Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value celebrating 30 years of COSAC Security Conference.
For 30 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2023 Delegate Registration is open.
09:00 - 09:30 Registration & Coffee
09:30
1A: What’s the Worst That Could Happen?
Speaker(s):
Karel Koster, Manager IT - Information Security, FedEx Express Int (Netherlands)
Karel Koster is an information security professional with over 15 years of experience in various information roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.
Cybersecurity has impacted most aspects of life by now, but it is not often seen as an attack vector on human life itself. However, based on the exponential growth of Operational Technology (OT), Gartner has made the following prediction: “By 2025, cyber attackers will have weaponized Operational Technology Environments to successfully harm or kill humans.” One can indeed argue that every process that has been automated and centrally managed can be hacked and misused. However, are these threats greater than the enhanced security and control that such automation provides? OT environments do pose unique challenges to cybersecurity. Is this one that should be added to the list, or do our current risk and control frameworks provide enough coverage? This session explores whether there is proof to support Gartner’s prediction, and whether it should be added to the risk ledger. The following topics and questions will be explored:
09:30
1B: What Can ChatGPT Tell Us About Privacy and Security?
Speaker(s):
Valerie Lyons, COO, BH Consulting (Ireland)
Included in the ‘Top 100 Women in Cybersecurity in Europe’, Dr. Lyons is an accomplished and driven cybersecurity & privacy leadership expert with 20+ years of experience in financial services; for example, she served as Head of Information Security Risk in KBC Bank for almost 15 years. COO of BH Consulting since 2015, Valerie has a strong focus on team development and mentoring, with excellent collaborative and interpersonal skills. Valerie has an in-depth knowledge of European data protection law...
ChatGPT is an artificial intelligence chatbot developed by OpenAI and launched in November 2022. It is built on top of OpenAI's GPT-3 family of large language models and has been fine-tuned using both supervised and reinforcement learning techniques. ChatGPT quickly garnered attention for its detailed responses and articulate answers across many domains of knowledge. In January 2023, ChatGPT reached over 100 million users, making it the fastest-growing consumer application to date. There are several key issues with ChatGPT. First, OpenAI has acknowledged that ChatGPT "sometimes writes plausible-sounding but incorrect or nonsensical answers". This behaviour is common to large language models and is called AI hallucination. Second, as with all AI, training data suffers from algorithmic bias, which may be revealed when ChatGPT responds to prompts that include descriptors of people. In one instance, ChatGPT generated a rap/song indicating that women and scientists of colour were inferior to white and male scientists. Other research suggests that ChatGPT exhibits a pro-environmental, left-libertarian orientation when prompted to take a stance on political statements from two established voting advice applications. Third, ChatGPT is likely to disrupt entire industries and professions founded on text generation. For example, ChatGPT can generate a privacy policy, a security risk assessment or an executive summary. ChatGPT has already disrupted the examination and certification processes both in academia and industry by enabling a new form of cheating and fraud. These three issues (disinformation, discrimination and disruption) have led to much negative press on ChatGPT right now. While I have found that it is more often than not incorrect in the text that it generates, the text is constructed and formed very believably, making it all the more difficult to easily discern that the generated text is incorrect or biased.
However, ChatGPT presents huge benefits, essentially acting like a search engine on steroids. So in honour of the 30th anniversary of COSAC I thought it would be beneficial to invite ChatGPT to COSAC to attend this session, to generate the slides, and to answer some audience questions. The idea of the presentation is to show attendees that ChatGPT ‘sounds’ great but is often incorrect, and to have some fun while we are at it! Key Learning Outcomes:
09:30
1S: Requirements Engineering in Agile Environments
Speaker(s):
Chris Blunt, Enterprise Security Architect, ESO (Northern Ireland)
Chris is the Enterprise Security Architect for a SaaS provider specialising in software and data analytics for health and fire services. He is a seasoned cybersecurity professional and is passionate about business-driven security and delivering pragmatic advice that enables organisations to achieve their business objectives.
William Schultz, Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)
Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs and risk management programs, and has developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.
Everyone with experience using SABSA will know that Attributes are great for capturing and reflecting business needs. However, they can be less beneficial for Agile teams. In our experience, Agile organisations either follow a methodology religiously and have well-defined User Stories, or they don't have any documented requirements at all. Both scenarios present a significant challenge for architects attempting to introduce formal security requirements. For security requirements to be practical, they must be in a language and format that is useful to the recipient. In most Agile and DevOps teams, requirements are expressed as User Stories, which are prioritised on a backlog for implementation. However, how requirements are described can vary significantly depending on the methodology. It can be difficult, if not impossible, to introduce a new requirements engineering process into Agile environments. Any new approach, such as SABSA Attribute profiling, must integrate seamlessly with the established processes to minimise friction. This can be even more difficult in organisations where each team can choose its own approach, leading to multiple ways of articulating requirements. This interactive session will discuss how SABSA Attribute profiles can be used to develop a codified set of 'non-functional' requirements and will explore the following:
10:25
2A: Digital Safety and Protecting Our Cyber-Physical World
Speaker(s):
Andy Prow, Founder, Qubit Cyber (New Zealand)
Andy is a cyber-security veteran with 28 years of IT experience, over half of which has been in cyber security. His career spans being a software developer for global giants such as IBM, Ericsson & Vodafone, pen testing and vulnerability research, and more recently being a tech entrepreneur founding 5 firms, including Aura InfoSec (purchased by Kordia in 2015) and RedShield Security, which now protects thousands of web apps and critical systems across the globe. Andy is a previous winner of the EY NZ...
More human interaction now occurs in the digital realm than in the physical realm. The internet is where our kids grow up. Software is running our physical world. Yet we have more vulnerabilities and more exploits than ever. The cyber-security sector has historically been defined as the “protection of computers and networks”, and yet our roles are fast becoming way more than this… This presentation covers “Digital Safety” and what that means, not only to us as practitioners, but particularly to the people who want to feel and be safe both online and in the physical world. I’ll be challenging current thinking in areas such as:
In short, security weaknesses in our digital realm are already impacting our physical realm. What insights and learnings can we get from trying to build a world of “Physical Safety” into how we provide “Digital Safety”?
10:25
2B: On Gold Diggers, Bandits, and Sheriffs
Speaker(s):
Steven Bradley, Consulting Security Architect, Cyber Enterprise Modelling (Belgium)
Steven is an independent security consultant based in Brussels with 25+ years in IT and has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities. He also lends his support to local cyber initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation and modelling, leading to the 2021 foundation of a niche consultancy in this domain. Steven...
André Mariën, Information Security Consultant, MARSTA BV (Belgium)
André Mariën is an accomplished information security expert with over 25 years of experience in the field. Throughout his career, he has demonstrated a deep understanding of security policies, processes, and procedures, as well as risk management and application security. As an enterprise architect and security architect, André has had the opportunity to work with some of the most prominent organizations in the world, crafting security strategies that protect against the ever-evolving threat...
With the rise of big data and the increased availability of powerful AI tools, companies can now use data to train machine learning models that can automate processes, detect patterns, and make predictions. This can help companies to gain a competitive edge. Like gold, data can be difficult to extract and refine, but the payoff can be significant for those who are able to harness its power effectively. Assuring data privacy and security in the context of data lakes and AI data mining can be challenging, but there are several best practices that can help ensure data is appropriately protected. Overall, it's important to take a comprehensive and proactive approach to data security. By implementing best practices such as classification policies, access control, data masking and anonymization, organizations can better protect sensitive data while still leveraging the power of AI. Data and security architecture are key to defining and implementing the right capabilities to succeed. These provide a solid foundation for organizations to securely manage, protect, and analyse large amounts of data. When providing security architecture viewpoints there are several key considerations to keep in mind:
This paper covers the above capabilities, viewpoints and building blocks to achieve a solid overall architecture for the data domain.
10:25
2S: Securing the Cloud with SABSA – A Journey in the Dark
Speaker(s):
Harley Aw, CISO, Phoenix HSL (Australia)
Harley is an Information Security and IT industry veteran based in Sydney, Australia, with nearly 25 years in the retail, tertiary education, hospitality, sport and gaming, financial, government and resources sectors. He is a certified digital forensic examiner, a cybersecurity incident handler, a member of the GIAC Advisory Board, a Founding Member of the SABSA Institute and a director of the SABSA Founders Bursary. He is currently the CISO of the international Phoenix Group.
Woah. What a journey. At some point in their existence, organisations and enterprises big and small – be they government or private sector – will inevitably undertake one or more business-transformation projects. For some, this may be the replacement of core business systems, such as an ERP or what many may affectionately and monolithically call “THE DATABASE”. For others, this may be premised on bringing existing capabilities into the digital age, from hi-tech helicopters, ships, submarines and aeroplanes, to online learning and multi-channel trading platforms. For many, it is migration to the cloud itself, from lift-shift-and-uplift all the way through to a full-stack application system rearchitecture. Whatever the case may be, business transformation projects are fraught with treacherous and turbulent waters, both for the organisation and for its employees. Rarely do businesses and organisations who undertake these emerge looking and feeling like they did before – otherwise, they wouldn’t be called business transformation projects! As much as these transformations occur within technology stacks and systems, they also inevitably affect people, for better or worse. This presentation focuses on a cloud-transformation project scenario: how SABSA can be brought to bear to define and secure the delivery of security objectives, to ensure the survival of the organisation that may be entrusted to your care, and finally, to ensure the survival of your own health and sanity as the person in the middle of the relentless maelstrom around you.
11:15 - 11:35 Morning Coffee
11:35
3A: Stronger Together – Tackling the Problem of Cybersecurity in the Supply Chain
Speaker(s):
Paul Dorey, Visiting Professor, Royal Holloway University of London (UK)
Paul Dorey has 35+ years of experience in cyber security and enterprise risk management, including digital security of IT and OT systems, resilience, privacy and information management. His leadership roles have included Global CISO at BP and Barclays and other CISO roles with global leadership of strategy, information security and risk management functions in the financial services, technology and pharmaceutical sectors. He is facilitator for the UK Energy Emergencies Executive Cyber Security Task...
The 2020 SolarWinds cyber-attack was seen as an eye-opener for supply chain cyber security, particularly in the software supply chain. Yet the operations of every organisation have always depended on the security of suppliers of equipment, software, materials and services. It is an old problem, but some ideas are new, such as the software bill of materials. For many, including governments, the need for cyber security assurance has never been greater. But the challenges remain. For the past year and a half, the volunteers of the UK NCSC ICS COI Supply Chain Expert Group (SCEG) have been working on this problem and are happy to present the work for the first time during COSAC. By attending this session, you will:
11:35
3B: Cyber Stories from the Risk Quantification Front
Speaker(s):
Dimitrios Delivasilis, CEO, Qiomos (UK)
Dimitrios is a strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. He has more than 22 years of extensive experience in leadership roles, predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future-proof information security strategies and helping organisations implement...
Despite the ever-increasing interest in cyber security risk by boards of directors across all sectors, cyber risk quantification remains a challenge for most organisations. Even in highly regulated environments the identification of risk becomes synonymous with technical threat modelling and control evaluations, with little, if any, articulation of business disruption and operational resilience. This presentation will rely on anonymised case studies, predominantly from the financial services and energy sectors across the globe, to demonstrate how technical risk assessments provide, at best, a partial identification of risk, lead to more piecemeal security solutions, and fail to facilitate an intelligent discussion on resilience with senior business executives. Having identified the root causes, the presentation will then introduce a data-driven approach towards active cyber risk management. Drawing strength from data science, it enables the development of a 360° view of the risk profile across all high-value assets and provides an accurate representation of the risk position, always in line with the respective governance framework. The rigour of the approach creates transparency and measurable outcomes that help the business know which controls contribute most to risk reduction and inform better decision making. Most importantly, it serves as an effective communication mechanism that resonates with business stakeholders.
11:35
3S: Building A Plane While Flying It
Speaker(s):
Jon Cassam, Senior Security Architect, PwC (UK)
Jonathan is a Senior Manager in the PwC Cyber Security practice with diverse experience across both the public and private sectors, helping organisations tackle some of their most complex security challenges. Jonathan has a proven delivery capability and offers real value to businesses, with experience that covers a broad range of areas including strategy, architecture, policy and procedures, and training, with a particular focus on security architecture and security operations.
Anton Tkachov, Chief Security Architect, PwC (UK)
Anton is a Director of Security Architecture and Transformation and has been with PwC for 8 years. Prior to that, he delivered security transformations as a consultant, and ran a security architecture team as part of his industry role at a blue-chip financial services organisation. Anton is an active member of leading architecture forums. His passion, experience and interest lies with ‘enterprise’ architecture, which allows him to solve security problems by looking at those from...
Organisations are increasingly looking to change and transform their cyber security to:
It’s therefore not unreasonable to assume that most of the architects within the SABSA community will face the need to design and lead a large Cyber Programme within the next 12 months. The key question for those in the ESA role is ‘where do I focus my efforts to strike the right balance between putting out fires and developing my architecture capability and artefacts?’ or, to use my client’s analogy, ‘how do I build a plane while also flying it?’ This presentation of approach, a client case study and Q&A on using SABSA to
12:30
4A: Russian Cyberwarfare in Battle: What Have We Learned So Far?
Speaker(s):
G. Mark Hardy, President, National Security Corporation (USA)
G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, and a Master's in Business Administration.
“I am more afraid of our own blunders than of the enemy’s devices” - Thucydides. Last COSAC we had a vigorous discussion about Russian Cyber Strategy. A year later, the world is taking notice of hard lessons learned. Half-century-old munitions and tanks are thrown into battle while manufacturing and supply lines struggle to replace what is lost. But there is no cyber equivalent -- one cannot dust off Windows 95 exploits and deploy them at an enemy. Continuous innovation is the coin of the new realm. How are nations to manage their inventory of ephemeral cyber weapons? Like the Borg of Star Trek®, targets adapt quickly, rendering repeated attacks impotent. Additionally, digital weapons can be modified and hurled back at an opponent in a never-ending cycle of one-upmanship. Can a cyber battle ever be won, or does it merely offer a transient advantage? We'll highlight available literature detailing how Russia has managed this aspect of war: deploying weapons without delay, husbanding resources for later effect, or co-opting criminal and hacker groups while outbidding for zero days on the black market. We'll update the effectiveness of digital combined arms on kinetic actions, and evaluate whether missile salvos on civilian critical infrastructure represent an admission of failure to achieve equivalent digital disruption. We'll finish with lessons for cyber resilience and assess whether our own governments are heeding these lessons learned at the expense of others.
12:30
4B: Chaos Comes To Threat Modeling
Speaker(s):
Jason Kobes, Tech Fellow, Northrop Grumman (USA)
Jason Kobes works as a Tech Fellow for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master of Science in Information Assurance (MSIA) and a Bachelor of Science in Computer Science from Iowa State University. Jason holds a...
William Schultz, Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Centre (USA)
Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs and risk management programs, and has developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.
Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the methods of our adversary!
In this session we will leverage the work from the 2022 working sessions at both COSACs. We will then address what we know and what processes exist to help us unfold this difficult topic. We will then move into a discussion where we will explore how we can leverage each other’s perspectives and ideas to create a method to address these threats.
12:30
4S: How SABSA Can Enhance Security During Mergers & Acquisitions
Speaker(s):
Pradeep Sekar, Managing Director, Optiv Security Inc. (India)
Pradeep Sekar is a seasoned cyber security leader who has worked closely with and guided Fortune 100 and Fortune 500 Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and their teams across various industries on developing and sustaining a secure, adaptive and robust cyber security program. His unique expertise includes the delivery of innovative cyber strategy solutions and benchmarking insights for global organizations as they look to transform their cyber programs.
The global financial crisis (2007-2009) showed that companies that made significant acquisitions during the economic downturn outperformed those that did not. In today’s uncertain economic environment, we anticipate significant numbers of M&A deals to materialize by the end of 2023, which would reshape industries as the economic outlook improves. Dealmakers are becoming increasingly concerned as a result of the nature and severity of the increasingly complex cyber security threats that have emerged during the M&A lifecycle over the past ten or so years. This has greatly impacted M&A deal values and left acquiring companies with large security holes to fill. Security teams do not have sufficient representation at the start of the M&A lifecycle, and where they do, they are unable to show its significance to executives for decision making. In this interactive session, we will discuss a real-life case study where the SABSA principles were applied to build in traceability from the key business objectives of the executive stakeholders to the specific security services, mechanisms, and components that every M&A dealmaker needs to incorporate to secure their M&A transaction. The audience will see a demo of an innovative toolkit that has been developed to automate the process of mapping the most common security services, mechanisms, and components required during M&A, tied back to the specific business objectives that matter to the CEO and Board.
13:20 - 14:00 Lunch
14:00
5A: 30 years of COSAC, 30 years of Data
Speaker(s):
Valerie Lyons, COO, BH Consulting (Ireland)
Included in the ‘Top 100 Women in Cybersecurity in Europe’, Dr. Lyons is an accomplished and driven cybersecurity & privacy leadership expert with 20+ years of experience in financial services; for example, she served as Head of Information Security Risk in KBC Bank for almost 15 years. COO of BH Consulting since 2015, Valerie has a strong focus on team development and mentoring, with excellent collaborative and interpersonal skills. Valerie has an in-depth knowledge of European data protection law...
30 years of COSAC is surely something to reflect on. Over the course of those thirty years, much has changed in cybersecurity and privacy – technology has advanced, regulations have emerged, new applications have blossomed and threats have been amplified. And while data, as an abstract concept, has not changed, the types of data that have emerged over the last three decades have. While the data types evolved, so too did the value of the data to businesses, governments, and bad actors. In this presentation, I discuss ‘data’ and the evolution of the different terms and different types of data that have emerged over the course of the last 30 years (such as personal data, sensitive data, special category data, personally identifiable data, personal health data, inferential data, derived data, network data, SIEM data etc.) and the key regulations defining them or prescribing obligations for them. There is much confusion over many of these terms, and many have come to be used interchangeably (however incorrectly). Key Learning Outcomes:
14:00
5B: Time to Depart: Reasons to Re-evaluate or Maybe Leave
Speaker(s):
John O'Leary, President, O'Leary Management Education (USA)
John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.
There’s a lot of focus on finding a good information security position and developing and keeping worthy staff and enhancing the job, but not much on when to consider leaving. “Well, I’ll retire when I’m 70 or 80 or something, but there’s a lot of work that needs to be done here, so I’ll be pretty busy till then. Unless I win the Lottery …” Good luck with that, and if it fits you, great! But we know that things change, and the circumstances of working somewhere at some job for someone are subject to varying degrees of volatility. Elements of that volatility can quickly invert your perception of what was a rewarding, fulfilling position. You’ve probably experienced some of the triggering events we’ll examine, so your input is welcomed (this is COSAC, after all). We’ll list and analyze a host of reasons why you might want to reconsider staying where you are: upper management succession changes, outside job offers, unrealistic expectations for your function, getting passed over for a promotion, a lack of cooperation from other departments, people reneging on security commitments … the list goes on. For each of the cited reasons/circumstances, we’ll analyze possible strategies for coping or exit, emphasizing your own professionalism and a positive outcome.
14:00
5S: All Part of the Service?
Speaker(s):
Steven Bradley, Consulting Security Architect, Cyber Enterprise Modelling (Belgium)
Steven is an independent security consultant based in Brussels with 25+ years in IT and has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities. He also lends his support to local cyber initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation and modelling, leading to the 2021 foundation of a niche consultancy in this domain. Steven...
Simon Cross, Head of Enterprise Security Direction, Lloyds Banking Group (UK)
As a security leader, I pride myself on being forward thinking, open, trusted, inclusive and accountable. Currently working as product owner for enterprise security design at Lloyds Banking Group. My team is challenging traditional norms to achieve an enterprise security system equipped to deal with an expected turbulent future. There is life outside of work; surfing is my thing.
Much of the Security Architecture literature exhorts us to deliver our security controls as services, but if you have ever tried to follow this advice, you may have found that this is often easier said than done. Certainly, many controls, such as central authentication (single sign-on), malware scanning, logging or back-up/recovery, can be conceptualised very easily as security services. But a typical control framework will mandate a vast catalogue of objectives: from the allocation of accountability, a segregation of duties, a strong password, a Non-Disclosure Agreement, to a lock on a key cabinet – none of which are such an intuitive fit. Indeed, they call for a fair amount of contortion and contrivance to be implemented as Security-as-a-Service. So what is going on here? How can we resolve this friction between theory and pragmatism? Are they truly in conflict or merely misaligned? Or is there an underlying truth that allows both paradigms to be simultaneously valid, depending on the analyst’s perspective? In this presentation, we will probe the fault lines of this conundrum, illustrated through the use of modelling examples and security patterns. The session should be of value to a wide range of delegates, from architectural ‘philosophers’ to practising SABSA devotees, with both presentation and debate leading to clearer insight and deeper understanding. This will be original content, being presented at a conference for the first time.
14:55 |
6A: The Secret Life of Data: Imagining Digital Security by Design through Storytelling
Speaker(s):
Lizzie Coles-Kemp, Professor in Information Security, Royal Holloway, University of London (UK). Lizzie is a qualitative researcher who uses creative engagement methods to explore everyday practices of information production, protection, circulation, curation and consumption within and between communities. She took up a full-time academic post in 2008 and prior to joining Royal Holloway University of London she worked for 18 years as an information security practitioner. Lizzie's focus is the intersection between perceptions and narratives of individual and community security and...
Genevieve Liveley, Professor of Classics, University of Bristol (UK). Genevieve is Professor of Classics, RISCS Fellow, and Turing Fellow at the University of Bristol. As a narratologist, she has particular research interests in stories and their impact on futures thinking, especially in the context of emerging technologies and cyber security. She leads the Futures strand for the UKRI's Digital Security by Design (DSbD) programme, and as RISCS Fellow, heads the 'Anticipation and Futures Literacy' research theme.
As part of a project funded through the UK ESRC's Digital Security by Design (Discribe) Hub+ in 2022, creative writers worldwide were invited to tell stories that would bring to life 'the secret life of data': imagining this life as a journey, a quest, a romance, or a tragedy; thinking of a computer's internal architecture as a house, a jungle, a zoo, or a city; and data as characters facing danger in the form of various digital threats and vulnerabilities. The question the research team wanted to explore was this: could such stories help us to think more creatively about the movement of data through the new computer chip architectures that will form the cornerstone of a digital security by design approach? This session will share a selection of the best stories from this project and explore the value of storytelling and imagination as part of research and development in cyber security. Can storytelling help build stronger foundations for innovation and help the technical community as it imagines the next generation of security hardware technologies? We'll share hints and tips on ways to design competitions and commission writing to help cyber security practitioners bring impactful stories and storytelling into their work.
14:55 |
6B: Here We Are. What’s Next?
Speaker(s):
Mike Corby, Consulting Director, M Corby & Associates (USA). Michael Corby has been a technology contributor since 1968. Starting as a data center technician, he held many technical, supervisory and executive positions for private and public organizations, including founding and enhancing consulting practices for several organizations including Gartner, Marsh & McLennan, Netigy, QinetiQ and his own practice. Mr. Corby has been a speaker for many years at COSAC and other global conferences as well as private corporate seminars.
This session will provide an overview of the presenter's more than 50 years of technology experience, from initial technical challenges to creative solutions that have been instrumental in defining the global cybersecurity environment in place at many successful and responsive public and private organizations. Content will be focused on using historic trends and patterns to project scenarios that can be considered for next-stage tactics and strategies. This will NOT be a technical presentation but will focus on an executive approach to establishing a meaningful and rewarding plan for the industry, the enterprise, and most importantly, the professional. Participation is invited and encouraged with a plan for offering options to consider in exploring:
14:55 |
6S: SABSA By Sea; Smooth Seas Do Not A Good Architect Make
Speaker(s):
Robert Laurie, Deputy CISO / Enterprise Security Architect, David Lynas Consulting (Australia). Rob is an Enterprise Security Architect with 17+ years' experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.
Sailors will tell you that you want to sail as close to the wind as possible to maximise your speed, and this risk concept, while oft misused by the non-nautical, is a great analogy for maximising your performance in a risky environment. The often-tragic events in humanity's conquest of the great oceans demonstrate the severity of negative outcomes in a sea of ever-changing risks. In this SABSA presentation we take a deep dive into managing risk with SABSA, demonstrating clearly, using maritime successes and disasters, how doing business means taking risk. We ask how much risk is enough and how much risk is too much. We will get our feet wet answering the question: in the deep blue, do we always want to operate in the green? We will plumb the depths of SABSA attribute performance targets and suggest a raft of extensions to buoy our ability to manage risk within appetite, helping us sail closer to the wind to rapidly meet our goals. Attendees will take away new findings regarding SABSA performance targets, for both positive and negative risk and systemic risk interactions, helping them and their organisations plot a course through the uncertain business risk environment. This session is recommended for anyone interested in measuring risk and would serve as a shipload of ideas for a SABSA Masters' thesis, telescoping suggested extensions to the framework to provide additional guidance to captains of change.
15:45 - 16:05 Afternoon Tea
16:05 |
7A: Deception As A Service 1991-2023
Speaker(s):
Chris Blunt, Enterprise Security Architect, ESO (Northern Ireland). Chris is the Enterprise Security Architect for a SaaS provider specialising in software and data analytics for health and fire services. He is a seasoned cybersecurity professional and is passionate about business-driven security and delivering pragmatic advice that enables organisations to achieve their business objectives.
Andy Clark, Director, Primary Key Associates (UK). Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years' experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.
In February 2023, a consortium of journalists made up of reporters from 30 outlets, including the Guardian, Le Monde, Der Spiegel and El País newspapers, exposed the operations of a team of Israeli contractors who claim to have manipulated more than 30 elections around the world using hacking, sabotage and disinformation on social media. "Team Jorge" appears to have been working under the radar in elections in various countries for more than two decades, providing its services to intelligence agencies, political campaigns and private companies that wanted to secretly manipulate public opinion. Tal Hanan, head of Team Jorge, said their services had been used across Africa, South and Central America, the US and Europe. He also said "I deny any wrongdoing". Deception has been a cornerstone of military and intelligence operations at least since the 5th Century BC when Sun Tzu wrote: "All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive. When we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." Until Tim Berners-Lee's invention of the World Wide Web in late 1990, the ability to execute highly organised, large-scale deception was generally limited to governments and the military. As the Web developed further a whole new attack surface emerged, and in 1993 Peter Steiner's cartoon in the New Yorker highlighted the problem of trust with its caption "On the Internet, nobody knows you're a dog". With the advent of social media in 2004, the opportunity for deception moved firmly out of the realms of government and military into the hands of legitimate and criminal enterprises.
Ironically, the techniques cyber security companies use today to generate advanced synthetic computing surfaces to detect and repel cyber attackers (including creating fake documents, websites, databases, network services, user profiles and user activity) are equally useful to those creating the attacks and are now available for purchase as Deception-as-a-Service (DaaS) offerings from a variety of suppliers. Unlike common attacks like ransomware, the threat actor can now use much more subtle techniques to influence their target by mounting highly effective social media campaigns to, for example, destroy public confidence in a company's brand or management, thereby causing such reputational damage that the company becomes the subject of a hostile takeover. In undertaking these attacks the threat actor does not need to gain a foothold inside the target's infrastructure. DaaS attacks remain outside the protected IT perimeter, which is generally the focus of security professionals within the target enterprise. Deception attacks can be difficult to detect before their effects avalanche and it's too late. The emergence of DaaS and the exposure of Team Jorge highlight the importance of looking further than the perimeter of the enterprise and developing balanced responses to DaaS attacks. In this talk we will look at some examples of how DaaS has emerged by discussing publications from individuals such as Simon 'Bogan' Howard and his experience of "Influencing Meat Puppets Through Memes", and companies such as the now defunct Cambridge Analytica, who turned Facebook 'likes' into a lucrative political tool by using data from users who took a 'personality test' but unwittingly exposed not only their own data but that of their Facebook 'friends' too.
16:05 |
7B: Architecting A New Approach to Cyber Workforce Teambuilding
Speaker(s):
Rosanna Kurrer, Educator, CyberWayFinder (Belgium). Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design thinking, corporate innovation and coding seminars for corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Directors General as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan, she now identifies as German and Belgian.
Patrick Wheeler, Security Architect, CyberWayFinder (Luxembourg). Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California's Silicon Valley and San Francisco, and now a naturalized Belgian, he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas), specializing in security, compliance and innovation with the rubric of 'Cybrepreneurship', which he defines as including opportunistic...
...the measurable benefits of onboarding diverse profiles to different security teams. This presentation is a follow-up to the presentation made at COSAC 2021 on 'Measuring the Power of Diversity in Cybersecurity Teams', where we presented research by diversity academics demonstrating a business case for cognitively diverse teams. This time we investigate three case studies based on real-life career transition stories of three diverse profiles who, after successfully completing a reskilling program, are onboarded into security roles in three different teams. Complexity and Diversity: Complexity is in the nature of the problem (challenges in securing an organisation), in the complex tasks needed to address them (high-dimensionality and difficult to decompose), as well as in the tools of the team and the combination of tools between members of a team (cognitive repertoire). The challenges facing security teams change at an incredible pace and increase in complexity as new information and technologies are created, i.e., there is a need to be agile, flexible and adaptive, and a need for both a broad and a deep knowledge base across various domains. How do we face complex challenges with a limited team budget for human resources and a seemingly small talent pool? Promoting Reskilling: Could promoting cognitive diversity (reskilling diverse profiles with transferable skills) be one of the answers to address these complexities while addressing the skills gap problem in the industry? Case Studies: In this presentation we will discuss three 'diversity bonus' case studies based on diverse profiles onboarded into the following cybersecurity teams: 1. Incident Response team (in a public sector organisation), 2. Cryptographic Key and Certificate Management team (financial services sector), 3. CISO team (health care sector). In these case studies we will identify the benefits of diversity bonuses to the teams by:
Conclusion: Questions we attempt to answer: When does diversity make business sense, and what are the steps to ensure an optimal 'quality of hire' based on the gap in the skill set of a team? When does diversity improve team output and performance? What are the benefits of reskilling, and how do you identify potential candidates?
16:05 |
7S: Practice What We Preach?
Speaker(s):
Simon Cross, Head of Enterprise Security Direction, Lloyds Banking Group (UK). As a security leader, I pride myself on being forward thinking, open, trusted, inclusive and accountable. Currently working as product owner for enterprise security design at Lloyds Banking Group. My team is challenging traditional norms to achieve an enterprise security system equipped to deal with an expected turbulent future. There is life outside of work: surfing is my thing.
Security should enable the business: a business-driven security architecture. We know alignment to the business is essential, yet it is often challenging to make real. It shouldn't be! Security teams often find themselves out on a bit of a limb from the rest of the business. Statements such as 'the dark art of cyber security' remain frequently used, even in 2023. This sentiment is often reflected in the practices of enterprise, solution and security architecture. The enterprise architect lives with the CIO or CTO, the solution architect within business units and the security architect with the CISO. Security enabling the business immediately becomes only a distant dream when a bunch of organisational barriers or silos stand in the path of success. Is uniting and digitalising the practice of all architecture in the enterprise possible? Would doing so allow security architecture to thrive and deliver its true potential? This talk will present a security architecture viewpoint on uniting and digitalising the practice of architecture in the enterprise. It will explore what could be possible but, more importantly, what is likely to be possible, and what probably will never be achieved. The aim will be to define a vision for the Digitalisation of Security Architecture. This talk will be of interest to any security architect: both those with a grand vision of the future and great expectations, and the cynics and pessimists. Together, let's create a vision rooted in reality, thought provoking and radical.
17:00 |
8A: Tackling The Internet Puppet Masters
Speaker(s):
Siân John MBE, Chief Technology Officer, NCC Group (UK). Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft's customers as they evolve their security strategy to support digital transformation and cloud adoption.
Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology.
Siân is a recognised thought leader in the industry. She is Chair of both techUK's CyberSecurity Management committee and...
Lesley Kipling, Chief Security Advisor, Microsoft (UK). Previously lead investigator for Microsoft's detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers' largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and, more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.
Disinformation and deep fakes are becoming increasingly prevalent in today's digital world. They can be used to spread false information, manipulate public opinion, and even influence elections. Tackling disinformation and deep fakes is therefore a critical challenge for governments, organizations, and individuals alike. This talk will explore the challenges of tackling disinformation and deep fakes and discuss some of the strategies that can be used to combat them. We will look at the role of technology in detecting and preventing disinformation and deep fakes, including the use of machine learning and artificial intelligence. We will also discuss the importance of media literacy and critical thinking in combating disinformation and deep fakes. Finally, we will discuss some of the ethical and legal issues surrounding the use of disinformation and deep fakes, including the need for transparency and accountability.
17:00 |
8B: Other Experience Required
Speaker(s):
Karel Koster, Manager IT - Information Security, FedEx Express Int (Netherlands). Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes.
Prior to FedEx Karel fulfilled positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.
As we know, cybersecurity has evolved from a peripheral function to a core capability essential for most modern organizations. The growing job opportunities and remit have made cybersecurity an attractive field to work in. However, there is a shortage of skilled cybersecurity staff, which leads to recruitment and retention challenges. As a result of this shortage, I have hired people on several occasions who did not have the required cybersecurity experience but had other critical skills that would benefit the team. These lateral entrants contribute to the team objectives from day one by utilizing skills they brought with them, while receiving cybersecurity training on the job. They have proven to be key contributors to the team's success, and I believe that a mix of cybersecurity-trained professionals and professionals with a different background is a great enabler of success. We all know that diverse teams are more successful, but our hiring practices do not often reflect this. I would not go back to only hiring cybersecurity-trained professionals, and in this session I will share my views and lessons learned on skills that complement the team, which candidates to consider and where to find them, how to utilize the skills they bring with them, and the ratio of cybersecurity-trained vs. untrained professionals. By adopting this approach, we can bring diversity into our teams, offer a rewarding career in cybersecurity to more wonderful people and close the skills gap.
17:00 |
8S: Identifying the Pressures on Privacy
Speaker(s):
Marten Gerssen, Independent IAM Consultant, unConceptual (Netherlands). After graduating in Control Engineering, Marten started his professional career in Telecom Network Management at Alcatel in 1996, holding various pre-sales and marketing positions. In 2010, Marten founded unConceptual as an independent consulting company, growing from IT project management into IT Security. Customers include the energy, telecom, government and banking sectors. In those 10 years, the focus evolved to Identity and Access Management with projects in IAM overhaul, Privileged Access...
As the SABSA matrix states, identities are mere components, such as license plates. If one sticks to the component view, privacy would be evident. In reality, privacy is anything but evident. Triggered by a column by Jan-Werner Müller in the Guardian on December 24th, 2022: privacy is the right to appear to others as a stranger. But there are many pressures on that privacy. Those pressures are usually contextual in nature: (MRF)², Marketing Madness, Reward Requirements and Forensic Frenzy. Starting with a chess game, the session then discusses the nature of identities as attribution conduits, a label to get deliveries to the rightful "destination". It then shows privacy by design in areas such as telecommunications (data moves between phone numbers or IP addresses as pseudonymous identities). It also points to areas where privacy by design may be problematic (Amazon's order fulfillment adds personal address data early in the process). It reports on the investigation into research done by others, such as the Practice of Enterprise Modeling community that works on this type of problem. That is then projected back onto the SABSA Matrix. The value is to bring attention to the topic of privacy and design and bring research to COSAC that not everybody may be aware of, in full interactivity of course.
17:50 - 18:10 Refreshments
Plenary Session
18:10 |
9P: The Law - 2000AD and Why You Should Never Underestimate A Droid
How are the courts and tribunals in the UK addressing the challenge of using a 20th century data protection law to meet 21st century technology? This session will consider how the UK courts and tribunals are responding to the changing demands of the regulation and control of data in a world that is evolving faster than the letter of the law is able. The session will seek to answer the following questions with direct reference to the case law being generated by the UK courts and the First Tier Tribunal for Information Rights.
COSAC 2023 Gala Dinner & Race Night
19:15 | Drinks Reception |
19:45 | COSAC 2023 Gala Dinner & Race Night |