Schedule - COSAC

COSAC APAC 2025

Tuesday 25th February

Tuesday 25th
08:30-09:00

Registration & Coffee
Tuesday 25th
0900:-09:20

COSAC APAC 2025 Chairman's Welcome
Tuesday 25th
09:30-10:15

Security Architect to CISO – How SABSA Saved My Bacon

Session 2A

A personal reflection of the key take aways from undertaking several SABSA trainings and how it has allowed for a successful journey from Security Architect to Chief Information Security Officer for a large enterprise organisation.

The discussion will highlight the experiences – pitfalls and wins – whilst developing security strategy, security programs, security catalogue, and security teams across 3 different organisations, a retail & manufacturing organisation, a professional membership organisation, and a large enterprise retail organisation. This will be done with reflection on the various learnings from SABSA that have contributed to successful CISO work.

As this is an experience sharing session, it will also touch on the importance of the need for self-care in our profession and the importance of establishing your tribe, and how this played an important part in keeping the speaker energized during the 2020-2023 period.

Speaker(s)

Nigel Hedges

Quantum Computing Demystified

Session 2B

Since the mid 1990’s the open cryptographic community has been considering the possibility that advanced computing capability would. at some point, undermine the security of the standard cryptographic processes used routinely throughout our daily lives. Of particular relevance was Peter Schor’s development in 1994 of the first quantum algorithm (now known as Shor’s algorithm) to efficiently factorise large numbers such as those used by Public Key Cryptographic schemes.

Shor’s work and that of others had a profound impact on the development of quantum computers – the hardware and software systems necessary to realise the true benefits of quantum algorithms.

Developing a practical, reliable quantum computer requires significant research and specialist engineering capability. There are now many companies operating in this area having seen significant investment from government, academia and private funds. They range in scale but include household names such as IBM, Microsoft, Amazon and Google.

In 2015, when Michele Mosca used the term “Q-Day” to refer to the (theoretical) future date when quantum computers would become powerful enough to break existing cryptographic systems, quantum computing became newsworthy outside the scientific field.

In this talk we will discuss the state of quantum computing relating to security with particular reference to its impact on cryptographic systems and what we are currently doing and should continue to do the mitigate the emerging threats.

Speaker(s)

Andy Clark
Tuesday 25th
10:20-11:05

The High Rollers Table - A Case Study in Proving Your Value Using SABSA

Session 3A

When it comes to demonstrating the value you are providing to your high-roller stakeholder sitting at the table, there isn’t a lot of room for error, filibustery or flub. In any other circumstance, you might be able to lean heavily on bamboozlement at the brilliance of your diatribal eloquence, the captivatingly exquisite heights of your genre-defining diagrams and matrices, or the various bric-a-brac-esque levels of understanding inhabiting the zeitgeist of the VIPs you are presenting to.

But.

If the very most important of them, the Big Kahuna, makes it known to you that they have their complete and undivided attention on you and the answers you are giving them, then you had better make sure those answers are succinct, accurate and simple enough to pass the smell test on any concern that they are very, very much interested in, that very, very much matters to them personally, and in whose opinion they are very, very much heavily invested.

Fortunately, SABSA provides you with the very tried and true method to withstand such scrutiny when this situation befalls.

In this presentation, we will provide a real case study where the high-roller stakeholder took control of the discussion, posed employment-defining questions to the presenters, and how SABSA was deployed to seize the initiative and win the day.

Speaker(s)

Harley Aw
Dan Schoemaker

AI - Your New Partner in Capability Uplift

Session 3B

For over 50 years, IT professionals have been using frameworks and standards to underpin capabilities. We’ve been on an endless quest to support our businesses in leveraging technology for business value whilst maintaining compliance and managing risk.

It hasn’t been easy for those of us in the thick of constant capability uplift projects, treating audit findings and coping with relentless context shifting. Sometimes it feels like we’re pushing shit uphill just to satisfy all the basic controls and keep our license to be in business!

So, with AI finally getting traction and GenAI showing it can demonstrable business value, we should ask, “is there anything in this AI wave for us?”.

How might IT professionals leverage AI to assist with the continuous improvement of our business and IT organisations?

In this presentation, IT industry veteran David Favelle will propose how AI can be leveraged to accelerate capability uplift, increase transparency and improve control. In effect, AI can act as a force multiplier wielded by experienced IT practitioners, governance professionals and their suppliers. The key is to have humans who understand the Why and the What and can leverage AI to do the heavy lifting…all that docco isn’t going to write itself…or is it? Of course, all of this also relates to the peak bodies charged with maintaining the frameworks and standards as well.

Let’s see if AI is the accelerant we need to get ahead of the game!

Speaker(s)

Dave Favelle
Tuesday 25th
11:05-11:25

Morning Coffee
Tuesday 25th
11:25-12:10
Building An Explanatory SABSA Matrix Bottom Up

Session 4A

SABSA works from the Attributes, building down from them through the Contextual Architecture into and across the Matrix. This can make it difficult for people to visualise and engage, with the matrix, it also requires commitment. This session will build an example of the matrix across and up from the Component Architecture.

The intention is not to complete the matrix but to make it accessible by example and show the traceability from the perspective stating with actual Components and Assets. Another benefit is that this can also be a starting place for people to introduce the SABSA Matrix into an organisation, to show value, gain support, and help collaborators to see they can help build and contribute to the architecture, and their organisation role is very much present.

Enterprise Architecture needs commitment, help and buy in by different teams, and skill levels to realise the value of SABSA including continual currency. Building an example from the bottom can help others see themselves, skills and organisational role and how they have value to contribute.

Attributes and Contextual Architecture are vital, this is the realm and lingua franca of Enterprise Architecture. The vernacular, however, perhaps could just start with the example of a simple firewall.

Speaker(s)

Darren Skidmore
AI & Quantum Computing - A Double-Edged Sword for Cybersecurity

Session 4B

In the era of AI and Quantum computing the need for a robust Cyber Security strategy and program have become more essential to ensure that organizations are adequately prepared to both deal with the unintended outcomes and potential benefits.

During this session we will explore the following key points with the aim of unpacking what AI and Quantum computing will mean for the Cyber Security industry going forward.

Brief overview of AI and its current applications in cybersecurity (e.g., threat detection,incident response, fraud prevention)

Introduction to quantum computing and its potential to revolutionize computing power

The session is structured in an engaging way that the participants are not lost in the multiple topics being discussed. Each focus area will be unpacked in detail in the following order and opportunities available for participants interactions.

AI: A Cybersecurity Double-Edged Sword

Benefits of AI in cybersecurity:

Enhanced threat detection and response capabilities

Improved incident response automation

Advanced threat hunting and intelligence

Risks associated with AI:

Potential for adversarial AI to launch sophisticated attacks – What are key strategies that Cyber Security professional can explore to minimize the potential for a Cyber may-day.

AI bias, discrimination and Political implication concerns.

Dependence on AI systems and potential vulnerabilities.

Quantum Computing: The Looming Threat

Explain the concept of quantum supremacy and its implications for cybersecurity.

Discuss the potential impact on encryption algorithms (e.g., breaking RSA).

Highlight the timeline for quantum computing to pose a significant threat.

The Intersection of AI and Quantum Computing

Explore the potential of AI to develop quantum-resistant algorithms.

Discuss the use of quantum computing to enhance AI capabilities (e.g., quantum machine
learning).

Address the challenges and opportunities of this intersection.

Conclusion
Speaker(s)

Sammy Chuks
Tuesday 25th
12:15-13:00

Transforming Enterprise Security Architecture from Theory to Practice

Session 5A

Is having a comprehensive Enterprise Security Architecture (ESA) document enough to meet business needs? We developed an ESA using the SABSA framework, which provided a thorough vision of our desired future state. However, its academic tone and complex structure made it difficult for architects and stakeholders to translate theory into actionable steps. Consequently, it was primarily utilised only by the Cyber Security Architect.

Our objective was to simplify the ESA, ensuring it was accessible and useful for various stakeholders across the business—from the architecture team to IT and OT operational teams. This approach empowers them to make informed decisions aligned with security best practices, thereby reducing reliance on our small cyber team.

In this presentation, we will share our journey to operationalise our ESA. We will highlight the importance of early stakeholder engagement, continuous feedback, and practical implementation. Join us to learn how we are transforming our ESA into a dynamic framework that drives both security and business alignment.

Speaker(s)

Mai Tran
Paul Karan

AI Governance and Risk: Navigating ISO 42001 and ISO 23894

Session 5B

Navigating the complexities of AI governance and risk management requires a solid understanding of relevant standards. This session will guide you through ISO 42001 and ISO 23894, highlighting the importance in establishing robust AI governance frameworks and managing risks effectively.

Audience will takeaway:

Comprehensive understanding of ISO 42001 and ISO 23894. How to establish and maintain AI governance frameworks. Techniques for effective AI risk management. Understand the role of these standards in ensuring ethical AI practices. Practical insights from case studies and real-world applications.

Speaker(s)

Bharat Bajaj
Reshma Devi
Tuesday 25th
13:00-14:00

Lunch
Tuesday 25th
14:00-14:45
Implementing the NIST CSF 2.0 the SABSA Way Cybersecurity Framework

Session 6A

How should you implement the NIST Cybersecurity Framework (CSF) 2.0 when developing or updating a security architecture using SABSA? With the addition of the Govern Function, the NIST CSF 2.0 is a significant upgrade to the de-facto global framework for managing cybersecurity risks but does not have everything you need to effectively manage your enterprise cybersecurity risk.

The SABSA Institute (TSI) sponsored SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project is currently developing various tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work the SABSA way.

This session is a high-level view of the new approach taken by the updated NIST CSF 2.0, and what the SENC project is delivering to enhance implementation of the CSF. The SENC project is defining SABSA-specific guidance for leveraging the NIST CSF 2.0 including: a collection of SABSA business attributes and the attribute profiling process to provide effective business risk management and traceability; defining a SABSA-specific NIST CSF 2.0 Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method; SABSA NIST CSF 2.0 Informative References that map the SABSA NIST CSF 2.0 Profile to the SABSA matrix; and a collection of SABSA-specific Examples supporting the CSF subcategories aligned to the SABSA NIST CSF 2.0 Profile.

The application of the NIST CSF often focusses on the processes, technologies and controls while losing sight of managing the business value and risks involved. We will outline the content from the SENC project deliverables and what will be available to the SABSA community when the project is completed. The SENC project will provide specific recommendations for leveraging SABSA to apply and enhance the NIST Cybersecurity Framework 2.0 to help manage your organization’s business risk requirements.

Speaker(s)

Glen Bruce
RegTech: The Evolution of Cyber Financial Crime Solutions

Session 6B

Regulatory Technology (RegTech) revolutionises the financial sector by providing innovative solutions for compliance and crime prevention. This presentation delves into RegTech’s pivotal role in combatting financial crime, spotlighting its intersection with cybersecurity through case studies and practical applications.

Key topics and take aways:

RegTech Introductions and Examples

Purpose, evolution, and adoption of RegTech solutions

Examples such as Compliance Monitoring Platforms, KYC Solutions, Transaction Reporting Systems, Regulatory Reporting Solutions, Blockchain-Based Compliance Solutions, etc.

Case Studies

HSBC’s utilisation of AI-enhanced transaction monitoring demonstrates a drastic reduction in false positives, enhancing suspicious activity detection

Citi leverages blockchain technology to streamline compliance processes, ensuring transparency and traceability for better regulatory reporting

Evolving Solutions

AI-Powered Regulatory Intelligence Platforms

Machine Learning in Fraud Detection

Regulatory Sandboxes

Behavioral Analytics for Compliance

Privacy Compliance Solutions

RegTech Marketplaces

Strategic RegTech Integration

Best practices for integrating RegTech solutions with existing systems are discussed, exemplified by a multinational bank’s unified compliance tools strategy

Benefits of RegTech:

Increased efficiency and cost savings in compliance operations

Enhanced adaptability to regulatory changes

Strengthened security against financial crime through advanced compliance measures

Conclusion:

This presentation equips financial institutions with strategic insights into RegTech implementation, supported by real-world case studies, empowering them to leverage these technologies effectively for robust and proactive compliance in today’s complex regulatory landscape.
Speaker(s)

Guarav Vikash
Tuesday 25th
14:50-15:35

The ISM, E8 & SABSA

Session 7A

The Information Security Manual (ISM) is the Australian Signals Directorate’s opus on all thing’s information security. This evolutionary document is mandated in high level government policy (the PSPF) as the control library for information systems in Australian Federal Government entities.

There is a subset of this library called the Essential 8 (E8). The E8 is meant to improve your security posture through maturity modelling. While also designed for Australian Federal Government entities it is now influencing state governments who are citing ISM and E8 requirements in their requests to business, and businesses are starting to measure themselves against these models.

Given that E8 is a subset of the ISM, why is it required? I think it is because they are referenced in two separate policy instruments within the PSPF that drive different outcomes. Because of this there are different compliance and reporting requirements which allows confusion to reign. Should I measure my system against the ISM? Yes! Should it be E8 compliant! Yes! Which do I do first? Yes! Isn’t this supposed to be about risk now? Yes! Then why the drive for compliance? Yes!

Can SABSA assist us in making sense of this? Given the ISM is a control library, can it drop wholly into the Component layer of the Why? But what to do with the parts of the ISM that dictate the how, the where, and the who?

By demonstrating that the E8 has become a misguided subset of the ISM I will provide an overview of some of the problems I have seen when organisations try to meet both sets of requirements. Then by using an alignment activity between SABSA and the ISM I will show how using SABSA allows for a more complete use of the ISM and allows the ISM to be used in the way I think it was intended while addressing E8 concerns.

Speaker(s)

Kirren Hartas

Architecting Cybersecurity Self-Assurance

Session 7B

Cyber security risk is one of the top non-financial risks for organisations. It can be present in almost any part of digital operations. The nature of the risk is both complex and broad due to the complexity of the attacks and evolving capabilities of the attackers.

More often than not, the articulation of cyber risk is characterised by a high degree of subjectivity due to the innate difficulty to create a 360^o view of the security posture in a timely manner, supported by actuarial data, to answer even to the most basic business requests.

This presentation will focus on how a data-driven comprehensive representation of the security fabric can drive faster and better decision-making. Using real-life case studies, we will highlight how the development of a single source of truth helps to identify actionable insights, simplify remediations actions and improve the risk position of the organisation. Most importantly, it becomes the foundation for the operationalisation of self-assurance across the estate which brings commercial benefit to the business through facilitating smooth and rapid delivery whilst also optimise the utilisation of the cyber security resources.

Speaker(s)

Dimitrios Delivasilis
Tuesday 25th
15:35-15:55

Afternoon Tea
Tuesday 25th
15:55-16:40
SABSA, Security Metrics and Compliance (The Good, The Bad and The Ugly)

Session 8A

Data, data, data – is too much data really a thing? Is too much data overwhelming you and creating too much unwanted noise? What are the dangers of too much data?

Big Data, Data Lakes, Data Warehouses, Large language models and Artificial Intelligence – decision making has never been as easy…..or has it? Are you looking at the right data in the right place, at the right time? Maybe you are but more likely maybe you are not.

My case study is based on achieving NIST Cyber security Framework compliance by showing how data-driven evidence can make the near impossible possible. Tediously challenging, this was too good an opportunity to miss: shaping and maturing security from the Boardroom down.

With reference to the SABSA® framework principles, I will demonstrate the unique advantages of using near real-time security analytics, combined with the basic fundamentals of information life cycle management, and supported by operational statistical data to deliver an achievable programme of compliance related business outcomes and safeguarding the firms’ brand.

187 individual requirements to be met with only 9 months to achieve 90% compliance. The business and brand was truly at high risk. Miss the mark, lose the brand – it was that simple!

My uniquely developed architecture model will show how taking a balanced scorecard approach and using operationally available security metrics can realistically deliver better business outcomes.

Speaker(s)

Paul Blowers
Communicating Cyber with Pretty Pictures: A Guide for Technical People

Session 8B

Effective communication has always been crucial for security managers, security architects, and CISOs. Data visualisation plays a key role in this communication, yet it often falls outside the typical skill set of tech and security professionals.

This session addresses the challenge of translating technical and risk data into business-friendly language through designing impactful graphic visualisation. It explores strategies for presenting cyber data in a clear and compelling manner whether it’s a presentation, dashboard, or a multi-page report with emphasis on visual aspects.

Key topics include:

Identifying essential data and metrics, distinguishing between operational, tactical, and strategic information.

Aligning data visualisation with the diverse needs of business users, from executives to middle managers.

Assessing organisational security through compliance metrics, moving from operational and tactical data to business process descriptions and needs, capability maturity assessments, and risk-based evaluations.

Exploring different types of visualisations, such as dashboards, applications, presentations, and reports, and their applicability to business users.

Involving non-cyber specialists in the design of cyber data visualisations.

This session aims to bridge the gap between cybersecurity initiatives and business objectives with data visualisation, enabling attendees to effectively communicate the significance of cybersecurity efforts in achieving business goals.
Speaker(s)

Rustam Teregulov
Tuesday 25th
16:45-17:30
The Mystery of Business Attributes - An Interrogation of Kipling's Six Honest Men

Session 9A

Business Attributes are the central, single most defining concept of concept in SABSA.

Using the SABSA lifecycle and matrix, we will look at Business Attributes in terms of:

What the drivers for Business Attributes are? What are the requirements for Business drivers?

Why is it required? What are the risks associated with implementing and managing Business Attributes?

How do you create Business Attributes? How do you use Business Attributes? How can they be implemented? How can they be managed across their life?

Who creates Business Attributes? Who is impacted by them? Who implements them? Who owns them? Who manages them?

Where do you find Business Attributes? Where do you use them?

When do you use the Business Attributes? What are the metrics that you can use to measure its effectiveness?
Speaker(s)

Sarit Kannanoor
Metrics That Matter

Session 9B

Two seasoned governance, risk, and compliance professionals share unique insights in a thought-provoking discussion about what metrics matter and why some don’t.

We’ll consider how security and compliance goals can be built into business goals, and how to identify appropriate metrics while considering the culture, maturity, size, and type of business. This is about effectively guiding the managing of risks that are not important to the business objectives, while addressing risks based on meaningful metrics. How do we reach the goal of metrics that matter? Can those metrics drive change and the achievement of business goals?

Who do we involve in measuring performance towards goals that are linked to business objectives, possibly leveraging or morphing existing organizational measurements?

We will explore an always-timely approach, including considering which metrics are relevant to different levels of management based on the most current practices. We will define what matters to the business and what tools we are using, which may include SABSA, Business Impact Analysis, and various regulations. Throughout the discussion we will thread in the importance of context, timeliness, and relevance.

Speaker(s)

Kathleen Mullin
Johan Lidros
Tuesday 25th
17:40-18:40

The Increasing Importance of Technical Surveillance Countermeasures (TSCM) in the Era of IoT and Mobile Devices

Plenary 10P

As IoT and mobile devices have become ubiquitous in both personal and professional environments, the landscape of information security has undergone significant transformations. These technologies, while enhancing connectivity and operational efficiency, have introduced new vulnerabilities that are increasingly exploited by adversaries.

The rapid proliferation of interconnected devices has significantly expanded the attack surface, making organisations more susceptible to unauthorised surveillance and data breaches.

This presentation will explore the growing importance of Technical Surveillance Countermeasures (TSCM) in safeguarding information security in the age of ubiquitous IoT and mobile technologies. It will examine how traditional TSCM practices have evolved to address the unique challenges posed by modern digital ecosystems.

We will discuss the integration of TSCM strategies with contemporary cybersecurity frameworks, highlighting the need for advanced detection methods, continuous monitoring, and real-time threat intelligence to protect against sophisticated surveillance tactics in a world where the boundaries between physical and digital security are increasingly blurred.

Speaker(s)

Andy Clark
Tuesday 25th
18:45-19:15

Drinks Reception (sponsored by The SABSA Institute)
Tuesday 25th
19:15

Dinner (sponsored by The SABSA Institute)

Wednesday 26th February

Wednesday 26th
09:00-09:30

Registration & Coffee
Wednesday 26th
09:30-10:15

An Analysis of the Integration of SABSA and Mitre Projects

Session 11A

Everyone knows MITRE ATT&CK, but what about other MITRE projects like TRAM, D3FEND, EMB3D, CAPEC or ATLAS.

A core design principle of SABSA is that it can and should integrate with other security frameworks, in this presentation Bruce will walk through the different stages in the SABSA development Lifecycle and appropriate MITRE projects that can be integrated. Bruce is also interested to hear how other people apply MITRE projects and to build a group to develop a white paper on the subject for the TSI.

Speaker(s)

Bruce Large

Exploring Dora

Session 11B

Dora is an explorer, and in the presentation we’re going to explore the wonderful world of Digital Operational Resilience Amigo! Yes, it’s the EU’s DORA which is due to become a regulatory demand in banking and likely beyond.

The Digital Operational Resilience Act is an extensive set of requirements across five main pillars: ICT Management, ICT Incident Reporting, Digital Operational Resilience Testing, Third Party Risk, and Information Sharing Agreements. In support of the Act, a number of technical standards have been released for consultation. In this presentation, we explore the demands that DORA will put on the security team, and the current thinking in how they can be satisfied.

Speaker(s)

Malcolm Shore
Wednesday 26th
10:20-11:05
The Intersection of Digital Archiving Principles and SABSA Framework

Session 12A

In an era of ever-expanding digital footprints, organisations grapple with the dual challenge of securing sensitive information while preserving its business and historical context. Enter the information archivist—the custodian of organisational memory. Nowadays digital archivists navigate the digital realm, safeguarding records, emails, and data flows. But what happens when archival principles intersect with a comprehensive security framework like SABSA?

This paper embarks on an exploration of that intersection. We delve into how archiving strategies can enhance security, ensure compliance, and bridge the gap between business context and security architecture. Specifically, we focus on the Conceptual Layer and the Contextual Layer of the SABSA framework.

Key Themes:

Conceptual Layer and Archival Principles: We analyse how the Conceptual Layer of SABSA aligns with archival principles, to define how archivists can contribute to a robust security foundation.

Contextual Layer and Business Context: The Contextual Layer of SABSA considers business imperatives, and we explore how archival practices can provide context for security decisions around data governance, compliance, and risk mitigation.
Speaker(s)

Bethany Sinclaire-Giardini
Co-design As A Framework for Cyber Strategies

Session 12B

Cybersecurity remains a significant challenge for organisations, with teams often operating with limited resources. To address this issue, an alternative method involving the engagement of non-cyber stakeholders in the cybersecurity process is proposed utilising the co-design framework.

As cyber threats become increasingly sophisticated, the need for adaptive security strategies is more critical than ever. This presentation will explore the concept of co-design for cybersecurity professionals. In short co-design can be defined as: “Co-design involves collaborating with a diverse team to identify and understand problems, develop solutions, and test their implementation to improve outcomes and experiences.”

A co-design framework that integrates technical expertise with human dynamics will be introduced. Co-design is creating with, not for. It brings together different stakeholders to foster sustainable practices and robust solutions that between technical and non-technical teams is important to craft effective organisational cybersecurity strategies. The intent is to help create non-cyber organisational stakeholders to can become agents of change, and that collaborative knowledge sharing among diverse stakeholders becomes essential.

A case study demonstrating how co-design framework can be used for implementing a simple yet complex issue that is password policy for an enterprise organisation who has different stakeholder requirements (eg a developer, non-technical end user, CISO, Legal and HR personnel), technical necessities (architecture, technical integrations etc)and conflicting technical controls (eg NIST, ISO27001k, CIS Controls, PCI DSS) through the phases of

pre-design: understand people’s experiences in the context of their lives: past, present, and future

generative: produce ideas, insights, and concepts that may then be designed and developed

evaluative: assess, formatively or summatively, the effect or the effectiveness of products, spaces, systems, or services

post design: Investigate how people actually experience the product, service, or space

The presentation will cover practical strategies for implementing co-design in cybersecurity, addressing both technological and organisational challenges. This framework aims to offer actionable strategies for effectively incorporating a co-design approach into cybersecurity policy, procedures and practices.
Speaker(s)

Lynore Close
Wednesday 26th
11:05-11:25

Morning Coffee
Wednesday 26th
11:25-12:10
Mishaps & Meltdowns - Using SABSA to Diagnose Failures in Complex Systems

Session 13A

In 1991 The U.S.S.R. was the largest country in the world, covering over 1/6th of the land on earth, but within a year the Soviet Union had ceased to exist.

While there are several contributing factors to the decline of the Soviet Union, perhaps the most significant was that of Chernobyl meltdown, confirmed when Gorbachev remarked that it “was perhaps the real cause of the collapse of the Soviet Union.”

In this SABSA presentation we will use SABSA framework and supporting methodologies to explore the people, process and technology failures that lead to the release of 400 times more radiation than that of the Hiroshima atomic bomb.

We will use this and other international nuclear near misses such as Three Mile Island and the UK Windscale fire as a rich canvas to explore common cyber security architecture failures and successes, highlighting systemic risk transfer across enterprises and government and focusing on some of the opportunities that have since manifested.

The presentation demonstrates SABSA techniques including domain modelling, trust modelling and risk modelling to decompose complex interactions and unpack the architectural failures that ultimately lead to the decline of the Soviet Union.

Speaker(s)

Robert Laurie
Let's Co-Design A Secure Business Transformation

Session 13B

With over 90% of businesses undertaking transformations to take advantage of new technologies, changing customer demands and responding to economic pressures. The new and heightened security risks combined with the changing threat landscape are requiring a co-design and co-collaboration amongst with CRO and CISO with the business.

In this session, we will discuss via an interactive session:

The top challenges and issues faced with business transformation

7 things that companies who are getting this right are doing

Together co-design your organistion’s approach

The audience will walk away with practical actionable steps in their own co-designed approach to securing their business transformation, whilst hearing of common challenges and practical approaches other organisations are taking.
Speaker(s)

Anu Kukar
Wednesday 26th
12:15-13:00

You Can Fix Stupid: Automating to Reduce Risk and Reducing Risk in Automation

Session 14A

In a world where cyber threats are evolving at an alarming rate, organizations are expected to do more with less, employees are given ever increasing workloads, and human error remains a significant contributor to data errors and security breaches, automation emerges as a crucial solution.

Businesses are increasingly looking toward automation to streamline processes, improve productivity, and “enhance operational efficiency”. A naïve security team might be afraid of the risk that automation poses. But, using a SABSA perspective, we can see that risk from a different angle and recognize it as an opportunity: both to focus on what is important to the business and to reduce the exposure of systems to the human factor.

Through real-world examples, we will illustrate how automation can enhance security posture and minimize the impact of human errors on an organization. We’ll also explore the various ways automation can support security risk assessment, such as enhancing anomaly detection and fortifying defense mechanisms. We’ll also discuss the importance of controls to ensure that automation doesn’t fail. Facilitated by a member of your friendly neighborhood automation team, participants can expect to discuss the best ways to communicate and partner with groups modifying their processes so that security can take advantage of a rare chance to course-correct across their organization.

Speaker(s)

Ashling Lupiani

Honey or Vinegar? Leveraging Human Psychology to deliver positive security outcomes at scale

Session 14B

As the old saying goes – “you catch more flies with honey than vinegar”. The question then follows, how might this saying change the way we approach embedding cybersecurity into the thinking of each and every one within your organisation? And if we did – what might the outcomes be?

This session will explore the researched and proven methods in behavioural psychology and look to propose an approach using what we know about human psychology to increase the care, and positive outcomes from each touchpoint with our organisations to embed cybersecurity at scale.

Building on the foundational tenets of from frameworks such as SABSA, we will dive into practical approaches to improve the way cybersecurity teams incentivise and reward positive cybersecurity behaviours, leading to better security outcomes for the organisation.

Attendees will leave the session with a fresh take and practical next steps on how research-backed behavioural psychology methods in communication and recognition can meaningfully contribute to furthering our goal of securing our organisations. Dialling up the honey and tempering the vinegar to a palatable portion.

Speaker(s)

Ben Ley
Wednesday 26th
13:00-14:00

Lunch
Wednesday 26th
14:00-14:45

Unified Security Culture Programs: Impermanence, imperfection and iteration

Session 15A

This session is the story of an organisation like many others, which assembled a clever and capable security team. After establishing their fundamentals, the team developed security education, outreach and champion programs over time to build security culture. While these programs were individually excellent the team realised they could win even more with a unified game plan.

Using elements of the SABSA security architecture toolbox the needs of the organisation and team were assessed, language was normalised and helpful explanatory diagrams were drafted. This foundation allowed the team to have a shared view of program goals, terms of success and how to mutually support each other to great effect.

This is not a story of a perfect enterprise implementation of SABSA within an organisation. That would be a tall tale and COSAC doesn’t tolerate those kindly.

This is a story of thoughtful experimentation, iteration, growing at the pace of trust and a ‘wabi sabi’ mindset. It is a story of successes and the practical lessons learned over time. And yeah, it features a few novel SABSA models.

Speaker(s)

Kirk Nicholls

Apocalypse CISO

Session 15B

Continuing the theme from COSAC Naas 2024 of posing challenges faced by CISOs from the viewpoint of cinematic classics, your presenter delves into his past, because like so many things in life, what is old is new again…”the horror”.

It is September 1^st 2006, and a content update has been published by a then global security vendor, an enterprise software powerhouse, no different than most times of the day each day. Only this time this latest ‘virus signature’ contains a particularly unfortunate false positive, an erroneous detection that will detect a critical system file of the world’s most-used server operating system as malware. Within eight hours a new replacement signature is released, yet a further eight days passes before the resolution of the second-waive of consequence is achieved, that at first went unnoticed. Sound familiar?

To quote the then Vice President in charge of this research & development lab: “We play with bombs, sometimes…well, eventually you expect one will explode in your face”. In those days it did make the global tech news, even some business news, but went unnoticed by the mainstream or general public.

On July 19^th 2024 something similar occurred with a current global security vendor, however this time in a cloud-based, as-a-Service, IoT-world the impact and reach was fast, heard and felt by millions from Fortune-100s to everyday members of society trying to buy groceries on a Friday evening.

The media began their coverage with much of it pointing the blame at the wrong party, or where more accurate they still filled in the unknowns and gaps with speculation or poor “techie jargon” jokes. Meanwhile impacted organisations began looking to their CISOs and heads of cyber security for a solution…to make it go away, to “terminate with extreme prejudice”.

Speaker(s)

Steven Kintakas
Wednesday 26th
14:50 15:35

Seamlessly Traversing Shifting Boundaries

Session 16A

The ability to cross boundaries is one of the most natural human behaviours, in fact, it is so natural and normal that we don’t even give it a second thought.

Whether we walk out of our houses into public or walk into a bank or store from the street, we don’t even consciously think of the fact that we are crossing a boundary or that each boundary that we cross is beholden to a set of rules that we learn to follow from a young age. One can even go so far as to say that each of these boundaries defines and protects a zone. The Oxford dictionary defines a zone as “an area or stretch of land having a particular characteristic, purpose, or use, or subject to particular restrictions”. Why is it then that we make it so incredibly difficult for ourselves to define and traverse zones in modern business environments? In this session we will explore how we can use an adapted version of SABSA domain modelling to define and manage zones within a modern enterprise and use these zones to create and communicate security information flows and controls to stakeholders concisely and consistently.

Speaker(s)

Jaco Jacobs

Leveraging Cyber Threat Intelligence to Elevate Communication with Executives

Session 16B

Cyber Security is a critical topic in Boardrooms across the world. This is driven by increasing reliance on technology to deliver business outcomes along with the rapidly evolving cyber threat landscape and regulatory actions. These changes require CISOs and cyber leaders to develop effective communication strategies that bridge the gap between technical jargon and business acumen.

This session will explore how leveraging threat intelligence can enhance boardroom engagements, ensuring that board members grasp the implications of cyber risks and make informed decisions.

Audience will gain insights into selecting and tailoring key metrics that resonate with board members, aiding in strategic planning and risk management. The discussion will cover the integration of threat intelligence into boardroom conversations to enhance situational awareness, improve incident response readiness, and inform cyber risk governance.

The session will also contain a case study, leveraging public data from prominent regulatory activity in Australia to illustrate what constitutes reasonable and proportionate control measures. These enable defensible postures and promote prudent investment prioritisation discussions with Board and Executives.

The session will be delivered by two seasoned and highly respected cyber leaders in Australia who will bring real-world learnings from across a wide range of industries.

Speaker(s)

Chirag Joshi
Chatura Abedyeera
Wednesday 26th
15:35-15:55

Afternoon Tea
Wednesday 26th
15:55-16:40

It is More About the Business Strategy & Less About the Technology

Session 17A

Organisational cyber strategies typically include implementing new tools and hiring more people. A consistent gap, is linking cyber strategies to protecting and enabling business strategies.

Some of these can be about putting capability in place to prevent risks occurring or monitoring movement in known risks. Roy Hill took a different approach for its FY25+ Cybersecurity Strategy by using concepts around traceability and other SABSA principles to build a strategy directly linked to organisational strategy and business priorities.

Speaker(s)

Paul Karan

FANTASTIC BEASTS AND HOW TO TAME THEM: Operationalising Vulnerability Governance

Session 17B

In this session, we will delve into the intricacies of Vulnerability Management and Governance and provide a clearer understanding of their respective roles. Through her extensive experience, the featured speaker, Stephanie, will share a range of effective methodologies that can be deployed to operationalise vulnerability governance.

She will also outline how these frameworks can be customised to meet the unique needs of any organisation.

The session is designed to benefit all participants, as the insights and tips shared can be applied across all different types of organisations with tangible improvements to governance and management practices.

Speaker(s)

Stephanie Park
Wednesday 26th
16:45-17:30

Security Architecture is a Team Sport

Session 18A

Enterprise security architects occupy a strange and sometimes inscrutable place within the team. They talk to business as well as technical staff, ask odd questions, build layered models and feel strongly about something called traceability. Through their efforts plans, designs and roadmaps are created which guide us forward in a sustainable and balanced way.

As SABSA architects we are taught to approach this work with a high degree of consultation, concern for shared understanding and need for logical consistency. This is best done as a team, because we can only win together.

Sarit and Kirk will share experiences collected from architects who had different degrees of success working with teams. These case studies will be used to discuss the importance of a collaborative team-based approach to the work of the enterprise security architect.

Speaker(s)

Kirk Nicholls
Sarit Kannanoor

On The Art of Game Theory & Threat Modelling

Session 18B

It was asked at the 2024 COSAC APAC, “But we don’t have unlimited resources, how do we threat model and consider the costs?”, this presentation aims to help answer that question.

Game Theory started with von Neumann’s On the Theory of Games Strategy paper in 1928 and the theory and was extended in the 1950s to consider its application to Nuclear Strategy by the RAND corporation.

In this presentation Bruce will discuss the background of Game Theory, how it has evolved and how it can be applied to cyber security threat modelling activities. The session will then open up to the room to discuss people’s experiences using Game Theory in their threat modelling activities. The session will close with resources and an approach people can take back to their workplaces.

Speaker(s)

Bruce Large
Wednesday 26th
17:40-18:40

The COSAC Rump Session

Plenary 19P

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 26th February.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Speaker(s)

David Lynas
Wednesday 26th
15:45-19:15

Drinks Reception
Wednesday 26th
19:15

Dinner

Thursday 27th February

Thursday 27th
09:00-09:30

Registration & Coffee
Thursday 27th
09:30-13:00

COSAC Workshops are half-day, 09:30 - 13:00 & 14:00 - 17:30
Thursday 27th
09:30-13:00
5th COSAC APAC Security Architecture Design-Off

Workshop W1

Returning for a 5th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment.

This is a unique competition format that uses real client scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Speaker(s)

Bill Schultz
Jason Kobes
Making Better Risk Decisions with Open FAIR

Workshop W2

Cybersecurity risk quantification has gained popularity in recent years in sectors like banking, insurance, and pharmaceuticals.

Wider adoption is still lagging, however, with a number of commonly cited arguments against its use:

Qualitative methods (risk matrices) aren’t perfect, but they’re good enough

We couldn’t possibly have enough data to quantify cyber risk

Statistical modelling is too difficult; our stakeholders won’t understand it

In this workshop, we aim to debunk some of the common misconceptions surrounding quantitative methods. Participants will:

Learn about statistical loss modelling and cyber risk quantification techniques.

Use the Open FAIR^TM framework to model cyber losses.

Understand the limitations of using Open FAIR^TM with SABSA-based architectures.

Participate in hands-on modelling activities with enterprise quantitative tools.

Apply these concepts to real-world case studies.
Speaker(s)

Patrick Dunstan
Wargames: Tabletop Crisis Simulation

Workshop W3

Tabletop exercises are an essential tool for testing the preparedness of organizations in responding to crisis situations. However, traditional tabletop exercises often lack the element of unpredictability that can make real-life crises so challenging. This is where the Dungeons & Dragons (D&D) 5e tabletop role-playing game (TTRPG) system can be a valuable addition to cybersecurity crisis simulations.

By using the D&D 5e TTRPG system, cybersecurity tabletop exercises can be gamified, adding an element of randomness, unpredictability and fun to the simulations. Participants can take on roles, such as security analysts or executives, and work together to solve challenges that are presented in the game. This approach not only makes the simulations more engaging but also provides an opportunity for participants to practice decision-making under pressure.

The D&D 5e system is well-suited for this purpose due to its flexibility and versatility. It allows for a wide range of cybersecurity scenarios and challenges to be created and can accommodate varying levels of experience and skill among participants.

Come and join us for a game of Hackers & Crackers (H&C) where we will be using the D&D 5e TTRPG system in a cybersecurity tabletop crisis simulation.

Speaker(s)

Jaco Jacobs
Thursday 27th
11:05-11:25

Morning Coffee
Thursday 27th
13:00-14:00

Lunch
Thursday 27th
14:00-17:30
This is the Way! Using SABSA to Transform A Global Managed Security Services Provider

Workshop W4

In late 2022 I was assigned to lead a team mandated with creating and implementing a strategy to transform the Managed Security Services business of a global organization that provides end-to-end security services. This organization operates more than twenty delivery centres globally and has grown, organically and through acquisition, to more than 3000 delivery centre employees.

Due to the rapid growth, many of the delivery centres were operating in their own bubbles and using their own operating models, service definitions, delivery processes, playbooks, runbooks, people management processes, SLAs, metrics and technology stacks. This caused a high degree of inconsistency in the quality, delivery methods and collaboration between the centres, especially when providing services to clients with global footprints.

In this session we will look at how SABSA was used in this transformation journey and the value and impact that it has had on the organization.

Part 1: Context – Setting the context of the requirements and putting the necessary governance in place (Program Governance Model)

Part 2: Setting the baseline – Creating a way to consistently communicate priority and value through language and terminology (Business Attributes & Glossary)

Part 3: Organization – Creating a repeatable organization model based on priorities, requirements, skills and technology (Domain Model & Talent Program)

Part 4: Performance Targets – Creating internal and external facing KPIs and SLAs to measure performance

Part 5: Processes – Creating repeatable operational processes

Part 6: Delivery Method – Updating existing mandated delivery methods to reflect and implement changes

Speaker(s)

Jaco Jacobs
Redefining Digital Identity for A Seamless & Secure Future

Workshop W5

In an era where digital transformation drives the global economy, the concept of Digital Identity has emerged as a cornerstone of secure, consumer-friendly interactions. This Masterclass at COSAC APAC 2025 will delve into the intricate process of designing a robust digital identity strategy and its implementation through technology.

Through the lens of a real-world case study, we will explore the strategic, customer-centric, and technological dimensions of this critical aspect of modern business. Participants will gain invaluable insights into:

Strategic Business Approach that aligns vision with Identity

The Customer Journey: Designing for Trust and Convenience

Technology Implementation: Architecture and Integration

Lessons Learned: Navigating Challenges and Achieving Success

The Road Ahead: Future Initiatives and Emerging Trends

The Masterclass will conclude with an open forum for participants to ask questions, share experiences, and discuss potential collaborations. Attendees will leave with a comprehensive understanding of an industrialized Digital Identity implementation and will be primed to embark on their own transformative Digital Identity journeys.
Speaker(s)

MZ Omarjee
The COSAC Risk Workshop Series - Challenges with Risk Aggregation & Compound Risk

Workshop W6

The purpose of the risk workshop is to explore the hard parts of understanding risk. We have previously conducted workshops in Ireland and Australia on how to understand and model risk, how to explain and display risk to stakeholders, and how to think like our adversaries to identify threats that we would otherwise miss.

In this workshop we will begin to explore the challenge of how to aggregate risk in a complex environment to help determine which mission objectives are most at risk. We understand single weaknesses and single risks well, but once things get complex it becomes complicated to understand how the risk compounds. Averages don’t do the trick; neither does plotting all the risk on a graph. Actuarial science has solutions, but these solutions require years of data we don’t have. This collaborative workshop will dive into this risk problem to discuss the specific challenges and collectively try to uncover a path forward.

Speaker(s)

Bill Schultz
Jason Kobes
Thursday 27th
15:40-16:00

Afternoon Tea
Thursday 27th
17:30-17:45

Conference Close - COSAC Chairman's Closing Remarks
Thursday 27th
17:45-19:45
The SABSA Institute Forum

The SABSA Institute (TSI) and the TSI Liaison Group (LG) update. The TSI Forum includes a question-and-answer session and an opportunity to meet and interact with The SABSA Institute Board of Trustees (Directors) and LG members.

Separate Registration is required: Register

At the TSI Forum, The SABSA Institute (TSI) and the TSI Liaison Group (LG) will provide their latest updates.

The TSI Forum also includes a question-and-answer session, and an opportunity to meet and interact with The SABSA Institute Board of Trustees (Directors) and LG members.

Agenda:

Introduction to TSI (for non-members)

The SABSA Institute update

Liaison Group EMEA & North America update

Liaison Group APAC update

Questions & Answers session

Networking: Meet the SABSA Institute Board of Trustees and Liaison Group Members

Speakers:

Gareth Watters – TSI Board Trustee

Kirk Nicholls – TSI Board Trustee – Chair APAC Liaison Group
Speaker(s)

Gareth Watters
Kirk Nicholls
Kate Mullin
Glen Bruce

COSAC
Patrons

A completely new COSAC experience pushing the boundaries of cybersecurity further than ever before. Smart people, inspiring guest speakers and a ton of passion. Become a COSAC Patron and gain access like no other.

Become a patron

COSAC
2024.

29th Sept - 3rd Oct: Kildare, Ireland

More Info Register

Contact

Get in contact with us by email, phone or just stay social and connect with us on LinkedIn & Twitter

COSAC APAC 2025

Tuesday 25th February

Tuesday 25th 08:30-09:00

Tuesday 25th 0900:-09:20

Tuesday 25th 09:30-10:15

Security Architect to CISO – How SABSA Saved My Bacon

Session 2A

Speaker(s)

Quantum Computing Demystified

Session 2B

Speaker(s)

Tuesday 25th 10:20-11:05

The High Rollers Table - A Case Study in Proving Your Value Using SABSA

Session 3A

Speaker(s)

AI - Your New Partner in Capability Uplift

Session 3B

Speaker(s)

Tuesday 25th 11:05-11:25

Tuesday 25th 11:25-12:10

Building An Explanatory SABSA Matrix Bottom Up

Session 4A

Speaker(s)

AI & Quantum Computing - A Double-Edged Sword for Cybersecurity

Session 4B

Speaker(s)

Tuesday 25th 12:15-13:00

Transforming Enterprise Security Architecture from Theory to Practice

Session 5A

Speaker(s)

AI Governance and Risk: Navigating ISO 42001 and ISO 23894

Session 5B

Speaker(s)

Tuesday 25th 13:00-14:00

Tuesday 25th 14:00-14:45

Implementing the NIST CSF 2.0 the SABSA Way Cybersecurity Framework

Session 6A

Speaker(s)

RegTech: The Evolution of Cyber Financial Crime Solutions

Session 6B

Speaker(s)

Tuesday 25th 14:50-15:35

The ISM, E8 & SABSA

Session 7A

Speaker(s)

Architecting Cybersecurity Self-Assurance

Session 7B

Speaker(s)

Tuesday 25th 15:35-15:55

Tuesday 25th 15:55-16:40

SABSA, Security Metrics and Compliance (The Good, The Bad and The Ugly)

Session 8A

Speaker(s)

Communicating Cyber with Pretty Pictures: A Guide for Technical People

Session 8B

Speaker(s)

Tuesday 25th 16:45-17:30

The Mystery of Business Attributes - An Interrogation of Kipling's Six Honest Men

Session 9A

Speaker(s)

Metrics That Matter

Session 9B

Speaker(s)

Tuesday 25th 17:40-18:40

The Increasing Importance of Technical Surveillance Countermeasures (TSCM) in the Era of IoT and Mobile Devices

Plenary 10P

Speaker(s)

Tuesday 25th 18:45-19:15

Tuesday 25th 19:15

Wednesday 26th February

Wednesday 26th 09:00-09:30

Wednesday 26th 09:30-10:15

An Analysis of the Integration of SABSA and Mitre Projects

Session 11A

Speaker(s)

Exploring Dora

Session 11B

Speaker(s)

Wednesday 26th 10:20-11:05

The Intersection of Digital Archiving Principles and SABSA Framework

Tuesday 25th
08:30-09:00

Tuesday 25th
0900:-09:20

Tuesday 25th
09:30-10:15

Tuesday 25th
10:20-11:05

Tuesday 25th
11:05-11:25

Tuesday 25th
11:25-12:10

Tuesday 25th
12:15-13:00

Tuesday 25th
13:00-14:00

Tuesday 25th
14:00-14:45

Tuesday 25th
14:50-15:35

Tuesday 25th
15:35-15:55

Tuesday 25th
15:55-16:40

Tuesday 25th
16:45-17:30

Tuesday 25th
17:40-18:40

Tuesday 25th
18:45-19:15

Tuesday 25th
19:15

Wednesday 26th
09:00-09:30

Wednesday 26th
09:30-10:15

Wednesday 26th
10:20-11:05

Wednesday 26th
11:05-11:25

Wednesday 26th
11:25-12:10

Wednesday 26th
12:15-13:00

Wednesday 26th
13:00-14:00

Wednesday 26th
14:00-14:45

Wednesday 26th
14:50 15:35

Wednesday 26th
15:35-15:55

Wednesday 26th
15:55-16:40

Wednesday 26th
16:45-17:30

Wednesday 26th
17:40-18:40

Wednesday 26th
15:45-19:15

Wednesday 26th
19:15

Thursday 27th
09:00-09:30

Thursday 27th
09:30-13:00

Thursday 27th
09:30-13:00