
Welcome to COSAC's second annual event in Asia-Pacific, hosting the SABSA APAC Congress. For 2018, COSAC will be held in Sydney for the first time. 

Our agenda has been selected by previous COSAC participants to ensure sessions are unique, timely, cater for the participative COSAC ethos and deliver value for experienced security practitioners. 

Wednesday 5th December 2018

09:00 - 09:30 Delegate Registration & Coffee

Plenary Session

09:30 7P: SABSA and Humankind Speaker(s): Maurice Smit

Maurice Smit

Principal Consultant, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

SABSA. You may have heard of it. You may not have heard of it. But did you know that when Security is considered to be a property of something else, this whole concept can actually be applied to anything and everything? To solve your problems! As long as there is a problem, of course. In this presentation you will see how SABSA could be used to solve problems in human life.

10:30 - 10:50 Morning Coffee

10:50 8A: Engineering; Architecture; Security: How SABSA Draws Disciplines Together Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Cyber Security Adviser, Envista (Australia)

Michael is a Cyber Security Adviser with Envista, providing high-level assistance on cyber-related matters. He was formerly the CIO and CISO at the Australian Department of Finance, where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including the Department of Foreign Affairs.

The roles of engineers, architects and security professionals have evolved over time as very different and task-specific professions. We often see these separate entities in a competitive light – an architect may be trying to design and deliver a particular artistic outcome; the engineer may be trying to deliver a functional product, machine or system; and the security professional may be trying to lock down and protect a system.

In focusing on their specific goals, each discipline can lose sight of the bigger picture which should be about delivering successful outcomes for the client.

Each discipline may take a different approach, look at the task from a different perspective, use different tools, engage differently and focus on different priorities but, in reality, there is no single right approach to delivering outcomes as each engagement and assignment is unique.

Each engagement and assignment needs the right, unique, approach for that engagement.

As an engineer I think I take a pragmatic, results oriented approach, that some would argue is, at times, inflexible and black and white. Engineers tend to be problem solvers, have strong technical skills and a need to work things out. They are different to architects who tend to be creative, passionate, and easier going. And different again to security professionals who are often very technical, have a deep understanding of the system vulnerabilities and weaknesses, understand where the threats are coming from but who have, historically, taken a somewhat rule driven approach.

SABSA draws strength from each of these disciplines and provides a framework that blends these strengths in a pragmatic, results-oriented way.

This presentation looks at a number of engineering and security projects I have been involved with over my career and the engineering tools used to approach those problems and retrospectively applies some of the SABSA logic to that approach to understand how we could have achieved a better outcome. In doing so, this presentation will discuss a number of standard approaches we take to engineering and security problems and how these can be improved through an understanding of the SABSA approach.

10:50 8B: Smart Transport: Smart Security Speaker(s): Malcolm Shore

Malcolm Shore

Cyber Security Officer, Huawei (Australia)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand, where he held positions with the RNZAF and the Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand and NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Transport is one of the key applications for the ubiquitous connectivity which makes up the internet of things. In this presentation an overall architecture for smart transport will be presented and sample use cases for remote driving and train communications will be mapped to the architecture.

The UK and Australian Rail Industry Safety and Standards guidance on cybersecurity will be presented, and also the X.805 telecommunications security architecture. Specific threats as detailed in the NIST LTE Security Guide will be included to provide the basis of the risk model.

The Smart Transport Security Architecture will be described, and mapped to the NIST Cybersecurity Framework.

12:00 9A: Leveraging Business Value Chains in Information Risk Management Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management and Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare or PCI standards.

The challenge of integrating business drivers and business impacts into an Information Risk (or Cybersecurity) Program can be an elusive task. It is mentioned in most risk management frameworks and is a common theme from industry strategy leaders. It sounds simple enough, but the actual implementation is usually anything but. Even with a solid approach, there are challenges in getting the business to buy in, getting the right people involved, getting the right information, and then scaling and managing the information in a reproducible way for the enterprise.

In this session we will look at an organization that has recently revamped its enterprise cybersecurity program and is intentionally striving to build a foundation that engages the business to this end using value chains. We will review how the organization is leveraging SABSA Risk Management and Architecture approaches to tie existing risk management processes and control frameworks (including NIST and HITRUST) to a vendor-introduced process that engages business leaders to identify value chains and align them to information assets and systems.

We will look at some of the theory and methods behind the approach, including some of the ways we had already introduced SABSA business attributes and risk management in the organization, and will look at how the use of value chains is integrating with, and complementing, them. We will look at the process around building value chains, and also discuss the systems that are being used to support these activities. Finally, we will discuss the successes that we have seen so far, as well as the obstacles that had to be overcome (some just to get started) and those we anticipate as we continue down this path.

12:00 9B: Debunking GDPR Myths Speaker(s): Ahmed ElAshmawy

Ahmed ElAshmawy

Principal Information Security Consultant, Axenic (New Zealand)

Ahmed is a Senior Consultant at Axenic Ltd. He has significant experience as a trainer, as well as being a hands-on practitioner. He is a CERT-Certified Computer Security Incident Handler (CSIH) and an SEI-Authorised Instructor. He was previously a member of the technical team of Q-CERT, Qatar's national Computer Emergency Response Team.

Surprise, surprise: the world did not end on the 25th of May 2018, or GDPR Day as it became known. We haven't seen any organisation hit with a fine of 4% of its global revenue, or of several million Euros, for a GDPR breach.

However, a lot of Australian and New Zealand based organisations believe they don't have to comply with the GDPR just because they are not based in, or do not operate in, the EU.

In between both extremes, a lot of fear, uncertainty and doubt around GDPR has grown to confuse decision makers and professionals alike. From "expert" opinion to social media, it is more likely they will come across a range of GDPR myths and misconceptions than factual information.

For example, the term "EU citizen" (or just "citizen") does not appear even once in the official regulation text, yet many think that EU citizens' data is what GDPR is all about.

This session will discuss some of the key myths that are commonly repeated around GDPR using the regulation text as a reference.

13:00 - 14:00 Lunch

14:00 10A: Four Years at the Coal Face Speaker(s): Glen McCauley

Glen McCauley

Business Transformation Security Architect, Dept of Inland Revenue (New Zealand)

Glen McCauley - Security Architect since 1998. Throughout my career I have been dealing with information security from a risk and architecture perspective. Engagements and activities are primarily in the Government and Financial services sectors. Projects have ranged from the security assessment of critical applications such as online reporting and Internet Banking through to the development of PKI systems for New Zealand's Electronic Passport solution.

Over the last 4 years I have been security architect on the project transforming the electronic processing systems for the New Zealand taxation department. This project has a mandate to re-invent the organisation from the ground up, including green fields applications and operating models.

We are investing heavily in a new PaaS based core platform, cloud based PaaS for new non-core services, SaaS cloud based solutions for back office functions and most critically, full adoption of Microsoft 365 capabilities.

As architect, I have been applying SABSA principles - well to use a Kiwi colloquialism - yeah nah! This talk will go through the journey we have been through and how SABSA has been applied, and where the shortfalls in applying SABSA have been encountered.

14:00 10B: Quantum Computing & SABSA

15:10 11A: 5G From a SABSA Viewpoint Speaker(s): Malcolm Shore

Malcolm Shore

Cyber Security Officer, Huawei (Australia)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand, where he held positions with the RNZAF and the Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand and NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The emergence of 5G in its initial release will enable data services at up to 1.5Gb/s, which will enable substantially more applications of mobile online services. 5G in this form is also known as Release 15 of LTE. However, this is just the beginning: with Release 16, the full 5G release, we will see massive machine-type connections providing a next-generation service for the Internet of Things, and ultra-low-latency services will enable services such as real-time control for transport, robots and remote surgery applications. There will, however, be an explosion of different applications that we cannot yet envisage. The potential of 5G has caused significant concerns in some governments, to the extent that consideration is being given to banning the leading telecommunications vendors from selling 5G equipment.

In this presentation we will look at what 5G is and how it is secured. We’ll cover the new radio approach, the radio access network, and the core services. We’ll then take a look at 5G from a SABSA perspective to form a traceable and balanced risk model to enable robust decision making on security countermeasures.

15:10 11B: Dissecting Election Cyber Attacks and their Impact to Critical Information and Infrastructure Speaker(s): Gokul Srinivasan

Gokul Srinivasan

Associate Director, Control Risks (Australia)

Gokul is a cyber-security expert specialising in cyber threat intelligence, crisis management, incident response and cyber resilience. Gokul is interested in helping organisations understand the cyber implications of geo-political changes and the threats they trigger. He advocates taking a threat-led approach to building cyber resilience and incident response capabilities. Gokul has helped clients design enterprise security solutions in complex cloud and multi-tenant environments.

There has been an exponential increase in the number and sophistication of cyber-attacks over the last few years. Nation states are increasingly using cyber as an instrument of power, and attacks on critical infrastructure can go beyond a catastrophic disruption to day-to-day business, and expose a calamitous risk to property and lives.

Sophisticated threat actors are using elections as an opportunity to cause disruption, influence voter perception, manipulate votes and shake public trust in government institutions and in the democratic process. An analysis of the elections conducted in different countries in the last 18 months reveals that there were incidents of cyber-attacks in all of them.

It is not just electoral commissions and government agencies that are being targeted. Threat actors are targeting a range of organisations including those in the supply chain directly related to the election and those who hold data on individuals who may be targeted in influence campaigns.

These cyber-attacks range from highly sophisticated nation-state attacks, such as the breach of 90 million voter registration records of Mexican citizens, to cyber activism that caused attacks on internet service providers and data centres in Iran. In some countries, misinformation campaigns on social media were run against specific organisations, causing huge financial and reputational loss to them.

In this fast-evolving threat landscape, organisations often struggle to comprehend the nature of the threats they face: Who are the threat actors? What are their motivations? What are the risks to my organisation? How will the threat actors initiate cyber-attacks?

This intelligence will help security professionals predict the evolving threat landscape and implement appropriate protection measures at the right places.

Through case study examples, Gokul will provide an analysis of the cyber-attacks based on study of recent elections in Malaysia, Russia, Germany and Czech Republic. The analysis will include study of the geo-political situation in these countries, attack types, the threat actors, their motivation, the assets targeted and what organisations in other countries are doing to defend against such attacks.

16:10 - 16:30 Afternoon Coffee

16:30 12A: A Night at the Museum Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Te Papa Tongarewa, the national museum of New Zealand, celebrated its 20th birthday this year and is in the middle of a $50 million renewal programme. The museum sector, like many sectors, believes that digital is the key to innovation and transformation. As part of the renewal programme, the CTO was charged with modernising the technology used by the museum to support and enable its digital ambitions. In addition to this, he was also tasked with providing the Board with an appropriate level of assurance that the information security and privacy risks associated with Te Papa's use of technology are effectively managed.

In this talk, we will discuss how SABSA was used to develop and implement an Enterprise Security Architecture and Security Strategy for a complex and heterogeneous environment with competing and conflicting business requirements for security (funnily enough confidentiality is not the primary attribute for most of the museum’s information). However, we will also examine some of the other significant challenges that we had to overcome, including the absence of a business or enterprise architecture, organisation culture and communication style, and ageing technology infrastructure in dire need of modernisation.

This session will provide you with some real-world practical approaches for addressing both the real and perceived roadblocks to developing an Enterprise Security Architecture and Security Strategy that delivers value by genuinely supporting and enabling the business to achieve its desired outcomes.

Won’t you join us for a night at the museum?

16:30 12B: A Different Perspective on Security Assurance - Bug Bounties Speaker(s): Martin Choluj

Martin Choluj

Director of Security, Campaign Monitor (Australia)

Martin has over a decade of technical leadership experience in a consulting and practitioner capacity. He is a Director of Security at Campaign Monitor, where he focuses on hands-on management, assurance, cloud security and DevOpsSec practices.

There are many different ways to identify bugs in your code - penetration testing, code scanning, unit and integration testing, vulnerability management - just to name a few. Different methods deliver different quality, speed and ROI.

In this session we are going to look into bug bounty programs as another method for delivering security assurance.

In his talk, Martin will offer his perspective on running bug bounty programs as the main source of security assurance and cover the good and bad of crowdsourced security.

Plenary Session

17:40 13P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 5th December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner