
Welcome to COSAC's second annual event in Asia-Pacific, hosting the SABSA APAC Congress. For 2018, COSAC will be held in Sydney for the first time. 

Our agenda has been selected by previous COSAC participants to ensure sessions are unique, timely, cater for the participative COSAC ethos and deliver value for experienced security practitioners. 

Tuesday 4th December 2018

09:30 - 10:00 Delegate Registration & Coffee

Plenary Session

10:00 1P: Welcome to COSAC - Premium Value : Exceptional Trust Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

Welcome to a unique and special event that is destined to become APAC’s premium annual forum for elite professionals.

This brief introductory session sets expectations for the week: it describes the COSAC ethos and trust culture, and sets the tone through interaction and participation.

We will also discuss the rules and conventions for sessions and discussions held under Chatham House Rule or subject to full Non-Disclosure.

10:40 - 11:00 Morning Coffee

11:00 2A: Engineering Resilience through Attribute-based Dependency Modelling Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Andy Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984. He is a registered expert witness with more than twenty years’ experience of forensically analysing and presenting computer and information systems evidence in a wide range of cases in both criminal and civil matters. He is a co-author of the book of SABSA...

Dependency modelling is a way of analysing risks to an enterprise. It uses a variety of different approaches to describe and predict how different system components interact with and depend on each other. Typically it provides graphical representations of these relationships that help systems engineers design and implement resilient systems.

A dependency model is based on goals and objectives and the prerequisites to satisfy these goals. It is a positivist, top down approach that contrasts with other models that focus on faults, disasters and failures.

I first learned of Dependency modelling many years ago having been introduced to the subject by Professor John Gordon. He had developed a toolset specifically designed to help systems engineers, among other things, model risks to critical infrastructure. I was particularly interested in how his techniques were based on 'good' things - goals that he called 'paragons' and the Bayesian engine he developed that enabled you to build a dependency model and then 'drive it in reverse' to infer the most likely elements to cause compromise of each paragon. It occurred to me at the time that there were great similarities between paragons and SABSA Business Attributes and that, when I had time, I would explore that further. I still have not made the time to do anything other than scratch the surface of how Attribute-based Dependency Modelling might fit in the toolkit of SABSA practitioners. Most recently I discussed it with another Professor in UK academia who was surprised there had not been much academic study of how that might work and who encouraged me to take a further look at it - she implied there's probably a PhD waiting there for someone.

In true COSAC style I expect this session to be more of a workshop than a lecture. I shall outline John Gordon's excellent work and use some examples to highlight how it can be applied to SABSA Business Attribute-based Dependency Modelling. I welcome participation from delegates who are expert in the field and others to whom it is new - I hope that between us all we might just produce a catalyst for some of us to work together to produce techniques and approaches that will make the design of resilient business systems easier.
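To make the two directions of a dependency model concrete before the workshop, here is a small added illustration (written for this page; it is not Professor Gordon's toolset, nor code from the speaker). It assumes a constructed, hypothetical model in which a SABSA-style attribute, "Payments-Available", is a goal whose prerequisites are combined with AND/OR, and in which each leaf prerequisite has an independent prior probability of holding. Driving the model forward gives the probability that the goal holds; driving it in reverse, conditioning on the goal having failed, ranks the prerequisites by how likely each is to be the one that let it down.

```python
"""Attribute-based dependency model: forward evaluation and reverse inference.

Added illustration. MODEL is a constructed example, not a real system and not
the Gordon toolset. Each node is ("AND", children), ("OR", children) or
("LEAF", p_holds). Leaves are assumed independent; the model is small enough
to enumerate every combination of leaf states exactly.
"""
from itertools import product
from math import prod

MODEL = {
    "Payments-Available": ("AND", ["Platform-Up", "Staff-Able"]),
    "Platform-Up": ("AND", ["Power", "Network", "App-Cluster"]),
    "App-Cluster": ("OR", ["Node-A", "Node-B"]),      # either node suffices
    "Staff-Able": ("OR", ["On-Site", "Remote-Access"]),
    "Power": ("LEAF", 0.99),
    "Network": ("LEAF", 0.98),
    "Node-A": ("LEAF", 0.90),
    "Node-B": ("LEAF", 0.90),
    "On-Site": ("LEAF", 0.95),
    "Remote-Access": ("LEAF", 0.80),
}


def leaves(model):
    """Leaf prerequisites in a stable (sorted) order."""
    return sorted(n for n, (kind, _) in model.items() if kind == "LEAF")


def holds(model, node, state):
    """Forward pass: does `node` hold given a dict of leaf -> bool?"""
    kind, arg = model[node]
    if kind == "LEAF":
        return state[node]
    children = (holds(model, c, state) for c in arg)
    return all(children) if kind == "AND" else any(children)


def _worlds(model):
    """Yield every assignment of leaf states with its probability."""
    names = leaves(model)
    for bits in product((True, False), repeat=len(names)):
        state = dict(zip(names, bits))
        p = prod(model[n][1] if state[n] else 1 - model[n][1] for n in names)
        yield state, p


def prob_holds(model, goal):
    """P(goal holds): sum the probability of every world in which it holds."""
    return sum(p for s, p in _worlds(model) if holds(model, goal, s))


def blame(model, goal):
    """Reverse pass: P(leaf failed | goal failed) for each leaf, descending.

    This is the 'drive it in reverse' question: given the paragon has been
    compromised, which prerequisite is most likely to have failed?
    """
    p_goal_failed = 0.0
    joint = {n: 0.0 for n in leaves(model)}   # P(leaf failed AND goal failed)
    for s, p in _worlds(model):
        if holds(model, goal, s):
            continue
        p_goal_failed += p
        for n in joint:
            if not s[n]:
                joint[n] += p
    posterior = ((n, j / p_goal_failed) for n, j in joint.items())
    return dict(sorted(posterior, key=lambda kv: -kv[1]))


if __name__ == "__main__":
    goal = "Payments-Available"
    print(f"P({goal} holds) = {prob_holds(MODEL, goal):.4f}")
    for name, p in blame(MODEL, goal).items():
        print(f"  P({name} failed | {goal} failed) = {p:.3f}")
```

Two things the forward numbers alone do not show: "Network" tops the reverse ranking because it is a single point of failure under an AND, while "Remote-Access", despite sitting under an OR with a backup, ranks second simply because its prior is the weakest in the model. Exhaustive enumeration is fine for a handful of leaves; a real model needs a proper Bayesian network engine, which is exactly what the session describes.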

11:00 2B: Betsy, Fluffy and Herd 51 Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

IT Practices are changing at a rapid pace and are impacting the way we need to look at information security. A few of the hot topics like cloud computing, DevOps, zero boundary systems, are perfect examples of this. In some ways we are doing the same old thing, but in a way that doesn’t look exactly familiar. Recently in a conversation with a cloud vendor engineer it was implied that my question regarding configuration management was, well, old fashioned. Why would we treat our application like a pet, which needs a high degree of care and maintenance, rather than as cattle that are maintained in large quantities, and according to the metaphor, individuals can be removed from the herd and replaced with no noticeable impact? (No animals were harmed in the making of this session) After a bit of research, it was clear that this analogy has been around for a little while, but more in the context of servers and now more recently for applications. In this session we will look at a use case of a cloud implementation where several of these concepts came together and were put under a high level of security and compliance scrutiny. We will look at some of the successes as well as the lessons learned throughout this engagement. Finally, we will have group discussion regarding how we as security professionals can embrace, or at least keep up with, the progression of IT practices.

12:20 3A: Using SABSA for Cyber Resilience Speaker(s): Paul Blowers

Paul Blowers

CISO & Director, New Zealand Police & Hi-Spec Security (New Zealand)

Paul Blowers has more than 30 years' experience in the Intelligence, Law Enforcement, Defence and Border Security environments and almost 10 as a SABSA® practitioner. He has spent the last 14 years in New Zealand, having worked in the USA, the UK and mainland Europe. Currently head of security for New Zealand Police, he also runs his own small company, Hi-Spec Security Limited, providing high-end consultation services.

Security Operations Centres manage cyber security incidents effectively every day...right? But what about those that occur on a grandiose global scale. How do you plan for the next WannaCry or the future NotPetya? They are almost impossible to predict but not impossible to plan for.

With the intensity of cyber security events increasing, the need for a consistent approach to cyber security incident response is non-negotiable. Underpinned by skilled staff, a good budget and the right technologies, a Cyber Security Incident Response Plan will lead to a stronger security posture and better overall cyber resilience, provided it is tested and exercised against real-world scenarios.

My presentation will demonstrate how SABSA can help with cyber security incident exercise planning contextually and conceptually in support of detection, response and recovery activities at the operational layer.

Based partly on international research and planning for such an event, I aim to use SABSA to answer key operational exercise planning questions such as: What assets are required? Why are exercises necessary? How will security exercise management services be deployed? Who will be involved? Which locations will be impacted? When will the event occur?

12:20 3B: The Journey to Artificial Intelligence Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

Advances in technology have made artificial intelligence (AI) a reality. This session will provide a cursory overview of Artificial Intelligence, explaining what Artificial Intelligence is through its various dimensions, its types and its categories of application. The session will briefly cover some use cases as well as some considerations in selecting the relevant AI solution approach. In addition we will look at aspects of how AI can be used as an adversary, and the emerging cyber threats targeting Artificial Intelligence.

13:30 - 14:30 Lunch

14:30 4A: In Search of the Elusive Securiton Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Cyber Security Adviser, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs. 

Early in my career, around 2001, I first heard the term “Securiton” used in the context of measuring effective return on investment for ICT Security Projects. “Securiton” was used, in a humorous way, as a fictitious measure of the outcomes of computer security projects to illustrate what we knew the executive wanted to hear to approve business cases for our projects.

We dreamed of being able to say:

“This project will make us 37 Securitons more secure at a cost of only $370,000 – a bargain at only $10,000 per securiton!”

Mark Twain has been quoted as saying “Humor is the good natured side of a truth.” And there is more than a grain of truth in the use of “Securiton”. We, as an industry, long for an objective measure that can help us explain our complex and technical subject to the executive in a meaningful way.

As Peter Drucker said: “What gets measured gets managed.” and it is time that we started building effective and objective measures within security.

This workshop will interactively explore the possibility of building such an objective measure for risk in our industry.

We will start with a look at how people, in general, approach the consideration of ordinary risks in a very subjective way.

We will then look at real known risks and threats in our industry and discuss how organisations measure likelihood and consequences, both subjectively and objectively, to determine “risk”.

We will then workshop the possibility of building a standard subjective measure for various known cyber security risks, considering a range of factors that might increase these risks in particular industries and organisations.

This session will be run as a workshop.

14:30 4B: The Missing Link - A Universal Security Capability Model Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, NBN Co (Australia)

Andreas is an Enterprise Security Architect for Australia’s national broadband network (NBN Co). At nbn he is responsible for defining Security Strategy and Roadmap across the organisation. Prior to nbn, Andreas has worked for Deloitte and HSBC in the role of Enterprise Security Architect, developing Enterprise Security Architecture Frameworks and solutions. Andreas is currently the Research Director on the ISACA Melbourne Chapter board and an industry advisor to various organisations.

Most organisations have a consistent need for adjusting to changing market conditions and new customer demands if they want to survive in the long run. As business objectives and priorities are adjusted in response to the market, organisations need to adapt and fine tune their business capabilities, including their security services. Security service gaps need to be identified and immature services need to be optimised, in order to survive the constant battle for supremacy.

From a security perspective, one of the challenges for organisations often appears to be that they have immature processes in place to quickly adjust their business, including their security services. While SABSA provides a mature methodology for the delivery of security architecture, organisations often struggle to implement a framework around it that optimises the delivery process itself. Further tools and processes need to be developed to address this issue and assist organisations in maturing and adjusting their security services faster and in a more efficient way. One of these tools could be a security capability model that complements the idea of a security service catalogue by providing a pre-defined security service taxonomy through the definition of meaningful security capability domains.

In this session we will be looking at an organisation-independent security capability model that defines a well-structured set of security capability domains and associated security capabilities. This model, as part of an Enterprise Security Architecture Framework, can assist larger organisations in more systematically assessing, communicating and transforming their security services landscape. The presented security capability model is based on experience gained through the implementation of similar models at various organisations across different industries. It has also been analysed against various control frameworks and their grouping of controls, which we also touch on.

At the end of this session, participants should be able to understand the value of such a reference model and how it can be utilised within an organisation.

The key takeaway from this session will hopefully be a new viewpoint on the importance of security governing structures when faced with the challenge of more systematically and efficiently maturing an organisation's security architecture service landscape.

In the spirit of COSAC, this session is designed to be interactive and it will allow participants to share their experiences in similar circumstances, governing and maturing the process of continuous security architecture solution delivery in an organisation. This session will provide attendees with an insight into some issues that were encountered during the development of the model and the introduction into other organisations with a less mature security architecture framework in place.

15:40 - 16:00 Afternoon Coffee

16:00 5A: Enterprise Security Architecture: The Broker Between Strategy and Delivery Speaker(s): Ross MacKenzie

Ross MacKenzie

Head of Security Architecture & Design, Westpac (Australia)

Ross MacKenzie is the Head of Security Architecture & Design at Westpac Banking Group, and is responsible globally for the delivery of security architecture, design and security capabilities. Ross has over 15 years of experience in the information security field, and is based in Sydney, Australia. He is also SCF & SCP certified.

An insight into the application of SABSA aligned Enterprise Security Architecture to create an organizational engagement model that delivers consistent security outcomes across the enterprise.

16:00 5B: Security Culture is Broken: Let's Fix it Speaker(s): Andrew Stephen

Andrew Stephen

All of Govt Enterprise Architect, Dept of Internal Affairs (New Zealand)

Over the past three decades Andrew has worked across many aspects of the information and technology industry, from deeply technical to security management and architecture. Today Andrew has a focus on improving security practice and the relationships between security functions and their organisations. His current work contributes to development of New Zealand government digital strategy and nationally significant digital service. 

At MIT in 1961 they had a problem. Their new operating system, the Compatible Time-Sharing System (CTSS), had many users sharing the same resources, and people were having trouble keeping their files separate from everybody else’s. To address this they implemented a new feature - passwords. A few months later a graduate student in need of additional computer time found a novel solution; he submitted an off-line print job to print the entire password file and simply started using other people’s accounts. Passwords have been a failed access control ever since.

For decades the security profession has been recommending security controls and practices that are impractical, unjustified, and often ineffective. We have inadvertently forced people to work around the very controls that we hoped would protect them just so they can do their jobs. We have based our advice on “best practice” mythology, and we have driven a cultural wedge between our profession and the organisations we are supposed to serve.

In this talk Andrew brings together 20 years of observation and contemplation of security practice and culture into a human-centric view of security that he hopes can re-shape how we think about security, help us to repair the damage, and deliver real value from our skills and knowledge.

17:20 6A: Bones, Nutshells & Breadcrumbs Speaker(s): Maurice Smit

Maurice Smit

Principal Consultant, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In this session I will take up the challenge to model a business requirement from the audience on the fly, with of course the appropriate input from the audience.

While doing so I will draw and populate the SABSA matrix in the order of our needs for the solution to fulfil the given requirement – SABSA in a ‘Nutshell’. As we go through the process of populating the ‘Bones’ of the solution I will discuss and share a few ‘Breadcrumbs’ (challenges, questions) that have come to light while presenting SABSA Foundation Courses around the World.

In keeping with COSAC ethos and tradition, this session anticipates a high-degree of participation and interaction.

17:20 6B: Are We Just Snake Oil Salespeople? Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

“We cannot solve our problems with the same thinking we used when we created them.” - Albert Einstein

Join me for a rant, I mean discussion, about the potentially damaging approach we continue to take to address the information security problems we face.

Information Security is not a science; in fact, I'd argue it doesn't even qualify as art. So, what is it then? The closest thing I can find to equate it to is folklore. Security solutions have been handed down from generation to generation, either as oral histories or enshrined in texts as 'best practices'. As a result, we employ the same control or combination of controls over and over again to address a particular security problem and expect different results, which as the old saying states is the very definition of madness.

I’ll discuss some standard information security practices and solutions, explore their origins before looking at whether they are even designed to solve the problems they are applied to.

I’ll then discuss why we need to abandon the status quo and refocus our efforts on understanding the problems we are trying to solve, or be condemned forever to be perceived as snake oil salespeople.

Networking & Dinner

18:30 Drinks Reception
19:00 Dinner