
Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value celebrating 30 years of COSAC Security Conference.

For 30 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. The #COSAC2023 Call for Papers is now open!

Tuesday 4th October 2022

09:00 - 09:30 Registration & Coffee

09:30 1A: Top 10 Privacy Challenges of the Hybrid Workplace Model Speaker(s): Valerie Lyons

Valerie Lyons

COO, BH Consulting (Ireland)

Recently included as one of Europe's top 100 women in cybersecurity, Dr. Valerie Lyons is a highly experienced senior cybersecurity and privacy professional. Currently COO of BH Consulting (a data protection and cybersecurity firm based in Ireland), Valerie is also a subject matter expert in European data protection and privacy. She recently completed an award-winning PhD, researching organisational approaches to Information Privacy. She lectures on the topic of cybersecurity, privacy and ethics...

Pre-pandemic, the common model of work was primarily the on-site working model, where the remote working model was less common. During the pandemic, however, many organisations pivoted to embrace the remote working model in response to strict lockdowns and mandated office closures. As we emerge from the pandemic, organisations are now operating variations of work models, ranging from fully onsite to fully remote. However, many organisations now offer a combination of the two, where employees can work part of the time remote/part of the time on site, or where some employees can work onsite full-time while others work remotely full-time. This new model is referred to as the Hybrid Workplace Model (HWM). Instead of structuring work around desks in a physical office space, the HWM introduces a set of privacy challenges associated with data protection, consumer protection, child protection, employee health and safety, and many other pieces of legislation.

This session will share 10 key privacy challenges that this post-pandemic HWM introduces - such as the challenges associated with employee surveillance, health and safety, awareness training, auditing remote workspaces and auditing remote privacy practices.

Key Learning Outcomes:

  • An understanding of the key privacy challenges associated with the HWM
  • An overview of the possible ways to address those challenges
  • An understanding of how to build privacy into the culture of the hybrid workforce
09:30 1B: How Security Architecture Completely Changes the Game of 3rd-Party Risk Management Speaker(s): Andrew S. Townley

Andrew S. Townley

Chief Executive, Archistry (South Africa)

Andrew S. Townley helps information and cyber security leaders build more effective security programs by applying 25 years of hard-won lessons across a diverse career from starting as a Software Engineer to building Archistry from the ground-up starting in 2006. Andrew is an international speaker, published author and thought leader on Information Security, Security Architecture, SABSA, Risk Management, Enterprise Architecture, SOA and Technology Strategy, and he has extensive practical,...

The prominent security breach headlines recently - from SolarWinds to Log4j - have certainly brought a more intense awareness of 3rd Party Risk Management (TPRM) to just about everybody. However, despite a whole lot more attention, eyeballs and even money thrown at rapidly rolling out vendor solutions, it hasn’t really done much to find practical answers to the problem. In fact, according to a recent Ponemon survey of 600 IT professionals:

  • Over 60% of them say the processes they use for conducting 3rd-party risk assessments aren’t effective;
  • Over 50% of them say the assessments don’t really reflect their actual security posture; and
  • Less than 8% of the assessments performed – with an average cost of $1.9 million per year – result in any kind of remedial action being taken.

Not only do these statistics paint a pretty bleak picture of the current “state of the art”, many of the vendor solutions supposedly addressing this problem are simply reducing the time and effort to perform the assessments. In fact, they're basically automating the same, traditional, ineffective approach.

In practice, the true state of TPRM in most organizations is a mess. And it’s a mess not because of the 3rd-parties themselves. It’s a mess because many organizations don’t treat TPRM as an integrated part of their overall cybersecurity program. Unfortunately, a lot of these issues aren’t really apparent until the organization is knee-deep in some kind of security problem-solving exercise, proving once again that security was involved far too late in the process.

In this session, I’m going to use the case study of a fairly common security problem to back into the limitations of the standard approach to TPRM used by many organizations. I’m then going to show how you can get out in front of the problem once and for all if you have the grit and determination required to fight a few organizational political battles and make sure that security is considered from an enterprise perspective for every business project.

Once we’ve exposed the common issues preventing effective integration of TPRM into security, and we’ve identified an architectural approach that can solve the problem, I’m then going to dive deeper into how supplier and 3rd-party risk management really works. Once there, you’ll discover why the way we often try to solve the problem will never really get the results our organizations need. When the full scope of the problem has been unearthed, I’ll present a better, architecture-driven approach to identify and manage your organization’s 3rd-party and supplier risk exposure.

09:30 1S: Applying SABSA to Digital Twins and Cyber-Physical Infrastructure Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the CISSP. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).

Concepts such as digital twins and cyber-physical infrastructure (CPI) are receiving increasing attention, with promotional coverage in technology-focussed media, accompanied by consultations and investment by governments. There is significant hype around these concepts with little discussion of what they represent in terms of functionality and any associated security risks. For example, the proposed interaction between physical entities and their digital twins presents significant security and safety challenges, with potential conflicts between the measures typically deployed by safety and security professionals.

This session will explore the functional components and conceptual architecture typically required to create a realistic digital representation of a physical entity. It will highlight how differing security and assurance practices may affect the integration of a physical entity with its digital twin, and their subsequent operation. Then, building on the functional and conceptual models, it will explore how SABSA may be used to engineer a safe and secure approach to the digitalisation of the physical world. This session may cause you to think differently about security risks associated with cyber-physical systems. It will provide a better understanding of the potential for unforeseen outcomes arising from adoption and integration of sometimes-immature digital technologies in our physical world.

10:30 - 10:50 Morning Coffee

10:50 2A: Breaching The Security Behaviour Ceiling Speaker(s): Martin Hopkins

Martin Hopkins

Consultant, Attributive Security (UK)

Martin is an independent information security consultant with a current focus on security advisory to small businesses in the UK. He has over 25 years’ experience in technology, primarily in security related fields. A regular speaker on cyber security topics, he is a strong advocate of business driven security, security architecture and secure software development practices.

Despite huge investments cyber security continues to hit the headlines for all the wrong reasons. Report after report claims that human fallibility contributes to most security incidents. Vendors tell you that your people are the weakest link, and then try to sell you some technology to fix the problem. Technology will not save you. People are not the weakest link; they’re involved in just about every link somehow.

“Ok,” you say, “we get it. We’ve got a mature security awareness programme, we’ve abandoned dull CBT, our training is engaging and gamified.” But you’ve reached a plateau with progress slowing to a crawl or stopping entirely. Whatever you do to increase knowledge and understanding, behaviour change stubbornly fails to materialise. Those strange people that don’t align to our expectations, that don’t behave correctly; they’re not irrational or uneducated, they just have different perspectives, and we’re working against them not with them.

In this session we’ll discuss security culture: what it is, how to find the one you already have, how to approach measuring it, the wider culture factors that influence it, and explore the gap between knowledge and behavioural norms.

10:50 2B: When Third Parties Come First: A Case Study on Russia/Ukraine and the Importance of Holistic Third-party Management Speaker(s): Timothy Sewell, Todd Wilkinson

Timothy Sewell

CIO / CISO, Reveal Risk (USA)

Tim is a lifelong technology and security enthusiast with broad experience in multiple industries. He spent over a decade at Lockheed Martin designing and deploying solutions to some of the hardest cybersecurity problems in the national security space: Cryptography, weapon systems, aircraft, satellites, critical networks, APTs, hardware security, supply chain and third-party security, anti-tamper and industrial control systems using a blend of best-of-breed from the commercial space, coupled...

Todd Wilkinson

Chief Information Security Architect, Elanco Animal Health (USA)

Todd Wilkinson has been in the technology industry for 23 years and most recently is serving as the Chief Information Security Architect for Elanco Animal Health, building their new security program as part of a divestiture and IPO. He has advised on, and was accountable for, the technology direction and product development of solutions that Elanco offers to its animal health customers, and has developed innovations in disease detection, wearables, implantables and mobile imaging capabilities with Elanco.

This two-part presentation explores some unexpected impacts from the Russia / Ukraine conflict on global operations, where vendors move quickly to protect their own assets first, and the importance of including third-party risk management in organizational security architecture.

  • When your vendor makes decisions that impact you and informs you later.
  • The importance of actively managing your third parties
  • Why real backup plans matter – you can’t rely on “IT will fix it”
  • How to build a third-party management program that actually manages your third-party risk

Highlights will include a global manufacturing company with offices in Russia, Ukraine, and eastern Europe, a small manufacturer that is dependent on Russian suppliers, a biotech company with a heavy Russian developer population, and other real world examples.

10:50 2S: The Chicken and Egg Problem or How to Implement Enterprise Security Architecture Without Architects Speaker(s): Dr. Silvia Knittl

Dr. Silvia Knittl

Director Cyber & Privacy, PwC (Germany)

Dr. Silvia Knittl is focused on Enterprise Security Architecture and supporting public and business clients in enabling their cyber capabilities. She manages security transformation projects and has led many cyber engagements helping organizations to improve on governance, processes, or tooling in domains such as IAM, SIEM/SOC or network. She is Director at PwC Germany in the Cyber & Privacy practice and has over 15 years of experience working in Cyber.

Companies often ask us to improve their cyber security. Even more frequently, many of the organizations cannot answer the question of where they stand with their security today. Many of the organizations have grown in the past without architectural support and have not yet established an enterprise architect or security architects. Quite often, cyber is organized somewhere in the IT department and the various security domains with their experts and their respective tooling needs are very often located in distinct silos.

In this session I will report on how to introduce an enterprise security architecture (ESA) capability without all the relevant prerequisites, such as an architect position, already being in place in the company.

Our framework of cyber capabilities, which comprises domains, subdomains, and their capabilities, serves as the foundation. It encompasses domains such as Incident Recognition and Response and Security Orchestration, as well as the ESA domain. This framework is used to construct specific scenario reports swiftly and efficiently. These reports feature traditional maturity level representations, which help the organization to make well-informed decisions on the appropriate further development of their ESA capabilities.

For the situational pictures, we methodically use classic architecture visualization patterns. Here I demonstrate what value classical EA tools add to the development of the ESA capability.

The session is interactive, and all the participants are invited to share their experiences concerning this topic.

12:00 3A: Artificial (un)Intelligence: Risks and Opportunities of AI Speaker(s): Ashling Lupiani

Ashling Lupiani

Cognitive Solutions Developer, Cancer Treatment Centers of America (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...

This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function.

This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use.

The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics.

The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.

12:00 3B: Managing the Software Supply Chain: Are we Kidding Ourselves? Speaker(s): Todd Fitzgerald

Todd Fitzgerald

Vice President, Cybersecurity Strategy, Cybersecurity Collaborative (USA)

Todd Fitzgerald promotes cybersecurity leadership collaboration and serves as VP, Cybersecurity Strategy and Chairman of the Cybersecurity Collaborative Executive Committee. Todd authored 4 books including #1 Best Selling and 2020 CANON Cybersecurity Hall of Fame Winner CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers (2019) and ground-breaking CISO Leadership: Essential Principles for Success. Todd also hosts the popular SecurityWeekly CISO STORIES...

The past 2 years have seen several high-profile examples of where information technology products we have purchased have exposed our systems to bad actors. How do we get ahead of this? Is this even possible? We may hire SABSA Architects within our organizations, only to discover that the smaller (and larger!) companies have not exercised the same level of due diligence. This session consists of positing some ideas for getting ahead of these supply chain issues and discussing where they may be useful and their flaws in actual practice. Our environments are no longer inside our walls, or our systems in the cloud, but rather need to include those systems and processes we generally have regarded as external in the past.

The session will be interactive, visual, and use audio/video, props and interactive discussion to discuss an issue that is top of mind for many in 2022. This is a complex issue that will leverage the experienced minds of COSAC.

12:00 3S: It Takes More Than SABSA: Building A Greenfield ESA Practice Speaker(s): Richard Morgan

Richard Morgan

Chief Architect, Verizon Communications (USA)

Richard Morgan is the director of Enterprise Security Architecture and Chief Architect at Verizon Communications, a US-based telecommunications firm. Mr. Morgan was previously the Sr. Director of Strategy & Execution at the Verizon Media Group, and spent about 14 years in varying roles at AOL before that. He has a background that includes work in the Open Source and Linux communities back to the 1990s and feels the same sort of positive energy and camaraderie in the COSAC community.

In the COSAC world, we talk a lot about the SABSA framework and how useful and flexible it is. While that is true, there’s an entire set of other concepts, structures, and practices that are required to build a functioning Enterprise Security Architecture practice.

In early 2021, Richard Morgan had the opportunity (and funding) to build, from the proverbial ground floor, an ESA practice for a Fortune 20 company.

This session will cover the conceptual basis and metamodels that underlie the practice and the practical aspects of operationalizing the capabilities, functions, and principles to create something new and innovative. The work included lots of training, many, many presentations, and the inevitable challenges and lessons learned in showing the value of security architecture work. And for the COSAC audience, we offer credit and thanks for the concepts and experience gleaned from the community since 2018.

13:00 - 14:00 Lunch

14:00 4A: Are You Talking to Me? Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages a team of security analysts with a global remit at FedEx, owning, implementing and executing various GRC processes. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

As cyber security professionals, we see lots of issues all the time, but we have only limited time and resources to address them. By reporting we get exposure to executive leadership and therefore an opportunity to ask for resources, support, and prioritization. However, reporting is often limited to just a few slides a month. Furthermore, we can’t over-ask, we can’t cry wolf too often and we can’t bring them problems management cannot solve.

Then what can we ask? How can we get executive leadership to support our plans, while all we have is 5 minutes and a few slides in the limelight each quarter?

Those slides can be much more than just a table with the colours red, amber, and green. If you know your audience, you can make the presentation work for you, ensuring your message is delivered loud and clear.

In this talk, I dissect several strategies I use to push my agenda for support and buy in towards senior leadership. I’ll share what works for me and what doesn’t. I encourage participation of the attendees, to share their experiences, successes and failures, this in order to expand our collective knowledge.

14:00 4B: Chaos Monkey Comes to Threat Modeling Speaker(s): Jason Kobes

Jason Kobes

Architect, Research Scientist, Professor, Northrop Grumman (USA)

Jason Kobes works as Tech Fellow Senior Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason also is an adjunct professor for Marymount University teaching Cyber Crime and Digital Terrorism. Jason has over 24 years of experience concentrated in cyber digital transformation, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's...

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.

  • What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?
  • Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?
  • Do our countermeasures create opportunities?
  • Can we truly understand how the adversaries’ objectives may be different from our perspective?
  • How do we adapt to rapid changes in our understanding due to observed or experienced events?

The session will start by exploring what we know and what processes exist to help us unfold this difficult topic. We will then move into a group discussion where we will explore how we can leverage each other’s perspectives and ideas.

14:00 4S: Raiders of the Lost Attributes Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

SABSA measures the impact of risk on attribute performance targets within a domain and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle with the where-abouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute or are we searching for the missing link in this view?

In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition.

15:10 5A: Telling Better Cyber Stories Speaker(s): Siân John MBE, Genevieve Liveley

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

Genevieve Liveley

Professor of Classics, University of Bristol (UK)

Genevieve is Professor of Classics, RISCS Fellow, and Turing Fellow at the University of Bristol. As a narratologist, she has particular research interests in stories and their impact on futures thinking – especially in the context of emerging technologies and cyber security. She leads the Futures strand for the UKRI’s Digital Security by Design (DSbD) programme, and as RISCS Fellow, heads the ‘Anticipation and Futures Literacy’ research theme.

The stories we tell about Cyber security often fail to land with the wider community. It is difficult to share stories that allow cyber risk and security advice to be shared with appropriate nuance and sensitivity. Too often we end up with “scare stories” and “disaster movie tropes and plotlines” that spread “Fear, Uncertainty and Doubt”. This makes it harder to share insights that resonate and have impact on customers. What can we learn from other storytelling and narratology techniques to allow us to build communications that resonate more formally? This probably means shifting from some of the disaster and militaristic terminology to others that relate to public health and the way in which people work. This session will explore some of these issues and propose ways in which we could communicate using traditional storytelling methods to get business leaders to understand the nuanced aspects of cyber risk and resilience.

15:10 5B: Using OSCAL to Manage and Assess Security Controls Across International Standards Speaker(s): Phil Bridgham, Thomas Clevely

Phil Bridgham

Cyber Architect, Northrop Grumman (USA)

Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including: Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.

Thomas Clevely

Product Cyber Security Specialist, Rolls-Royce (UK)

I am a product cyber security specialist at Rolls Royce in the UK with 15 years’ experience working a broad spectrum of cyber security roles, including Supply chain integration and risk management, Enterprise network security, Industrial controls systems security and most recently product cyber security. Product cyber security, or the security of safety/mission critical embedded systems is a fast paced and fascinating challenge. I feel privileged to be part of a global team and global community...

This session introduces NIST’s (National Institute of Standards and Technology) newly released standard called Open Security Control Assessment Language, or OSCAL. In this session we will survey the three layers and nine models that make up the OSCAL standard. This session will present and discuss examples of how OSCAL helps with defining security control catalogs, management of security profiles (or baselines), and definition of security plans. We will also examine how OSCAL can help to specify security assessment plans, capture assessment results, and help produce Plan of Actions & Milestones (POA&M) reports.

This session will provide hands-on insight into how OSCAL is used and helps to integrate standards and provide opportunities for security control management automation. This session wraps-up with Q&A and a thought-provoking discussion about this new standard and the opportunities it presents.
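To make the catalog/profile layering concrete, here is an added worked example (written for this page; it is not NIST's OSCAL tooling or the speakers' material). It builds a small catalog and a profile in the shape of the OSCAL JSON models, resolves the profile against the catalog (include/exclude by control id, set-parameters from the profile's modify section), expands the `{{ insert: param, <id> }}` placeholders OSCAL uses in control prose, and reports any control id the profile references that the catalog does not define, the check you want before a baseline is handed to an assessor. The control ids, UUIDs, href and prose are constructed; the example covers only a subset of the full OSCAL schema.

```python
"""Resolve a simplified OSCAL profile against a catalog (added example)."""
import copy
import re
from typing import Dict, List, Set, Tuple

# Constructed sample catalog in the shape of the OSCAL catalog JSON model
# (catalog -> groups -> controls, with params and parts). Control text is
# made up for illustration and is not NIST catalog content.
CATALOG = {
    "catalog": {
        "uuid": "11111111-1111-4111-8111-111111111111",  # assumed
        "metadata": {"title": "Example Catalog", "version": "1.0",
                     "oscal-version": "1.0.4"},
        "groups": [
            {"id": "ac", "title": "Access Control", "controls": [
                {"id": "ac-1", "title": "Policy and Procedures",
                 "params": [{"id": "ac-1_prm_1", "label": "frequency"}],
                 "parts": [{"id": "ac-1_smt", "name": "statement",
                            "prose": "Review the access control policy "
                                     "{{ insert: param, ac-1_prm_1 }}."}]},
                {"id": "ac-2", "title": "Account Management",
                 "parts": [{"id": "ac-2_smt", "name": "statement",
                            "prose": "Manage system accounts."}]},
            ]},
            {"id": "ia", "title": "Identification and Authentication", "controls": [
                {"id": "ia-2", "title": "Identification and Authentication",
                 "parts": [{"id": "ia-2_smt", "name": "statement",
                            "prose": "Uniquely identify organizational users."}]},
            ]},
        ],
    }
}

# Constructed sample profile (baseline): imports the catalog by href, selects
# controls by id, and sets one parameter value. "ac-9" is deliberately absent
# from the catalog to show the dangling-reference check.
PROFILE = {
    "profile": {
        "uuid": "22222222-2222-4222-8222-222222222222",  # assumed
        "metadata": {"title": "Example Baseline", "version": "1.0",
                     "oscal-version": "1.0.4"},
        "imports": [{"href": "example-catalog.json",  # assumed file name
                     "include-controls": [{"with-ids": ["ac-1", "ia-2", "ac-9"]}]}],
        "modify": {"set-parameters": [{"param-id": "ac-1_prm_1",
                                       "values": ["annually"]}]},
    }
}

# OSCAL prose references parameters as {{ insert: param, <param-id> }}
PARAM_REF = re.compile(r"\{\{\s*insert:\s*param,\s*([\w.-]+)\s*\}\}")


def flatten_controls(node: dict) -> Dict[str, dict]:
    """Index every control under a catalog/group/control node by id.
    Groups nest, and control enhancements nest under their parent control."""
    found: Dict[str, dict] = {}
    for ctl in node.get("controls", []):
        found[ctl["id"]] = ctl
        found.update(flatten_controls(ctl))
    for grp in node.get("groups", []):
        found.update(flatten_controls(grp))
    return found


def selected_ids(imp: dict, available: Dict[str, dict]) -> Set[str]:
    """Apply an import's include-all / include-controls / exclude-controls."""
    if "include-all" in imp:
        ids = set(available)
    else:
        ids = set()
        for sel in imp.get("include-controls", []):
            ids.update(sel.get("with-ids", []))
    for sel in imp.get("exclude-controls", []):
        ids.difference_update(sel.get("with-ids", []))
    return ids


def resolve_profile(profile_doc: dict, catalogs: Dict[str, dict]) -> Tuple[List[dict], List[str]]:
    """Return (resolved controls with parameter values applied, ids the
    profile selects that no imported catalog defines). Catalogs are keyed by
    the href the profile's imports use; the originals are not mutated."""
    prof = profile_doc["profile"]
    set_params = {sp["param-id"]: sp.get("values", [])
                  for sp in prof.get("modify", {}).get("set-parameters", [])}
    resolved: List[dict] = []
    missing: List[str] = []
    for imp in prof["imports"]:
        available = flatten_controls(catalogs[imp["href"]]["catalog"])
        for cid in sorted(selected_ids(imp, available)):
            if cid not in available:
                missing.append(cid)
                continue
            ctl = copy.deepcopy(available[cid])
            for prm in ctl.get("params", []):
                if prm["id"] in set_params:
                    prm["values"] = set_params[prm["id"]]
            resolved.append(ctl)
    return resolved, missing


def render_statement(ctl: dict) -> str:
    """Expand parameter placeholders in the control's statement prose; a set
    value wins, otherwise the parameter label is shown in square brackets."""
    params = {p["id"]: p for p in ctl.get("params", [])}

    def substitute(match: "re.Match[str]") -> str:
        prm = params.get(match.group(1), {})
        values = prm.get("values")
        return ", ".join(values) if values else f"[{prm.get('label', match.group(1))}]"

    statement = next((part["prose"] for part in ctl.get("parts", [])
                      if part.get("name") == "statement"), "")
    return PARAM_REF.sub(substitute, statement)


if __name__ == "__main__":
    controls, unresolved = resolve_profile(PROFILE, {"example-catalog.json": CATALOG})
    for c in controls:
        print(f"{c['id']}: {render_statement(c)}")
    if unresolved:
        print("profile selects controls the catalog does not define:", unresolved)
```

Real profiles also carry a `merge` section and `alters` (adding or removing parts), which this example leaves out; the point is that selection, parameterisation and the sanity check over control ids are all mechanical once both documents are in OSCAL form.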

15:10 5S: Culture Eats Innovation for Breakfast, Disruption for Lunch and Agility for Dinner Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Agile methodology is driving how businesses innovate, develop products and services, and take them to market. Hyper-personalization is the key ingredient in this recipe that is called success. Security is having a hard time, playing a perpetual game of catch-up and perceived as the blocker for doing business by increasing costs and overcomplicating almost everything it touches. It is essential that security, trust and transparency are adopted as CORE business values at the very top of the organization and is deeply embedded into the DNA of the business through an uncompromising cultural shift that will allow all employees throughout the business to make wise decisions about security.

In this talk we will look at the importance of effecting large-scale cultural change to allow our beneficiaries to use the architectural artefacts that we create for them for the benefit of the business and how SABSA can help us achieve this monumental task.

16:10 - 16:30 Afternoon Tea

16:30 6A: The Art of Communicating Bad News Speaker(s): John Ceraolo

John Ceraolo

Head of Information Security, Skilljar, Inc. (USA)

Mr. Ceraolo has been an information security professional for over 25 years in industries ranging from publishing, software, automotive, mobile technology and now healthcare analytics. He has frequently spoken at COSAC and other US-based security conferences. He holds his CISM, CISSP, and CISA as well as his Masters in Information Assurance from Norwich University.

Ransomware attacks, outages, general failure of your products – how much thought is going into your communications to your customers? Is it fully vetted by your legal counsel – and you aren’t making statements that are untrue or incomplete? How critical is timing? This session addresses the need for establishing a communication protocol in advance and walks through some of the good, the bad and ugly from past incidents. Takeaways will be ideas on what to include, what to avoid, how quickly to communicate and making crisis communication a critical part of your incident response.

16:30 6B: Dogma: Perfection is the Enemy of Good – Stop Thinking in Terms of Absolutes Speaker(s): Siân John MBE, Lesley Kipling

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

“Perfect is the enemy of the good” is usually interpreted in the workplace to mean “better done than perfect”. But what is good enough in cybersecurity? Considering the NCSC’s recent blog post, “Not perfect, but better”, we will explore the arguments and counterarguments for better security.

16:30 6S: There is a Time and Place for Everything – Bringing SABSA to Small and Medium Sized Business Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This new and timely presentation focuses on the gap in guidance for new CISOs. Current information focuses on the first 90 or 100 days in large organizations where the CISO role is well established or where the CISO is coming in after a breach or other serious cyber security incident.

This presentation is focused on those small and medium sized organizations that do not have the budgets and controls in place that are assumed by the vendors and consultants creating these guides.

It describes an approach that uses SABSA to layer in controls based on business needs, then gradually grows information security by leveraging SABSA for new projects and for the highest risk areas within Information Security itself. This allows the CISO to address the most egregious risks while establishing or reestablishing a security program in organizations where information security has been a checkbox driven by vendor promises or compliance requirements.

IT and Information security have in many ways failed everyday users as well as small and medium sized businesses by creating tools that are complex and expensive. This session’s value is in providing guidance that helps new CISOs, and any small or medium sized business that hires them, to succeed.

Tony Sale Memorial Lecture

17:45 7P: Living in a World of Covert Channels Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

On 24 February 2020 Terence Michael Whall was found guilty by a unanimous verdict of the murder of 74-year-old pensioner Gerald Corrigan, who was shot outside his rural home in Anglesey on Good Friday 2019.

Whall thought he had committed the perfect murder, there was no forensic evidence, no direct eye witness to the shooting and no one saw him travelling to and from the murder scene.

During the trial the jury heard evidence of telematics data provided by Jaguar Land Rover showing the location of a suspect vehicle the day before when Whall was reconnoitring the scene of the crime, the boot being opened at 23:11:04 and closed 39 seconds later when he removed the murder weapon.

Evidence provided by Sky proved that Mr Corrigan’s satellite TV system was present at 00:08 at his home on the night he was murdered, at 00:28 he stopped a pre-recorded programme and the satellite signal was no longer present. When he went outside to investigate the problem, he was shot dead.

Again, telematics provided valuable evidence of vehicle movement, the opening and closing of the boot following the murder and Whall making his escape from the scene.

It is a credit to the hard work of those prosecuting this case that they were able to retrieve a body of critical evidence and present it clearly to the jury during the five-week trial.

To many people it was a revelation that such levels of technical data were transmitted to third party companies routinely and without their understanding of the full scale of the activity.

In this talk we will focus on how this example is only one of many instances of such data transfers. In new work we will detail how malicious actors might take advantage of an emerging standardised environment for vehicle to vehicle and vehicle to infrastructure communications to undermine efforts to monitor their activities.

COSAC 2022 Gala Dinner

19:30 Drinks Reception
20:00 COSAC 2022 Gala Dinner & Networking sponsored by SABSAcourses