
Welcome to COSAC - Conferencing the way it should be! Call for Papers is now open!

For 26 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Registration for COSAC 2019 is now open - 29th September - 3rd October.

Tuesday 2nd October 2018

09:00 - 09:30 Delegate Registration & Coffee

09:30 1A: Hiding in Plain Sight Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks. 

This presentation will walk through a history and demonstration of steganographic tools as well as a demonstration of how data can be hidden in and recovered from broadcast audio. Steganography has been a mechanism for hiding data since 440 BC but has enjoyed a renaissance in the computer era. Although steganographic techniques have continued to evolve from the early days of hiding data in images and audio files to more complex network communications techniques using TCP and VoIP, this mechanism for data exfiltration remains a viable means to thwart cyber defenses. This presentation will demonstrate classic steganographic techniques, newer techniques using audio and light to transmit data, and techniques exploiting the network communications protocols themselves to transmit hidden information. The presentation will contain live demonstrations of these techniques and will provide common steganographic tool sets.

09:30 1B: Are We All Just Snake Oil Salespeople? Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

“We cannot solve our problems with the same thinking we used when we created them.”

- Albert Einstein

Join me for a rant, I mean discussion, about the potentially damaging approach we continue to take to address the information security problems we face.

Information Security is not a science; in fact, I'd argue it doesn't even qualify as art. So, what is it then? The closest thing I can find to equate it to is folklore.

Security solutions have been handed down from generation to generation, either as oral histories or enshrined in texts as 'best practices'. As a result, we employ the same control or combination of controls over and over again to address a particular security problem and expect different results, which as the old saying states is the very definition of madness.

I’ll discuss some standard information security practices and solutions and explore their origins before looking at whether they are even designed to solve the problems they are applied to.

I’ll then discuss why we need to abandon the status quo and refocus our efforts on understanding the problems.

09:30 1S: Cloud Security Architecture: A Place to Start Speaker(s): Gordon Jenkins

Gordon Jenkins

Enterprise Security Architect, Structured Security Ltd (UK)

Gordon is a security architect, working as an independent consultant since the beginning of 2018. He has 20+ years' experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions and asset management. He has worked as a security architect for the last 9 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

There is a sudden and rapid push to take advantage of cloud platforms, even in the highly regulated sectors that previously considered cloud too risky. This poses a challenge for security teams and architects - the security strategy for cloud needs to develop at that rapid pace.

A set of cloud security reference patterns would help security teams coming to the cloud for the first time, especially in organisations that lack the architecture skillset or just need a boost to get started quickly. However, I haven't seen any attempt to describe such a set of patterns.

I set out to develop a set of generalised cloud security patterns, starting from the Cloud Security Alliance's top 12 threats. For each threat I followed a SABSA thought process to derive high level control objectives and security capabilities, and a reference pattern diagram that places the capabilities in an enterprise context.

These generalised patterns support a variety of conversations, from threat and opportunity discussions with senior management, to requirements discussions with cloud solution analysts and designers. The process can be repeated to customise the patterns, or it can be iterated to add and refine details, allowing security architects to keep up with their cloud programme's expanding demands.

This session will describe the process followed and share examples of the reference patterns derived. The patterns and process are generic and will be published for use by the community.

10:30 - 10:50 Morning Coffee

10:50 2A: Industrial Internet of Things & Industry 4.0: Architectural & Security Challenges Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is the leading industry expert on cyber threats in the built environment and supports infrastructure protection. He has written four guidance documents for the IET on cyber security in the built environment, ports and vessels. 

Adoption of Industrial Internet of Things (IIoT) and Industry 4.0 solutions will create a number of architectural and security challenges affecting the safety, security and resilience of manufacturing and processing systems. This session will set the stage by reporting on recent IIoT research undertaken as part of the PETRAS programme, a UK Research Council funded initiative that is examining the security of the Internet of Things. We will then examine how proposed IIoT and Industry 4.0 architectures impact current industry practice, e.g. the Purdue Model for security of industrial control systems, and the potential gaps in the current standards landscape. Topics to be addressed include: de-perimeterisation of cyber-physical systems, integration of systems across the supply chain and increasing integration of design and manufacturing systems.

The session will also look at the challenges we face in seeking to adopt appropriate and proportionate information management measures to address the provenance, quality and security of the data and information that lies at the heart of these implementations.

Join us to explore the challenges of the fourth industrial revolution that will face enterprise IT departments and their engineer colleagues responsible for operational technologies used in manufacturing and process control as they seek to implement IIoT and Industry 4.0 solutions.

10:50 2B: 25 Years of COSAC = 4 Generations of Security Professionals Speaker(s): Todd Fitzgerald

Todd Fitzgerald

SVP, Chief Administrative Officer - Information Security & Technology Risk, Northern Trust (USA)

Todd is SVP and Chief Administrative Officer – Information Security and Technology Risk, Northern Trust. He led multiple Fortune 500/large company information security programs for 19 years, was named 2016 Chicago CISO of the Year by AITP, ISSA, ISACA, Infragard and SIM, ranked Top 50 Information Security Executive and authored 3 books on Information Security. 

Since COSAC began, we have added 2 generations of security professionals, yes, TWO!! - Generation Y (Millennials) and now Generation Z (or the iGeneration). What does this mean for the workforce? Why are we different? How are we different? This session will explore in a fun, interactive way involving the participants in an exploration of our differences in technology, work expectations, family values, how we were raised differently, and most importantly WHY they are different and the implications for information privacy and security. Understanding these differences will enable greater respect, acceptance, team building, leadership, and build better relationships between all 4 generations (boomers, generation X, Y, and Z).

10:50 2S: Agile SABSA? Yes, You Can Speaker(s): Andrew S. Townley

Andrew S. Townley

Founder & CEO, Archistry (South Africa)

Andrew is an international speaker, published author and thought leader on business execution, security, risk and technology who has extensive practical, hands-on experience working in the US, Europe, Middle East, Africa and Brazil. His Enterprise and Security Architecture experience includes leading SABSA adoption organizational change initiatives for Fortune Global 300 customers and is built on not only SABSA certification but personal mentoring by two of SABSA’s principal authors.

Frustrated because they won’t let you do proper security architecture? You know it's a critical part of a security program so you're trying to fit it in around the edges, but it never quite happens. You're staying late, you're trying to do what you can for the bigger picture, and yet projects are still delayed, customers are upset and "security" is still a bottleneck.

It doesn't have to be like that. Really.

We all know that the SABSA lifecycle is a control-feedback loop, and we all know from the SABSA Foundation course that the recommended approach to applying SABSA in practice follows “architecture as sketch.” However, after speaking with dozens of SABSA practitioners around the globe, it seems like it’s harder than it should be to put that guidance into practice—especially in agile organizations.

This perceived dissonance between SABSA and Agile is a big problem, and it undermines the confidence of competent architects who know architecture is important.

How big is the problem?

According to the VersionOne 11th Annual State of Agile Report, 94% of their respondents practice agile, 60% of those have been using agile for at least 3 years, and 71% of the respondents indicated they were doing or would be doing DevOps by next year.

Obviously, there’s probably a self-selection bias here and the exact number of respondents seems vague, but that won’t change the way these stats might be used by executives to drive Agile and DevOps adoption in your organization. All that aside, the trends are repeated in other research, so if we’re committed to keeping our organizations safe, we’d better also be committed to figuring out how to do it right in the current and future environments we have.

In this session, we’re going to give security architects who are struggling to leverage the full power of SABSA in agile environments practical ways SABSA enhances and enables agile and Dev[Sec]Ops.

Specifically, we’ll cover:

• An initial summary of Agile, Agile Architecture and Dev[Sec]Ops
• How SABSA makes agile faster, easier and more consistent
• What foundations need to be in place to enable Agile SABSA
• An iterative interpretation of the SABSA Lifecycle
• A walk-through of Agile SABSA for different types of security demands

The fundamental objective of this session is to give you ideas you can put in practice once you get back to the office so you can expand your practice of SABSA and enhance the effectiveness of your security program as a whole.

12:00 3A: 5G, A Quantitative Evolution in Need of Qualitative Security Speaker(s): Mary Dunphy

Mary Dunphy

Security Architect, TEK Systems (USA)

Mary is an IT Security Architect for TEK Systems. She has worked on projects in advanced cyber defense for RSA and as Program Manager for Vendor Solutions/Integrations at Google headquarters in Mountain View, CA. Mary is the former CTO of Pro-Tec Design, where clients included DHS, MSP, Best Buy, City of Minneapolis, FBI and departments at all levels of government. She also provided consulting services for the Attorney General Settlement Agreement and the Office of the Comptroller of the Currency.

With the coming of 5G mobile technology there arise additional security considerations. There will be the need for new trust models and service delivery modules, an evolved threat landscape, as well as privacy concerns. This session will open a dialog that may help shape the trajectory of security long before the projected 2020 implementation, in which every post, building and vehicle is planned to relay super high frequency or beam-forming radio waves. This technology extends the IoT to include things such as augmented reality amongst other enhanced capabilities.

12:00 3B: Who Shifted My Paradigm? Speaker(s): Glen Bruce, Lisa Lorenzin

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures and Policies supporting business and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security. 

The evolution of information technology has prompted many fundamental changes to the way we conduct business, both at the enterprise and individual levels.

Protection of information / assets is often an afterthought, in response to a belated recognition of problems introduced by these changes. From a security perspective, the realization that a significant change - a paradigm shift - is occurring often doesn't strike until the change is well underway. This session will examine the definition of a paradigm shift, how these shifts can fundamentally change our environment, and how the protections required for that environment need to keep pace. Understanding paradigms and how to recognize when they shift is essential to ensure we can continue to manage associated risk. 

We will discuss past examples of significant changes and their impact on security. Using our definitions and characteristics, were these paradigm shifts or not?

Then we will look at two current potential paradigm shifts that are fundamentally changing the way business is conducted. What are the security models required to meet these foundational changes?

Finally, with your help, we will identify a set of rules to recognize when a paradigm shift may be occurring, and establish some basic guidelines for staying ahead of an occurring shift.

12:00 3S: Delivering DWP Universal Credit in an Agile Way Using SABSA Speaker(s): Mahbubul Islam

Mahbubul Islam

Head of Secure Design, Department for Work and Pensions (UK)

I have 10+ years of experience in numerous aspects of security, from GRC to Security Architecture. I am currently Head of Secure Design at DWP and have held numerous senior security positions in UK Government. I hold certifications in SABSA SCF, CISM, CESG Certified Professional & ISO27001. I also have a PGDip in Information Security from Royal Holloway and an MSc in IT Consultancy from London Metropolitan University. I am a Chartered Security Professional and a member of the Security Institute.

DWP is rolling out a multi-billion pound solution called Universal Credit (UC). It is the biggest welfare programme in a generation. It is the first to be built from the ground up with embedded security, as opposed to security as an afterthought.

The presentation will demonstrate how SABSA was applied initially for domain modelling and to ensure the correct level of decision making was taking place whilst reducing Shadow Security. This included an extended RACI, as the organisation is too large for a standard RACI.

Additionally the programme focused on attributes at business level which then worked hand in hand to trace controls. Whilst the whole programme is being delivered in an Agile way, each control can be linked to the first principles, and then prioritised for delivery.

I have re-used some controls diagrams to demonstrate 3 layers of the SABSA framework, with clear RAG ratings on each diagram, which makes it easy for management to trace their investment. This is what colleagues with experience can take away for board level discussions.

I will talk about the next steps with UC, and how UC is managing risks and opportunities and in particular managing the security debt whilst exploring opportunities.

Applying SABSA in an Agile way is still maturing; it is anticipated that this session will open further discussion points on how to apply the framework without losing control.

13:00 - 14:00 Lunch

14:00 4A: How to Rob A Bank Over The Phone Speaker(s): Joshua Crumbaugh

Joshua Crumbaugh

Chief Hacker, PeopleSec (USA)

Joshua is one of the world's leading security awareness experts and a world-renowned cyber security speaker. He is the developer of the Human Security Assurance Maturity Model (HumanSAMM) and Chief Hacker at PeopleSec. He is also an expert social engineer who has talked his way into bank vaults, fortune 500 data centers, corporate offices and restricted areas of casinos. His experiences highlighted a significant need for a better "human solution" leading to a passion in social engineering.

Lessons Learned and Real Audio from an Actual Social Engineering Engagement

This talk will be 50% real audio from a social engineering engagement and 50% lessons learned from the call. During this call I talk a VP at a bank into giving us full access to his computer as well as facilities. At one point during the call, the AV triggers (thanks to a junior submitting the payload to virustotal :)). This is an intense call with a ton of valuable lessons for any social engineer or defender looking to learn how to identify attacks.

• Importance of recon and how it can help in social engineering
• Why it's important to know what information attackers can get about you and your organization and how this data can be used against your organization.
• How to create a good pretext
• How to spot the pretext
• Building rapport
• Playing to selfish interests of the target
• What to do when things go wrong – (During the call an antivirus triggers – very intense moment)
• The importance of never breaking cover
• The importance of being aware of and spotting red flags
• How multiple social engineering attack vectors can be chained together for more effective social engineering engagements

Approximately 25 minutes of the total 45 minutes is sanitized audio from the social engineering call.

14:00 4B: Agility Revisited - In Search of the Philosopher's Stone Speaker(s): Helvi Salminen

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security work she had 12 years' experience in systems development. Helvi is a founder member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is CISA, CISSP and SABSA qualified and was awarded CISO of the Year in Finland in 2014.

The classical Philosopher’s Stone was believed to have many beneficial properties. The most common belief was in its ability to transmute base metal into gold or silver. This magic stone was also believed to have the power to heal all forms of illness and to prolong life. And the ability to resolve many minor problems was considered to be within its competence.

Agile methods have been valued by many people as the philosopher’s stone of software developers. The lean management method, first in the manufacturing industry and then in many other areas, including the management of IT services, has been seen to bear an equal halo.

Agile approach applied to security management got some attention a few years ago. However, it did not gain much interest among security professionals. Even today articles, research or examples of agility in security management are hard to find. 

Does the increasing number of regulatory requirements lead the agility oriented security professional to a dead end? Is agility just a daydream for security managers? 

My answer is no. 

Increasing complexity of the security landscape makes the agile thinking and acting more important than ever. In this session we discuss why, and following the ideas of agility applied to security management we may find something useful – maybe not the philosopher’s stone which magically resolves all problems, but the improved ability to identify and implement good security solutions. 

14:00 4S: SABSA Modelling in Archimate Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Lavender Bytes Consulting (Belgium)

Steven is an independent consultant with 25+ years in IT, whose interest in application security began with the Millennium bug, and a first-time speaker at COSAC. Based in Brussels, he has undertaken major assignments for clients in the public sector, agencies, finance, telecoms and utilities and also lends his support to local cyber-security initiatives. Much of his work in recent years has been in the field of developing tools, processes and models to support security analysis.

I propose a presentation on the development of security architectures (specifically, the artefacts generated by the SABSA process) using the ArchiMate modelling language. 

The presentation is in two parts, in which the first explains:

- the drivers & benefits of integrating security into models; and

- the techniques for expressing security within ArchiMate's notational constraints, its capacity for extensibility and tool support.

The second extends the first by exploring (and hopefully demonstrating) some novel approaches for computer-assisted security design (incl. model validation, query & evaluation, control selection etc.) that become feasible once security concerns have been captured in a formal notation. 

15:10 5A: Go Hack Yourself: Moving Beyond Assumption Based Security Speaker(s): Brian Contos

Brian Contos

CISO, Verodin (USA)

Brian Contos is the CISO & VP Technology Innovation at Verodin. Brian has over 20 years' experience in the security industry. He is a seasoned executive, board advisor, security company entrepreneur & author. After getting his start in security with the Defense Information Systems Agency (DISA) and Bell Labs, Brian began the process of building startups, taking multiple companies through successful IPOs & acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks.

You have many security products, probably too many. But you are still not secure because it's nearly impossible to know if your security products are actually doing what you want. Through live network and endpoint attack demonstrations, see how to use attack behaviors with Bartalex, Vawtrak, Mimikatz, PowerShell, Tunneling and others to validate your actual security products are working. See startling statistics, based on real-life case studies, that illustrate how ineffective many organizations, some with massive security budgets and teams, actually are because of a lack of validation. See how you can turn these attacks into an opportunity to instrument more effective security. 

15:10 5B: Whoever Said (Security) Innovation Was Straightforward Speaker(s): Martin De Vries

Martin De Vries

Information Security Officer, Rabobank (Netherlands)

Martin has been working for Rabobank his whole working life, starting in project management in 1998. In 2005 he moved to the international side of the organization as a Service Manager for Rabobank's direct banking initiatives, and as of 2008 he changed to security: first as a Security Officer for the direct banks and later (2012) as a Global Security Officer with a focus on Retail (until 2014) and on IT and Software Development. As of October 2016 he has a focus on innovation.

Rabobank was the first bank to launch an online banking platform in the Netherlands back in the late 1990s and has been innovating its banking services ever since. Not only from a business perspective, but also from a security perspective. As we all know, innovation doesn’t necessarily follow the expected beaten tracks. Its journey is, or might be, filled with surprises and unexpected turns.

In this presentation I would like to share with the COSAC audience two experiences of (security) innovations that came out successfully but differently from the initial intentions: a behavioral biometrics solution that turned out to be great at crushing bot attacks, and a social media payment initiative that turned out to be an excellent fraud killer. I will provide insight, under the Chatham House Rule, into the journey of the two initiatives and share the initial scope, the surprises, lessons learned and the successful implementations. It will provide an interesting insight for the experienced COSAC audience.

15:10 5S: The Missing Link - A Universal Security Capability Model Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, NBN Co (Australia)

Andreas is an Enterprise Security Architect for Australia’s national broadband network (NBN Co). At nbn he is responsible for defining Security Strategy and Roadmap across the organisation. Prior to nbn, Andreas has worked for Deloitte and HSBC in the role of Enterprise Security Architect, developing Enterprise Security Architecture Frameworks and solutions. Andreas is currently the Research Director on the ISACA Melbourne Chapter board and an industry advisor to various organisations.

Most organisations have a consistent need to adjust to changing market conditions and new customer demands if they want to survive in the long run. As business objectives and priorities are adjusted in response to the market, organisations need to adapt and fine tune their business capabilities, including their security services. Security service gaps need to be identified and immature services need to be optimised, in order to survive the constant battle for supremacy.

From a security perspective, one of the challenges for organisations often appears to be that they have immature processes in place for quickly adjusting their business, including their security services. While SABSA provides a mature methodology for the delivery of security architecture, organisations often struggle to implement a framework around it that optimises the delivery process itself. Further tools and processes need to be developed to address this issue and assist organisations in maturing and adjusting their security services faster and in a more efficient way. One of these tools could be a security capability model that complements the idea of a security service catalogue by providing a pre-defined security service taxonomy through the definition of meaningful security capability domains.

In this session we will be looking at an organisation-independent security capability model that defines a well-structured set of security capability domains and associated security capabilities. This model, as part of an Enterprise Security Architecture Framework, can assist larger organisations in more systematically assessing, communicating and transforming their security services landscape. The presented security capability model is based on experience gained through the implementation of similar models at various organisations across different industries. It has also been analysed against various control frameworks and their grouping of controls, which we will also touch on.

At the end of this session, participants should be able to understand the value of such a reference model and how it can be utilised within an organisation. 

The key takeaway from this session will hopefully be a new viewpoint on the importance of security governing structures when faced with the challenge of more systematically and efficiently maturing an organisation's security architecture service landscape.

In the spirit of COSAC, this session is designed to be interactive and it will allow participants to share their experiences in similar circumstances, governing and maturing the process of continuous security architecture solution delivery in an organisation. This session will provide attendees with an insight into some issues that were encountered during the development of the model and the introduction into other organisations with a less mature security architecture framework in place. 

16:10 - 16:30 Afternoon Tea

16:30 6A: NATO Resilience by Design: Enhancing Resilience Through Cybersecurity Speaker(s): Perri Nejib, Edward Yakabovicz

Perri Nejib

Technical Fellow - Cyber Solutions Architect, Northrop Grumman (USA)

Ms Nejib has 33+ years of system engineering and program protection experience and 27+ years of technical leadership & DoD acquisition management experience. She is currently part of the Advanced Cyber Technology Center (ACTC) as one of its senior engineering consultants and is deployed to the Missile Defense & Protective Systems Division (MDPS) as Cyber Solutions Architect. In this role she supports key programs, serves as a stakeholder on MDPS IRADs and provides SSE subject matter expertise.

Edward Yakabovicz

Technical Fellow, Northrop Grumman (USA)

Edward Yakabovicz is an innovative technical leader at Northrop Grumman responsible for advanced technologies for enhancing cybersecurity, resilience, and security engineering throughout enterprise, SCADA, and the Internet of Things. He is a cybersecurity doctorate candidate researching the current human capital crisis and inability to staff cyber related jobs.

Cyber Resilience (as opposed to merely risk-based approaches) is an ever increasing topic of interest in literature and in practice, with many nations expressing it in their cyber strategies to apply newer practices in providing system protection from the rapidly changing cyber threat environment. This presentation addresses the engineering-driven actions necessary to develop more resilient systems by integrating Cyber Security/Systems Security Engineering (SSE) with the well known Systems Engineering (SE) process. This concept, shown in Figure 1 (see attachment), infuses systems security engineering techniques, methods, and practices into systems and software engineering system development lifecycle activities, thus becoming part of the core solution/process rather than an isolated and expensive add-on, bolt-on, and separate task/process. The presentation will be based on a position paper developed on this topic area (see attached); this is intended to be presented and discussed in a forum such as COSAC to allow for audience interaction and feedback on the concept of Cyber Resiliency in the NATO construct. Cyber Resiliency by Design is an important topic area across NATO and the COSAC/SABSA event will be a perfect forum to discuss and examine current standards and methods in this area and possible implementations. Our intention is for this event to be a catalyst of change for cyber resiliency across NATO.

16:30 6B: Computing at School - Securing Our Children's Digital Future Speaker(s): Esther van Luit, Kirsten Meeuwisse

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.
Kirsten Meeuwisse

Consultant, Deloitte (Netherlands)

Kirsten Meeuwisse is a consultant at Deloitte Netherlands. She graduated from TU Delft in Systems Engineering, Policy Analysis and Management, with research on the trade-off between security and usability. Alongside her work supporting companies in improving their security, she wants to help children as well by educating them on cyber security and technology. She does this by organising hacklabs and by introducing the micro:bit at primary schools.

Whilst our society is becoming increasingly digital, our children's education has followed this trend in form, with fancy iPads and flashy online learning, but not in content. The goal of the educational system is to prepare children for the future, but digital skills, let alone cyber security skills, are in many countries not part of the school curriculum. Children should learn how to protect their personal information on social media, be aware of the threat posed by malicious actors online and be informed about the legal implications of their own actions online.

The goal of this session is to create a robust outline for teaching cyber security skills to children in primary and secondary schools, based on the 'computational thinking' curriculum that some countries have sought to implement. The speakers present an overview of various government and not-for-profit initiatives to include digital and cyber security skills in children's development and education. The speakers are both actively supporting some of these initiatives and will share factors for success and barriers to implementation. Conference participants are invited to actively share their perspective based on their own involvement with educational initiatives, experiences with their own children, and the cultural enablers and barriers they feel should be considered to improve the suggested outline. The end product will be shared with participants after the conference and can be used to advance the status of cyber security in education in their respective countries.

16:30 6S: Applying SABSA in Project Delivery Speaker(s): Rob Campbell

Rob Campbell

Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 28 years' IT experience, the last 20 in Information Security. I have been formally trained in security consultancy and architecture methodologies. These include TOGAF (including ArchiMate) and of course SABSA. I have 10+ years in the financial/insurance sectors and another 10+ years' experience in the Government sector. In that time I have developed security strategy, performed risk assessment and compliance roles, and designed, developed and implemented solutions.

Delivering a solution or service within a project framework can present obstacles that prevent the effective application of SABSA tools and techniques. These obstacles are largely related to the project focus and to constraints such as time, resources, poor supporting documentation and poor requirements. Most security involvement in projects revolves around either design or assurance. SABSA can be used within the context of a project, but developing the right tools and techniques can help streamline the process and deliver consistent, reliable results that can be used by other disciplines as well as our own.

This session presents an approach that can be used in both design and assurance activities, and demonstrates a tool to capture the focus of interest and drive out gaps or aid in control selection. The approach works in most project circumstances and utilises a number of SABSA techniques; however, it assumes a level of maturity within the organisation and is most effective when done collaboratively with SMEs from other disciplines.

Within the session I will be seeking attendee participation to explore the process's deficiencies and to gather suggestions for improving the effectiveness of the approach and its supporting toolset. The toolset will be made available to the SABSA community.

Plenary Session

17:45 7P: Welcome to the Cybersecurity Smithsonian Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Museums bring to life elements from our history, present and future for children and adults alike. A good museum is relevant, engages, educates and makes us wonder. That is why, in an era in which everyone should have a sufficient grasp of the cybersecurity domain, it is a loss for the world that there is no such thing as a cyber security museum.

Inspired by the 'Secrecy and Security: Keeping Safe Online' exhibition at Bletchley Park, this session proposes to the audience, and engages with them on, the pivotal moments in cybersecurity history, and looks forward to new technologies and trends under development – from Enigma to Quantum Cryptography. Our museum should be more relevant than simply a collection of old computers on display. It should take the visitor beyond the main discourse of 'having a strong password' and draw out reflection and discussion amongst all generations on the governance of their data, their actions in cyberspace, and the impact of new technologies on our security and society, à la Star Trek and Black Mirror.

What are the IT and security developments that you feel should be included in our Cybersecurity Smithsonian? How should they be depicted for the visitor to effectively engage with and learn from? Instead of images of Alice and Bob, should children lock a written message in a physical box and exchange it securely with a parent, without it being intercepted, to explain how encryption works? How can we best facilitate discussion on cybersecurity matters, inside and outside the museum (after the visit)?

This session sets the scene by presenting engaging museum examples from around the world and covering what the presenter thinks are the pivotal moments and technologies to include in such a museum. The speaker has contributed to creating an escape-room-inspired TV programme in which children have to solve cybersecurity puzzles to catch a hacker, and will share lessons learned on how to create digital elements in an engaging physical set-up. Participants are then invited to 'build their own museum' and do a deep dive by operationalising two elements of their Cybersecurity Smithsonian. The session closes by sharing some of these examples with the plenary group. This session uses the museum as a vehicle for security professionals to reflect on pivotal moments and technologies in cybersecurity, on the ways in which lay people interact or should interact with these elements, and on new, engaging ways of explaining cybersecurity issues and solutions to our stakeholders.

Networking & Dinner

19:15 Drinks Reception
19:45 onwards COSAC Gala Dinner & Networking