
Welcome to COSAC - Conferencing the way it should be!

For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2021 Call for Papers is now open!

Tuesday 29th September 2020

09:00 - 09:30 Delegate Registration & Coffee

09:30 1S: A Practical Application of SABSA for Humankind Speaker(s): Chris Blunt

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.

In 2017, Maurice Smit presented his inspirational SABSA Master Thesis “The problem-solving framework applied to the humankind” at COSAC. In it, he set out his theory that SABSA could be used to solve any problem, including the human condition, by using Attribute as a common language for and in every phase of human existence.

In this session, I will explore a real-world application of his work as applied to my life, presenting a brutally honest case study (would you expect anything less of me?) to explore how some of the key SABSA approaches, methodologies and techniques can truly be applied to our lives in the pursuit of happiness. Who knows, it might just change your life for the better; it has mine!

09:30 1A: Reinventing the Global Research Agenda for a Modern World Speaker(s): Dan Klein

Dan Klein

Chief Data Officer, Valtech / United Nations (UK)

Dan Klein has two roles: lead of Environmental Data for the UN Big Data Working Group and Chief Data Officer for Valtech. At the UN, he is part of the team deploying a global collaboration platform for international datasets, methods and results, to drive improvements in the 17 Sustainable Development Goals. At Valtech, he looks after all things ‘data’, delivering differentiated value to its clients. He is fascinated by how the use of data can disrupt existing business models.

The 2030 Agenda for Sustainable Development adopted by all United Nations Member States in 2015, provides a shared blueprint for peace and prosperity for people and the planet, now and into the future. At its heart are the 17 Sustainable Development Goals (SDGs), which are an urgent call for action by all countries - developed and developing - in a global partnership. They recognize that ending poverty and other deprivations must go hand-in-hand with strategies that improve health and education, reduce inequality, and spur economic growth – all while tackling climate change and working to preserve our oceans and forests.

This session looks at leveraging large datasets to deliver the UN’s 17 SDGs, taking a proof of concept with the UN to engage collaborators around the world, and changing the way we undertake science through full digital collaboration and peer review, replacing the ‘scientific journals’ PDF approach.

We will also look at lessons learned from the UN and a review of other players in the market collaborating across datasets, methods, resources and outcomes.

09:30 1B: Santa Claus, the Easter Bunny, and Zero Trust: Are We Living in a Fantasy World? Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...

Zero Trust is over a decade old - but what does it really mean today? Is it any more achievable than when it was first introduced? When every vendor in the enterprise security space is slapping a Zero Trust label on their marketing materials, how do you find the signal in the noise?

The original Zero Trust framework was introduced in a 2009 Forrester whitepaper, and promptly went through the classic Gartner hype cycle: inflated expectations, disillusionment, enlightenment, productivity. Millions of dollars and thousands of hours were spent chasing the Holy Grail of enterprise security - often with very little demonstrable ROI.

Forrester and Gartner resurrected the Zero Trust buzzword a couple of years ago, and once again it's on the marketing collateral of every vendor who offers enterprise security, identity, or access management. New technology offers solutions to some of the original problems; with those problems out of the way, we see additional problems that they were masking. Are we on the same roller coaster? And if you're in the market for a zero trust solution today, how do you find the signal that's relevant to you in all the noise?

This session will be a candid conversation about successes and failures in the Zero Trust arena and whether it's any more achievable today than it was ten years ago, conducted under Chatham House rules.

10:30 - 10:50 Morning Coffee

10:50 2S: SABSA in AXA Group Enterprise Security Architecture Speaker(s): Simon Griffin, Bhupesh Rana, John Sluiter

Simon Griffin

Senior Enterprise Security Architect, AXA (UK)

I’ve been working at AXA for nearly 20 years in a number of global roles including security consultancy, engineering and presently as an enterprise security architect within AXA’s Group Operations organisation. I have so far achieved SABSA SCF, attended both the A1 and A3 courses and hope to start work on my paper for Practitioner soon. I spend most of my time taking a business driven approach to security and utilising what I’ve learned from SABSA in developing our security reference model.

Bhupesh Rana

Global Head of Enterprise Security Architecture and Design, AXA (UK)


John Sluiter

Lead Global Enterprise Security Architect, AXA (UK)

As a member of the AXA Group Enterprise Security Architecture team, John leads development of the Enterprise Security Architecture as part of the Global Target Architecture, as well as contributing to various strategic programmes and topics such as global workplace, API management and DLP. Before joining AXA in early 2016, John worked as a security architect for business and IT consultancies for most of his career, working on TOGAF and SABSA integration amongst other things.

AXA Context

We will explain the complexity and federated nature of the AXA organisation, the structure of the security organisation (1st and 2nd line), and the GESA role and mandate plus its challenges.

We will describe the foreseen maturity journey of ESA in AXA and the stage at which we see ourselves today:

- The key reasons for using SABSA are to introduce and establish rigour and structure in the strategy development process, and to make security architecture real for practitioners, operational security teams and our leadership team.

- We have encouraged and trained members in SABSA who are not architects. For example, we have included people from risk management, security assurance and operational security teams in the training programme, because we believe that the more people outside the architecture teams understand the AXA ESA/SABSA approach and methodology, the better it is for AXA and for us. That may differ a little from the approach other companies take.

Security Capability Reference Model

The first key deliverable GESA produced in 2018/2019 is a Security Capability Reference Model (SCRM). It is a deep-dive, security-specific view of the Business Capability Reference Model managed by the Business Architecture Working Group, and therefore follows the business capability structure and definitions to maximise business alignment. It defines 5 levels of capabilities covering business and IT/security services (services are renamed lower-level capabilities), which are mapped to mechanisms and components and used to form a library of the as-is security capability status.

The presentation will describe and show what it is, what the expected benefits will be (supporting analysis, security requirements definition and architecture design) and how much value we have experienced to date (quick turn-around of requests for global cost savings opportunities, consistent strategic IT programme security requirements definition, etc.).

Business Attribute Profiling and SWOT Analysis

We will explain how BAP and SWOT are used for security design in global technology / IT strategy development (BI strategy, network strategy, data centre strategy, DLP and EPP position papers, etc.), and how risk scoping is incorporated into this work to determine primary and reliance scope in risk assessments, design work, etc.

Future Steps Planned for Further ESA Maturity Improvements

We will describe the currently ongoing projects and activities related to ESA:

- Linking the SCRM with the MITRE ATT&CK framework for use by the next-generation SOC (SOC NG). The aim is to have meaningful discussions with operational security and influence technology choices by talking to them in the language they understand, i.e. threats and security controls, which we link with security components in SABSA.

- Improved use of data to support security capability related decision making (control effectiveness, coverage, cost), using sources such as IS assurance framework self-assessment compliance reports, secondary assurance findings, and SOC alert and incident data.

- Increased use of domain modelling, in particular for defining governance requirements, but also to explain relationships and R&Rs. We have been experimenting with domain models but have not yet used them in practice. Early feedback is positive, so we want to expand their use.

10:50 2A: The Regulatory Death of Private Enterprise Speaker(s): G. Mark Hardy, Mark Rasch

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, and a Master's in Business Administration.

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record of establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and in high-technology litigation and advisory across critical infrastructure, and is highly sought after as one of the world’s leading legal (cyber) experts.

Three years ago at COSAC we examined the likely impact of the EU's General Data Protection Regulation (GDPR). Our predictions were borne out: the fines and sanctions in Art. 83 have served as a "stick" to compel (the £183m proposed fine for British Airways and £99m for Marriott International, for example), or are they really an alternate revenue stream? Those make Google's €50m punishment look like a bargain.

As we slide into a global recession, will cash-hungry governments up the regulatory ante and feed off of industry's missteps? Earlier this year, the California Privacy Protection Act (CPPA) commenced a cascade of a cacophony of conflicting commandments certain to trip up the most careful corporation trying to sort out the tangled web of individual state laws in the United States. It's only going to get worse.

Will governments hold fines and punishments in abeyance to avoid exacerbating the downturn, essentially giving companies a bye, or will they drive businesses into oblivion when they are struggling for their survival? What does this brave new world look like, and when will we have "too much" regulation?

This presentation will provide a legal overview of the framework of what may be the latest generation of privacy laws, following in the steps of breach notification laws. We'll look at what security professionals can do to reduce risk and avoid the wrath of the regulators.

10:50 2B: Threat-Based Security Engineering: a Stochastic Framework for Calculating Cybersecurity Risk Speaker(s): John Leach

John Leach

Owner, John Leach Information Security Ltd (UK)

I have been an Information Risk and Security professional for more than 30 years. I have held senior positions in the security teams of a number of organisations, including NatWest Bank, and led the security teams for the UK branches of two US boutique technical consultancies. In late 2002, I formed JLIS to enable me to provide my unique brand of Security Risk Management consultancy services independently.

Cyber security is a highly technical subject. This disguises the fact that, even today, we still practise it as a craft, not as a science. We have a series of ‘recipes’ (Best Practices and international standards), but they have been compiled over time from common responses to attacks and breaches, not designed analytically using scientific methods, data and results. These recipes provide us with an uncertain level of security no matter how carefully we follow them; we can’t readily optimise them to suit our particular situation; and they limit our ability to adapt and innovate.

It doesn't have to be this way. In this presentation I will describe some of the benefits of treating cyber security as a science, and outline how that could transform the way we conduct cyber security. We would be able to measure the amount of security protection a given practice or product provides and perform cost-benefit analyses for security improvement projects. Directors and regulators could set objective security risk targets and Risk Managers demonstrate that their security arrangements satisfy those targets. And security risk could be managed with no less a level of transparency and objectivity than any other type of business risk.

Using Threat-Based Security Engineering (TBSE) as a candidate method, I will describe what treating cyber security as a science could look like, and outline a number of ways people could give this a try to see what it can do for them.

12:00 3S: Could I Have A Little SALSA With That? A SABSA Fireside Tale Speaker(s): Peter De Gersem, Jaco Jacobs

Peter De Gersem

Principal Security Management Specialist, SWIFT (Belgium)

Peter is a security management specialist at SWIFT, the world’s leading provider of secure financial messaging services. He has over 22 years of experience in information security, having covered a broad spectrum of security domains. His current role is managing the SWIFT security assessment practice, from business objectives through the threat landscape to deriving the security pain points and identifying security requirements that speak to both business and technical stakeholders.

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

About two years ago I found myself standing in front of the SWIFT building in La Hulpe, Belgium, for the first time. To say that I was excited is a gross understatement. I was, after all, in the birthplace of something that I hold very dear … SABSA. I was at Genesis!

Imagine my surprise when I started asking about SABSA and everyone looked at me like I was the Mad Hatter who had partaken in way too much of his own special tea. No one there recognized what I was talking about and I could just not understand why …

This is also the day that I met Peter De Gersem, one of SWIFT’s current security architects, and we got talking. The long and short of it is that some SABSA training was attended, and a project was concluded at the beginning of 2020.

In this session, we would like to tell a SABSA story that has been writing itself for 24 years together with a very special introduction by John Sherwood. Where and how it started, where it lost the way a little, and how it found its way back onto the right path in the most unexpected way. We will talk about what has changed, what has remained the same, the lessons learned, and how the method has stood the test of time in delivering innovative outcomes.

12:00 3A: Mind the Gap! GDPR and CCPA Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

The privacy landscape across Europe and the US has seen significant volatility over the last number of years. In 2018 we faced the General Data Protection Regulation (GDPR) and now two years later we face the California Consumer Privacy Act (CCPA). Both laws provide consumers with insight into, and control of, their personal information. The GDPR protects and empowers EU citizens’ data privacy, whilst also impacting every organization that processes or controls EU citizens’ data, regardless of location. CCPA on the other hand applies to California-based businesses with a revenue above $25 million USD or those whose primary business is the sale of personal information.

There is a misplaced belief that if a company is GDPR compliant then it will automatically be CCPA compliant. Although there are many commonalities between these two pieces of legislation, there are also fundamental differences. Simply put, GDPR speaks one language, CCPA another. As practitioners we need to be able to talk and translate the language of both pieces of legislation and understand where the potential gaps are in meeting each law. Whilst it is not yet clear how CCPA will interface with GDPR, it’s important for companies to be in compliance with both sets of laws if they qualify under the scope of both pieces of legislation.

This presentation positions GDPR together with CCPA, with the first half of the presentation outlining the key similarities between the two laws, and the second half outlining the key differences. The aim of the presentation is not to ‘bash’ one law against the other but to explore the strengths and weaknesses of each law and to encourage an understanding of the common denominators across both.

Key learning outcomes from this presentation are:

- Understanding CCPA and GDPR differences

- Understanding CCPA and GDPR similarities

- Knowing how CCPA does not meet GDPR compliance, and knowing how GDPR does not meet CCPA compliance

Audience: Senior roles involved in assessing data protection risk, risk management, compliance or incident response.

12:00 3B: Mission Critical Systems and the Risk Managed Approach – We Need Something Better Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect / Cyber Project Design Authority, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Alex’s qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has over 30 years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

This paper looks at the problem of attempting to use current enterprise / IT focused approaches to cybersecurity on mission critical systems.

Most frameworks and policy standards for cybersecurity advocate, or even mandate, the use of a “Risk-Based” or “Risk Managed Approach” to the delivery of security objectives in a system. This has proven very effective in Enterprise ICT environments by forcing organisations to move away from an audit and compliance (i.e. ‘check-box’) approach to security.

Since the “Risk Managed Approach” is the de-facto standard for security policy frameworks, we are now seeing it being applied to securing mission critical systems. But, unlike Enterprise ICT environments, mission critical systems have long ‘Life-of-Type’ (often decades) and are intended to be very stable and reliable in terms of change and operation over this long time period.

A key element in the risk managed approach is understanding the threats to the system. Therefore, current risk assessment is effectively outward focused, from the system onto factors that change over time. Looking at threats for risk assessment works well when the time horizon being considered is relatively short; consider the rate of application change in an enterprise environment.

For mission critical systems, this means that the risk assessment is focused on factors that are beyond the scope of the system, beyond what can be affected by system architecture and design, and is based on threat information that is neither definitive nor stable over a time period comparable to the life-of-type of the system.

The delivery of security outcomes for mission critical systems is therefore compromised by mismatches in time horizon, i.e. the life-of-type of the system vs the time horizon of the threat information used in a security threat and risk assessment vs the time period for the implementation of system change.

Based on the key foundational concept in “STPA for Security”, derived from modern safety engineering, this presentation explains the problem “STPA for Security” is trying to solve.

13:00 - 14:00 Lunch

14:00 4S: SABSA Amid the Frameworks Hunger Games Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

Managing Director, Qiomos (UK)

Strong technology executive, specializing in business-driven security architectures and business risk control management. I have more than 16 years of extensive experience gained within information security consultancy firms as well as financial services and telecom organizations. During the last eight years I have been offering enterprise security strategy services to C-Level executives across Europe due to my ability to simplify complex technological issues.

The ever-increasing attention on information security, cyber security and, as of late, risk resilience is being followed by significant investments that organisations make in an attempt to stay in control and consequently protect their operations. The flux of money, especially evident in the aftermath of a security breach visible in the public domain, usually results in a plethora of technical controls with very little justification and almost non-existent acknowledgment of the business context. Instead of investing time and resources to define the problem space first, security professionals hide behind numerous security frameworks, pre-built lists of controls, and best practices.

This presentation will analyse the driving forces behind this phenomenon in an attempt to identify the root cause, and then explore how SABSA can provide a credible way to alleviate, if not solve, the problem. In doing so the emphasis will be on the need these frameworks and control repositories aim to address, their relevance to building operational resilience and meeting regulatory expectations, and the prioritisation of the investment required to perform active risk management. SABSA principles and logic will be put to the test as we explore the differences between a compliance-driven and an improvement-driven mindset.

14:00 4A: The Great Chief Security Leader Debate – 20 Questions Speaker(s): Todd Fitzgerald

Todd Fitzgerald

CISO, Cybersecurity Leadership, CISO Spotlight (USA)

Todd has built and led multiple Fortune 500/large company information security programs for 20 years across multiple industries. Todd serves as Executive In Residence and Chairman of the Cybersecurity Collaborative Executive Committee, was named 2016-17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, and named Ponemon Institute Fellow. Fitzgerald authored CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.

The information security leader has evolved much over the past 25 years, or have they? This session takes a look at the evolution of the Chief Information Security Officer (CISO) and then discusses 20 cybersecurity leadership perspectives provided by expert CISOs and security leaders of some of our largest organizations today. We will discuss – are these ideas increasing our maturity or are they moving us backwards? The questions are based upon writeups some of the top CISOs and cybersecurity leaders have provided to the presenter on different topics such as developing strategies, managing MSSPs, hiring talent, privacy, organizational structure, orchestration, use of AI/Machine Learning/Blockchain, etc – from practical experience, not theory.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation to create a memorable entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker (2013-2020) and ISACA top-rated speaker.

14:00 4B: Protecting Citizens Online in The Face of a Global Epidemic Speaker(s): Martin Sivorn

Martin Sivorn

Head of Cybersecurity, Cabinet Office, UK Government (UK)

Martin built and led the first cyber security capability for the prestigious global news organisation The Financial Times for many years, building a team spanning 2 continents that plays a pivotal role in protecting FT systems and data, and the integrity of the FT's journalistic content. Having a dedicated cyber security capability has enabled the business to expand into new ventures like investigative journalism, made possible with a secure whistle-blowing platform.

The premise of my talk is keeping citizens secure online against the continuous menace of online scams, particularly at a time like this when current events and affairs like a global health crisis are being exploited to fuel new scams and fake news.

We will look at the moral dilemma of who is actually responsible when your brand is being exploited by criminals to rip off citizens, as well as a technical dive into some of the methods that we use to combat this issue.

As Head of Cybersecurity for the Cabinet Office, I feel that we have a moral obligation to protect all citizens of the UK from online scams, particularly when our website serves as the basis for perpetuating these scams.

I will share details of our approach to combating the problem of phishing, including detection of malicious websites and how we get them taken down from the internet. The talk will cover some of the technical challenges and considerations that we struggle with when trying to action the takedown of malicious sites. I will also give an example of how current events are exploited for malicious purposes with a timeline of the malicious activity that has been detected during the current COVID-19 health situation.

15:10 5S: Deep Behind Enemy Lines with Nuthin’ but SABSA As Your Guide Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

“They are in front of us, behind us, and we are flanked on both sides by an enemy that outnumbers us 29 to 1 – they can’t get away from us now!” Lt. Gen. Lewis “Chesty” Puller, USMC

The environment is a mess. The security team is proselytizing. IT wants security to go away. Project managers are flogging the IT beast while shutting out distractions from security. The compliance team is screaming at everyone for updates. The audit team is sticking the knife in everywhere around them. The business hates the whole damn lot of you.

And there you are, the Security Architect, right in the centre of it all, with nothing more than being handed your rifle, pointed at the direction of the enemy and told to start running!

All too often, we are faced with the unenviable circumstance of being dropped into a swirling maelstrom of conflicting priorities, challenges, objectives, goals, approaches, ideas, personalities, relationships, successes and failures, and expected to start pulling rabbits out of the hat and perform miracles.

And all while the Board is watching!

If all that sounds like it’s enough to make you curl up into a foetal position wrapped in a Dettol-soaked blanket* mumbling random prose in haiku form rather than rub your hands together in mad delight at the opportunity to ply your trade, then this presentation is for you!

In this riveting and thoroughly entertaining presentation, we will show you how to dive headlong into the chaos of a real corporate environment and establish a secure beachhead that will one day become your operational theatre of war in battling the bad guys, vanquishing your foes and leading the way with security architecture! 20 years of real-life experience is brought to bear to provide you with the know-how to face an enormously complex and challenging environment, win allies and set yourself up to succeed in defining and achieving your security architecture objectives. The presentation will even debut a unique capability maturity model (CMM) never seen before – the CMM of you, the Security Architect!

*Based on a true story! All will be explained if you come to the presentation…

15:10 5A: The Big Bang: Creating A Greenfield Security Program and an IT Infrastructure at the Same Time Speaker(s): Timothy Sewell, Todd Wilkinson

Timothy Sewell

CIO / CISO, Reveal Risk (USA)

Tim is a lifelong technology and security enthusiast with broad experience in multiple industries. He spent over a decade at Lockheed Martin designing and deploying solutions to some of the hardest cybersecurity problems in the national security space: Cryptography, weapon systems, aircraft, satellites, critical networks, APTs, hardware security, supply chain and third-party security, anti-tamper and industrial control systems using a blend of best-of-breed from the commercial space.

Todd Wilkinson

Chief Information Security Architect, Elanco Animal Health (USA)

Todd Wilkinson has been in the technology industry for 23 years and most recently is serving as the Chief Information Security Architect for Elanco Animal Health, building their new security program as part of a divestiture and IPO. He has advised on and been accountable for the technology direction and product development of solutions that Elanco offers to its animal health customers, and has developed innovation in disease detection, wearables, implantables and mobile imaging capabilities with Elanco.

What if I said you could build an entirely new security program from scratch in a greenfield environment? How about when that environment is a 64-year-old international company going through an IPO split from its parent? Also, you have to stand up the entire IT infrastructure at the same time, all while meeting the aggressive cost savings promised to the market? Let’s discuss the beginnings of a security program while restarting from scratch on everything.

This talk will cover every aspect of security from architecture to governance to detection and on to response, and share the wins, the losses and the lessons learned along the way.

How to start small, prioritize and increase the security of your company’s future.

15:10 5B: Differences and Similarities: The Infection – The Outbreak – The Cure Speaker(s): Martin De Vries

Martin De Vries

Senior Information Security Officer, Rabobank (Netherlands)

Martin is an experienced Information Security Professional with a background in Project Management and Service Management. In recent years his focus has been on innovation, both security innovation and secure innovation. In this role he scouts for security innovations, trends and technologies, and provides security advice to startups and scale-ups, helping them to properly address their cyber security risks.

There is no way around the current situation. The world is under the spell of the COVID-19 virus, aka the coronavirus. In parts of the world daily lives have come to a halt, social distancing is the new adage and people have died too soon.

Not long ago, we saw a ‘Citrix outbreak’, and we see malware and cryptoware infections on a daily basis. The Citrix vulnerability hindered critical business functions, as remote access into an organization's network was no longer possible. Malware and similar viruses spread like viruses in real life.

What are the differences and similarities between the infection, the outbreak and the cure of viruses in virtual and real life? This is what I want to address and answer in this COSAC session. With the input of the experienced COSAC audience we can all learn from each other.

16:10 - 16:30 Afternoon Tea

16:30 6S: Are Our Politicians Taking Us for A Ride? Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.

SABSA says...........?

This presentation provides a SABSA interpretation of the success of our current political system and approach.

SABSA techniques allow us to analyse any situation utilising a series of interesting tools and techniques. As it was developed as a tool to understand Information Security, we often think of it as an IT-specific, technical architectural methodology and utilise it in a relatively narrow field of endeavours.

In this presentation I will present the use of SABSA as a tool to analyse what the electorate really wants against what the electorate really gets, and through this determine the current usefulness of the current political system.

Whilst the presentation will be focused on the Australian Electoral System, throughout the presentation participants will be called on to run a parallel analysis of their own countries' systems utilising similar techniques, or indeed, by inventing their own!

16:30 6A: Institutionalizing Trust – How do we “Build” Trustworthy Organizations? Speaker(s): Glen Bruce, Nick Galletto

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 45 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations.

Nick Galletto

Global Cyber Risk Lead, Deloitte (Canada)

Nick Galletto has over 30 years of experience in information technology, networking, systems management and information security management. He has accumulated extensive experience in the management, design, development and implementation of cyber risk management programs. Over the last several years Nick’s primary focus has been helping clients with the development and implementation of cyber risk management solutions both for IT and OT, making these organizations more cyber resilient.

Trust in relationships with organizations is an essential element for effective business but is becoming increasingly difficult to maintain and support - especially in the face of increasingly sophisticated threats from a variety of forces. We are seeing a shift in business from a shareholder-value-only priority to a broader emphasis on: societal impact; value for customers; investing in employees; dealing fairly and ethically with suppliers; and supporting our communities, which in turn will deliver long-term value to the shareholders. In speaking to clients about trust, we consistently hear that trust is an essential outcome in driving the brand promise.

The session will focus on answering: how do we operationalize trust in this era of digital complexities? What are the drivers for trust in support of the brand promise, ethics and integrity? And how do we measure trust? We will outline our research and findings on what it takes to have a trustworthy organization and the impact that adverse events have had on major organizations. We will provide methods and insight on how to move trust from a functional capability with stakeholders to building relationship trust through an integrated trust framework and supporting maturity model.

The better the impact of trust, and how to achieve and maintain it, is understood, the more trustworthy the organization will be.

16:30 6B: Cloud Forensic Challenges Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

In 2019, one of the biggest concerns we hear from our customers’ security teams is the lack of expertise when it comes to cloud and forensic investigations. We’ll first cover the differences between investigating an incident and conducting a forensic investigation, and then cover forensic concepts and methodologies and how we have adapted them to the cloud. We’ll answer questions such as “How do you forensically acquire a SAN?”; “What does ‘court-worthy methodology’ mean?” (that myth debunked!); “What does GDPR mean for forensic investigations?”; and other esoteric questions that investigators are concerned about.

Plenary Session

17:45 7P: Stopping Houses Attacking People Speaker(s): Nick Spenceley

Nick Spenceley

Director, Primary Key Associates (UK)

Nick is an experienced technical specialist with particular subject matter expertise in the application of technology to solve complex problems in secure environments. He consults on business change, system architecture and design, legal disputes, security accreditation and engineering processes. He has over 30 years’ experience in managing significant project portfolios and programmes for BAE Systems Applied Intelligence, Detica and Logica (now CGI).

In the COSAC 2019 presentation “Did my house just attack me?” we learned of the first conviction in the UK (in May 2018) for harassment using IoT devices. An estranged husband used remote access to a smart home hub to access the video and audio from an iPad used as a wall-mounted system display, alongside other compromises of the victim’s online accounts. He was sentenced to 11 months in prison.

The subsequent discussion provided some further insight into the problem of a “purposeful pattern of behaviour which takes place over time in order for one individual to exert power, control or coercion over another”, in particular where smart home installations are built into the fabric of the premises and one partner in a relationship is the single sysadmin.

Is there a suitable architecture for such devices that enables a more balanced approach to managing smart home devices, in which, for example:

- A resilient and irrefutable chain of evidence is created when devices are configured and operated;

- That evidence remains protected against unauthorised access, but can be reviewed by any authorised party in the event of a pre-defined set of circumstances;

- A trust model exists that allows shared authority for managing the system;

- A mechanism exists for dispute resolution by a trusted third party.

In this talk we will outline a framework that covers these requirements and, in discussion with the delegates, expand or change it as necessary to produce something that may be considered a ‘trust mark’ that manufacturers may consider worthwhile to differentiate their products in this ever-expanding market.

Networking & Dinner

19:30 Drinks Reception - Sponsored by Killashee Hotel
20:00 onwards 27th COSAC Gala Dinner & Networking - Sponsored by SABSAcourses