
Welcome to COSAC - Conferencing the way it should be!

Call for Papers is now open for COSAC 2020!

For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Tuesday 1st October 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 1S: Using SABSA to Architect Zero-Trust Networks: Part 2 Speaker(s): Chris Blunt

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

At COSAC 2017, I presented a session discussing how to apply SABSA to architect a zero-trust network. This session explored the basic concepts of zero trust networks and showed how SABSA was used to deliver an Enterprise Security Architecture (ESA), which included a Conceptual Architecture for a zero-trust network.

But what has happened since then? Is it practical for an organisation without the resources of Microsoft, Amazon Web Services and Google to adopt these concepts? This session seeks to shed some light on this by building on the original sanitised NZ organisation case study.

This session will provide a brief overview of the zero-trust concepts, together with the pertinent details from the ESA and the Conceptual Architecture before exploring how they were used to develop and implement a solution architecture using cloud services, discussing the real-world challenges and how they were overcome.

Finally, if time and the demo gods permit, there will be a demonstration of how zero-trust networks can work in the real world, using a replica of the NZ organisation’s implementation.

09:30 1A: Did my house just attack me? Speaker(s): Nick Spenceley

Nick Spenceley

Director, Primary Key Associates (UK)

Nick is an experienced technical specialist with particular subject matter expertise in the application of technology to solve complex problems in secure environments. He consults on business change, system architecture and design, legal disputes, security accreditation and engineering processes. He has over 30 years’ experience in managing significant project portfolios and programmes for BAE Systems Applied Intelligence, Detica and Logica (now CGI). He is interested in how engineering,...

As we fill our homes with more and more smart connected devices, we are exposing ourselves to more than just the classic security risks of Confidentiality, Integrity and Availability. But what if we aren’t the person who has the relationship with the supplier or service provider?

With our mantra of ‘There’s an app for that’ we often focus on a single user/account/app customer model that at best defaults to one person in control and in the worst case has no mechanisms for sharing the user-level functions or obtaining access to the administration-level functions.

If all you’re dealing with is a single light bulb then you can get rid of the offending light bulb; but what if it’s a front door lock or central heating system that is embedded in the fabric of your house? And what if you’re dealing with the ultimate insider threat – an abusive partner or cohabitee?

In this session I will explore how the security requirements of these systems (in their widest sense) could be specified to take into account this growing area of concern and look forward to contributions from the session participants.

09:30 1B: Have you been Troy'ed? Speaker(s): Martin De Vries

Martin De Vries

Information Security Officer, Rabobank (Netherlands)

Martin is an experienced Information Security Professional with a background in Project Management and Service Management. In recent years his focus has been on innovation, both security innovation and secure innovation. In this role he scouts for security innovations, trends and technologies, and provides security advice to startups and scale-ups, helping them to properly address their cyber security risks.

How to securely make use of and contribute to Open Source Software

Do you know how much Open Source Software (OSS) is used within your organization and under which license type? And when you’re using OSS are you contributing to it as well?

In this presentation I would like to share with the COSAC audience the do’s and don’ts regarding the use of and contribution to OSS, and how to prevent a ‘Troy-like story’ for your organization. I will address some publicly known examples of OSS usage and contribution gone bad, and I will indicate what measures are needed to securely use and contribute to OSS. It will provide an interesting insight for the experienced COSAC audience.

10:30 - 10:50 Morning Coffee

10:50 2S: Securing National Critical Energy Infrastructure at the Cost of.... Speaker(s): Rik van Hees, Marc Hullegie

Rik van Hees

Security Officer, Alliander (Netherlands)

Rik has been working in an ICS / SCADA environment for 10 years as an engineer, security architect and currently as a security officer for grid operator Alliander. He has strong knowledge of designing and securing ICS systems, segmenting OT environments and the risk management challenges of a grid operator. He holds a BSc in Electrical Engineering with a specialization in electronics and ‘learned on the job’ security experience. In his spare time he likes to play guitar & hike with his dogs.

Marc Hullegie

CEO, Vest Information Security (Netherlands)

Marc is founder and CEO of Vest Information Security (est. 2002). He holds a BSc in both electrical engineering (Datacom) and Higher Management, along with a handful of security certificates. Marc is known as a ‘people’ man, building bridges in complex, political situations. He has applied his skills in a variety of roles: CISO, Security Architect, Risk Analyst, Subject Matter Expert, Teacher, Coach, Presenter. Social media followers think he’s an outdoor chef, radio station owner, music producer or biker.

A ‘project’ with a duration of 5 years. It started by ‘abusing’ SABSA. Cowboys and Priests collapsing; the Indians were doing something else. Designing, developing, building and migrating an infrastructure Agile (huh?). Burning hours, burning people, burning hearts. Hatred, friendship and everything in the middle…. Rik van Hees and Marc Hullegie experienced it all, since they have been in the middle of it all. Men on a mission.

In this session, call it a case study, we would like to share our experiences from various viewpoints with the COSAC audience, discuss the good, the bad and the ugly, and get their feedback.

This session is about how the Dutch energy (electricity, gas, public lighting) grid operator Alliander, responsible for 2/3 of the Netherlands’ energy grid, moved from a vulnerable infrastructure and fragile support organization to a very secure infrastructure and an improved support organization. Ready for the future: an intelligent smart energy grid. Signed, sealed, delivered!

This session (Chatham House Rule) shows technical aspects, but focuses even more on the human aspects of transforming an organization that was meanwhile transforming itself.

10:50 2A: The Triple Helix of Cyber Defence Speaker(s): Louise Gallagher, Annie Hennelly

Louise Gallagher

Cyber Security Analysis & Response, Hewlett Packard Enterprise (Ireland)

Louise is a Risk & Compliance Analyst focusing on the transformation of a Vulnerability Management Program & remediation initiatives. She comes from a strong business background, having spent years in different retail sectors. After completing a Master’s in Information Systems Management, Louise became an IT Support Analyst and subsequently started her Cyber Security career in Incident Response, in a 24x7 SOC environment responsible for incident prevention, analysis and recovery.

Annie Hennelly

Program Manager, HPE Cyber Strategy Office (Ireland)

Annie is a Program Manager focused on the ongoing implementation of a best-in-class Cyber Fusion Centre to ensure HPE can proactively handle current and future cyber threats. Annie has a strong IT background, holding senior Program/Project and Account Delivery Management positions in a multinational environment throughout her career. Annie has received 2 HP CIO awards for Excellence & was shortlisted for the ITAG (Information Technology Association of Galway) Digital Woman of the Year Award 2017.

The Triple Helix of Cyber Defense is a new concept that explores the importance of diversity, innovation and education in the field of cybersecurity. Its use as a framework is to advocate the relationship between these key intertwining elements, in order to promote a stronger cybersecurity posture. Each strand relies on and interacts with the others to ensure the growth and evolution of an organization’s cyber defense.

Diversity is imperative for any successful organization - in order to have the brightest and best minds, they must think, act and react differently. In a field as fluid as cybersecurity, innovation is vital. To excel at innovation, a business must look outside the ordinary and encourage diversity. Education is paramount in order to provide the best defense an enterprise needs. As is typical in a triple helix, each of these helices takes up a different amount of space, as its importance relates to the situation it is presented with.

The scope of this paper is to examine the role of each helix and the implication it has on an organization. A review is presented in the context of a case study undertaken in the growth of a Fortune 500 Cyber Security Center.

10:50 2B: A History of Locks from 3000BC to the Present Day Speaker(s): Bob Callard

Bob Callard

Security Consultant, Foreign & Commonwealth Office (Retired) (UK)

Bob is an independent security consultant who advises high-risk, high-profile clients with informed and insightful opinion. He trained and qualified as a locksmith within the Foreign and Commonwealth Office (FCO) and subsequently managed teams of technical and IT professionals. His roles have included lead risk advisor and head of a technical security programme. He was directly involved with UK technical security policy decision making.

Cyber security professionals (and cryptographers in particular for some reason) seem to enjoy studying locks. If you *really* want to know about them you should ask a true professional – this session is your opportunity to do just that.

12:00 3S: SABSA in Mission-Critical System Engineering Projects Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex is a Senior Security Architect within Thales Australia’s Cyber Security team with 20+ years' experience in Information & Communication Technology in the defence (national security), critical infrastructure and financial services sectors. Alex's role is to provide specialist security advice, design decisions and engineering review to enable projects and Thales' customers to devise, develop, acquire and maintain reliable, secure, accreditable and economically viable technology solutions.

The discussion of architecture frameworks and mission-critical systems often misses the ‘elephant in the room’, since it excludes the use of system engineering practices to deliver large complex solutions. This is counter-intuitive, since architecture frameworks were originally conceived to deal with complexities in the delivery of systems and outcomes, and were often derived from system engineering principles.

Although the SABSA training content does highlight the system engineering pedigree of the SABSA framework and methodology, many SABSA trainees and practitioners are unfamiliar with the formal practice of system engineering. This often results in a great deal of misunderstanding when architects from an enterprise ICT background join an engineering organisation.

As a SABSA practitioner working in a System Engineering organisation and on large scale mission critical systems, I have developed a depth of experience and insights into the application of SABSA architectural practices and methods within the framework of system engineering and the challenges of integrating into a system engineering organisation. Often these challenges highlighted that non-technical considerations were just as important (if not more important) than purely technical considerations.

The presentation will familiarise SABSA practitioners with the practice of system engineering and its application to mission critical systems. It will provide guidance in applying SABSA methods in a system engineering context. This presentation is an example of how to apply SABSA security architecture practices even though the engineering / technical organisation has not ‘mandated’ the use of the SABSA framework.

12:00 3A: The People Process Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently manages an international team of security analysts for FedEx - TNT Express. Prior to FedEx, Karel fulfilled positions as Head of Information Security, Information Security Officer, Security Architect and Operational Risk Manager within financial services companies.

For those of us working in InfoSec as individual contributors, the cyber security skills shortage is a blessing. Unemployment is at 0%, and therefore most of us have secured a position we enjoy with suitable benefits. However, those of us managing a department or function are well acquainted with the constant struggle of recruiting, developing and retaining staff.

People management is essential for any security capability that requires more than just a few FTEs. Without motivated people, willing to work for you and your company, the job will not get done.

Like most of you, I am first and foremost a security professional. But these days I am undeniably a people manager as well! So as a very professional information security people manager ;-) ....

  • How do you build an environment that enables you to keep your team, is nice to work in, and delivers the results needed?
  • How do you retain your current staff?
  • How do you recruit new staff, especially those with scarce skills?
  • Can you train instead of buy?
  • How do you get a recruit to choose your company over the competition?

Over the past years, I spent many hours recruiting, building, training and managing various InfoSec teams. In this interactive session I will share my views and experience on team building, workforce management and recruitment with you. In return I will ask you to share your views, triumphs and challenges, so collectively we can get ahead in the people game.

12:00 3B: Security - Only Developers can make it Proactive Speaker(s): Beata Szturemska

Beata Szturemska

Java Developer, Spartez (Poland)

A Java developer at Spartez, she is not devoted to any particular technology, which gives her an opportunity to make mistakes and learn something new every day. Fluent in C++ and Java, Python's pal, queen of Jenkins pipelines. She is strongly involved in promoting science to children and youth. She loves cycling in her free time.

Whether we use high-level languages like Java, Python or C#, or we dive into the world of C/C++, the dependency lists of our projects contain more and more external frameworks and libraries. This makes life easier and helps us to focus on delivering business value. But do you know which vulnerabilities are known for the version you use? Are you sure you know all the tips and tricks for using the framework correctly? Is it wise to let the security of our products rest on the security of these frameworks and the way we use them?

Join me during an exciting LIVE DEMO. Get to know how to weaponize known Spring Boot Data Rest library vulnerability. See how to use Remote Code Execution to actually fully compromise the server hosting an application.

Using the vulnerability in an actual attack helps us to understand the underlying mechanism and to find out whether it is applicable to our software. It also allows us to find the detection patterns for attempts to exploit it on our infrastructure. And besides all of that, it is fun to hack the servers! It also shows that we can do much better than just blindly upgrading components. There are examples of vulnerabilities which are fixed not with a single patch but rather through a series of upgrades leading to more secure solutions, so it is important to stop for a while and think about the other attack paths and consequences that can be faced. The reactive approach of simply keeping up with the latest version leaves us in a position where we are always exposed to the new vulnerabilities that are about to be discovered.

13:00 - 14:00 Lunch

14:00 4S: 100% Hotter: Getting Your SABSA Noticed for All the Right Reasons Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

Specialist Master, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

“My architecture is even bigger”, said the security architect. “I needed 7 A3 posters to print it and I’ve used font size 4. Also, we have over 3000 controls in our library.”

As security architects, we tend to get caught up in our artefacts. The bigger the diagram, the better. The smaller the font, the more interesting it must be. And this is fair, as much of our work involves structuring and visualizing great quantities of information. Through professional deformation we no longer notice abhorrent color schemes, misaligned attribute boxes and heaps of lines that cross over other heaps of lines. “It is the content that really matters.” “It is not my job to make it look pretty.” But as our stakeholders squint their eyes trying to make sense of what we’ve worked on for the past two years, they wonder how to share any of this with their bosses…

This session combines the discipline of visual design with practical examples in various tools (e.g. Archi, PowerPoint, Excel, Visio, InDesign) to demonstrate how to re-work your big spaghetti-monster diagrams into presentable and appealing security architecture artefacts. In the first part of the session we will discuss design theories, their practical implications and their value to the security architecture community. The audience will be asked to reflect on the design strategies they have used in the past and whether the suggested design strategies add to their array.

The second part of the session is structured to be entertaining and educative, demonstrating the transformative power of design on ugly or incomprehensible architecture artefacts and showing how simple edits to design elements change the artefacts for the better. At the end of the session attendees will be invited to share some of their architecture artefacts in a challenge to the speaker, who will aim to improve on the submissions and do a ‘before-after’ rump session with a selection of the submissions at the end of the conference. The audience is expected to walk away with concrete pointers for how to structure information in a visually appealing and intelligible way for non-architect stakeholders and get their SABSA noticed for all the right reasons by their organizations.

The speaker is required to deliver appealing visuals and comprehensive documentation as a professional and has been trained in theories and tools to structure information for senior stakeholders. Previous education in branding and marketing has strengthened the speaker’s insight into how to communicate effectively and hit the right notes with target audiences – be it organizational stakeholders or the COSAC audience. Seeing how visual design might not be a skill that comes naturally to all and is not part of security architecture training, the speaker hopes to add real value by sharing this knowledge in a fun and engaging manner.

14:00 4A: Artificial Intelligence in Cybersecurity - Keep the Dream but Work with Reality Speaker(s): Miroslav Kis

Miroslav Kis

Director - Strategic Initiatives, TMX Group (Canada)

Dr Kis provides strategic guidance related to cybersecurity characteristics and readiness for experimental and operational use of FinTech innovative technologies including blockchain, crypto-currencies, cognitive and quantum computing, machine learning, big data, and cloud technologies. He has been providing consulting services to major Canadian, US, and UK financial institutions. Author and coauthor of more than thirty papers and presentations at national and international conferences.

Artificial intelligence capabilities have lately been advertised as important features and selling points of almost every technology and security system. Opportunities for the use of AI appear to be limitless. In cybersecurity, the claims range from the promise that automated protection will make the job of security professionals easier up to the extreme that intelligent systems can entirely replace humans. But what can we expect from AI?

A realistic answer to this question is especially important in the context of cybersecurity. Overestimating the capabilities of AI would give us a false sense of security. Underestimating it, on the other hand, could leave us with inefficient cybersecurity protection. In either case our systems could be vulnerable to attacks by those who have a deeper understanding of the value of AI techniques and tools.

In this session we will analyze some key artificial intelligence techniques such as unsupervised, supervised, reinforcement, and deep learning, as well as rule-based systems. The goal is to clarify both the benefits and limitations of their use for cybersecurity protection. The second objective is to discuss how these complex, sometimes intimidating, concepts can be effectively communicated to the business so that they can make adequate investment decisions in cybersecurity.

14:00 4B: Who's Yanking My Chain? Vulnerabilities in the Software Supply Chain Speaker(s): Mike Broome

Mike Broome

Senior Software Engineer, Tanium (USA)

Mike is a Senior Software Engineer at Tanium, developing large-scale enterprise security and operations software. He spent two decades in networking and low-level embedded software, including writing code for the fastest-ramping mid-range router at Cisco. After a stint in embedded industrial control systems, he has spent the past 3 years working on a threat response solution that enables real-time monitoring of data at rest for indicators of compromise across an entire enterprise.

Modern applications rely on a panoply of frameworks and free software. As a developer, it's so easy to find some third-party software online that saves you some time, add it to your project, and have it automatically incorporated into your application. Given the crowded market of companies and software applications, it's imperative for anyone trying to enter the market or stay relevant to keep up with ever-changing software trends. The only way to do that efficiently is to build on the work of others and leverage available software components.

This talk was born from real-life experiences I've run into as an enterprise security software developer, combined with a few great hallway conversations at COSAC 2018. Together, we will continue these conversations, explore some high-profile and successful hacks of the software supply chain, and try to answer the following questions: What attacks is the software supply chain vulnerable to? What risks do you and your company take on as a result? What mitigations exist or are possible for those risks – both from a developer standpoint and from an enterprise security standpoint?

15:10 5S: Security Transformation using SABSA Speaker(s): Anton Tkachov

Anton Tkachov

Chief Security Architect, FinServ, PwC (UK)

I lead the Cloud Security proposition nationally and am growing a team of 'hands-on' security architects that can assist our clients with everything from an assessment & definition of cloud security strategy to technical architecture advisory & system integration work. The primary objective of my role is to leverage a vast network of bleeding-edge technology start-ups and vendors to help our clients in finding and deploying new, more effective and efficient ways to manage cyber risk.

9/10 of SABSA architects are working for a global organisation. Chances are - they have been hired by a group to make things better and, as we all know, it rarely goes according to plan...

The group has the best intentions, but when its power and influence are limited, local perspectives and priorities often "torpedo" the best-laid plans.

I’d like to present a real case study of solving a complex, highly political problem using SABSA techniques. I will take the audience through what, at first, seemed to be a technical problem around selecting the right vendor for global security operations - something that many organizations are currently working on - and demonstrate how I've used business attribute profiling to get to the root cause of the disagreement at a business level and flesh out the barriers to working together.

I'll then follow up by explaining how I adapted the defined model to create, argue for and defend a solution that transcends politics and achieves the primary objective of reducing the risk to the global federated business.

The value of my presentation is in sharing the experience of applying SABSA to a problem and using its methods to facilitate conversation amongst C-level executives. I'll leave the last 5-7 minutes of the presentation to facilitate a debate amongst the attendees, looking for feedback on my approach.

15:10 5A: Rise of the Weird Machines Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security.

One of the key assumptions in programming is that computers execute code that performs the function intended by the programmer. However, as programs become more complex, so do their inputs - resulting in situations where specially crafted data can trigger unexpected computations in targets ranging from executables to OS elements to embedded hardware. These "weird machines" give rise to exploits in targets ranging from ELF metadata to x86 page handling to embedded font handlers… We'll discuss how weird machines are born, take a tour of Sergey Bratus' weird machine zoo, and talk about some of the frameworks and tools being developed to counter the rise of the weird machines.

15:10 5B: Architecting Design for Trustworthy Software (DfTS) Speaker(s): Malcolm Shore

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The SABSA methodology provides a framework for security design but as with other standards does not specify any specific process to use. This presentation looks at the Design for Trustworthy Software (DfTS) approach to product design, and aligns it to the SABSA Framework. DfTS incorporates the best practices and features from a number of earlier development methodologies to ensure customer-driven design, and provides a context for deploying software quality management schemes. We will conclude with some insights into translating secure design into secure code by using the relevant elements from the Correctness by Construction methodology.

16:10 - 16:30 Afternoon Tea

16:30 6S: Engineering, Architecture & Security - How SABSA Draws Together Three Disciplines Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Executive Consultant, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs.

The roles of engineers, architects and security professionals have evolved over time as very different and task-specific professions. We often see these separate entities in a competitive light – an architect may be trying to design and deliver a particular artistic outcome; the engineer may be trying to deliver a functional product, machine or system; and the security professional may be trying to lock down and protect a system.

In focusing on their specific goals, each discipline can lose sight of the bigger picture which should be about delivering successful outcomes for the client.

Each discipline may take a different approach, look at the task from a different perspective, use different tools, engage differently and focus on different priorities but, in reality, there is no single right approach to delivering outcomes as each engagement and assignment is unique.

Each engagement and assignment needs the right, unique, approach for that engagement.

As an engineer I think I take a pragmatic, results oriented approach, that some would argue is, at times, inflexible and black and white. Engineers tend to be problem solvers, have strong technical skills and a need to work things out. They are different to architects who tend to be creative, passionate, and easier going. And different again to security professionals who are often very technical, have a deep understanding of the system vulnerabilities and weaknesses, understand where the threats are coming from but who have, historically, taken a somewhat rule driven approach.

SABSA draws strength from each of these disciplines and provides a framework that blends these strengths in a pragmatic, results-oriented way.

This presentation looks at a number of engineering and security projects I have been involved with over my career and the engineering tools used to approach those problems and retrospectively applies some of the SABSA logic to that approach to understand how we could have achieved a better outcome. In doing so, this presentation will discuss a number of standard approaches we take to engineering and security problems and how these can be improved through an understanding of the SABSA approach.

16:30 6A: The Reality of Data Gravity Speaker(s): Siân John MBE, Diana Kelley

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is Chief Security Advisor for EMEA in the Cybersecurity Solutions Group at Microsoft. Siân leads the EMEA security advisors who work with Microsoft’s customers to help them develop their cyber security strategy and security best practices, and to understand how Microsoft’s technology and services can help support digital transformation and cloud services. Siân was awarded an MBE in the Queen’s New Year Honours List for 2018 for services to Cybersecurity.

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

The vast amount of data we must monitor increases every day, and there's no end in sight. At the same time, machine learning, automation and orchestration are creating a drive towards larger and larger pools of security data. Bringing all this data together into one big centralized pool has significant resource costs as we face the reality of data gravity: aggregating vast amounts of data is too costly in terms of latency and throughput to be practical. Some big data applications have managed this challenge by moving the application to the data. It is time for security to follow suit – the traditional architectural approach of aggregating all security and log information into one place simply will not scale for the future.

This session will discuss current work in progress on data architectures for security information. We’ll address questions like: What data must be aggregated for analytics? When can data be left in situ or kept separate but queried for context or insight during an investigation? We’ll discuss the concepts of hot, warm and cold data stores and how a data architecture can be put in place to support a global monitoring infrastructure across on premise and hybrid cloud environments.

16:30 6B: Agile Security at Scale Speaker(s): Martin Hopkins, Jaco Jacobs

Martin Hopkins

Vice President, Aon (UK)

Martin is a Vice President at Aon's Cyber Solutions Group. He has over 25 years' experience in technology, primarily in security-related fields. In between delivering consultancy he leads security research and solutions innovation, with a current focus on security architecture and advisory. He is a strong advocate of business-driven security, security architecture and secure software development practices.

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Solution development is increasingly adopting Agile and DevOps practices. What does this really mean for security, especially architecturally, and how can we deliver security in these projects at scale? Embedding security team members across the organization does not scale well, and it is near impossible to have a centralized security team that supports 50+ feature teams across a single program without impeding the agile processes.

How can we determine what activities we need in the development and CI/CD pipeline to avoid and prevent vulnerabilities from reaching production and, at the same time, minimize the cost and disruption of remedial work? Are our systems designed to support and enable incident response and digital forensics, and crucial business operations recovery after an incident? Are we providing sufficient, tangible, risk appropriate security guidance and input in an agile enough way to be valuable?

Bring your real-world experiences and join us to evaluate, and maybe debunk, best practice and discuss what has worked, what has not, and why.

Plenary Session

17:45 7P: Brace for Impact: A Structured Approach to Data Protection Impact Assessments Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I have been an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Data Protection Impact Assessments (DPIAs) can be used to identify and mitigate data protection related risks (arising from a project, process or system) which may affect an organisation or the individuals it engages with. DPIAs are important tools for demonstrating compliance with the GDPR, and as such DPIAs should be undertaken following a structured and consistent approach. Understanding when to undertake, and more importantly when not to undertake, a DPIA is very important for anyone providing data protection advice to clients, anyone fulfilling the Data Protection Officer role (as mandated in certain circumstances by the GDPR) or anyone working in Information Risk or Compliance. DPIAs are mandatory under GDPR for any new high-risk processing projects. ‘High risk’ is, however, a rather vague concept that may be open to interpretation, and consequently EU guidelines have been published detailing processing that is likely to be classified as ‘high risk’. DPIAs are also not mandatory where the processing is unlikely to result in a high risk to the rights and freedoms of natural persons, where the nature, scope, context and purposes of the processing are similar to processing for which DPIAs have already been carried out, or where a processing operation has a legal basis which states that an initial DPIA does not have to be carried out.

However, since the adoption of GDPR in 2018, many countries have amended Clinical and Health Research regulation to reflect GDPR, and in some cases these revisions make DPIAs mandatory for all such research projects involving the processing of personal data, regardless of the assessment of risk to the data subject (e.g. The Irish Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314/2018)). Essentially this means that certain clinical research institutions, hospital research units and academic research centres now need to undertake a DPIA for every research project processing personal data, regardless of the ‘high risk’ criteria. Combined with the DPIA requirements mandated by GDPR, this has resulted in a growing need for competency in understanding and undertaking effective DPIAs; however, on a weekly basis I encounter badly designed DPIAs, inconsistent risk evaluation and a complete lack of understanding of ‘high risk’.

In response to this growing need, I developed a structured DPIA approach presented in this session that can be applied in multiple contexts, in both public sector and private sector organizations.

Key learning outcomes from this presentation are:

  • Understanding what a DPIA is
  • Becoming familiar with a structured approach to performing a DPIA
  • Knowing how to determine if and when a DPIA should or should not be conducted
  • Knowing whether a DPIA is mandatory for processing operations that existed before May 2018
  • Awareness of who should be involved in conducting a DPIA
  • What to do if a DPIA does not identify mitigating safeguards for residual high risks

Networking & Dinner

19:30 Craft Beer Drinks Reception - Sponsored by Killashee Hotel
20:00 onwards 26th COSAC Gala Dinner & Networking - Sponsored by SABSAcourses