Cybersecurity has impacted most aspects of life by now. But it is not often seen as an attack vector on human life itself. However, based on the exponential growth of Operational Technology (OT), Gartner has made the following prediction:

“By 2025, cyber attackers will have weaponized Operational Technology Environments to successfully harm or kill humans.”

One can indeed argue that every process that has been automated and centrally managed can be hacked and misused. However, are these threats greater than the enhanced security and control they provide? OT environments do pose unique challenges to cybersecurity. Is this one that should be added to the list, or do our current risk and control frameworks provide enough coverage?

This session explores whether there is proof to support Gartner’s prediction, and whether it should be added to the risk ledger. The following topics and questions will be explored:

• • What threats can lead to the weaponization of OT environments?
• • What are the potential ‘mis’user stories that can weaponize them?
• • Do these have a high likelihood?
• • Do our current risk and control frameworks provide sufficient protection?
• • Teaming up with physical security
• • Out-of-band controls
• • Is protecting human integrity within our risk appetite as cybersecurity professionals?

ChatGPT is an artificial intelligence chatbot developed by OpenAI and launched in November 2022. It is built on top of OpenAI's GPT-3 family of large language models and has been fine-tuned using both supervised and reinforcement learning techniques. ChatGPT quickly garnered attention for its detailed responses and articulate answers across many domains of knowledge. In January 2023, ChatGPT reached over 100 million users, making it the fastest growing consumer application to date.

There are several key issues with ChatGPT. First, OpenAI has acknowledged that ChatGPT "sometimes writes plausible-sounding but incorrect or nonsensical answers". This behavior is common to large language models and is called AI Hallucination. Second, as with all AI – Training data suffers from algorithmic bias, which may be revealed when ChatGPT responds to prompts including descriptors of people. In one instance, ChatGPT generated a rap/song indicating that women and scientists of color were inferior to white and male scientists. Other research suggests that ChatGPT exhibits a pro-environmental, left-libertarian orientation when prompted to take a stance on political statements from two established voting advice applications. Third, ChatGPT is likely to disrupt entire industries and professions founded on text generation. For example, ChatGPT can generate a privacy policy, a security risk assessment or an executive summary. ChatGPT has already disrupted the examination and certification processes both in academia and industry, by enabling a new form of cheating and fraud. These three issues (disinformation, discrimination and disruption) have led to much negative press on ChatGPT right now.

While I have found that it is more often than not incorrect in the text that it generates, the text is constructed and formed very believably -making it all the more difficult to easily discern that the generated text is incorrect or biased. However, ChatGPT presents huge benefits, essentially acting like a search engine on steroids. So in honor of the 30th anniversary of COSAC I thought it would be beneficial to invite ChatGPT to COSAC to attend this session, to generate the slides, and to answer some audience questions. The idea of the presentation is to show attendees that ChatGPT ‘sounds’ great but is often incorrect, and to have some fun while we are at it!

Key Learning Outcomes:

• • An understanding of AI based text generation
• • An understanding of the limitations and strengths of ChatGPT
• • An outline of ten key privacy challenges that Cybersecurity Professionals should know about

Everyone with experience using SABSA will know that Attributes are great for capturing and reflecting business needs. However, they can be less beneficial for Agile teams.

In our experience, Agile organisations either follow a methodology religiously and have well-defined User Stories, or they don't have any documented requirements at all. Both scenarios present a significant challenge for architects attempting to introduce formal security requirements.

For security requirements to be practical, they must be in a language and format that is useful to the recipient. In most Agile and DevOps teams, requirements are expressed as User Stories, which are prioritised on a backlog for implementation. However, how requirements are described can vary significantly depending on the methodology.

It can be difficult, if not impossible, to introduce a new requirement engineering process into agile environments. Any new approach, such as the SABSA Attribute profiling, must integrate seamlessly with the established processes to minimise friction. This can be even more difficult in organisations where each team can choose its own approach, leading to multiple ways of articulating them.

This interactive session will discuss how SABSA Attribute profiles can be used to develop a codified set of 'non-functional' requirements and will explore the following:

• • potential limitations to using SABSA Attribute profiles in Agile and DevOps environments,
• • approaches to addressing missing or non-existent security requirements in Agile and DevOps environments,
• • ways to address environments with no security requirements,
• • issues that arise when security requirements merely reflect a security product's or service's features,
• • User Stories that clearly articulate the who, what, and why of the feature and how attributes might be used to define them, and
• • overcoming the challenges of prioritising security User Stories to ensure they are not overlooked.

More human interaction now occurs in the digital realm, than the physical realm. The internet is where our kids grow up. Software is running our physical world. Yet we have more vulnerabilities and more exploits than ever.

The cyber-security sector has historically been defined as the “protection of computers and networks”, and yet our roles are fast becoming way more than this…

This presentation covers “Digital Safety” and what that means, not only to us as practitioners, but particularly to the people who want to feel and be safe both online and in the physical world.

I’ll be challenging current thinking in areas such as:

• • What happens when exploits to our digital realm impact the physical realm?- Are we equipped to cope? Are our current “IT risk management and security protocols” sufficient to protect the physical world?
  • Should boards be legally liable for physical injury caused by software breaches?
  • Who would be willing to guarantee and warranty their systems against breaches?

In short, security weaknesses in our digital realm are already impacting our physical realm. What insights and learnings can we get from trying to build a world of “Physical Safety” into how we provide “Digital Safety”.

With the rise of big data and the increased availability of powerful AI tools, companies can now use data to train machine learning models that can automate processes, detect patterns, and make predictions. This can help companies to gain a competitive edge. Like gold, it can be difficult to extract and refine, but the payoff can be significant for those who are able to harness its power effectively.

Assuring data privacy and security in the context of data lakes and AI data mining can be challenging, but there are several best practices that can help ensure data is appropriately protected. Overall, it's important to take a comprehensive and proactive approach to data security. By implementing best practices such as classification policies, access control, data masking and anonymization, organizations can better protect sensitive data while still leveraging the power of AI.

Data and security architecture are key to defining and implementing the right capabilities to succeed. These provide a solid foundation for organizations to securely manage, protect, and analyse large amounts of data.

When providing security architecture viewpoints there are several key considerations to keep in mind:

• • Data Privacy: outline how data privacy regulations such as GDPR, CCPA, and HIPAA impact the use of AI.
• • Risk Management: outline how the organization will identify, assess, and manage risks associated with AI usage.
• • Acceptable Use: how AI will be used, who can use AI, and what types of AI applications are allowed.

This paper covers the above capabilities, viewpoints and building blocks to achieve a solid overall architecture for the data domain.

Woah. What a journey.

At some point in their existence, organisations and enterprises big and small – be they government or private sector – will inevitably undertake one or more business-transformation projects. For some, this may be the replacement of core business systems, such as an ERP or what many may affectionally and monolithically call “THE DATABASE”. For others, this may be premised on bringing existing capabilities into the digital age, from hi-tec helicopters, ships, submarines and aeroplanes, to online learning and multi-channel trading platforms.

For many, it is migration to the cloud itself, from lift-shift-and-uplift, all the way through to a full-stack application system rearchitecture.

Whatever the case may be, business transformation projects are fraught with treacherous and turbulent waters, both for the organisation and/or its employees. Rarely do businesses and organisations who undertake these emerge looking and feeling like they did before – otherwise, they wouldn’t be called business transformation projects! As much as these transformations occur with technology stacks and systems, it also inevitably affects its people, for better or worse.

This presentation focuses on a cloud-transformation project scenario, how SABSA can be brought to bear to define and secure the delivery of security objectives, ensure the survival of the organisation that may be entrusted to your care, and finally, ensure the survival of your own health and sanity as the person in the middle of the relentless maelstrom around you.

The 2020 SolarWinds cyber-attack was seen as an eyeopener for supply chain cyber security, particularly in the software supply chain. Although, the operations of every organisation have always been dependent on the security of suppliers of equipment, software, materials and services.

An old problem, but some ideas are new, such as the software bill of materials. For many, including governments, the need for cyber security assurance has never been greater. But the challenges remain. For the past year and a half, the volunteers of the UK NCSC ICS COI Supply Chain Expert Group (SCEG) have been working on this problem and are happy to present the work for the first time during COSAC.

By attending this session, you will:

• • Find out about the work of the SCEG and the results of our analysis of the challenge of assuring cyber security in the supply chain.
• • Learn about the pitfalls of the common approaches, and the success stories in some sectors.
• • What do suppliers find unhelpful?
• • How can customers influence the security of suppliers’ services and products?
• • Learn about the different types of tools, services and approaches used for assurance and how they fit together.
• • See how laws and regulations (particularly in the EU, US and UK) are focusing on supply chain cyber security and the implications.
• • Discover the most useful standards and where to find guidance that will work even for organisations without dedicated supplier assurance teams.

Despite the ever-increasing interest in cyber security risk by the board of directors across all sectors, cyber risk quantification remains a challenge for most of the organisations. Even in highly regulated environments the identification of risk becomes synonymous with technical threat modelling and control evaluations with little, if any, articulation of the business disruption and operational resilience.

This presentation will rely on anonymised case studies, predominantly from financial services and energy sectors across the globe, to demonstrate how technical risk assessments provide, at best, a partial identification of risk, lead to more piece-meal security solutions, and fail to facilitate an intelligent discussion on resilience with senior business executives.

Having identified the root causes, the presentation will then introduce a data driven approach towards active cyber risk management. Drawing strength from data science, it enables the development of 360o view of the risk profile across all high-value assets and provides an accurate representation of the risk position, always in line with the respective governance framework. The rigour of the approach creates transparency and measurable outcomes that help the business know which controls contribute most to risk reduction and inform better decision making. Most importantly, it serves as an effective communication mechanism that resonates with business stakeholders.

Organisations are increasingly looking to change and transform their cyber security to:

• • Increase resistance to cyber security attacks and reduce security risk or rebuild having been impacted by an incident.

• • Align with the organisations future technology vision moving into the cloud, embracing digital enablement

• • Meet increasing regulatory demands for both better capabilities and lower risks, as well as increasing scrutiny.

It’s therefore not unreasonable to assume that most of the architects within the SABSA community will face the need to design and lead a large Cyber Programme within the next 12 months.

The key question for those in the ESA role is ‘where do I focus my efforts to strike the right balance between putting out fires and developing my architecture capability and artefacts?’ or to use my client’s analogy, ‘how do I build a plane while also flying it?’

This presentation of approach, a client case study and Q&A on using SABSA to

• • Demonstrate the value of Enterprise Architecture from the outset of the
• change/transformation programme
• • Engage senior stakeholders (and keep them engaged)
• • Communicate the programme objectives and structure to mobilise delivery teams

“I am more afraid of our own blunders than of the enemy’s devices” - Thucydides1

Last COSAC we had a vigorous discussion about Russian Cyber Strategy. A year later, the world is taking notice of hard lessons learned. Half-century old munitions and tanks are thrown into battle while manufacturing and supply lines struggle to replace what is lost. But there is no cyber equivalent -- one cannot dust off Windows 95 exploits and deploy them at an enemy. Continuous innovation is the coin of the new realm.

How are nations to manage their inventory of ephemeral cyber weapons? Like the Borg of Star Trek®, targets adapt quickly, rendering repeated attacks impotent. Additionally, digital weapons can be modified and hurled back at an opponent in a never-ending cycle of one-upmanship. Can a cyber battle ever be won, or does it merely offer a transient advantage?

We'll highlight available literature detailing how Russia has managed this aspect of war: deploying weapons without delay, husbanding resources for later effect, or coopting criminal and hacker groups while outbidding for zero days on the black market. We'll update the effectiveness of digital combined arms on kinetic actions, and evaluate whether missile salvos on civilian critical infrastructure represents an admission of failure to achieve equivalent digital disruption. We'll finish with lessons for cyber resilience and assess whether our own governments are heeding these lessons learned at the expense of others.

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the methods of our adversary!

• • What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?
• • Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?
• • Are our adversaries using AI to undermine our controls?
• • How do we adapt to rapid changes in our understanding due to observed or experienced events?

In this session we will leverage the work from the 2022 working sessions at both COSACs. We then will address what we know and what processes exist to help us unfold this difficult topic. We will then move into a discussion where we will explore how we can leverage each other’s perspectives and ideas to create a method to address these threats.

The global financial crisis (2007-2009) showed that companies that made significant acquisitions during the economic downturn outperformed those that did not. In today’s uncertain economic environment, we anticipate significant numbers of M&A deals to materialize by the end of 2023 which would reshape industries as the economic outlook improves. Dealmakers are becoming increasingly concerned as a result of the nature and severity of the increasingly complex cyber security threats that have emerged over the past ten or so years during the M&A lifecycle. This has greatly impacted M&A deal values and left acquiring companies with large security holes to fill. Security does not have sufficient representation at the start of the M&A lifecycle and where they do, they are unable to show its significance to executives for decision making.

In this interactive session, we will discuss a real-life case study where the SABSA principles were applied to build in traceability from the key business objectives of the executive stakeholders to the specific security services, mechanisms, and components that every M&A dealmaker needs to incorporate to secure their M&A transaction. The audience will see a demo of an innovative toolkit that has been developed to automate the process of mapping the most common security services, mechanisms, and components required during M&A tied back to the specific business objectives that matter to the CEO and Board.

30 years of COSAC is surely something to reflect on. Over the course of those thirty years, much has changed in cybersecurity and privacy – technology has advanced, regulations have emerged, new applications have blossomed and threats have been amplified. And while data, as an abstract concept, has not changed - the types of data that have emerged over the last three decades has. While the data types evolved, so too did the value of the data, to businesses, governments, and bad actors.

In this presentation, I discuss ‘data’ and the evolution of the different terms and different types of data that have emerged over the course of the last 30 years (such as personal data, sensitive data, special category data, personally identifiable data, personal health data, inferential data, derived data, network data, SIEM data etc.) and the key regulations defining them or prescribing obligations for them. There is much confusion over many of these terms, and many have come to be used interchangeably (however incorrectly).

Key Learning Outcomes:

• • An understanding of the different data types that have evolved over the last three decades
• • An understanding of the driving forces behind the emergence of these data types
• • At the end of this presentation it is hoped that attendees will be able to differentiate between all data types, particularly those related to individuals.

There’s a lot of focus on finding a good information security position and developing and keeping worthy staff and enhancing the job, but not much on when to consider leaving. “Well, I’ll retire when I’m 70 or 80 or something, but there’s a lot of work that needs to be done here, so I’ll be pretty busy till then. Unless I win the Lottery …” Good luck with that, and if it fits you, great! But we know that things change, and the circumstances of working somewhere at some job for someone are subject to varying degrees of volatility. Elements of that volatility can quickly invert your perception of what was a rewarding, fulfilling position. You’ve probably experienced some of the triggering events we’ll examine, so your input is welcomed (this is COSAC, after all).

We’ll list and analyze a host of reasons why you might want to reconsider staying where you are: Upper management succession changes, outside job offers, unrealistic expectations for your function, getting passed over for a promotion, a lack of cooperation from other departments, people reneging on security commitments … the list goes on. For each of the cited reasons/circumstances, we’ll analyze possible strategies for coping or exit, emphasizing your own professionalism and positive outcome.

Much of the Security Architecture literature exhorts us to deliver our security controls as services, but if you have ever tried to follow this advice, you may have found that this is often easier said than done.

Certainly, many controls, such as central authentication (single sign-on), malware scanning, logging or back-up/recovery can be conceptualised very easily as security services.

But a typical control framework will mandate a vast catalogue of objectives: from the allocation of accountability, a segregation of duties, a strong password, a Non-Disclosure Agreement, to a lock on a key cabinet – none of which are such an intuitive fit. indeed, they call for a fair amount of contortion and contrivance to be implemented by Security-as-a-Service.

So what is going on here? How can we resolve this friction between theory and pragmatism?

Are they truly in conflict or merely misaligned? Or is there an underlying truth that allows both paradigms to be simultaneously valid, depending on the analyst’s perspective?

In this presentation, we will probe the fault lines of this conundrum, illustrated through the use of modelling examples and security patterns.

The session should be of value to a wide range of delegates: from architectural ‘philosophers’ to practising SABSA devotees, with both presentation and debate leading to clearer insight and deeper understanding.

This will be original content, being presented at conference for the first time.

As part of a project funded through the UK’s ESRC’s Digital Security by Design (Discribe) Hub+ in 2022, creative writers worldwide were invited to tell stories that would bring to life ‘the secret life of data’ – imagining this life as a journey, a quest, a romance, or a tragedy; thinking of a computer’s internal architecture as a house, a jungle, a zoo, or a city; and data as characters facing danger in the form of various digital threats and vulnerabilities. The question the research team wanted to explore was this: could such stories help us to think more creatively about the movement of data through the new computer chip architectures that will form the cornerstone of a digital security by design approach? This session will share a selection of the best stories from this project and explore the value of storytelling and imagination as part of research and development in cyber security. Can storytelling help build stronger foundations for innovation and help the technical community as it imagines the next generation of security hardware technologies? We’ll share hints and tips on ways to design competitions and commission writing to help cyber security practitioners bring impactful stories and storytelling into their work.

This session will provide an overview of the presenter’s over 50 years of technology experience, from initial technical challenges to creative solutions that have been instrumental in defining the global cybersecurity environment in place at many successful and responsive public and private organizations.

Content will be focused on using historic trends and patterns to project scenarios that can be considered for next stage tactics and strategies. This will NOT be a technical presentation but will focus on an executive approach to establishing a meaningful and rewarding plan for the industry, the enterprise, and most importantly, the professional.

Participation is invited and encouraged with a plan for offering options to consider in exploring:

• • How can I get an accurate status of a current cybersecurity and privacy program?
• • Realistically, what can I accomplish in my remaining productive career?
• • When I’ve done all I can do in my active role, how do I want to spend my time?
• • What does retirement look like for me?

Sailors will tell you that you want to sail as close to the wind as possible to maximise your speed and this risk concept, while oft miss-used by the non-nautical, is a great analogy for maximising your performance in a risky environment.

The often-tragic events in humanity’s conquest of the great oceans, demonstrates the severity of negative outcomes in sea of ever changing risks.

In this SABSA presentation we take a deep dive into managing risk with SABSA, demonstrating clearly, using maritime success and disasters, how doing business means taking risk.

We ask how much risk is enough and how much risk is too much? We will get our feet wet answering the question - In the deep blue do we always want to operate in the green?

We will plumb the depths of SABSA attribute performance targets and suggest raft of extensions to buoy our ability to manage risk within appetite, helping us sail closer to the wind to rapidly meet our goals.

Attendees will take away new findings regarding SABSA performance targets, for both positive and negative risk and systemic risk interactions, helping them and their organisations plot a course through the uncertain business risk environment.

This session is recommended for anyone interested in measuring risk and would serve as a ship load of ideas for a SABSA Masters’ thesis, telescoping suggested extensions to the framework to provide additional guidance to captains of change.

In February 2023, a consortium of journalists made up of reporters from 30 outlets, including the Guardian, Le Monde, Der Spiegel and El Pais newspapers, exposed the operations of a team of Israeli contractors who claim to have manipulated more than 30 elections around the world using hacking, sabotage and disinformation on social media. "Team Jorge" appears to have been working under the radar in elections in various countries for more than two decades, providing its services to intelligence agencies, political campaigns and private companies that wanted to secretly manipulate public opinion.

Tal Hanan, head of Team Jorge said their services had been used across Africa, South and Central America, the US and Europe. He also said “I deny any wrongdoing”.

Deception has been a cornerstone of military and intelligence operations at least since the 5th Century BC when Sun Tzu wrote:

“All warfare is based on deception. Hence, when able to attack, we must seem unable, when using our forces. we must seem inactive. When we are near, we must make the enemy believe we are far away, when far away, we must make him believe we are near.”

Until Tim Berners-Lee’s invention of the World Wide Web in late 1990 the ability to execute highly organised, large-scale deception was generally limited to governments and the military. As the Web developed further a whole new attack surface emerged and in 1993 Peter Steiner’s cartoon in the New Yorker highlighted the problem of trust with its caption "On the Internet, nobody knows you're a dog". With the advent of social media in 2004, the opportunity for deception moved firmly out of the realms of government and military into the hands of legitimate and criminal enterprises.

Ironically, the techniques cyber security companies use today to generate advanced synthetic computing surfaces to detect and repel cyber attackers (including creating fake documents, websites, databases, network services, user profiles and user activity) are equally useful to those creating the attacks and are now available for purchase as (DaaS) services from a variety of suppliers.

Unlike common attacks like ransomware, the threat actor can now use much more subtle techniques to influence their target by mounting highly effective social media campaigns to, for example, destroy public confidence in a company’s brand or management thereby causing such reputational damage that the company becomes the subject of a hostile takeover.

In undertaking these attacks the threat actor does not need to gain a foothold inside the target’s infrastructure. DaaS attacks remain outside the protected IT perimeter which is generally the focus of security professionals within the target enterprise. Deception attacks can be difficult to detect before their effects avalanche and it’s too late.

The emergence of DaaS and the exposure of Team Jorge highlights the importance of looking further than the perimeter of the enterprise and developing balanced responses to DaaS attacks.

In this talk we will look at some examples of how DaaS has emerged by discussing publications from individuals such as Simon ‘Bogan’ Howard and his experience of “Influencing Meat Puppets Through Memes” and companies such as the now defunct Cambridge Analytica who turned Facebook ‘likes’ into a lucrative political tool by using data from users who took a ‘personality test’ but unwittingly exposed not only their own data but those of their Facebook ‘friends’ too.

...the measurable benefits of onboarding diverse profiles to different security teams

This presentation is a follow-up to the presentation made in COSAC 2021 on ‘Measuring the Power of Diversity in Cybersecurity Teams’ where we presented research of diversity academics demonstrating a business case for cognitive diverse teams.

This time we investigate three case studies based on real-life career transition stories of three diverse profiles who, after successfully completing a reskilling program, are onboarded into security roles in three different teams.

Complexity and Diversity: Complexity is in the nature of the problem (challenges in securing an organisation), in the complex tasks needed to address them (high-dimensionality and difficult to decompose), as well as in the tools of the team and the combination of tools between members of a team (cognitive repertoire). The challenges facing security teams change at an incredible pace and increase in complexity as new information and technologies are created, i.e., there is a need to be agile, flexible and adaptive, and a need for both broad and deep knowledge base of various domains. How do we face complex challenges with a limited team budget for human resources and the seemingly small talent pool?

Promoting Reskilling: Could promoting cognitive diversity - reskilling diverse profiles with transferable skills - be one of the answers to address these complexities while addressing the skills gap problem in the industry?

Case Studies: In this presentation we will discuss three ‘diversity bonus’ case studies based on diverse profiles onboarded into the following cybersecurity teams:

1. Incident Response team (in a public sector organisation),

2. Cryptographic Key and Certificate Management team (financial services sector),

3. CISO team (health care sector).

In these case studies we will identify the benefits of diversity bonuses to the teams by:

• • Breaking down and categorising tasks needed to achieve team objectives and by identifying task-relevant skill sets;
• • Using the Tool box model, we will:
• • Give an overall ‘skills score’ to the team
• • Identify gaps in the cognitive repertoire and propose a job description for a new member
• • Determine added-value of a diverse profile
• • Measure the diversity bonus score after onboarding the diverse profile and consider manager feedback after the onboarding process

Conclusion: Questions we attempt to answer: When does diversity make business sense, and what are the steps to ensure an optimal ‘quality of hire’ based on the gap in the skill set of a team? When does diversity improve team output and performance? What are the benefits of reskilling and how do you identify potential candidates?

Security should enable the business, a business driven security architecture. We know alignment to the business is essential, yet is often, challenging to make real. It shouldn't be!

Security teams often find themselves out on a little bit of a limb from the rest of the business. Statements such as 'the dark art of cyber security' remain frequently used, even in 2023. This sentiment is often reflected in the practices of enterprise, solution and security architecture. The enterprise architect lives with the CIO or CTO, solution architect within business units and the security architect with the CISO.

Security enabling the Business immediately becomes only a distant dream when a bunch of organisational barriers or silos stand in the path of success.

Is uniting and digitalising the practice of all architecture in the enterprise possible? Would this doing so allow security architecture to thrive and deliver its true potential?

This talk will present a security architecture view point on uniting and digitalising the practice of architecture in the enterprise. It will explore what could be possible but more importantly what is likely to be possible, and, what probably will never be achieved.

The aim will be to define a vision for the Digitalisation of Security Architecture.

This talk will be of interest to any security architect. Both those with a grand vision of the future and great expectations, but, also the cynics and pessimists. Together, lets create a vision routed in reality, thought provoking and radical.

Disinformation and deep fakes are becoming increasingly prevalent in today’s digital world. They can be used to spread false information, manipulate public opinion, and even influence elections. Tackling disinformation and deep fakes is therefore a critical challenge for governments, organizations, and individuals alike.

This talk will explore the challenges of tackling disinformation and deep fakes and discuss some of the strategies that can be used to combat them. We will look at the role of technology in detecting and preventing disinformation and deep fakes, including the use of machine learning and artificial intelligence. We will also discuss the importance of media literacy and critical thinking in combating disinformation and deep fakes.

Finally, we will discuss some of the ethical and legal issues surrounding the use of disinformation and deep fakes, including the need for transparency and accountability

As we know Cybersecurity has evolved from a peripheral function to a core capability essential for most modern organizations. The growing job opportunities and remit have made cybersecurity an attractive field to work in. However, there is a shortage of skilled cybersecurity staff, which leads to recruitment and retention challenges.

As a result of this shortage, I have hired people on several occasions who did not have the required cybersecurity experience but had other critical skills that would benefit the team. These lateral entrants contribute to the team objectives from day one by utilizing skills they brought with them, while receiving cybersecurity training on the job. They have proven to be key contributors to the team’s success, and I believe that a mix of cybersecurity-trained and professionals with a different background is a great enabler of success.

We all know that diverse teams are more successful, but our hiring practices do not often reflect this. I would not go back to only hiring cybersecurity-trained professionals, and in this session, I will share my views and lessons learned on skills that complement the team, which candidates to consider and where to find them, how to utilize the skills they bring with them, and the ratio of cybersecurity-trained vs. untrained professionals.

By adopting this approach, we can bring diversity into our teams, offer a rewarding career in cybersecurity to more wonderful people and close the skill gap.

As the SABSA matrix states, identities are mere components, such as license plates. If sticking to the component view, privacy would be evident. In reality, privacy is anything but evident.

Triggered by a column by Jan-Werner Müller in the Guardian on December 24th, 2022, privacy is the right to appear to others as stranger.

But there are many pressures on that privacy. Those pressures are usually contextual in nature: (MRF)2: Marketing Madness, Reward Requirements and Forensic Frenzy . Starting with a chess game, it then discusses the nature of identities as attribution conduits – a label to get deliveries at the rightful “destination”. It then shows privacy by design in areas such as telecommunications (data moves between phone numbers or IP addresses as pseudonymous identities). It also points to areas where privacy by design may be problematic (Amazon’s order fulfillment adds personal address data early in the process). It reports on the investigation into research done by others such as Practice of Enterprise Modeling that works on this type of problems. That is then projected back on the SABSA Matrix.

The value is to bring attention to the topic of privacy and design and bring research to COSAC that not everybody may be aware of – in full interactivity of course.

How are the courts and tribunals in the UK addressing the challenge of using a 20th century data protection law to meet 21st century technology? This session will consider how the UK courts and tribunals are responding to the changing demands of the regulation and control of data in a world that is evolving faster than the letter of the law is able. The session will seek to answer the following questions with direct reference to the case law being generated by the UK courts and the First Tier Tribunal for Information Rights

• • In the absence of bespoke legislation can we trust the judges to adapt to the changing demands of society?
• • Does the division of oversight between the civil courts, the criminal courts and the First Tier Tribunal work?
• • Is the law capable of regulating the use of new technologies such as artificial intelligence?
• • Can we draw any conclusions from the penalties imposed by the Information Commissioner and how the appeals from those penalties have been dealt with on appeal to the First Tier Tribunal?
• • Are the courts in Europe and further afield doing any better?
• • In a globalised economy led by data and drive by a market in data sharing is there any scope for countries to take an individualised approach?
• • Is a loss of privacy a necessary corollary to free access to services that are essential to 21st century living? Or is control over our data only illusory?