Ireland COSAC Connect Melbourne

Welcome to COSAC - Information Security conferencing the way it should be! Join us virtually for 3 days of innovative & participative information security value.


For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2021 agenda is now live and delegate registration is open.

Tuesday 28th September 2021

(ALL TIMES BST)

Chairman's Welcome

09:00 COSAC 2021 Welcome & Introduction Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute CEO of David Lynas Consulting.
X

09:20 - 09:40 BREAK

09:40 A1: The Quantum Conundrum Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information security roles. He currently manages an international team of security analyst for FedEx Express, owning and executing various GRC process for FedEx international. Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies.
X
 

Quantum technology is coming. It is expected, or even know that it will break several security technologies that are currently essential to securing our business operations.

The threat hasn’t materialized yet, but when it does, it might not leave us a lot of time to respond. So how do you prepare for something that:

  1. That you do not fully understand.
  1. You do not know the full impact of.
  1. You do not know when it becomes reality.

If you wait for the risk to materialize you might be too late to the party.

This talk will not be on how quantum works, but on its predicted impact and how you can start planning mitigation now. In this interactive session we will discuss several quantum scenarios, analyse them and discuss which preparations will give you a head start when the threat materializes. We will discuss what can be done when and how your current cyber risk posture will benefit from these measures. Starting our very own quantum playbook now, and in doing so solving current day issues, whilst preparing for the future.

09:40 B1: Cloud Governance Turf Wars Speaker(s): Jim de Haas

Jim de Haas

Cloud Security Wizard, ABN AMRO Bank – Global Security Office (Netherlands)

With 15+ years in information security Jim de Haas has experience in a wide range of security topics like physical security and IT security. For the past eight years I worked for ABN AMRO in the global security office. He is specialised in cloud computing security and former secretary of the ABN AMRO cloud governance body. Currently engaged as security engineer in the banks AWS team.
X
 

When a large organisation adopts cloud computing it goes through several learning curves. Especially when during this journey a transformation towards a devops way of working is implemented. It goes through multiple growth stages. The latest stage can be characterised as one with turf wars. Not sure what will happen after that, because that is something the future will bring. A true story that reads like an Asterix and Obelix comic book.

I will tell a story of an organisation adopting both AWS and Azure cloud and while doing so drastically changes its IT strategy. As the years go by, more managers learn about cloud computing and consider themselves to be responsible for governing it. Imposing their (non cloud native) way of working on others. Leading to a debate and strong difference of opinion on going cloud native or not. Going back to Asterix and Obelix, as you turn the pages in a book, our main characters struggle with the ‘give trust’ concept of devops and how it relates to the organisations culture. Culture, as an aspect, that has a huge influence on how security is adopted within organisations. The battle continues as the address topics like secrets management, HPA management, security monitoring and release of services to devops teams. More characters from Asterix and Obelix are mentioned because the perfectly fit the story.

Is sticking to a more theoretical model for cloud governance (Arcitura) a way forward? How to move on beyond the turf wars of cloud computing governance? Does looking at it from an Organisation Sociology background add anything (my University education)?

After attending this session participants will probably recognise part of the story when they work for large organisations that are busy adopting cloud computing. It will give some pointers and ideas to bringing this forward (beyond the turf wars phase), taking into account the organisations IT strategy and culture. We will probably explore a few options for improving cloud governance models (audience participation required, that will not be a problem at Cosac).

09:40 C1: Architecting National Telecommunications Infrastructure Security Speaker(s): Malcolm Shore

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.
X
 

Cybersecurity is a key risk for national infrastructure, particularly in the area of telecommunications. However, many telecommunications infrastructures are privately owned and operated and the relationship with government tends to be via regulatory instruments. This leaves nations potentially at an unknown level of risk. In this paper, we look develop a SABSA model of security architecture for national infrastructure, and determine how individual infrastructure components should integrate into a cohesive national infrastructure risk dashboard. A governance approach is proposed to enable an effective inter-domain relationship between the national security authority and infrastructure providers and consider the way in which regulatory compliance and risk management should interact. Challenges to its adoption in the Gulf Region are discussed.

09:40 D1: Reinventing the Global Research Agenda for a Modern World Speaker(s): Dan Klein

Dan Klein

Chief Data Officer, Valtech / United Nations (UK)

Dan Klein has two roles – lead of Environmental Data for the UN Big Data Working Group and Chief Data Officer for Valtech. At the UN, he is part of the team deploying a global collaboration platform for international datasets, methods and results, to drive improvements in the 17 Sustaianble Developmernt Goals. In Valtech, he looks after all things ‘data’, delivering differentiated value to our clients. He is fascinated by how the use of data can disrupt existing business models and revels in...
X
 

Reinventing the global research agenda for a modern world with large datasets to deliver the United Nations 17 Sustainable Development Goals https://sustainabledevelopment...

Taking a proof of concept with the UN to engage collaborators around the world, in undertaking science in a revolutionary way – full digital collaboration and peer review; replacing the ‘scientific journals’ PDF and data as appendices.

See https://marketplace.officialst...

Lessons from the UN and a review of other players in the market – how to collaborate across datasets, methods, resources and outcomes.

10:25 - 10:45 Break

10:45 A2: Is 1999 2000 2001…2021 The Year Decade Century of PKI? Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...
X
 

The Public Key Infrastructure (PKI) had had an enduring, if variable, impact on security the universe of computing for almost 50 years. Is it now settling into its role as journeyman support to secure the world just as it is being threatened by the advancement of quantum computing? Lately many organizations have come to discover a bit to late that they in fact use PKI when their processing infrastructure quits working due to expired certificates. PKI used to be represented as 25% technology and 75% policies, standards and processes. Is this still true? How many organizations really understand how PKI works? Is that important?

The promise of PKI – to have the ability to establish dynamic trust between two entities without an established prior trust relationship has endured for decades. It has invaded the business processing systems, sometimes by design, mostly under the covers. Why did IBM invest many millions in technology, processes, infrastructure and data centres the early 1990s to become the world certificate authority and then quietly drop those plans and walk away? The technologies supporting PKI have continuously evolved while the foundational principles over past decades have endured. We will have a look at the evolution of PKI and why it became pervasive in most organization whether they realize it or not. Will it survive the onslaught of quantum computing that will be able to “break” the foundational encryption algorithms that currently will take many years’ worth of computing power in a few hours and maybe minutes or seconds. We will outline what is being done to continue to support PKI in a post quantum computing (PQC) world. Are there more answers than questions? Note: No physicists’ are involved in this session.

10:45 B2: Cloud Forensic Challenges Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.
X
 

In 2019, one of the biggest concerns we hear from our customers’ security teams is the lack of expertise when it comes to cloud and forensic investigations.  We’ll first cover the differences between investigating in an incident to that of a forensic investigation and then cover forensic concepts and methodologies and how we have adapted them to the cloud.  We’ll answer questions such as “How do you forensically acquire a SAN?”; “What does court worthy methodologies mean?” That myth debunked!), “What does GDPR mean for forensic investigations?” and other esoteric questions that investigators are concerned about.

10:45 C2: Mission Critical Systems and the Risk Managed Approach – We Need Something Better Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect / Cyber Project Design Authority, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.
X
 

This paper looks at the problem of attempting to use current enterprise / IT focused approaches to cybersecurity on mission critical systems.

Most frameworks and policy standards for cybersecurity advocate, or even mandate, the use of a “Risk-Based” or “Risk Managed Approach” to the delivery of security objectives in a system. This has proven very effective in Enterprise ICT environments by forcing organisations to move away from an audit and compliance (i.e. ‘check-box’) approach to security.

Since the “Risk Managed Approach” is the de-facto standard for security policy frameworks, we are now seeing it being applied to securing mission critical systems. But, unlike Enterprise ICT environments, mission critical systems have long ‘Life-of-Type’ (often decades) and are intended to be very stable and reliable in terms of change and operation over this long time period.

A key element in the risk managed approach is understanding the threats to the system. Therefore, current risk assessment is effectively outward focused from the system on factors that change over time. Looking at threats for risk assessment works well when the time horizon being considered is relativity short; consider the rate of application change in an enterprise environment.

For mission critical systems, this means that the risk assessment is focused on factors that are beyond the scope of the system, beyond what can be affected by system architecture and design and is based on threat information that is not definitive and not stable over a time period that is comparable to the life-of-type of system.

The delivery of security outcomes for mission critical systems is therefore compromised by mismatches in time horizon; I.e. the life of type of system vs time horizon of the threat information used in a security threat and risk assessment vs time period for the implementation of system change.

Notes:

Based on the key foundational concept in “STPA for Security”, derived for modern safety engineering. This presentation explains the problem “STPA for security” is trying to solve.

References work by Prof Nancy G. Leveson in her book “Engineering a Safer World: Systems Thinking Applied to Safety”

10:45 D2: Establishing An Ethical Imperative for Enterprise Security Architecture Speaker(s): Andrew S. Townley

Andrew S. Townley

Chief Executive, Archistry (South Africa)

Andrew S. Townley helps information and cyber security leaders build more effective security programs by applying 25 years of hard-won lessons across a diverse career from starting as a Software Engineer to building Archistry from the ground-up starting in 2006. Andrew is an international speaker, published author and thought leader on Information Security, Security Architecture, SABSA, Risk Management, Enterprise Architecture, SOA and Technology Strategy, and he has extensive practical,...
X
 

If you ask most people about security architecture, they’re probably going to assume you want to talk about technology. You see, to most people, security architecture is about firewalls, identity and access management, endpoint protection and the way these are all connected together in some sort of circuit diagram you might put on your wall – framed of course – so that you could walk past it every day, confident that you’re safe from cyber attacks. Except it’s not like that at all—well, at least the ones that truly add value to your organization aren’t like that. Your organization’s security program has one job. I call it the mission and purpose of security, and that job is to enable and protect the organization to deliver its mission as quickly as possible. But it’s a job you can’t do if you limit your view of security architecture to the land of technology and security control frameworks. To be successful, security architecture must be a lot more than that. Now, as someone who believes in the value proposition of security architecture – and especially SABSA® – in making a difference in our organizations, we already know this. The problem is…we’re not the ones who need convincing. The people who need convincing are the very people who have the misguided assumptions above about security architecture lodged in their brains. And it can often end up being pretty hard to change their minds—or to demonstrate how the security architectures we want to build will actually make a difference. To be successful, security architecture must reflect the objectives and the priorities of the organization’s reason for being. It must be created as a function of understanding and responding to the risks the organization may encounter while pursuing those objectives. And your security architecture must enable the members of your executive team to make risk-based decisions about the way they choose to deliver those objectives. To be successful, your security architecture must be the backbone of your entire security program, connecting your organization’s strategy to the selection of the controls in your operational environment and the way you use the information those controls collect to drive learning and adaptation everywhere. However, there’s a problem. It’s a problem that far too many security teams face every day. A problem that erodes and undermines their credibility and trust with the organizations they’re meant to protect. That problem is an approach, a mindset and a set of behaviors that leads an otherwise well-meaning and highly motivated security team to be seen as… The Department of NO. The business says, “I’d use this application.” Security says, “No.” The business says, “I need to make this information available to our customers via the Internet.” Security says, “No.” The business says, “I need to deploy this software in production.” Security says, “No.” The reasons seem sound: it doesn’t comply with policy; we can’t be sure the information won’t be stolen; and the software has major security bugs. But to the business, it’s getting in the way of doing business. It’s delaying projects. It’s increasing the cost of deliver…and, let’s face it: It’s the business who pays the bills. If we want to build a truly business-driven and responsive security program, security needs to move beyond technology. It needs to move beyond “checklist” security control deployment. And it needs to ditch arbitrary security maturity targets that aren’t related to the real risks and business environment the organization faces. But how? How can we do that? In this session, I’ll be presenting the role of security architecture as a key enabler of organization success and digital transformation. But, more importantly, I’m going to talk about the fundamental psychological drivers within most organizations that must be identified and overcome before an enterprise security architecture program can be created. Based on 15 years of focused security architecture work around the world, I’ve discovered that there is a fundamental value clash between “the business” and “security” that invariably leads to the situation where security is seen as essentially, “the business prevention department.” This value clash is actually the result of the very ethical and moral foundations on which our whole understanding of security is based, and it’s shaped not only what we do, but the expectations of the business and those we serve—sometimes in surprising and unexpected ways. To counter this, I’ll demonstrate why security needs to adopt a different set of ethics and moral values than it often has today. I’ll also highlight the 8 values your security team will need to adopt before it can truly enable and protect your organization to the best of its ability. At the end of this session, you’ll come away with a very different view of not only the critical nature of security architecture in delivering your core business strategy, but you’ll also have a much deeper insight into the historical divide between business and security that may well be holding you back today. Using these insights, you’ll be able to begin thinking about some concrete changes you might want to make to better align your security program with the business and some thoughts on how to get started building a truly business-driven security architecture program.

11:30 - 11:50 BREAK

11:50 A3: Digital Twins - Architecture & Security Implications Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the CISSP. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).
X
 

The concept of creating a digital twin of a cyber-physical entity is gaining considerable coverage, with significant hype regarding the potential benefits a digital twin can offer. This session will explore the concept and history of digital “twins”. They are not as new or novel as the media coverage suggests. However, Gartner reports that leading digital governments are exploring the concept of digital twins at the whole-of-government level.

This session will examine the information and architecture issues relating to the creation of a digital twin and the prerequisites for ensuring that in implementing the digital twin there is close alignment the reality of the physical twin’s behaviour. It will also discuss the privacy and security implications that arise from the creation and use of digital twins that are connected to operational assets. The session will conclude by identifying a set of criteria for establishing the trustworthiness of a digital twin in comparison with the real thing.

11:50 B3: Does Your Cloud Have A Toxic Lining? Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...
X
 

We've all heard the old joke that "the cloud is just other people's computers" - but when it comes to cybersecurity, this is no laughing matter. Enterprises are moving internal applications and data to the cloud faster and faster, but the security models involved are often poorly understood and inadequately applied. AWS alone offers hundreds of tools and features to help customers meet their security objectives - an often overwhelming assortment.

One main challenge is that security OF the cloud is not the same as security IN the cloud, and there’s broad potential for a gap in between. Applications in the cloud are still subject to many of the same vulnerabilities we've been battling for years in the datacenter - and the proliferation of cloud environments adds a layer of complexity... Additionally, organizations running workloads in more than one cloud provider - as well as in the datacenter - are forced to translate a single business policy into multiple security models. The inevitable result is increased attack surface, as well as more opportunities for human error.

We'll review some of the pitfalls of the shared responsibility model and explore a few of the high-profile leaks and breaches that have resulted from poor understanding or implementation of necessary security controls in cloud environments, discuss examples from personal experience, then review what resources and tools are truly helpful - as well as what hasn't worked! - in approaching this expanded playing field for enterprise security.

11:50 C3: Cash is Dead, Long Live Cash… Keeping Cash Available, Accessible, Affordable, and Safe Speaker(s): Dennis van den Berg,

Dennis van den Berg

Security Principal, Accenture (Netherlands)

Dennis is a Security Innovation Principal within the Cyber Defence Services domain of Accenture Security in the Netherlands. Dennis joined Accenture in 2013, after he completed his MSc in Network & Information Security. Since, he worked on a multitude of cybersecurity strategy, architecture, and transformation engagements helping clients in the Netherlands and abroad become cyber resilient businesses.
X
Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.
X
 

For some time now, banks in Northerland have made considerable efforts towards a cashless economy. Although there was a noticeable reduction in cash transactions, cash proved more resilient than expected and there was a realisation that some level of cash transactions will remain for the foreseeable future. Hence, a different strategy was required to reverse the increasing cost involved with cash management.

In this session, we will explore the ESA created for Galactic Inc. Cash Services, a joint venture created by the 4 largest banks in Northerland with the objectives to drive down the cost of cash operations while ensuring cash remains available, accessible, affordable, and safe for the customer. We will show how information security and physical security come together in their one of a kind Incident, Monitoring & Investigations Architecture.

11:50 D3: Architecting Highly Resilient Open Collaborative Systems Speaker(s): Timothy Parsons

Timothy Parsons

Cyber Security Consultant, QinetiQ (UK)

Working predominantly in the Defence and Security sectors, Tim’s career has focused on advanced information technology delivery, consultancy and strategy, especially aspects of Cyber security. His career has spanned the spectrum from research scientist, the management of innovative technology demonstrators, to providing strategic options to Board for Companies positioning to enter adjacent security markets.
X
 

Driven by cost reduction and the need to improve the availability and delivery of services, information systems underpinning business processes and societal organisations have evolved significantly over the last ten years. These changes include the rapid evolution of cloud services, the adoption of data-centric architectures, virtualisation, edge computing and increasing interconnectivity with a huge diversity of endpoint sensors and actuators – the so-called cyber-physical ‘Internet of Things’ (IoT).

Significant economic benefits now depend upon such systems, examples being the transport and logistics sectors and the increasing interconnectivity of ‘smart’ cities. These systems form part of an ever developing and widening Critical National Infrastructure (CNI), with the characteristic that key processes often cross more than one domain of authority. Such systems may be termed ‘open collaborative systems’, and an overarching question therefore is, “How can highly resilient critical systems be architected when key aspects of that system are open and collaborative in nature, often crossing more than one domain of authority and ownership?”

This paper argues that 'extended enterprise' resilience is emergent from a set of principles and design approaches which span organisational and process issues, enterprise architecture, technical and supply chain management. The paper identifies and discusses these principles.

12:40 - 13:25 Lunch & Networking Session

13:25 A4: Stopping Houses Attacking People Speaker(s): Nick Spenceley

Nick Spenceley

Director, Primary Key Associates (UK)

Nick is an experienced technical specialist with particular subject matter expertise in the application of technology to solve complex problems in secure environments. He consults on business change, system architecture and design, legal disputes, security accreditation and engineering processes. He has over 30 years’ experience in managing significant project portfolios and programmes for BAE Systems Applied Intelligence, Detica and Logica (now CGI).
X
 

In the COSAC 2019 presentation “Did my house just attack me?” we learned of the first conviction in the UK (in May 2018) for harassment using IoT devices. An estranged husband used remote access to a smart home hub to access the video and audio from an iPad used as a wall mounted system display, as well as other compromises of the victim’s online accounts. He was sentenced to 11 months in prison.

The subsequent discussion provided some further insight into the problem of a “purposeful pattern of behaviour which takes place over time in order for one individual to exert power, control or coercion over another”, in particular where smart home installations are built into the fabric of the premises and one partner in a relationship is the single sysadmin.

Is there a suitable architecture for such devices that enable a more balanced approach to managing smart home devices in which, for example?

  • A resilient and irrefutable chain of evidence is created when devices are configured and operated;
  • That evidence remains protected against unauthorised access, but can be reviewed by any authorised party in the event of a pre-defined set of circumstances;
  • A trust model exists that allows shared authority for managing the system;
  • A mechanism exists for dispute resolution by a trusted third party.

In this talk we will outline a framework that covers these requirements and, in discussion with the delegates expand or change it as necessary to produce something that may be considered a ‘trust mark’ that manufacturers may consider worthwhile to differentiate their products in this ever-expanding market.

13:25 B4: Application of Zero Trust Security Architecture on Amazon Web Services Speaker(s): Ernest Ngassam,

Ernest Ngassam

General Manager: Information Security Architecture and Technical Excellence, MTN Group (South Africa)

Prof. Dr. Ernest Ketcha Ngassam is currently the General Manager: Information Security Architecture & Technical Excellence at MTN Group. He is also Professor Extraordinaire of Computer Science at the School of Computing, UNISA, and holds a PhD in Computer Science from the University of Pretoria. He was the Chief Architect (Research Expert) at the SAP Innovation Centre in Pretoria and recently spent some times at Cell C as a Senior consultant in Technical Programme Management for MVNOs. He...
X
Frans Sauermann

Frans Sauermann

Security Architect, MTN Group (South Africa)

Frans Sauermann is currently the Senior manager: Information Systems Security Architecture at MTN Group. He holds 29 certifications related to information security architecture from The Open Group, SABSA, ISACA, ISC^2, AXELOS, PMI, EC-Council, Cloud security alliance and others, as well as a master’s in cyber security at CSU. He has over 15 years’ experience with information security, 12 of which spent with MTN and has been involved in multiple projects related to information security during...
X
 

This paper provides an architecture for zero trust networks and continuous adaptive risk and trust assessment mechanisms on Amazon Web Services (AWS). We take a pragmatic approach to ensure that we link the theoretical components to implementation candidates. This relies on application of graph theory to establish traceability, which we can subsequently use to verify the logical integrity of the architecture. Our literature review indicates that the first imperative is to establish a reference model that describes zero trust networking. The zero trust reference model is subsequently mapped to relevant AWS services that realizes the components. We see as part of this review that AWS is mature in its development of zero trust capabilities and that we can realize all aspects of zero trust using off-the-shelf AWS services. The correct configuration of these services however is crucial. The research is useful in providing solution architects with the logical components that can drive further stages in architecture definition.

13:25 C4: What Good Looks Like - Using KPI's and KRI's Effectively Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 30 years IT experience, the last 23 in Information Security. I have been formally trained in security consultancy and architecture methodologies. These include Togaf Enterprise Architecture methodology (including Archimate) and of course SABSA. I have 10+ years in the financial/insurance sectors and another 10+ years experience in the Government sector. In that time I have developed security strategy, performed risk assessment and compliance roles as well as designed,...
X
 

In 20 plus years of working in information security for many different organisations I have yet to see control decisions based on real data using sensible metrics. Controversial maybe but it’s a real issue. A lot of money is wasted replacing perceived underperforming security technology when the reality is that the operational environment is underperforming, the technology is under-utilised or a lack of control coverage is the real culprit.

“A bad tradesman blames his tools” comes to mind. Often organisations replace controls technology because the existing product is perceived to be inadequate.

Data availability, time pressures, cost and resources with the right sort of experience all factor in to this issue but these can be overcome if you start with defining properly what good looks like. This is achieved with KRI’s and KPI’s.

SABSA itself provides a framework for KRI’s and KPI’s, but too date I have seen little evidence of successful implementation in organisations I have worked in or in conversations with industry.

This interactive session explores the importance of metrics in the decision making process, gives examples of KRI’s and KPI’s that support those decisions and attempts to challenge attendees views regarding where to start from when selecting security services and mechanisms.

13:25 D4: Cyber Resilience: Expecting the Unexpected! Speaker(s): John Budenske,

John Budenske

Cyber Security & Systems Engineering Architect, General Dynamics Mission Systems (USA)

Dr. John Budenske is a life-long renaissance technologist and entrepreneur with an interest in autonomy, cyber resiliency, robotics, & intelligent agents. He has 30+ years of R&D experience in robotics, autonomous systems, cyber security, IoT, and human-robot interactions. His M.S. and Ph.D. were accomplished at the University of Minnesota, and he holds the Certified Ethical Hacker (CEH) accreditation. He is currently employed at General Dynamics Mission Systems in Bloomington, MN, as a...
X
Lori Murray

Lori Murray

Systems Engineer, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She has her Masters of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience between Systems Engineering as a Cyber Security SME building security architecture from requirements definition to design.
X
 

Incorporating resilience into security architecture must consider how a system provides resilience to complete mission objectives. Ever evolving adversaries drive the need for system architectures to protect cyber resources, but still enable operations during an attack to achieve mission objectives. According to MITRE, cyber resilience is derived on the practices of system security engineering, security operations and management, and systems engineering for performance and management. Exploring the commonality with the Sherwood Applied Business Security Architecture (SABSA) approach (that has a basis in systems engineering),and using both approaches may lead to defining an architecture that offers both security and resilience. During this talk we explore systems engineering as an approach for defining an architecture that is both secure and resilient.

14:10 - 14:30 BREAK

14:30 A5: Internet of Intelligent Things, Preventing the Attack of the Refrigerators Speaker(s): Siân John MBE,

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...
X
Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.
X
 

If IoT and Operational Technology (OT) are combining in Industrial IoT and OT is the hardware and software that control the processes of much of our critical national infrastructure, then how do we protect our families and our societies from attackers that do not have our best interests at heart? In the light of the recent Ekans malware attack (https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/ Feb 2020), how do we begin to broach the great divide – that between IT and OT system operators – in a world of internet connected everything, deep fake videos, massive disinformation campaigns and the potential catastrophic outcomes of compromise of safety systems? This talk will delve into some of the case studies of OT compromise, their key lessons and how we can potentially use the lessons from responding to attacks in the IT world in a way that makes sense in the OT.  During the discussion, we’ll outline the 7 properties of highly secure devices (https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf) and discuss the pros and cons of moving from preventative to reactive systems.

14:30 B5: Hey SyRI Who’s Committing Fraud? Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information security roles. He currently manages an international team of security analyst for FedEx Express, owning and executing various GRC process for FedEx international. Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies.
X
 

In 2013 the Dutch parliament passed a law called ‘Fraud prevention through coupling of data files’, without a vote. This led to the development and implementation of the ‘System Risk Indication’ also known as SyRi, which combines data from several governmental data sources with the sole purpose of detecting of potential social benefit fraud.

This does not sound threatening for a normal law-abiding citizen such as myself. Any fraud must be battled, and for us Dutch, economic fraud is on top of the list. However, this system caught the eye of privacy activists and the UN rapporteur on extreme poverty and human rights. They found it to be in breach of human rights, discriminatory, dangerous and flawed. Our government was taken to court and the system was ultimately banned in February 2020.

A case like this in a developed country is both intriguing and scary and I feel there are lessons to be learned from it. Therefore, during this talk we will dive into this case and we will explore:

  • How such a surveillance system came to be in a functioning democracy?
  • Is the intent of the system ethical and just?
  • What issues where found in the design and operation of the system?
  • Could it have been designed in an ethical way?
  • Were there warning signs?
  • Do we need new safeguards to keep this from happening again, or are current laws and safeguards sufficient?
14:30 C5: Automating Security Compliance Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and develops a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018, COSAC 2019 and COSAC APAC 2019. Steven has authored a paper for The SABSA Institute on the topic of security modelling with ArchiMate which is now being developed via a joint SABSA Institute / Open Group Working Group.
X
 

Organisations increasingly operate in a multi-regulatory environment where audits are more frequent, more numerous, more stringent and subject to higher levels of scrutiny with each passing year.

Staying on top of continual compliance cycle proves to be extremely onerous. Organizations typically respond by first streamlining their operations into a single, enterprise-wide capability but still find that despite the efficiency savings, they are still left with a task of formidable scope and complexity that remains a costly, largely manual operation.

Perhaps the most significant development in this field for decades is NIST’s Open Security Controls Assessment Language (OSCAL), version 1.0 of which was published at the end of 2020. OSCAL defines a series of inter-locking data schema that progressively apply a control framework to a target system via pipeline of compliance “transforms”.

In this presentation, the speaker will present an introduction to OSCAL based on first-hand experience of using it since the early pre-release versions. The session will include practical demonstration of how OSCAL artefacts can be created and consumed, holding out the promise of end-to-end automation.

The value to the conference, will be an early awareness of an emerging technology that is set to have a major impact in highly-regulated or infrastructure-critical sectors for whom multi-regulatory compliance is a primary concern.

14:30 D5: How Sabremetrics May Influence Cyber Resiliency Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks.
X
 

This presentation is focused on describing a possible approach to measuring cyber resiliency in the future. Sabremetrics is a statistical approach to evaluating and comparing baseball players, teams and achievements from disparate eras in order to answer difficult opinion questions about the sport. For example, there is a classic argument about whether the 1927 New York Yankees are the greatest baseball team to play the game. To address this question requires not just simple measurements, such as, the team’s winning percentage, or batting average, but more complex and data intensive analysis about park factors, dead ball versus live ball, impact of expanding the leagues, etc. Sabremetrics is a system for defining, measuring and evaluating such questions, where metrics are complicated and data is massive. Evaluating the resiliency of a mission and its systems to cyber effects is a quickly emerging goal for government and defense industries.

This presentation seeks to begin a greater dialog on measuring and evaluating cyber resiliency by doing the following:

  1. Briefly describing and demonstrating how Sabremetrics is applied to baseball.
  1. Describing the cyber resiliency measurement problem.
  1. Proposing a methodology to measure cyber resiiency.
  1. Identifying gap areas in the measurement process and discussing next steps

It is my hope to engage in discussion of the viability of the methodology and to strengthen the approach. It took baseball 11 years to identify most of the data points needed to improve the statistical analysis and instrument collection of the data. Metrics in cyber security have been marginalized since the beginning of the cyber security industry. It is time to address them in a meaningful and systematic manner. The proposed methodology is a starting point, not a 100% solution, but I believe it is the best place to start.

15:15 - 15:35 BREAK

15:35 A6: A Hard Look at the Black Box of AI/ML Speaker(s): Char Sample

Char Sample

Chief Scientist Cybersecurity Cybercore, Idaho National Laboratory (USA)

Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture, other areas of research are information weaponization and complexity.
X
 

Artificial intelligence (AI) powered by machine learning (ML) algorithms is a disruptive technology that promises greater efficiency and accuracy in many workflows. The rush is on and organizations are applying AI/ML solutions without considering the security implications. These data and algorithmic dependent "black box" solutions require a hard look by cybersecurity researchers. This talk breaks down some of the known vulnerable areas of AI/ML, discussing attacks and proposed countering techniques or research areas that will be needed in order to make AI/ML Trustworthy.

15:35 B6: Reflections on Not Trusting Trust: How Complexity Obscures Security Speaker(s): Mike Broome,

Mike Broome

Senior Software Engineer, Tanium (USA)

Mike is a senior software engineer with a background that runs the gamut from developing large-scale enterprise IT security and IT operations software at Tanium to working on low-level embedded networking software at Cisco and IBM to wrangling industrial control systems at a startup. Throughout his career, he's been passionate about software security.
X
Lisa Lorenzin

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...
X
 

Modern software development and modern enterprise security are focused on agility, speed, and minimizing time to delivery. Pressure to innovate results in a focus on leveraging existing frameworks and not re-inventing the wheel for basic building blocks. But when those building blocks are compromised, the whole house falls down.

Using high-profile, real-world examples from both the software development world and the enterprise security space, we will explore unrecognized trust relationships, how they can fail, and the consequences of these oversights. We will examine – from both top down and bottom up — how complexity and system interdependencies lead to the inability to accurately evaluate the security of software and solutions, resulting in unexpected threat vectors ranging from authentication bypasses to software supply chain vulnerabilities and beyond. Finally, we will review related mitigations, tools, and practices (such as DevSecOps) and discuss whether they help to solve the problem and how feasible they are in the real world.

15:35 C6: Your Enterprise Security Architecture Might be Acceptable, but its Governance is a Mess Speaker(s): Andreas Dannert

Andreas Dannert

Head of Security Architecture, Standard Chartered Bank (Singapore)

Andreas is currently the interim Head of Security Architecture at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of...
X
 

While security architecture as a field is maturing, and medium to large organisations start to appreciate the value of hiring experienced security architects, the way security architecture artefacts are governed is often less than desirable. In many cases one could argue is is to the detriment of any security architecture investments made in the organisation. In appears counterproductive to produce great plans to only let them get lost when they are needed most, which could be compared to having building plans being commissioned and losing them before the construction of the building commences.

After working for multiple organisations as a security architect in different roles, I have made some worrying observations. Some of these are: Organizations having little or no understanding of the dependencies between security policies, security controls, and business processes; The lack of appreciation for the right tools to maintain security architecture related artefacts in an efficient way; And the development of governing processes to effectively control and align potentially conflicting interests in an organisation when it comes to security architecture.

In this session I want to provide ideas and approaches for dealing with these issues, based on the experience build of utilising different tools and strategies in achieving a more sustainable way of governing enterprise security architecture.

At the end of this session participants should be able to understand the value of establishing a robust governance for enterprise security architecture through a combination of a good enterprise security architecture delivery approach, relevant processes to govern the delivery of security architecture artefacts and tools to efficiently and effectively maintain relevant information and deliverables.

In the spirit of COSAC, this session is designed to be interactive and it will allow participants to share their experiences concerning the topic or voice their concern of this idea Where appropriate, this session will provide attendees with examples of scenarios that have benefitted medium to large enterprises in maturing their enterprise security architecture function.

15:35 D6: The Regulatory Death of Private Enterprise Speaker(s): G. Mark Hardy,

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration.
X
Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years’ in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.
X
 

Three years ago at COSAC we examined the likely impact of the EU's General Data Protection Regulation (GDPR). Our predictions were borne out -- fines and sanctions in Art. 83 have served as a "stick" to compel -- £183m proposed fine for British Airways, £99m for Marriott International for example -- or, are they really an alternate revenue stream? Those make Google's €50m punishment look like a bargain.

As we slide into a global recession, will cash-hungry governments up the regulatory ante and feed off of industry's missteps? Earlier this year, the California Privacy Protection Act (CPPA) commenced a cascade of a cacophony of conflicting commandments certain to trip up the most careful corporation trying to sort out the tangled web of individual state laws in the United States. It's only going to get worse.

Will governments hold fines and punishments in abeyance to avoid exacerbating the downturn, essentially giving companies a bye, or will they drive businesses into oblivion when they are struggling for their survival. What does this brave new world look like, and when will we have "too much" regulation?

This presentation will provide a legal overview of the framework of what may be the latest generation of privacy laws following in the steps of breach notification laws. We'll look at what security professionally can do to reduce risk and avoid the wrath of the regulators.

16:20 - 16:40 BREAK

16:40 A7: AI in Information Security - Beyond the Hype Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years’ in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.
X
 

Artificial Intelligence is the current buzzword in all areas related to computers, and computer security is no exception. This session will try to get beyond the hype and discuss the genuine applications of AI and data analytics to information security, and the limitations of the use of AI. It will discuss some of the current AI related tools, the drawbacks and advantages of AI based threat analytics, the use of AI in access control, authentication, personnel security, user behavioral analytics, automated threat detection and response, SOC automation, dDOS mitigation, and data breach impact analysis. It will also discuss the different types of AI and the drawbacks of the massive data collection and sharing requirements necessary to make AI programs effective.

16:40 B7: Institutionalizing Trust – How do we “Build” Trustworthy Organizations? Speaker(s): Glen Bruce,

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...
X
Nick Galletto

Nick Galletto

Global Cyber Risk Lead, Deloitte (Canada)

Nick Galletto has over 30 years of experience in information technology, networking, systems management and information security management. He has accumulated extensive experience in the management, design, development and implementation of cyber risk management programs. Over the last several years Nick’s primary focus has been helping clients with the development and implementation of cyber risk management solutions both for IT and OT, making these organizations more cyber resilient.
X
 

Trust in relationships with organizations is an essential element for effective business but is becoming increasingly more difficult to maintain and support - especially in the face of increasingly sophisticated threats from a variety of forces. We are seeing a shift in business from a shareholder value only priority to a broader emphasis on: societal impact; value for customers; investing in employees; dealing fairly and ethically with suppliers; and supporting our communities, which in turn will deliver long term value to the shareholders. In speaking to clients about trust, we consistently hear that trust is an essential outcome to driving the brand promise.

The session will focus on answering, how do we operationalize trust in this era of digital complexities? What are the drivers for trust in support of the brand promise, ethics and integrity? And how do we measure trust? We will outline our research and findings on what it takes to have a trustworthy organization and the impact that adverse events have had on major organizations. We will provide methods and insight on how to move trust from a functional capability with stakeholders to building relationship trust through an integrated trust framework and supporting maturity model.

The better the impact of trust is understood and how to achieve and maintain it, the more trustworthy the organization will be.

16:40 C7: Feed me More, Seymour - Freeing Your Risk Appetite Speaker(s): Martin Hopkins,

Martin Hopkins

Consultant, Attributive Security (UK)

Martin is an independent information security consultant with a current focus on security advisory to small businesses in the UK. He has over 25 years’ experience in technology, primarily in security related fields. A regular speaker on cyber security topics, he is a strong advocate of business driven security, security architecture and secure software development practices.
X
Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.
X
 

In 2019 we talked about how and where to find your risk appetite. Now we’re back to go full immersion and explore risk appetite throughout the SABSA risk management framework. Can we define any reusable patterns or models? How can we reassess the organization’s appetite, apply a changing risk appetite to our existing risks, use our appetite to drive tactics and business decisions..?

Join us to ask, and answer, the difficult questions of transforming your risk management into something more dynamic and business enabling than managing a risk register.

16:40 D7: Where is My Mind? (unabridged version) Speaker(s): Chris Blunt,

Chris Blunt

Security Architect, Aflac NI (Northern Ireland)

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.
X
Simon Harvey

Simon Harvey

Platform Manager - Identity, Suncorp Group (Australia)

Simon is a Security Professional with 25 years of Security-related Research, Business & Management experience. He is currently manages Identity at a large financial services organisation; In addition to being extremely late at submitting his SABSA Advanced exam (sorry David!), he is an accredited instructor for Mental Health First Aid Australia; and speaks widely about Mental Health in IT/InfoSec.
X
 

Mental health is becoming one of the most significant issues in our society, and the information security industry is no exception. Our industry often attracts people with certain personality traits or attributes, including technical, analytical, obsessive, dedicated, perfectionist, curious, dogmatic, unempathetic. This can lead to us being labelled nerds and geeks, which are used to dehumanise us by others.

But we are all human. We work in high stressed environments and pressures are placed upon us by ourselves, colleagues and our employers to perform with unrealistic budgets, team members and timeframes. This can be unhealthy at best, but downright dangerous at worst. Mix this with the regular ups and downs we all experience in life and it is no wonder that many people in our industry suffer from poor mental health.

In this session, will shed light on this taboo topic to raise awareness and help end the stigma that is often attached to conditions such as anxiety, depression, and bipolar. We will use a combination of medical facts and our personal stories to humanise a topic that is still treated in a very inhumane way.

We will also present and discuss some of the:

  • most common mental health conditions
  • early warning signs that someone is not okay
  • some basic approaches you can take when dealing with someone who is not okay
  • resources available to help you and your organisation help people that are suffering from poor mental health

Our objective is to have a conversation about how we can identify, support and help each other when our mental health is compromised and to determine how we can practically support each other at the community level.

17:25 - 17:45 BREAK

Day 1 Keynote

17:45 Something Sinister Below the Horizon Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.
X
 

In April 2021, judges in the UK Court of Appeal quashed the criminal convictions of 39 former postmasters in what has been described as “the UK's most widespread miscarriage of justice”. Each had been convicted of theft, fraud and/or false accounting.

Some had been imprisoned, all had their lives turned upside down through no fault of their own. Some lost their homes, were forced to pay back large sums from their own pocket and were unable to get work because of their convictions. Some were forced into bankruptcy.

Those convictions relied on evidence derived from a computer system used by the UK Post Office known as Horizon. Introduced in 1999 it was rapidly rolled out to Post Office branches and by 2013 was operating in over 11,500 branches and processing some six million transactions per day.

Problems with Horizon were first reported in 2000 but were dismissed by the Post Office who consistently said that Horizon was “robust and reliable”,

I have personal experience of Horizon, having been retained by a firm of solicitors as an expert witness in a criminal case relating to accusations made against a sub-postmaster based on Horizon evidence.

I accompanied the instructing solicitor on a visit to see the Horizon system in action at a Post Office Training Centre. Within a matter of one hour, it was clear to me that there were sufficient significant issues with the design and implementation of that system to bring the integrity and quality of digital evidence into question, for example the accuracy of timestamping and the potential for undetected modification of transaction data.

The solicitor made our observations known to the prosecution and the case was dropped. Sadly, many others proceeded using unreliable evidence from Horizon that was not challenged successfully.

More than ten years after I made that visit, speaking after announcing the Appeal Court’s ruling Lord Justice Holroyde said the Post Office "knew there were serious issues about the reliability of Horizon" and had a "clear duty to investigate" the system's defects.

But the Post Office "consistently asserted that Horizon was robust and reliable" and "effectively steamrolled over any sub-postmaster who sought to challenge its accuracy", the judge added.

This talk:

The Horizon scandal is a shocking example of failures of design, implementation, management and governance. The impact on the sub postmasters convicted based solely on unreliable evidence is horrendous.

In this talk I will unpick some of the details of the Horizon system that led to its technical failures. I won’t explore the behaviours of individuals who, despite knowing of the failures, proceeded with prosecution of potentially innocent people, but I will encourage the audience to reflect on our responsibilities as designers, implementers or operators of information systems.

I will explore how we might ensure that they capture all the system business requirements and, in the digitally dependent age in which we live, how those may well include system data being of sufficient evidential quality to be used in the investigation of crime.

Two matters are clear:

  • Relying solely on digital evidence in any prosecution means that system design, implementation, operation and maintenance will come under scrutiny - how many systems have adequate through life documentation, and how many have been designed with the expectation that their data will be used in evidence?
  • Evidential quality must be tested rigorously if we are to avoid miscarriages of justice - where individuals have not had the proper resources available to them to question such evidential quality they may have been improperly convicted - and that is inexcusable.

Networking

18:30 Day 1 - Networking Session