did some research on the behaviour of Windows 10 systems, and guess what: A lot of information is sent to and from the system towards Internet, without knowing of the owner or any need to, especially during startup of the system.

When I ask a consultant the question: “Do you trust your computer?”, most of the time the answer is: “Yes, I use bitlocker and a virus program to protect my system.”

In my research I found a lot of information that is sent during startup to or from the internet that can harm your system of even disclose information about the system, yourself or even the data of the client.

In my presentation I will show some examples of information flows during startup and emphasise on the possibilities of disclosure of information at the startup of a system and show a way how SABSA can help you to minimise the risk of any possible disclosure.

10:25 11A: Beware the Trunami Speaker(s): Nick Spenceley

Nick Spenceley

Director, Primary Key Associates (UK)

Nick is an experienced technical specialist with particular subject matter expertise in the application of technology to solve complex problems in secure environments. He consults on business change, system architecture and design, legal disputes, security accreditation and engineering processes. He has over 30 years’ experience in managing significant project portfolios and programmes for BAE Systems Applied Intelligence, Detica and Logica (now CGI).

At COSAC 2021 we learned how businesses had to evolve their approach to risk management as a result of the COVID-19 pandemic, and how individuals need to pay more heed to their own risk management if they are to minimise the impact on themselves of adverse events.

Since 2021, governments, organisations and companies have continued to re-shape the ways in which they engage with their citizens and customers. Generally, it has become harder for customers to engage with organisations on a human-to-human level and the frustration around the resulting impression of the customer ‘not being important’ has driven trust levels heading to an all-time low.

But does this matter? What real power do customers have? Will there be more “Elon moments” or is this the new normal. If you were mapping out an organisation’s Business Attributes, would you be just making sure you had “Resilient” under the Operational Attributes heading of your Taxonomy or would you be trying a different approach?

How does timeliness affect this? Trust is often lost when the trust relationship becomes asymmetric and the power has been mostly moving in organisations’ favour. Being on hold and 947th in the queue and hearing that “your call is important to us” is not timely at all.

But what if it can flip the other way? What if your customers start using crowd-sourced high-speed messaging against you because they cannot contact you? If the trust in your relationship is in doubt, then your organisation could be toast, think Silicon Valley Bank becoming insolvent in a matter of hours because of Twitter.

In this talk I will review the ways in which trust can affect an individual’s or an organisation’s approach to risk and what organisations should be doing about it. Is it feasible to deploy AI to actively engage with customers, or key influencers, to head off a customer Trunami? And what does good look like?

As ever, there will be some illuminating real-world examples and plenty of opportunities for contributions from the COSAC delegates.

10:25 11B: Building a Cybersecurity Strategy – It takes much more than a control framework!! But what approach works? Speaker(s): Todd Fitzgerald

Todd Fitzgerald

Vice President, Cybersecurity Strategy, CyberRisk Alliance (USA)

Todd Fitzgerald promotes cybersecurity leadership collaboration and serves as VP, Cybersecurity Strategy and Chairman of the Cybersecurity Collaborative Executive Committee. Todd authored 4 books including #1 Best Selling and 2020 CANON Cybersecurity Hall of Fame Winner CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019) and ground-breaking CISO Leadership: Essential Principles for Success. Todd also hosts the popular SecurityWeekly CISO STORIES...

One of the first requests of a new security leader is to build a cybersecurity strategy for their organization. How does one go about building one? What are the considerations for the security leader. How does the leader really know what will work and what won’t? This session will focuses on 4 main methods to build a cybersecurity strategy, a proposed 6 step process, and 13 control frameworks that are in use by different organizations today. This is intended to be an open discussion across the pros and cons of each of these approaches, with the goal to debate which frameworks work well in which situations.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation to create a memorable entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker (2013-2022) and ISACA top-rated speaker.

10:25 11S: Bringing the Fight to the Adversary: Integrating SABSA and Cyber Threat Intelligence Speaker(s): Bruce Large

Bruce Large

OT Cyber Security Team Leader, Powerlink (Australia)

Bruce Large has 15 years experience working with IT and OT in network, telecommunications and system engineering roles. Bruce has worked in Electricity Generation & Transmission, Railway, Aviation, Emergency Services and Consulting industries. Bruce considers himself a security architecture enthusiast as well as an infrastructure tourist. He is a Foundation Chartered SABSA Architect (SCF), is (still..) working on his A3 SCP paper, holds the GIAC Response and Industrial Defense (GRID)...

This session will present an integration and enhancement of the SABSA Risk Management Process using Cyber Threat Intelligence. During the Chaos Monkey Threat Modelling session in COSAC APAC 2023, the conversation turned to the Intelligence Preparation of the Battlefield methodology and its utility for threat modelling in cyber security.

This session will introduce the Intelligence Life Cycle, its application to cyber security with the Intelligence Preparation of the Cyber Environment and will align with the SABSA Risk Management Process. The session will also discuss modern Intelligence Driven incident response processes and help network defenders to build a security architecture that meets with the capabilities of modern threats.

The session will come back to the fictitious State Power Corporation and will help architects with a worked example of how to build cyber threat intelligence informed cyber security architectures. The session will encourage participation and aim to educate on the why we need to use threat modelling to inform defensible architectures.

11:15 - 11:35 Morning Coffee

11:35 12A: Recent Developments in Ransomware Response Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years’ in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.

This presentation will provide an in-depth analysis of recent developments in ransomware response, with a focus on alternatives to paying the ransom. The growing threat of ransomware attacks has led many organizations to consider paying the ransom as a last resort, but this option can be costly and may not guarantee the safe return of data.

One significant challenge is the use of cryptocurrency for ransom payments, which can exacerbate the problem by making it easier for criminals to demand payment and avoid detection. Moreover, recent regulatory efforts in various countries seek to make the payment of ransom illegal, which further complicates the response to ransomware attacks.

In addition to the ethical and legal considerations, the cost-benefit analysis of paying ransom also needs to be taken into account. In some cases, paying ransom may seem like the most cost-effective option in the short term, but it could ultimately lead to more attacks and higher costs in the long term.

Export control regulations, sanctions regulations, and Specially Designated National regulations also need to be taken into consideration when devising ransomware response strategies. These regulations may restrict the ability of organizations to use certain technologies or engage in business transactions with certain individuals or entities, which can limit the available options for responding to ransomware attacks.

Moreover, there may be laws, regulations, or restrictions on paying ransom under the laws of Ireland or Great Britain, which can further complicate the decision-making process. The presentation will examine the legal and regulatory landscape in these jurisdictions and provide guidance on how to navigate these complex issues.

Alternative approaches to ransomware response will also be discussed, including hacking the ransomware itself, hacking the encryption keys, and taking affirmative action against the threat actors behind the ransomware attacks. These options may offer a viable alternative to paying the ransom, but they are not without risks and challenges.

The presentation will conclude with a discussion of the importance of taking a proactive approach to ransomware response, including investing in cybersecurity measures that can help prevent ransomware attacks from occurring in the first place. By adopting a comprehensive strategy that includes both preventive and responsive measures, organizations can better protect themselves against this growing threat and avoid the need to pay ransom.

11:35 12B: What’s So Funny About Peace, Love, and Understanding? Architecting Security Cultures Speaker(s): Chris Blunt

Chris Blunt

Enterprise Security Architect, ESO (Northern Ireland)

Chris is the Enterprise Security Architect for a SaaS provider specialising in software and data analytics for health and fire services. He is a seasoned cybersecurity professional and is passionate about business-driven security and delivering pragmatic advice that enables organisations to achieve their business objectives.

Security is often seen as a technical problem that can be solved by implementing technical controls. Yet, effective security requires more than just technical controls.

We know that culture plays a significant role in cybersecurity, perhaps the most critical. Despite this, for the past 30 years, it has received little attention, and our efforts are limited to publishing security policies and delivering awareness training in an attempt to make security everyone's responsibility.

But how effective are these initiatives? How successful are they at establishing positive security cultures? Are they more than a compliance box-ticking exercise? Can they cause more harm than good?

Is it time for us to explore a different approach? In this interactive session, we will:

  • • examine why traditional methods fail to establish security cultures,
  • • discuss the factors that influence culture and explore how they apply to organisations and cybersecurity, and
  • • explore what we can borrow from other theories and disciplines** to architect effective security cultures.

** These may include social norms, organisation design, and team topologies.

11:35 12S: Sharing A Security Architecture Journey Speaker(s): Gordon Jenkins

Gordon Jenkins

Head of Security Architecture, Admiral (UK)

Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 25+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 14 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

Over the last year we have almost doubled the size of our team. It’s been hard work finding the right people and starting to shape our future. But the real work starts here.

Until now, the organisation expected us to deliver the security designs for individual project solutions, but we know we have more to offer. We want to deliver an enterprise security architecture that shapes all our solutions and enables the business. We want to sell our vision and convince our stakeholders what they should (and shouldn’t) expect from us. We want to be shaping the security investment portfolio for 2024. We want to flip from project-based design methods to fast-paced security architecture in a scaled agile methodology. We want to introduce SABSA. And we want to make everything we do more organised, repeatable, consistent.

It’s ambitious. Will we do all of this in 12 months? Probably not. But we have started.

In this talk, I will describe the journey we’re on, how we’ve decided to tackle the challenges, what’s working, what’s not, and what we’ve learned in the process so far. Whatever happens, we’re looking forward to understanding ourselves better along the way. By sharing, I’m hoping our experience can help you, and your experience can help us.

12:30 13A: Exploratory Panel: Cyber-trauma in 3 Dimensions – Acute, Chronic & Organisational Speaker(s): Rosanna Kurrer,

Rosanna Kurrer

Educator, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas,, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.
Patrick Wheeler

Patrick Wheeler

Security Architect, CyberWayFinder (Luxembourg)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now as a naturalized Belgian he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas) specializing in security, compliance and innovation with rubric of ‘Cybrepreneurship’ which he defines as including opportunistic...

Leveraging our discussion at COSAC Connect 2021 on Critically Destructive Cyber Incidents and Cyber Trauma (thanks to Sian John for excellent moderation of discussion and quizzes!)… informed by our on-going work with professional Hostage Negotiators (Kidnap & Ransom experts ex- U.N., Politie Netherlands & Canada), a deeper dive with Professional Psychologists who are also Cybersecurity practitioners.

1. Acute Toxicity – Cyber Incidents can be directly traumatizing or merely a vector for existing trauma. From cyber-bullying through sextortion, cyber can be just an accelerant for long-standing toxic-behaviors. But it can also lead to new modus operandi that can and should be recognized. We explore this in true COSAC fashion with an examination of the attributes and artifacts and the help of our six honest serving wo/men “(they taught me all i knew); Their names are What and Why and When And How And Where and Who.”

2. Chronic Toxicity – “… is the development of adverse effects as the result of long term exposure to a toxicant or other stressor. It can manifest as direct lethality but more commonly refers to sublethal endpoints such as decreased growth, reduced reproduction, or behavioral changes ...” Multiple cyber-incidents over an extended period of time, the continued feeling of inadequacy and never ever is it ‘good enough’ as there is always yet another attainment just out of reach in our search for the unattainable ‘perfect security.’ We set ourselves up for failure at the outset. Whether it is something we carry from role to role and accrue over time. We explore the artifacts and evidences and negative behaviors thought processes and exacerbating mental models …

3. Organizational Toxicity: Lessons learned from the RSA Hack 10-years later: What are the behaviors during the ‘worst shitstorm ever’ and the narratives developed by momentary behaviors and how do these impact us long-term? What are the damages caused by the culture of secrecy and of the ten-leading-indicators of organizational toxicity, how many of these can we see in the cyber-defense teams and reactions to cyber incidents?:

And, what does Lesly Kipling and Sian John along with Marie Kondo approach to cybersecurity (discussed at COSAC long before Bob Lord chatted about it at RSA in 2022 [ref]. From cleaning out our mental attic to figuring out how to spark joy in our cybersecurity ecosystems? How many excess solutions and workarounds have we layered upon ourselves by making tactical decisions time after time until we trip over our own feet and diminish our performance and satisfaction exacerbating our daily frustrations. How do we take a retrospective ‘cleaning’ and ‘trash-taking’ exercise to our security layers.

Lastly we explore evolutions of thought and ‘therapy’ in treating the individual and the aggregate entity: ”…The trauma can always be conceptualized as a dent in your identity. The traumatic part isn't that a car almost ran you over, the traumatic part is what kinds of things you tell yourself about it, like "I'm not in control of the situation" or "bad things happen to me repeatedly because I'm unworthy …these are all equally much nonsense as telling yourself you ARE in control … 'corporate identity' is a group identity that can be similarly healed through the individuals, by creating a new narrative and going through the neutral events (this happened, that happened, then this happened) with the new positive narrative in hand. A kind of appreciative enquiry into the worst shitstorm ever. Switch the focus from all the things that were bad to the things that worked, and tie it all into the more positive narrative. Don't avoid the trauma or silence it to death, because like emotions and personal trauma, everything pushed into the closet will just grow, and tend to repeat…”

12:30 13B: The Dial-a-CISO Game: 100 Security Leadership Issues Speaker(s): Todd Fitzgerald

Todd Fitzgerald

Vice President, Cybersecurity Strategy, CyberRisk Alliance (USA)

Todd Fitzgerald promotes cybersecurity leadership collaboration and serves as VP, Cybersecurity Strategy and Chairman of the Cybersecurity Collaborative Executive Committee. Todd authored 4 books including #1 Best Selling and 2020 CANON Cybersecurity Hall of Fame Winner CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019) and ground-breaking CISO Leadership: Essential Principles for Success. Todd also hosts the popular SecurityWeekly CISO STORIES...

Going on 3 years now, the presenter has been hosting a weekly podcast host, interviewing over 150 Chief Information Security Officers (CISOs) and top industry leaders, discussing top security issues. This session will consist of an interactive game, where we randomly select a “dial-a-CISO”, and listen to a 30 second clip that introduces their topic. We will then briefly discuss, agree, disagree, debate, with their opening statement! This will be an interactive session where we discuss and have an appreciation for the breadth of issues a CISO faces today.

12:30 13S: Beyond The Frontier: SABSA Beyond Security Architecture? Speaker(s): Ross MacKenzie

Ross MacKenzie

Head of Security Controls Assessment Information Security Group, Westpac (Australia)

Ross MacKenzie is the Head of Security Architecture & Design at Westpac Banking Group, and is responsible Globally for the delivery of security architecture, design and security capabilities. Ross has over 15 years of experience in the information security field, and is based in Sydney, Australia. He is also SCF & SCP certified.

This session describes how a SABSA deployment that initially focused on securing change has evolved into an extensive distributed security controls assessment function, spanning both change and run. We also explore how we intend to take this function into the future, including ongoing/continuous controls assessment and the new frameworks we are building.

We start with the back-story of the ‘Secure by Design’ practice at a large financial services organisation in Australia - a practice that was originally inspired by SABSA but has now been operating for over 15 years. We then explore how this ‘Secure by Design’ has evolved over the years, and how it is now delivering value far beyond its initial scope. This leads to a discussion about what might be possible if we continue to extend SABSA beyond Architecture. Finally, we outline our intent for future experimentation.

The speaker has led this program over fifteen years, embedding SABSA at the core of the security architecture function at this large financial organisation in Australia. This speaker helped create and enable a large cohort of SABSA-certified professionals that operated across architecture and security teams, ensuring the concepts permeated far beyond their security architecture roots.

13:20 - 14:00 Lunch

14:00 14A: Around The World in 50 Minutes Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information roles. He currently manages a team of security analyst with a global remit at FedEx, owning implementing and executing various GRC processes. Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies.

Politics always influences our cybersecurity agenda, geopolitics drives our risk agenda, and compliance requirements with new laws and regulations drive the implementation of various mandatory controls. Currently, the world is changing faster than ever before. Geopolitical tensions, the fight against cybercrime and espionage, state protectionism, and the continued focus on data privacy, on the other hand, create a challenging cocktail of laws and regulations to abide by.

In this session, we will go around the world region by region and discuss new and anticipated laws, regulations, and other political issues that might influence your cybersecurity roadmap in that region. Among other things, this talk will cover:

  • • The new EU Cyber security law “NIS2 Directive”
  • • The US FAR provision 52.204-24, "Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment."
  • • Implementation of the Cybersecurity Law of the People's Republic of China.
  • • India’s 6-Hour Data Breach Reporting Rule
  • • The UK’s update to NIS Regulations

Per region, we will discuss what is new, expected, and strange, and we will discuss the impact those laws and regulations can or will have on our cybersecurity agenda.

14:00 14B: Talking About My Generation Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In this session I will present and discuss some insights gathered during a chat with my daughter and her friends regarding how information is shared, how assets are shared and how security is perceived amongst their generation, the next generation.

A short impression of this was given at the Rump session at COSAC APAC 2023, and many believed this should be extended with more details and insights.

Let us discuss how we can reach out to them on the basis of our observations. How can we best address the messages we need to get across for them to support the required level of security for the organization.

14:00 14S: Stretching Left – Applying a SABSA-based Approach to Cybersecurity Solution Design Speaker(s): Robert Rost

Robert Rost

Cybersecurity Architecture Director, (USA)

Robert Rost has been focused on cybersecurity for the last 20 years. Over the last 5 years, Robert Rost has been the Cybersecurity Architecture Director at one of the largest non-for-profit healthcare systems in the US.Prior to this role, Robert Rost held the position of IT Operations Director, Defensive Services at the same company.

Today, there is not a lot of published case studies on the successful application of a SABSA-based approach to Cybersecurity Solution design, especially from organizations based in the USA. There are several factors for a lack of case studies. The purpose of this talk is to contribute to the body of case studies successfully applying a SABSA-based approach to cybersecurity solution design. The SABSA-based approach utilized for the case study is derived from applying the lessons and techniques learned from official SABSA training classes and from the ”Building Effective Security Architectures” program.

The value of the talk is: 1) to encourage to others to publish and share their SABSA success stories; 2) to learn about barriers and enablers for implementing a SABSA-based approach to Cybersecurity Solution design; 3) to see and discuss architecture artifacts and techniques. All of this content and expected discussion is to help others accelerate their cybersecurity solution design efforts and cybersecurity architecture program in general.

14:55 15A: Unexpected Items in the AREA? Rethinking Responsible Research & Innovation Speaker(s): Lizzie Coles-Kemp,

Lizzie Coles-Kemp

Professor in Information Security, Royal Holloway, University of London (UK)

Lizzie is a qualitative researcher who uses creative engagement methods to explore everyday practices of information production, protection, circulation, curation and consumption within and between communities. She took up a full-time academic post in 2008 and prior to joining Royal Holloway University of London she worked for 18 years as an information security practitioner. Lizzie’s focus is the intersection between perceptions and narratives of individual and community security and...
Genevieve Liveley

Genevieve Liveley

Professor of Classics, University of Bristol (UK)

Genevieve is Professor of Classics, RISCS Fellow, and Turing Fellow at the University of Bristol. As a narratologist, she has particular research interests in stories and their impact on futures thinking – especially in the context of emerging technologies and cyber security. She leads the Futures strand for the UKRI’s Digital Security by Design (DSbD) programme, and as RISCS Fellow, heads the ‘Anticipation and Futures Literacy’ research theme.

Reflecting well established principles of Responsible Research and Innovation (RRI), the UK’s AREA Framework aims to ensure the careful consideration of the future consequences of emerging technical innovation processes, policies, and outputs. The AREA framework is supposed to lend structure to the way in which we approach thinking about the future uses, abuses, and longer-term multi-order impacts of the accessible and inclusive technologies we are designing and introducing to market. First and foremost, the framework asks us to Anticipate – to imagine a wide range of the intended and unintended uses and abuses that a product or service might encounter; the desirable and undesirable outcomes that might result from its release into the real world. Increasingly, however, digital devices designed to enhance security, accessibility, and inclusivity are reportedly being misused: cases of technology-facilitated domestic abuse worldwide, for example, reveals the extent to which connected doorbell apps, banking apps, smart energy meters, and the like, can be exploited to cause real world harms.

This session discusses whether the AREA framework is working well enough in anticipating (and pre-empting these abuses) – especially in critical contexts such as the design of statutory services that are not only digital by default but that are also realisably secure for those who are vulnerable in society. Among possible refinements to the framework, we will explore the ‘universal barriers library’ recently developed by the UK’s Government Digital Service in collaboration with designer and anthropologist Ute Schauberger. We reflect on how security design processes might incorporate universal barriers as part of the AREA framework as a method to ensure we really are designing the most secure, accessible and inclusive technologies that we can.

14:55 15B: Neuroinclusivity Speaker(s): Jack Sussmilch

Jack Sussmilch

Principal Cybersecurity Consultant, Tawfik Consulting (Australia)

Jack Sussmilch has over 25 years’ experience in the definition and enablement of both strategic and operational cybersecurity domains. He has a proven track record in working with business and IT leadership to mitigate cyber security risks in a measurable, scalable, repeatable and sustainable way across a broad range of technologies, compliance and cultural environments in the context of historical, current and emerging threats.

Historically, societal views on people who are different to the more dominant traits of the population have been extremely damaging and compromise our ability to get the best innovative potential from them.

Even with innovative and creative thinking being required more than ever, people who think and learn differently to most are finding it harder than ever to find and retain meaningful employment. Current diversity efforts often focus on key diversity dimensions often at the expense of other dimensions.

One of the hurdles neurodivergent people face is the prisoner’s dilemma of risking discrimination or face not acquiring the very accommodations they need to survive and thrive.

NeuroInclusivity recognises the need for diversity initiatives to focus on the diversity of what is inside people’s brains rather than on the physically obvious by recognising that everyone needs accommodations at some point in their life – whether it’s because they’re going through a divorce, struggling with depression, naturally sensitive to stimuli or whether they need to be able to pickup their kids from school and that these needs should not require people to disclose a diagnosis. By embracing this concept organisations can finally properly tap into the innovative potential that often already exists

14:55 15S: Words Can Be Like Tactical Nuclear Bombs Speaker(s): Steve Crewdson

Steve Crewdson

Lead Enterprise Security Architect , Virgin Atlantic (UK)

Steve leads the Virgin Atlantic Security Architecture practice based in the Crawley, UK. His career has seen him work across an array of industry sectors and roles. Including central government, finance, utilities, retail, and media. As a consultant, pre-sales systems integrator architect, enterprise security architect and strategist, eloquently and effectively bridging business and technological domains. Strength in strategic thinking, strong passion for personal development and the exploration...

Have you ever been in a conversation where one word or phrase alters the entire direction and feeling of it?

We all have internal subconscious filters that delete, distort or generalise inputs we receive every day from our senses. These are formed based upon our own individual experiences and perspectives of those throughout our lives from the moment we are born. A simple word such as “Normal” could have significant differences from person to person. For one going out before breakfast hunting in the Serengeti with a rifle at eight years old is normal. For another sitting at the breakfast table eating their Weetabix watching cartoons is normal.

Now take the word “Architect”…….BOOM! Ask ten different people you get ten different answers when it comes to the technology realm and don’t get me started on what job adverts claim it to be.

Following on from Rob Campbell and Gorden Jenkins sparking debate at COSAC 2022 on “Mistaken Identity” one madman returns with an architected identity of a Security Architect to be placed under the COSAC microscope! Be gentle….please!

15:45 - 16:05 Afternoon Tea

16:05 16A: The Divergence Between Cybersecurity & Data Privacy Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years’ in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.

This presentation will explore the growing divergence between the fields of cybersecurity and data privacy, as well as the implications of this trend for information security professionals. In recent years, there has been a growing focus on data privacy, particularly in the wake of major data breaches and new regulations such as GDPR and CCPA. However, this focus has often come at the expense of cybersecurity, with some professionals becoming experts in privacy but having little knowledge or experience in cybersecurity, and vice versa.

The presentation will highlight specific examples of this divergence, including the rise of data protection officers (DPOs) who are responsible for ensuring compliance with privacy regulations but may have limited experience in cybersecurity. Conversely, cybersecurity experts may have limited understanding of privacy regulations and may focus more on technical solutions rather than broader data ethics considerations.

The presentation will also explore the implications of this divergence for information security professionals, including the need for greater collaboration between cybersecurity and privacy experts. It will examine the importance of a holistic approach to information security that takes into account both cybersecurity and data privacy considerations. Finally, it will discuss the role of emerging technologies such as artificial intelligence and blockchain in bridging the gap between these two fields.

In conclusion, while the fields of cybersecurity and data privacy have diverged in recent years, they remain inextricably linked. It is essential for information security professionals to have a deep understanding of both fields in order to effectively protect their organizations from cyber threats and ensure compliance with privacy regulations. By embracing a holistic approach to information security, organizations can strike the right balance between cybersecurity and data privacy, and stay ahead of emerging threats and regulations.

16:05 16B: Neurolinguistic Programming – What We Know About Reprogramming the Brain and Enhancing Human Performance Speaker(s): Ashling Lupiani,

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani ,SCF is a Cognitive Solutions Developer at the City of Hope. A neuroscientist, and biomedical engineer with experience in speech and gait research, she spent 5 years running neurorehabilitation engineering studies with human participants and conducting analysis to investigate sensorimotor systems. She co-authored 5 papers and presented at conferences in Toronto and Boston, and COSAC 28, 29 & 30. Ashling has a BA in Neuroscience from Boston University, & a MS in...
Kathleen Mullin

Kathleen Mullin

CISO, My Virtual CISO (USA)

Kate Mullin CISSP, CCSFP, CDPSE, SABSA SCF is an influential information security practitioner and international speaker with 25+ years of experience. Kate has been a VCISO and was CISO at various organizations, including privately owned (Cancer Treatment Centers of America), publicly traded (WageWorks), private equity (HealthPlan Services), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TPA. Throughout her career, Kathleen has volunteered and participated in...

This is a novel and unique discussion on changing the way we think and enhancing human performance using neurolinguistic programming (NLP) from the perspectives of both neuroscience and information security. This timely presentation debunks current human resource and information security thought leadership and training materials, addressing how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misunderstanding of how the brain works.

Reprogramming the nervous system through the use of language, dubbed neurolinguistic programming, is referenced in security awareness training, self-help programs and seminars, and leadership training. Authoritative sources claim that one can leverage eye-gaze patterns, posture, tone of voice, and language patterns to communicate effectively, influence others, and change their own thoughts. By exaggerating the potential impact of behavior when presenting otherwise accurate information, these professionals can skew materials to make them entirely incorrect. This impairs the ability of information security professionals to influence system changes, develop awareness training, and create appropriate defenses.

The value in this session is providing information from current brain science to use in training. The approach of this session is to provide opportunities to challenge and give input while imparting attainable, accurate science on the brain.

16:05 16S: Dueling Architects Speaker(s): Kirk Nicholls

Kirk Nicholls

Manager, KordaMentha (Australia)

Kirk is a security advisor with a focus on disaster and incident response exercises. He develops and manages exercise programs through the discipline of serious games, using research-based practice. Through the lens of serious games, simulation and a military background he enables clients to gracefully handle the unexpected.

A game for Security Architects to sharpen their skills in honourable intellectual combat

Duelling Architects is an original competitive team-based serious game designed to create development opportunities for enterprise security architects. Play follows the full lifecycle of an enterprise security engagement. Teams are pitted against each other to create, present their solutions while critiquing other teams work and defending their own. This gameful approach leads to peer learning through social constructivist techniques.

The game is needful as there are few opportunities outside of professional engagements to exercise these skills in full and with other skilled practitioners. Many practitioners find that they only have opportunity to implement parts of a full strategic enterprise security architecture. While this is to be expected it limits personal skills growth and can lead to atrophy of our collective tradecraft.

Duelling Architects creates opportunities for motivated security architects to learn from each other through play. The game aims to complement existing development options such formal training, on-the-job experience and peer presentations or papers.

The session will include an introduction, walkthrough and abridged demonstration of the game. Further video and print resources will be made available for attendees to explore independently.

16:55 - 17:15 Refreshments

2023 Anthony Sale Memorial Session

17:15 17P: Deception As A Service 1940-1946 Speaker(s): Mark Brooks,

Mark Brooks

Consultant , Strident Consultancy Ltd. (UK)

Mark Brooks is a consultant who specialises in advising the defence and security sector in the United Kingdom. He started his engineering career at British Telecom Research Labs in 1985 and joined the Foreign and Commonwealth Office in 1991, serving at home and overseas until he left in 2019 to join UK NACE (which he left in 2022). He now has several advisory roles and is a supporter of the National Museum of Computing at Bletchley Park.
Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

On 22 July 1940 at the request of the newly appointed British Prime Minister, Winston Churchill, the Special Operations Executive (SOE) was formed officially from the amalgamation of three existing secret organisations. Its purpose was to create and aid resistance organisations to carry out subversive operations in enemy-held territory, mainly in Europe. Its head, Hugh Dalton, wrote in his diary that on that day the War Cabinet agreed to his new duties and that Churchill had told him, "And now go and set Europe ablaze”.

Over seventy country houses, castles, colleges, hunting lodges and other remote properties were requisitioned in Britain and even more overseas to provide this new organisation with the special equipment and services that it required.

One critical service that SOE agents needed was the production of the highest quality forgeries of those official documents that validated their clandestine identity and would withstand scrutiny in the event they were examined by the authorities in Nazi-occupied Europe.

SOE’s False Document (Forgery) Section was first established in the basement of Briggens House, near Harlow in Essex. Initially designated Station 38, the house and grounds had been used to complete the training of elite Polish saboteurs and provide them with counterfeit documents before they were parachuted into Nazi-occupied Poland. SOE’s Forgery Section was designated Station 14 and co-existed with Station 38 until the demand for its false documents required it to expand its space, whereupon Station 38 moved to another location and Station 14 occupied the whole site.

Little was known of Station 14 until Des Turner’s book ‘The Secrets of Station 14 – Briggens House, SOE’s Forgery and Polish Elite Agent Training Station’ was published in 2022.

Its publication came at the same time as we were starting work on handlisting the private collection of the Late Tony Sale that his family had donated to the National Museum of Computing on Bletchley Park. Within that collection were items in a box marked ‘Briggens’, that included several tightly wound rolls of printed paper, cards, photographs and negatives. These original artefacts are of significant historical value and we are in the process of having them professionally conserved so they can form part of a special exhibition in due course.

In this talk we will show some images of those artefacts and, courtesy of one other private archive, put into context the importance of the work at Briggens through stories of individual SOE agents and their activities.

Plenary Session

18:10 18P: The COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 41st year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • • Electronic submission: Send email to the rump session chair David Lynas at [email protected]
  • • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4th October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Drinks Reception & Dinner

19:15 Drinks Reception
19:45 Dinner & COSAC Prize Night