Schedule

COSAC APAC 2026

Tuesday 24th February

Tuesday 24th
08:30-09:00

Registration & Coffee
Tuesday 24th
09:00-09:20

COSAC APAC 2026 Chairman's Welcome
Tuesday 24th
09:30-10:15
Implementing the SABSA NIST CSF Community Profile

Session 2A

The NIST CSF provides a collection of essential areas where cybersecurity protections are needed but the current specification of functions, categories and subcategories are far from comprehensive or sufficient for many organizations. NIST is now encouraging extensions be defined to the CSF to add the missing elements deemed important or necessary to adapt the CSF to meet the needs of specific industries, associations, regulatory bodies or legislative requirements through Community Profiles for developing use case-specific cybersecurity risk management guidance for multiple organizations.

The SABSA Institute (TSI) sponsored SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project is currently developing various tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work the SABSA way. This session is a high-level view of what the SENC project has developed to date and will be developing to guide the integration of the NIST CSF into a SABSA security architecture including an initial look at the SABSA NIST CSF Community Profile.

The SENC Project Team has now finalized a library of example SABSA business attributes and attribute profiles based on the NIST CSF Categories and Subcategories. The team focus now includes defining the SABSA-specific NIST CSF Community Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method and a collection of SABSA-specific Examples supporting the CSF subcategories aligned to the SABSA NIST CSF Community Profile. This session provides a first look at the SABSA CSF Community Profile which will provide an easier and more complete integration of the CSF into your security architecture. The SABSA NIST CSF Community Profile will be enhanced with a collection of SABSA specific Examples for implementing the CSF Subcategories providing additional insight into effectively leveraging SABSA while integrating the CSF.

Applying the NIST CSF typically focusses on the processes, technologies and controls while losing sight of the business value and risks involved. The extensions from the SABSA CSF Community Profile and the supporting Examples will provide a more complete solution for effectively managing business risk across the enterprise. This session will be a review of what the SENC Project Team has accomplished to apply and enhance the NIST CSF 2.0 to manage your organization’s business risk requirements.
Speaker(s)

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

In his 50+ years of in-depth experience in IT and security consulting, systems management and technical implementations, Glen Bruce has focused on Security Frameworks, Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has led many information/cyber security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of a wide range of business and technical requirements. Glen is the leader of the SENC workgroup project.
From Value Chain to Prompt: AI Fast Track

Session 2B

This presentation is a walkthrough of the analysis of value chains as part of architecting AI solutions which demonstrate clear value to the business. It presents the AI Accelerator Playbook and demonstrates how AI value chains are analyzed.

It provides an insight into the steps required to identify the opportunities for AI in the business, introduces some new architectural tools, and describes reference mappings of attributes to the value chain. In addition to outlining the opportunities provided by AI, the presentation includes analysis of stakeholders and their impact on the AI initiative.
Speaker(s)

Dr Malcolm Shore

Chief Architect, David Lynas Consulting (New Zealand)

Malcolm had a career in the RNZAF before joining GSCB as the Director of Information Systems Security where he developed and managed the national information security programme for New Zealand. Subsequently as Technical Director CES Communications he was responsible for developing embedded cryptography voice and data products. As Technical Director at BAE Systems Applied Intelligence he managed the security evaluation, reverse engineering and penetration testing teams.  He has held a number of Chief Security Officer roles in the telecommunications field, including Telecom NZ, NBN Co, and Huawei Australia. As a consultant he has undertaken security architecture contracts in the UK, Australia and the Gulf region. Malcolm is currently Chief Architect at DLC and is a partner in Outpace AI, Australia.

Malcolm has represented Australia and New Zealand in cybersecurity forums internationally, has participated in the ISO and Open Group standards bodies, and has held board roles in both AISA and the SABSA Institute. He is also a partner in the Global Forum for Cyber Expertise (GFCE).

As a part time academic, Malcolm developed and lectured in the Post Graduate Diploma in Forensics and Security at Canterbury University in New Zealand and is now an adjunct PhD Supervisor at Deakin University in Melbourne.  Malcolm was instrumental in developing and launching the vocational Certificate IV in Cybersecurity throughout Australia.  He has published research in the cybersecurity field, and is the author of numerous online cybersecurity and programming courses published through Linkedin Learning and Offensive Security.
Tuesday 24th
10:20-11:05
Enterprise Security Architecture – Using SABSA to Deliver ISO 27001 the Right Way

Session 3A

Many of us who come to attend a SABSA course are well versed in ISO 27001 and/or ISO 20000 (ITIL). Most organisations (especially utilities, water, transport etc), have what is called an integrated management system which brings together standards such as ISO 9001 (Quality), ISO 45001 (Safety), ISO 14001 (Environment) under one management system. Before embarking on developing and implementing enterprise security architecture, it is important that Enterprise Security Architects understand such standards.

A key benefit of using SABSA as an Enterprise Security Architect is that SABSA can be integrated into any existing framework. Those of us who have attended the SABSA courses know that SABSA is a complete problem-solving framework that provides a variety of tools and techniques to demonstrate traceability for justification and completeness.

Grand as SABSA is, many students (including me, 15 years back) walk away from a SABSA course mesmerised with the newfound knowledge and being converted into SABSA evangelists. Many also wonder how SABSA can be implemented into an organisation. Others wonder where they can start with SABSA. What if there was a way for the security practitioner to use the SABSA tools and techniques within a familiar framework such as ISO 27001? Surely, a good CISO or a security manager would want their security to be managed against an independently certifiable standard.

This session will show you how ISO 27001 can be done the right way using most of the techniques provided by SABSA. For example, clause 4.1 of the ISO 27001 standard is about ‘understanding the context of the organisation’. This is the contextual layer of SABSA. Another example is clause 6.1.3 which requires the development of a ‘Statement of Applicability’ that provides traceability in terms of ‘justification’ and ‘completeness’. What better way is there to do this than using SABSA? As always, you will receive my slide pack filled with practical examples and notes to start your ISO 27001 journey done the right way, with SABSA.
Speaker(s)

Sarit Kannanoor

Head of Cybersecurity, Digital Frontier Partners (Australia)

Sarit is a highly accomplished security leader with experience in enterprise security architecture. Sarit has an engineering, governance and technology background and specialises in governance, risk, compliance and assurance aspects of security. Sarit is able to provide balanced advice to senior management and board by considering security from a Business Security perspective and not just from an Information Security or IT / Cyber Security perspective. Sarit has presented a paper at the COSAC 2024 on Business Trust. Sarit is a Chartered SABSA Master.
Beyond the Algorithm: Cultivating Trust in the AI Era

Session 3B

Artificial intelligence is now integral to our lives and businesses. As AI's influence expands, trust becomes paramount. We must go beyond innovation to ensure AI systems are responsible, safe, and dependable.

This discussion highlights the critical pillars for building trust while innovating with AI. We’ll explore technical guardrails, ethical considerations, robust privacy frameworks, and stringent regulatory compliance. Think of it like building a sturdy house: these elements form the solid foundation and supporting pillars of trust, transparency, ethics, and security, all unified under a regulatory roof.

The rise of AI agents—autonomous systems capable of independent action—underscores the urgency of trust. For these agents to be truly valuable, they must be meticulously engineered with these core principles. This means they must operate ethically, provide clear visibility into their actions, maintain robust data security, actively mitigate biases, and strictly adhere to all relevant regulations. When these factors are addressed, AI agents become reliable and equitable assets.

Building trust while innovating with AI isn’t just a good idea; it’s a fundamental business imperative. By prioritising Trustworthy AI, we lay a solid foundation for its widespread and beneficial deployment. These aren’t abstract concepts but crucial elements for developing AI systems that are not only advanced and effective but also inherently dependable and ethical. Through these responsible practices, we’ll unlock AI’s full potential, delivering tangible benefits and cultivating a more trustworthy digital future for all Australians.
Speaker(s)

Bharat Bajaj

Professional Development Board Member, ISACA Melbourne Chapter (Australia)

Bharat is a highly accomplished Technology Risk leader with two decades of experience navigating the complex landscapes of Artificial Intelligence, Machine Learning, Cybersecurity, and Privacy. I have partnered with three of the “Big Four” Australian banks, spearheading large-scale transformative projects and architecting robust technology risk mitigation strategies that demonstrably safeguard operations, enabling customer objectives. My approach blends deep industry expertise with incisive strategic thinking, consistently delivering tangible business value.

I am instrumental in the implementation and governance of Machine Learning, Generative AI, and AI Agentic systems. My responsibilities encompass the identification of technology risks and evolving compliance requirements, coupled with the development and implementation of comprehensive guardrails.

As a dedicated Board Director at the ISACA Melbourne Chapter, I am deeply committed to enhancing the professional capabilities of our community. I actively shape and execute the Chapter’s certification strategy and lead the delivery of ISACA certification training programs, empowering individuals to excel in their respective fields.

In previous leadership roles, I cultivated a pragmatic approach to Governance, Risk, and Compliance (GRC), consistently delivering outcome-based value in managing a broad spectrum of risks.

Reshma Devi

AI and Data Risk Leader, Transurban (Australia)

Reshma is an AI & Data Risk specialist with experience in Security and Technology. She holds a Master’s Degree in Information Technology, is a Certified Data Privacy Solutions Engineer (CDPSE), and is a Graduate of the Australian Institute of Company Directors (GAICD).

With a passion for Data, AI, and emerging technologies, Reshma brings over 20 years of experience working in Australia and New Zealand. She is deeply committed to Data Security and addressing emerging AI challenges. Currently, Reshma serves as a Director at ISACA Melbourne and sits on the Advisory Board for other not-for-profits. Additionally, she contributes as a Subject Matter Expert Reviewer for ISACA’s CDPSE Manual and regularly writes for blogs, podcasts, and security magazines.
Tuesday 24th
11:05-11:25

Morning Coffee
Tuesday 24th
11:25-12:10
When SABSA met FAIR: A Framework Dynamic Duo

Session 4A

This session will show how SABSA can incorporate FAIR (Factor Analysis of Information Risk) to increase risk rigor and security decision-making.

The real magic happens when FAIR directly promotes SABSA’s architecture by providing robust risk quantification. This formidable approach aligns with the Motivation column of the SABSA matrix, answering the critical “why” behind security decisions. While FAIR method delivers strong, reliable risk assessments, SABSA ensures these insights are seamlessly combined with other crucial pillars to optimally serve business goals.

Using FAIR to reinforce the “why” component within SABSA underscores the current, urgent demand for healthy, risk-based, and quantifiable security strategies in the face of escalating cyber threats. By combining the two frameworks, security professionals can effectively explain complex risks within a SABSA enterprise architecture. This allows for the use of simple, quantifiable terms that stakeholders and leaders can easily understand, making it easier to have meaningful conversations about security priorities and investments.

Discover a fresh and inspiring perspective at how FAIR enhances “Motivation” in SABSA – hence encouraging confidence, sharpening risk management, and supporting SABSA security architecture.
Speaker(s)

Rodney Anderson

Head of Information Security and Compliance, Barnardos Australia (Australia)

Rodney is an accomplished information security professional with more than two decades of experience across diverse industries including large corporate, telecommunications, energy, healthcare, and major financial sectors. Currently, he is dedicated to giving back to society, as the Head of Information Security & Compliance (aka CISO) at Barnardos Australia. There, he exercises thought leadership by crafting practical, risk-appropriate security visions and roadmaps through a commitment to continual improvement.
Human Crash-Test Dummies, and How AI has Taken the RED out of DREAD...

Session 4B

The modern AI world has weaponized the attackers with better and smarter tools than ever before.
The "DREAD" threat model is now trending to just "AD" (i.e. AI tools are blitzing the Reproducibility, Exploitability and Discoverability of vulns. All we can manage now is the Damage and Effected users).

This is why Digital Safety has never been more vital, to architect systems that “fail safely”.

This is brought home in two autonomous vehicle designs, one is more secure (less likely to be hacked), the other is safer (less damage when hacked).
Speaker(s)

Andy Prow

Founder, Qubit Cyber (New Zealand)

Andy is a cyber-security veteran with 30+ years of IT experience, most of which has been in cyber security. From being a software developer for global giants such as IBM, Ericsson & Vodafone, to pen testing and vulnerability research, to more recently as a tech entrepreneur founding 6 firms, including Aura InfoSec, and RedShield Security. Andy is a previous winner of the EY NZ Entrepreneur of the Year, and was inducted into the NZ InfoSec Hall of Fame 2023. His new company Qubit focuses on Digital Safety (keeping humans safe in a modern technical world), and is on the board of both NZTech and the NZITF (NZ Internet Taskforce). He’s also a parttime student, studying a PhD in Digital Safety and Cyber-Engineering.
Tuesday 24th
12:15-13:00
Optimising Information Asset Utilisation Through Co-Design and SABSA Integration

Session 5A

This paper explores the lifecycle of an information asset, tracing its evolution from a singular business process to its strategic positioning within the layers of the SABSA framework.

It examines the appropriation and manipulation of information assets to serve diverse operational, compliance, and security objectives. By leveraging principles of co-design, this study highlights methodologies for engaging both internal and external stakeholders to maximise the value of information assets while ensuring system configurations align with business and regulatory requirements.

A common pitfall in system implementation is the relegation of information asset considerations to a secondary priority, often introduced late in the development cycle. This paper advocates for an integrated approach in which co-design specification workshops with business users are conducted at the outset. By embedding information asset planning into the initial stages, organisations can optimise system functionality, enhance compliance, and derive long-term strategic benefits.
Speaker(s)

Bethany Sinclair-Giardini

Senior Business Consultant, TechnologyOne (Australia)

Dr Bethany Sinclair-Giardini has spent most of her career in Information Governance, working with information assets, ensuring their security, integrity and retention/disposal. She is a passionate advocate for ensuring data and information assets are managed coherently with adequate metadata in terms of lifecycle management. She is a leading member of her industry organisation, RIMPA Global, and has been a member of the SABSA Institute since 2024 when she first presented at COSAC APAC. She configures recordkeeping software in her day job, and crops up now and then at information security events around Melbourne.
Space Engineering Inspired Cyber Resiliency

Session 5B

Recent high-profile IT outages, like the CrowdStrike incident or the accidental wiping of the complete Google cloud service of UniSuper Australia, are a stark reminder that cybersecurity is not just about malicious threat actors, but also about issues arising from human errors with no failsafe.

This presentation explores how proven engineering practices from various fields, like space engineering, aeronautical engineering, or redundancy engineering, can be utilized for more cyber resilient architectures. These fields are renowned for their rigorous redundancy strategies, and we are going to explore how they can be adapted to fortify our security frameworks against innocuous threats.

Space systems for example are designed to operate in the most unforgiving environments, where failure is not an option. These systems achieve unparalleled reliability through the implementation of extensive redundancy measures at every level, from hardware components to software protocols. By drawing inspiration from these practices, we can develop security architectures that are not only robust but also capable of maintaining functionality in the face of sophisticated cyber threats and operational disruptions.

This presentation will delve into specific space engineering methodologies, such as:

Layered Redundancy: Implementing multiple layers of defence to ensure that if one component fails, others can take over seamlessly.

Fault Tolerance: Designing systems to continue operating properly in the event of the failure of some of its components.

Modular Design: Creating systems with interchangeable modules that can be easily replaced or upgraded without affecting the overall operation.

Rigorous Testing: Applying rigorous pre-launch testing and simulation practices to identify and mitigate potential vulnerabilities before they are exploited in real-world scenarios.

Attendees will gain insights into how these space engineering principles and others from the wider field of engineering can be translated into practical strategies for building threat-resilient security architectures. We will examine case studies and practical applications that demonstrate the efficacy of these approaches in protecting critical enterprise assets. This presentation aims to inspire a paradigm shift towards more robust, redundancy-inclusive security architectures, paving the way for a new era of cyber resilience.

Ideas covered in this presentation are not meant to be just taken and implemented but should spark a discussion on opportunities for security architects delivering more cyber resilient solutions. With this presentation we want to put a spotlight on often underrated cybersecurity threats, as witnessed in the latest incidents, and raise awareness on existing frameworks and tools addressing this space, like Mitre in their Cyber Resiliency Engineering Framework and NIST’s Special Publication 800-160 on the development of Cyber-Resilient Systems.
Speaker(s)

Chathura Abeydeera

Director, CYNQ (Australia)

Chathura is a trusted cybersecurity advisor with over 20 years of industry experience. He is also an advisory board member of the CREST Australasia. He has delivered complex technical Cyber security assessment programs and Incident Response engagements for a number of high profile Australian and global organisations.

Andreas Dannert

Director - Accenture’s Security Practice, Accenture (Singapore)

Andreas is currently a Director at Accenture Singapore, responsible for the security delivery to mostly clients in the Financial Services industry.

Previously he was working in various Enterprise Security Architecture roles at Standard Chartered Bank in Singapore. At SCB he was responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities.

Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of Australians. At nbn Andreas was responsible for defining nbn’s Security Strategy and technology roadmap across the organisation.

Prior to nbn, Andreas has worked in management and security consulting for Accenture, Deloitte and HSBC in various roles, lately purely focussing on delivering Enterprise Security Architecture artefacts like Security Architecture Frameworks and Security Models, and Security Technology Roadmaps to name a few. As a consultant Andreas has served clients in various industries across Europe, Asia and Australia.

In addition to his work at SCB, Andreas held multiple positions at the ISACA Melbourne Chapter board and has been an industry advisor to various organisations, like the Victorian’s Government Box Hill Institute and the Security Architecture Working Group of the IoT Alliance Australia. Andreas is also actively involved in the security architecture community and like running monthly workshops for security architects.

Andreas holds a Master of Computer Science degree from the Technical University of Berlin/Germany, is a Certified Information Systems Auditor (CISA), GIAC Security Essentials certified (GSEC exp.), ITIL Foundation certified, and a SABSA certified (SCF) professional.
Tuesday 24th
13:00-14:00

Lunch (Sponsored by David Lynas Consulting)
Tuesday 24th
14:00-14:45
How to Influence Your Way to Cyber Budgets

Session 6A

Creating persuasive presentations for executive buy-in on cybersecurity strategies requires a fundamental shift from technical jargon to business-focused narratives. Successful cybersecurity presentations must translate complex technical risks into quantifiable business impacts, emphasizing potential financial losses, regulatory compliance failures, and reputational damage. The key lies in speaking the executive language of ROI, competitive advantage, and strategic enablement rather than focusing solely on technical vulnerabilities.

For the SABSA-inducted, being able to drill upwards from Component and Physical layers up to the Context is critical, to provide traceability and the ability to convince others of decision making and investment steps. Visual storytelling through risk matrices, cost-benefit analyses, and implementation timelines helps executives grasp both urgency and feasibility. Presenters should position cybersecurity not as a cost centre but as a business enabler that protects revenue streams and facilitates digital transformation initiatives.

Critical success factors include preparing for budget-focused questions, demonstrating clear metrics for measuring success, and presenting phased implementation approaches that show quick wins alongside long-term strategic goals. The most persuasive presentations conclude with specific resource requirements, realistic timelines, and clear accountability structures. By framing cybersecurity investments as essential business infrastructure rather than optional technical upgrades, security leaders can secure the executive support necessary for comprehensive organizational protection.
Speaker(s)

Dimitri Vedeneev

CyberCX Executive Director - Secure AI, CyberCX (Australia)

A political science nerd, that stumbled into a career in cybersecurity by accident over 14 years ago. Lucky to be selected and work with the Australian national security community within the Australian Signals Directorate, followed by several stints in software product and consulting companies across the UK, Europe and North America.

In the last few years, I’ve moved back to Australia and now work at CyberCX, the leading sovereign cyber security consultancy, solutioning and providing delivery quality assurance across cyber security deliveries on cyber strategies, operating model designs, multi-skillset engineering and integration projects and dabble in assisting penetration testing and threat intelligence integration into non-standard programs of work.

A recent SABSA convert, just beginning my security architecture career, there’s plenty more to learn and understand ahead.
Living in a World of Covert Channels

Session 6B

On 24 February 2020 Terence Michael Whall was found guilty by a unanimous verdict of the murder of 74-year-old pensioner Gerald Corrigan, who was shot outside his rural home in Anglesey on Good Friday 2019.

Whall thought he had committed the perfect murder, there was no forensic evidence, no direct eye witness to the shooting and no one saw him travelling to and from the murder scene.

During the trial the jury heard evidence of telematics data provided by Jaguar Land Rover showing the location of a suspect vehicle the day before when Whall was reconnoitring the scene of the crime, the boot being opened at 23:11:04 and closed 39 seconds later when he removed the murder weapon

Evidence provided by Sky proved that Mr Corrigan’s satellite TV system was present at 00:08 at his home on the night he was murdered, at 00:28 he stopped a pre-recorded programme and the satellite signal was no longer present. When he went outside to investigate the problem, he was shot dead

Again, telematics provided valuable evidence of vehicle movement, the opening and closing of the boot following the murder and Whall making his escape from the scene.

It is a credit to the hard work of those prosecuting this case that they were able to retrieve a body of critical evidence and present it clearly to the jury during the five-week trial.

To many people it was a revelation that such levels of technical data were transmitted to third party companies routinely and without their understanding of the full scale of the activity.

In this talk we will focus on how this example is only one of many instances of such data transfers. In new work we will detail how malicious actors might take advantage of an emerging standardised environment for vehicle to vehicle and vehicle to infrastructure communications to undermine efforts to monitor their activities.
Speaker(s)

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.
Tuesday 24th
14:50-15:35
Using the SABSA Matrix with Stakeholders to Define Project Perspectives and Actions

Session 7A

The SABSA Matrix logically sets out the different layers of architectures against the perspectives of that layer. Recently when planning for a new Security Service, the SABSA Matrix was used in discussions with stakeholders for their reasoning, drivers, motivations and outcomes.

Different stakeholders each with different perspectives and needs were consulted, with a short explanation, they could understand and see value in the matrix and how it was logically set out. This also enabled a number of conversations and insights that might not have been otherwise explored. Additionally, the layers such Service Management also gave space to articulate needs in change to BAU processes, and effected teams.

There is also the intention that this can be included and extended into SABSA adoption in the enterprise. As well as adding in additional information, reasons, impacted systems and teams over the project journey.

This presentation will describe the journey, some pitfalls and success in the usage of the SABSA framework in helping to justify, deliver and articulate requirements for a Project.
Speaker(s)

Darren Skidmore

Enterprise Security Architect, Toll Group (Australia)

Darren is a Security Architect at a Global Logistics Organisation. He has worked in Security Architecture and other Security roles with major Australian and International companies and the public sector. Darren has presented at local, and International conferences as well as authored academic papers on topics from Security Architecture, Law, value in Open Source and ICT evaluation. He is an active member within the Australian Security Profession, including the SABSA working Group: Modelling SABSA in ArchiMate, and SABSA TSI APAC.
Taming the Untrusted: Zero Trust Approaches and Cross-Sector Case Studies

Session 7B

Taming the Untrusted: Zero Trust Approaches and Cross-Sector Case Studies In today’s digital world, it is no longer a question of whether an organisation will be the
subject of a cyber-attack but more of when. And as organisations rapidly transform in today’s digital-first world, the traditional security perimeter has vanished. The rise of hybrid work, cloud adoption, and increasingly sophisticated threats demand a new approach - one that doesn’t just defend, but enables cyber resilience.

An emerging paradigm for achieving Cyber Resilience is Zero Trust, which is a transformative security framework that rejects outdated notions of implicit trust and enforces continuous verification of every interaction.

As Zero Trust is not a product but an approach, this presentation will go beyond the buzz of what Zero Trust is to examine how organisations with very different missions are or can leverage Zero Trust to protect sensitive data, ensure compliance, and enable secure operations. Rather than talk purely about Zero Trust, we will look at 3 examples from different sectors, namely financial manufacturing and not-for-profit. The presentation also focuses on the approaches rather than specific products.

During this presentation, the following topics will be covered:

1.Understanding the Shift – Cyber Risk in the Digital Age

a. The changing nature of cyber threats and the inevitability of breaches
b. Legacy security models and why they are failing, and the impact of the failure to evolve

2. The Zero Trust Paradigm

a. Evolution of the concept
b. Zero Trust Myth vs Reality

3. Zero Trust in Action to Build Resilience

a. Key pillars of Zero Trust – it’s a journey, not a product
b. Not a one size fits all

4. Case Studies (each covering challenges, approach, outcome)

a. Case 1 – Financial sector
b. Case 2 – Industrial sector
c. Case 3 – Not-for-profit sector

5. From Concept to Practice

a. The Crawl-Walk-Run approach
b. ZT Enablers and business alignment

6. Final Thoughts

a. Supporting transformation across different industries
b. Cyber resilience is the goal – is Zero Trust the path to get there?
Speaker(s)

Dr. Pierre Tagle

Head of Digital Identity and Zero Trust, DXC Technology (Australia)

Dr. Pierre Tagle, is an esteemed Information Technology and Cybersecurity professional with over 20 years of experience encompassing extensive consulting, executive
management, and 24×7 operational roles across diverse sectors including government, financial services, manufacturing, not-for-profit and academia. Dr. Tagle is adept at
translating complex security concepts into actionable strategies for both business and technical stakeholders, and is recognized for his analytical acumen and innovative approach to cybersecurity. He holds a Ph.D. in Computer Science and numerous prestigious certifications such as CISA, CISM, CRISC, ISO 27001 Lead Auditor, PCIP, and CDPSE.

In his current role as DXC Technology’s Head of Digital Identity and Zero Trust for Australia and New Zealand, Dr. Tagle leads a team that expertly balances business needs with risk mitigation and cost-effective security solutions. He leads team of close to 50 SMEs covers all four of DXC’s Security service pillars. This includes Cyber Risk & Compliance, Digital Identity, Infrastructure, App & Data Protection, and Cyber Transformation & Operations. Prior roles includes leading advisory and consulting teams in Secureworks and Sense of Security (now part of CyberCX).

His own direct work spans several critical areas including security strategy and roadmap development, compliance and maturity frameworks management, IT and OT security, and business continuity planning. Dr. Tagle’s leadership not only drives the strategic direction of security practices but also fosters a culture of accountability and continuous improvement within his teams.
Tuesday 24th
15:35-15:55

Afternoon Tea
Tuesday 24th
15:55-16:40
Why Security Architectures Fail: “It is not the Architecture’s fault”

Session 8A

Suppose you had a well-defined and documented security architecture based on a comprehensive set of business risk requirements, including an extensive array of solutions and controls to manage the risk and providing traceability across all areas top to bottom. Why then, was it doomed to fail? Based on 30 years of security architecture experience, this session will outline the factors that can and have prevented security architectures from being implemented successfully.

There are many ways a security architecture can fail that have nothing to do with the architecture itself. It can be as simple as a failure to communicate, as complex as conflicting executive responsibilities or the result of overt sabotage. Sometimes choice of language and more effective communication is the solution. Sometimes clear responsibilities, authority and executive support will help. Occasionally, there may be little you can do. We will provide a few real-life examples where architectures have failed when implemented, didn’t achieve their objectives after implementation, or were doomed from the start.

This session will review real-world examples of well-defined and implemented security architectures that have failed or will fail to achieve their intended purpose. The reality is that a security architecture that successfully manages business risk depends on more than a well-defined architecture. We will outline some of the important critical success factors to recognize and manage, and what to do when confronted with some of these obstacles. This is a collection of cautionary tales of what to watch for, how to recognize and resolve specific issues and know when to “walk away”.
Speaker(s)

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

In his 50+ years of in-depth experience in IT and security consulting, systems management and technical implementations, Glen Bruce has focused on Security Frameworks, Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has led many information/cyber security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of a wide range of business and technical requirements. Glen is the leader of the SENC workgroup project.
Mesh, Hype or Hope? Reassessing Cybersecurity Mesh Architecture (CSMA) in the Shadow of Zero Trust

Session 8B

In an industry already saturated with architecture frameworks—Zero Trust, SASE, CARTA, BeyondCorp, and more—the introduction of Cybersecurity Mesh Architecture (CSMA) by Gartner raises a compelling question: Do we truly need another one?

This session critically evaluates the purpose, promise, and practicality of CSMA in today’s cybersecurity landscape. Framed through the lens of identity security and Zero Trust adoption, we will explore whether CSMA is a transformative leap forward or a repackaged consolidation strategy born of market fatigue and vendor sprawl.

Participants will walk through the core principles of CSMA – distributed enforcement, identity fabric, composability—and contrast these with Zero Trust and other popular paradigms. The talk will use real-world use cases and architectural patterns to assess where CSMA fits (or doesn’t) within the modern enterprise stack. We’ll also examine its implications on non-human identities, hybrid infrastructure, and the elusive goal of security tool integration.

Importantly, this session is not a sales pitch for another model – but a thought-provoking dialogue on architectural fatigue, strategic overengineering, and the security leader’s dilemma: whether to adopt, adapt, or abstain from yet another framework.

Takeaway: A clear-eyed understanding of whether CSMA is the next essential evolution – or just another architectural acronym in a crowded boardroom conversation.
Speaker(s)

Abbas Kudrati

Chief Identity Security Advisor - APJ, Silverfort (Australia)

Abbas Kudrati is a highly experienced cybersecurity practitioner and CISO, currently serving as Silverfort’s Regional Chief Identity & Security Advisor. Previously, Abbas was Microsoft Asia’s Chief Cybersecurity Advisor for the Security Solutions Area. Alongside his work at Silverfort, Abbas serves as an executive advisor to multiple prestigious institutions, including LaTrobe University, HITRUST ASIA, EC Council ASIA, and various security and technology start-ups. Abbas also actively supports the wider security community by mentoring students and working with ISACA Chapters.

With extensive expertise in Identity Security, Identity and Access Management (IDM), Identity Threat Detection and Response (ITDR), and Identity Governance, Abbas has a proven track record of helping organizations strengthen their security postures and protect critical digital assets in an increasingly complex threat landscape.

As a bestselling author, Abbas has published several books that have become industry-standard references, including “Threat Hunting in the Cloud” by Wiley, “Zero Trust Journey Across the Digital Estate” by CRC Press, and “Managing Risks in Digital Transformation” by Packt. He is also the Technical Editor for two books, “Effective Crisis Management” by BPB and “IoT Security with Microsoft Defender for IoT” by Packt, he is currently authoring his latest book on the topic of “Cybersecurity Mesh Architecture – Hype or Hope”.

In addition to his writing, Abbas is a part-time Professor of Practice with LaTrobe University and a sought-after keynote speaker on topics such as Zero-Trust, Cybersecurity, Identity Security, Cloud Security, Governance, Risk, and Compliance. His extensive experience and knowledge make him a valuable asset to any organization seeking to improve its cybersecurity and identity security strategies.

https://aka.ms/abbas
Tuesday 24th
16:45-17:30
Implementing SABSA in Context: A Practical First Step

Session 9A

Let’s be honest, completing the SABSA Foundations course is one thing but knowing where to begin is another thing entirely. Great in theory… but how do I implement this within the context of my business? It’s easy to get lost in the complexity of the framework so what is needed is a manageable, low risk project to gain momentum and build confidence. The answer could be developing a Team Charter.

This session is open to all participants, regardless of prior SABSA knowledge or experience. We will go through the process of using the SABSA framework to define roles, responsibilities, and communication channels for a security team, and describe how SABSA’s architectural concepts were applied as practical steps.

We didn’t need a complete overhaul of our security program; we started small and built from there. I’ll cover the challenges we faced, the lessons we learned, and the positive impact this project had on our team’s effectiveness.

If you’re looking for a practical, low-risk way to start your SABSA implementation journey, this session aims to provide you with a starting point.
Speaker(s)

Dan Schoemaker

Information Security Manager, Phoenix HSL (Australia)

Dan has been working in the IT Infrastructure/Operations and Security fields for over the past decade. Currently running the Group Security function for a global company, he is driven to ensure security is business driven and architected properly. Being a self-driven techie, he ultimately believes in learning by doing and having a crack.
Securing Australia's Federated Future: Rethinking Access, Trust, and Compliance Across Domains

Session 9B

Australia’s digital infrastructure is becoming increasingly federated. Government departments, healthcare networks, research institutions, and private enterprises are no longer isolated systems. They now rely on shared platforms, cross-agency data flows, and multi-cloud architectures. However, most organisations continue to depend on centralised identity and access control systems that were designed for siloed environments. These outdated models are unable to handle the complexity of shared authority, distributed data governance, and jurisdictional compliance.

This session tackles a key strategic challenge: how to secure access, maintain trust, and uphold compliance in systems where control is fragmented and collaboration is essential. It introducesa modern access control framework based on Attribute-Based Access Control, enriched with privacy-preserving cryptographic techniques such as verifiable credentials and Attribute-Based schemes. This approach enables fine-grained, policy-driven access without depending on central authorities or static roles.

Drawing on real-world case studies from health and government, we will explore how these models can support secure cross-domain collaboration, reduce risk exposure, and align with national privacy reforms and cyber strategies. The session will also examine how these approaches can be implemented in practice, ensuring data sovereignty, transparency, and interoperability without compromising innovation.

Whether you are responsible for architecture, security policy, compliance, or digital service delivery, this session will provide practical insights into building access and trust frameworks that match the complexity of modern Australia’s digital landscape.
Speaker(s)

Ahmad Salehi Shahraki

Lecturer in Cybersecurity, La Trobe University (Australia)

Dr Ahmad Salehi Shahraki is a Lecturer in Cybersecurity at La Trobe University’s Department of Computer Science and Information Technology. He is a recognised expert in decentralised access control, applied cryptography, secure data systems, and blockchain security. His research focuses on privacy-preserving access control, federated trust models, and secure architectures for cloud, IoT, and digital health environments. His extensive publication record in top-tier journals and conferences is a testament to his academic prowess. He actively supervises postgraduate students working at the forefront of cybersecurity innovation, further contributing to the field.

Dr Ahmad Salehi Shahraki is a leader in industry engagement initiatives, working at the intersection of academia and industry to advance applied cybersecurity research and education. He is the driving force behind the La Trobe Cybersecurity Club, a platform that fosters student development and professional engagement. As a member of the university’s Cybersecurity Industry Advisory Board, he plays a crucial role in shaping the future of cybersecurity. His academic journey includes significant roles at La Trobe University, RMIT University, and Monash University. At RMIT, he was instrumental in the Digital CBD initiative and held esteemed research fellow positions at the Blockchain Innovation Hub and the Centre for Cyber Security Research and Innovation. He holds a PhD in Cybersecurity from Monash University and a master’s in research from QUT. Dr Ahmad is an active member of IEEE, AISA, IACR, ACM, and ACS, and is a regular reviewer for leading cybersecurity venues. His work highlights the importance of collaboration, impact, and the development of future-ready cybersecurity capability across
sectors.
Tuesday 24th
17:40-18:40
High Assurance Computing in the Commercial Sector: Niche or Necessity?

Plenary 10P

As digital transformation accelerates across industries, commercial enterprises are facing heightened exposure to sophisticated cyber threats, regulatory scrutiny, and reputational risk. High Assurance Computing (HAC), with its rigorous standards for correctness, confidentiality, integrity, and trust has been confined traditionally to the defence, aerospace, and critical national infrastructure (CNI) sectors.

With increasing understanding that CNI is substantially dependent on commercial suppliers, HAC is rapidly gaining relevance in the commercial sector.

This session explores the strategic and technical imperatives driving the adoption of high assurance principles in modern enterprise environments. It will cover key elements such as formal verification of cryptographic systems, tamper-resistant processing, secure boot chains, trustworthy key management and audit chains, illustrating how these once-esoteric practices are becoming essential safeguards for sectors like finance, healthcare, and cloud-native SaaS platforms.

As the threat landscape evolves and digital trust becomes a business differentiator, this talk will assert that the application of high assurance computing in commercial enterprise is not just relevant, it’s necessary.
Speaker(s)

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.
Tuesday 24th
18:45-19:15

Drinks Reception (Sponsored by The SABSA Institute)
Tuesday 24th
19:15

Dinner (Sponsored by The SABSA Institute)

Wednesday 25th February

Wednesday 25th
09:00-09:30

Registration & Coffee
Wednesday 25th
09:30-10:15
The Pragmatist's Guide to Safely Automating the Management of Critical Infrastructure

Session 11A

How do you safely automate the management of infrastructure responsible for providing society with essential services?

Infrastructure whose failure scenarios result in catastrophic cascading failures that can lead to loss of life, extensive environmental impacts, and loss of organisational or government reputation.

In this session, we will examine the five-year journey an Australian major hazard facility embarked upon that resulted in the safe adoption of automated ways of working. You will see how a risk and business centric approach, underpinned by SABSA and functional safety engineering standards (IEC 61508/61511), increased process maturity, uplifted capability, removed people from harm’s way, reduced operational risk by a factor of 10, and modernised work management.

We will discuss use cases C-suite and plant managers care about (hint: it’s not configuration management), COTS vs. inhouse development, pre-requisite logical services required to ensure human and computer instantiated workflows remain distinguishable, the “physics” of maintenance debt and its impact on organisational change management, as well as the challenges associated with event-driven automation and extending orchestration to the physical world.

All concepts discussed will be related to a vendor neutral “just in time network administration” capability we build throughout the presentation culminating in its implementation through a live demo.
Speaker(s)

Luke Snell

OT Consultant, Ether-net (Australia)

He is an accredited Functional Safety Engineer (TÜV Rheinland, SIS) where his career has seen him work across autonomous and traditional surface and underground mining operations, ports, rail environments, utility and power (LV + HV), as well as water pipeline networks.

Since 2020 he has focused on supporting critical infrastructure and major hazard facilities; where he is solving problems related to automation, edge compute, hybrid cloud, and industrial data centers.

Luke frequently rides the Architect’s Elevator from the “engine room” to the “executive suite”, is a firm believer in solving business problems with technology instead of technical issues with products and tooling, and is quite cheeky about challenging the norm.

Outside of technology you’ll find him engaging in all sorts of creative shenanigans be that improv theatre, writing on his blog ether-net, or trying to find unsuspecting people to indoctrinate into his Dungeons & Dragons campaigns. He also co-coordinates SABSA World Perth.
Why Misinformed Teams Build Weak Security Programs

Session 11B

After spending 20 years leading security teams across government and enterprise environments, one pattern emerges: the strongest security programs are not built by teams with the biggest headcount, largest budgets or most tools, but by teams that have the best information and are driven by context and data. Misinformed teams inevitably develop weak security programs that fail when facing real-world threats.

During my CISO career I have witnessed how security teams operating without proper data context make decisions based on assumptions rather than data and evidence. They deploy controls that do not match actual risk scenarios, prioritize threats that are not present in their environments, and end up missing actual gaps they should be addressing.

The presentation examines how context transforms the effectiveness of your security program. Through case studies from other companies as well as my own teams, I will demonstrate how data driven approaches make threat modelling, incident response, risk assessments and other
security functions more efficient and impactful.

Key takeaways will include strategies for building context-driven security functions, establishing engagement channels that help your teams focus on what matters, and creating processes grounded in data rather than the industry hype.
Speaker(s)

Martin Choluj

CISO, ClickHouse (USA)

Martin Choluj is a seasoned cybersecurity executive with over 15 years of experience in the field. He currently serves as the CISO at ClickHouse, an open-source, column-oriented OLAP database management system for real time analytics, machine learning, GenAI, observability and data warehousing. In this role, he leads the company’s security, privacy, IT operations and engineering productivity initiatives.

Before joining ClickHouse, Choluj was the CISO at Campaign Monitor, where he oversaw security functions across multiple martech SaaS brands. His prior experience includes roles at the Reserve Bank of Australia, the Central Bank of Ireland and Symantec.

Choluj holds a Master’s Degree in Security and Forensic Computing from Dublin City University and a Bachelor’s Degree in Information Technology. He has earned multiple certifications, including CISSP and GIAC GSE.

In addition to his professional roles, Choluj is an advisor to venture capital firms and an angel investor. He is also a member of Silicon Valley CISO Investments (SVCI), an invite-only community of cybersecurity leaders turned investors.
Wednesday 25th
10:20-11:05
The High Rollers Table – A Case Study in Proving Your Value Using SABSA

Session 12A

When it comes to demonstrating the value you are providing to your high-roller stakeholder sitting at the table, there isn’t a lot of room for error, filibustery or flub. In any other circumstance, you might be able to lean heavily on bamboozlement at the brilliance of your diatribal eloquence, the captivatingly exquisite heights of your genre-defining diagrams and matrices, or the various bric-a-brac-esque levels of understanding inhabiting the zeitgeist of the VIPs you are presenting to.

But.

If the very most important of them, the Big Kahuna, makes it known to you that they have their complete and undivided attention on you and the answers you are giving them, then you had better make sure those answers are succinct, accurate and simple enough to pass the smell test on any concern that they are very, very much interested in, that very, very much matters to them personally, and in whose opinion they are very, very much heavily invested.

Fortunately, SABSA provides you with the very tried and true method to withstand such scrutiny when this situation befalls.

In this presentation, we will provide a real case study where the high-roller stakeholder took control of the discussion, posed employment-defining questions to the presenters, and how SABSA was deployed to seize the initiative and win the day.
Speaker(s)

Dan Schoemaker

Information Security Manager, Phoenix HSL (Australia)

Dan has been working in the IT Infrastructure/Operations and Security fields for over the past decade. Currently running the Group Security function for a global company, he is driven to ensure security is business driven and architected properly. Being a self-driven techie, he ultimately believes in learning by doing and having a crack.
See No Evil?: Visualising Security Risk

Session 12B

In an influential early book on security, [‘Secrets & Lies’: (2000)], the technologist, Bruce Schneier reflects on why, when humans generally have an intuitive, highly developed sense of risk in everyday life, (crossing a road, walking down a dark alley, etc), do we find it so difficult to analyse risk? He identified several factors with significant influence on risk perception: inability to evaluate rare events, confirmation bias in trust of IT, and the degree to which the subject feels a sense of ‘control’, is able to ‘personify’ a threat or is presented with impacts that are either novel or spectacular.

Manifesting from the digital realm, cybersecurity is rich in the traits that make risk analysis difficult. This is compounded by large, highly complex and interconnected systems characterised by multiple many-to-many relationship along the attack chain: risks – vectors – vulnerabilities – actors – controls.

These inherent issues have important consequences for how cybersecurity teams design and implement their GRC and assurance frameworks. How can we optimise our risk posture, using our limited resources, when any adjustment without triggering the ‘butterfly effect’.
In this presentation, the speakers will explore recent developments in EA tooling that promise better visualisation of cybersecurity risk. While the virtual world might never become so tangible as to be familiar, it is becoming increasingly possible to immerse and interact with the virtual world and understand it more intuitively – offering a depth of situational awareness and understanding that few can achieve from a bookshelf of traditionally documented artefacts.

The session, which will include a practical demonstration, should be of value to a wide range of delegates that would be interested in what visualisation can contribute to security management.
Speaker(s)

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a Belgium-based independent security consultant at Cyber Enterprise Modelling (CEM) and has been a regular presenter at COSAC since 2018 on the topic of security by design through automation and modelling. He is the principal author of the SABSA Institute / Open Group paper “Modelling SABSA with ArchiMate” and chairs the associated SABSA Working Group. He holds several security, architecture and privacy certifications including SABSA Chartered Practitioner and ArchiMate.
Wednesday 25th
11:05-11:25

Morning Coffee
Wednesday 25th
11:25-12:10
The Grammar of SABSA Attributes

Session 13A

When undertaking any work as a risk professional, it behoves us to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our craft, we hope to capture complexity within plain language while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons want to better would language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools to help form robust attributes and demonstrate their utility for ESA. By the end of the session you will be drafting Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.
Speaker(s)

Kirk Nicholls

Security Advisor, Sportsbet (Australia)

Kirk is a security architect who loves that the job is an endless source of puzzles and learning.He is an SES volunteer, SABSA Institute Board member and instigator of SABSA World Australia.

Someday the novelty will wear off, but not today.
Architecting Cyber Security Self-Assurance

Session 13B

Cyber security risk is one of the top non-financial risks for organisations. It can be present in almost any part of digital operations. The nature of the risk is both complex and broad due to the complexity of the attacks and evolving capabilities of the attackers. More often than not, the articulation of cyber risk is characterised by a high degree of subjectivity due to the innate difficulty to create a 360o view of the security posture in a timely manner, supported by actuarial data, to answer even to the most basic business requests.

This presentation will focus on how a data-driven comprehensive representation of the security fabric can drive faster and better decision-making. Using real-life case studies, we will highlight how the development of a single source of truth helps to identify actionable insights, simplify remediations actions and improve the risk position of the organisation. Most importantly, it becomes the foundation for the operationalisation of self-assurance across the estate which brings commercial benefit to the business through facilitating smooth and rapid delivery whilst also optimise the utilisation of the cyber security resources.
Speaker(s)

Dimitrios Delivasilis

CEO, Qiomos (UK)

For over twenty five years, Dimitrios has been a technology executive with a proven success record of delivering future proof information security strategies and helping organisations implement their digital transformation plans with a commensurate level of assurance. Mastering specialisation in business-driven security strategy, architecture and operational resilience, Dimitrios draws strength from the diverse experience in leadership roles, predominantly within financial services, i.e., Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC.

Driven by his vision to shift the resilience risk paradigm by challenging core beliefs and driving better decision making, in 2020, Dimitrios founded Qiomos and started providing value-driven services to guide organisations into building resilient services and products. In 2024, this extensive experience led to the launch of the innovative QnousTM solution – a single source of truth to strengthen operational resilience by modelling the organisation’s security posture and centralising security-related information into a single data model. Dimitrios is now working with organisations, across the globe, streamlining their security risk management and truly simplifying their security decision-making.
Wednesday 25th
12:15-13:00
Beyond Taxonomies A New Ontological Lens for SABSA Data Architecture

Session 14A

In a world obsessed with data - whether for insights, governance, compliance, or control—volume is often mistaken for value. But under the SABSA framework, where data begins life as a physical asset, meaningful transformation requires more than classification. Traditional tools such as the ‘business taxonomy of assets’ and ‘business attributes taxonomy’ have served us well, yet their hierarchical rigidity may no longer align with the complex, fluid nature of today’s data ecosystems.

Presenting from dual perspectives – that of a cub reporter hungry for clarity and a regional information ambassador advocating for purpose-driven stewardship – we explore how SABSA’s conceptual and contextual layers can be revitalised through ontological thinking. Together, we propose a shift in focus from static taxonomies to flexible ontologies, enabling organisations to navigate ambiguity, reinforce relevance, and transform data into embedded knowledge.

Key topics include:

Data Cleansing as Stewardship: Neglecting this foundational step is like letting an under-11s football team run riot in your newly renovated house.

Metadata’s Dual Edge: A potential gateway to insight – or a quiet amplifier of bias?

OWL as Enabler or Encumbrance: Can the Web Ontological Language evolve from overhead to guardian?

We argue that embracing ontology allows SABSA to support intuitive, gut-driven decision-making with structured insight – particularly in organisations where data is the dominant, if not sole, asset. We outline a practical ontological model for SABSA’s conceptual and contextual layers, demonstrating how it can better reflect the real-world complexity that businesses face.

By the end of the session, attendees will be invited to reconsider the relevance of ontologies for modern security architectures – and perhaps reimagine what SABSA could become when data is understood not just as resource, but as relationship.”
Speaker(s)

Bethany Sinclair-Giardini

Senior Business Consultant, TechnologyOne (Australia)

Dr Bethany Sinclair-Giardini has spent most of her career in Information Governance, working with information assets, ensuring their security, integrity and retention/disposal. She is a passionate advocate for ensuring data and information assets are managed coherently with adequate metadata in terms of lifecycle management. She is a leading member of her industry organisation, RIMPA Global, and has been a member of the SABSA Institute since 2024 when she first presented at COSAC APAC. She configures recordkeeping software in her day job, and crops up now and then at information security events around Melbourne.

Kirk Nicholls

Security Advisor, Sportsbet (Australia)

Kirk is a security architect who loves that the job is an endless source of puzzles and learning.He is an SES volunteer, SABSA Institute Board member and instigator of SABSA World Australia.

Someday the novelty will wear off, but not today.
Authorised and Compromised – The Biometric Illusion

Session 14B

Biometrics were meant to kill the password. Instead, they have become permanent keys with no revocation path. We can change your password, we cannot change our face.

This presentation unpacks the systemic risks behind the rush to adopt biometric authentication - risks baked into the technology, amplified by architecture, and overlooked by compliance. From India’s Aadhaar leaks to facial recognition hacks on commercial phones, the pattern is clear: convenience is winning, and users are losing.

Biometric authentication is being sold as progress. But beneath the promise lies a problem of permanence, precision, and power – who controls the data, who accesses it, and what happens when it’s wrong.

This presentation will examine:

Why biometric data is inherently high risk, and why most storage and transmission models don’t treat it that way

Real-world failures of biometric systems, from government IDs to commercial smartphones

How biometric spoofing and false positives are exploited, even in mature deployments

What effective biometric implementation actually looks like

Key takeaways:

Biometric data is immutable – we cannot treat it like passwords

Spoofing is practical, repeatable, and underreported

Consent and transparency in biometric systems are mostly performative

Most implementations trade off accuracy, auditability, or user rights – sometimes all three

There are ways to deploy biometrics safely, but they’re expensive, complex, and rarely done properly
Speaker(s)

Gaurav Vikash

Head of Security and Risk (APAC), Axon (Australia)

Gaurav is a cyber executive with over 16 years of experience leading security programs across global enterprises, regulated industries, and national infrastructure. His portfolio spans incident response, architecture, and governance across financial services, government, SaaS, and critical infrastructure.

He’s a seasoned keynote speaker and panel moderator, known for challenging orthodoxy, exposing systemic blind spots, and delivering hard-earned insights with clarity and conviction.

Beyond the day job, Gaurav serves as a volunteer with the State Emergency Service, mentors emerging professionals through the Australian Women in Security Network, and actively supports the next generation of cyber leaders. He also trains IRAP assessors, delivers CCSP courses, and advises peers through pragmatic, compliance-driven cyber strategy.
Wednesday 25th
13:00-14:00

Lunch (Sponsored by David Lynas Consulting)
Wednesday 25th
14:00-14:45
Architecting Stovepipes of Excellence: A Case Study on Connecting Threat Actors, TTPs, Controls, and Assurance Programs

Session 15A

This talk walks through a real-world case study showing how we managed to create security traceability around assets, threats they face and risk mitigation investment.

Instead of keeping threat intel, controls, assurance and overall security architecture in silos, we figured out how to make different parts of a modern organisation work together to provide a solid perspective on prioritised risk mitigations and improve spending on assurance activities that matter.

We started by profiling threat actors based on what they wanted, what they could do, and who they typically went after. Then we mapped their favourite tactics and techniques using MITRE ATT&CK as our guide. The interesting part came when we linked these attack patterns directly to existing security controls – suddenly we could see exactly where we had important gaps and where we were over-investing.

Weaknesses in recovery procedures, gaps in system dependencies and unclear operational resilience targets were revealed.

We could finally show leadership how specific threats connected to business risk and prove that our security investments were hitting the right targets. SABSA helped to remind us how we needed to create traceability throughout.
Speaker(s)

Dimitri Vedeneev

CyberCX Executive Director - Secure AI, CyberCX (Australia)

A political science nerd, that stumbled into a career in cybersecurity by accident over 14 years ago. Lucky to be selected and work with the Australian national security community within the Australian Signals Directorate, followed by several stints in software product and consulting companies across the UK, Europe and North America.

In the last few years, I’ve moved back to Australia and now work at CyberCX, the leading sovereign cyber security consultancy, solutioning and providing delivery quality assurance across cyber security deliveries on cyber strategies, operating model designs, multi-skillset engineering and integration projects and dabble in assisting penetration testing and threat intelligence integration into non-standard programs of work.

A recent SABSA convert, just beginning my security architecture career, there’s plenty more to learn and understand ahead.
If Socrates was a CISO or Even Worse - Your Business Stakeholder

Session 15B

The nature of the cyber security risk is both complex and broad, and present in almost any part of digital operations making it a top non-financial risk. On a daily basis stakeholders are being faced with decisions on how to proceed with the implementation of the business strategy whilst providing a commensurate level of protection against ever evolving cyber threats and ensuring critical products and services operate within the desired risk thresholds.

The accuracy, completeness and timely accessibility of the information required to determine the optimum way forward is more important than ever.

The session draws in from philosophy to illustrate how ancient wisdom can be applied to cyber security and risk management. Will illustrate how Socratic method, an interactive technique for establishing knowledge, allows us to test assumptions through honest dialogue, think differently and ultimately guide us towards better understanding the implications of decisions that needs to be made. The audience will experience how to draw strength from contrarian thought, and utilise it as a tool for both establishing ignorance and knowledge.
Speaker(s)

Dimitrios Delivasilis

CEO, Qiomos (UK)

For over twenty five years, Dimitrios has been a technology executive with a proven success record of delivering future proof information security strategies and helping organisations implement their digital transformation plans with a commensurate level of assurance. Mastering specialisation in business-driven security strategy, architecture and operational resilience, Dimitrios draws strength from the diverse experience in leadership roles, predominantly within financial services, i.e., Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC.

Driven by his vision to shift the resilience risk paradigm by challenging core beliefs and driving better decision making, in 2020, Dimitrios founded Qiomos and started providing value-driven services to guide organisations into building resilient services and products. In 2024, this extensive experience led to the launch of the innovative QnousTM solution – a single source of truth to strengthen operational resilience by modelling the organisation’s security posture and centralising security-related information into a single data model. Dimitrios is now working with organisations, across the globe, streamlining their security risk management and truly simplifying their security decision-making.
Wednesday 25th
14:50-15:35
Using Security Patterns to Protect Cloud

Session 16A

We'll begin by exploring the concept and purpose of security patterns and how these align with the SABSA framework.

While there are different definitions that exist in the industry, with a specific focus on those published by cloud providers (AWS, Azure). We'll focus on how to navigate and identify the most practical and meaningful ones

Next, we’ll delve into techniques for writing and using effective security patterns, highlighting best practices and common pitfalls to avoid.

Participants will have the opportunity to understand how security patterns can be adopted in practice.

We’ll then examine how security patterns can enhance overall security and why they offer a more practical approach compared to relying solely on security standards.

Participants will learn the core steps for writing security patterns as part of the SABSA framework.

We’ll provide practical examples of a security pattern for AWS and how this is being applied in businesses to provide design assurance.
Speaker(s)

Ken Fitzpatrick

Director, Patterned Security Consulting (Australia)

Ken Fitzpatrick: Author of securitypatterns.io, a popular website providing information and resources on how to write and apply security patterns and best practices. Director at Patterned Security Consulting, a professional services company helping organisations mature and embed Security by Design into business practices. Engaged with businesses in achieving certification to ISO 27001 and SOC2. An experienced security expert with 20 years of experience across public and private sectors.
Architecting Human Resilience: Embedding Cyber-Aware Business Simulation into Enterprise Practice

Session 16B

Cyber threats continue to evolve, but integrated business awareness training remains stagnant. In this session, we explore how enterprise/security architecture approaches can be used to embed simulation and immersive training into operational practice to uplift business resilience. Drawing from field-tested approaches across Defence, government and regulated industries, Derek Grocke presents a blueprint for integrating experiential learning methods, enterprise architecture domains and systems thinking into a unified model that embeds reinforcement learning into business as usual.

This session reframes traditional tabletop exercises, highlighting how process targeted digital twin environments, cyber ranges, and business aligned simulation models can enhance not just technical preparedness but real decision making, incident response coordination, and organisational insight. From the boardroom to the supply chain, attendees will gain insights in to how the use of real-world simulations can inform and evolve with the business to reflect enterprise priorities, regulatory obligations, and operational risks.

Designed for seasoned professionals, this session avoids prescriptive training models and focuses on reusable, strategic patterns for building human-centric resilience programs. Emphasis will be placed on architectural governance, lifecycle integration, and aligning with standards such as NIST SP 800-160, ISO 42010, and the Australian Government Protective Security Policy Framework (PSPF).
Speaker(s)

Derek Grocke

Director, Madrock Advisory (Australia)

Derek Grocke is the founder of Madrock Advisory and a senior practitioner in space, cyber, critical infrastructure and Defence systems. He has over 20 years of experience leading enterprise transformation initiatives that integrate architecture, cybersecurity, simulation, operational readiness and audit.

Derek has advised Defence, national regulators, critical infrastructure, and private sector organisations across Australia and internationally on integrating cyber resilience into business/operations and critical mission operations. Derek specialises include the critical process desktop assessments and the establishment of simulation-enhanced environments for process simulation, training, testing (ICT, operational technologies, financial processing and RF systems), cyber incident response, and business continuity.

His approach is underpinned by many years assessing, establishing alignment and managing businesses needing to align with frameworks including ISO/IEC 27001, ADF supply chain & specific engineering requirements, NIST SP 800-53/160, ISM/DSPF, AU DHS Right Fit For Risk, ZTA (corporate and OT), CISCO SAFE, CPS 232/234, US CMMC, SABSA, TOGAF and the SOCI Act. He is an active contributor to the advancement of practical, cross-disciplinary security education through cyber ranges and simulation, and an active contributor to the US led Space ISAC, NATO Cyber War Games and AU TISN.
Wednesday 25th
15:35-15:55

Afternoon Tea
Wednesday 25th
15:55-16:40
Building an Adaptive Security Architecture

Session 17A

The presentation addresses 3 trends currently challenging the cybersecurity operating model.
• Customer expectations are shifting
Digital natives think in terms of customer journeys, and they want safe but low-friction experiences along the way.
• Threats are evolving
There are now new ways to exploit human nature and decision making, using technologies like AI. Lastly,
• Regulations are fragmenting
Countries recognise the value of data and are taking a stronger, more localised, position on how to protect it.

These factors have important consequences for how cybersecurity teams design and implement their governance, risk, compliance and assurance frameworks. We will argue that the new paradigm which is decentralised, where speed and accountability for decision-making are favoured over structures of centralised authority and control.

A pre-requisite of this kind of adaptive security is for decision making at all levels of the organization, which implies effective communications based on a common ‘source of‘truth’.

In this presentation, the speakers will present their experience of establishing a security architecture that reflects these aims and principles, based on control modelling, thresholds, and real-time security data.

The session should be of value to a wide range of delegates that may be facing similar challenges and would be interested in learning what an architectural approach can contribute to the solution.

This will be original content, being presented at conference for the first time.
Speaker(s)

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a Belgium-based independent security consultant at Cyber Enterprise Modelling (CEM) and has been a regular presenter at COSAC since 2018 on the topic of security by design through automation and modelling. He is the principal author of the SABSA Institute / Open Group paper “Modelling SABSA with ArchiMate” and chairs the associated SABSA Working Group. He holds several security, architecture and privacy certifications including SABSA Chartered Practitioner and ArchiMate.
Fear of the Dark

Session 17B

Legacy is a frequently used term in a relatively young industry, reserved for systems made of ageing: hardware, operating systems, software and applications, storage media, file formats, peripherals, connectors and so on. Typically, another term accompanies such systems, the process of ‘sweating assets’ for better or for worse. Not to mention ‘end of life’ and ‘lifecycle management’. Inevitably the word ‘risk’ makes an appearance.

Quite often left unattended these legacy systems or components may simply continue to work and that return on investment continues to pay off. Perhaps no longer with vendor support, scarce availability of parts (new or used), limited recovery methods or upgrade paths, lost expertise, or loaded with vulnerabilities with ever increasing risk (there it is again) as the environments and systems around them evolve and change. It’s a choice, and life isn’t always so simple.

There is another side to that coin. Those systems that today are considered the current norm, sometimes labelled ‘next gen’ or ‘cutting edge’. But where will they be in years or decades to come? Will they continue to work in isolation, can they be sweated as simply as those that came before? What of that lurking demon known as planned obsolescence?

When a button is pushed, or a key is turned the user expects something to happen. What happens when nothing now happens, all that presents is darkness, a blank screen, no sign of life, no change in state…this is the Fear of the Dark.

Pivoting from prior themes of a CISOs viewpoint through cinematic classics in previous COSAC presentations, your presenter delves into the societal problem that is largely being ignored in terms of longevity, resilience and risk.

This session will look at the unappreciated challenges faced by industry and society as time passes, where tech debt begins to transform into tech liability and sunken costs. At best impacting productivity, usefulness or choices, or at worst grinding operations to a halt and generating more and more waste with a material societal impact and significant financial cost.

The aim is to have a discussion with the audience on these ever-mounting issues in the short and long term, and how cyber security professionals and practitioners may manage these kinds of challenges in their own organisations, and within our broader personal lives.

In other words, can we find a way to reduce and navigate these lurking risks? Or will we keep “walking a dark road at night…a constant fear that something’s always near…fear of the dark….fear of the dark…”
Speaker(s)

Steven Kintakas

Practice Lead - Architecture, Astralas (Australia)

Steven is a cyber security professional with a career spanning over 22 years of experience across a range of industries including finance, energy & utilities, resources, transport, manufacturing, government, health, education, and telecommunications.

Practice Lead of security architects at Astralas, Steven is a practitioner and leader focused on building trust. In providing business-driven and outcome-based value to manage risk effectively, Steven has contributed to the improvement of cyber risk management across many ASX-listed companies and some of Australia’s largest organisations in fields such as security architecture & strategy, managed services, incident response, research and development, and technical solutions and controls.

Previously a Director and sector leader within Deloitte Australia’s Cyber practice, he has also held various leadership and technical positions at Computer Associates, CGI, Fujitsu Australia, Dimension Data, and Zimbani.

A Deakin University alumnus, having double-majored in computer science and information systems, Steven’s post-nominals include: SCF, CISSP, CISM, CCSP, and CDPSE.

Steven is currently the Board Secretary of the ISACA Melbourne Chapter, a return speaker to the COSAC conference having previously presented in Ireland & Melbourne, and a regular speaker at AISA’s Australian Cyber Conference.

An avid supporter and member of the Geelong Football Club, he is passionate about enjoying good food & drink (in particularly wood-fired cooking) with his family and friends.
Wednesday 25th
16:45-17:30
From Chessboard to Boardroom: A Shift in Ideology to Harness World Class Talent with SABSA

Session 18A

- Since we started leveraging SABSA methodologies to secure wins - not just on chess boards, but any Board. 😉

When people think of enterprise security architecture, they don’t often envision “talent” as a core asset. But what if talent is the very mission that needs to be secured, nurtured and future proofed to endure the test of time?

As a former junior professional chess player turned SABSA enthusiast, I invite the audience to unpack the multifaceted aspects of architecting world class (chess) talent. Inspired by the Polgar sisters’ educational experiment which famously suggests geniuses can be made, this unique session explores how SABSA can model and sustain human potential.

The unique value proposition stands in the journey to understand how to measure intangible assets such as talent!!

Finally, is talent innate, or just a bunch of meticulously engineered factors? Join me as we dissect it, learn to measure it, manage risks around it and maintain it. Drawing on a decade of experience in competitive chess, I reveal successes, failures, lessons learnt and efforts to prepare for junior world championships and meticulous planning.
Speaker(s)

Andra Cimpean

Senior Cyber Security Specialist, Department of the Premier and Cabinet - Office of Digital Government (DGov) (Australia)

Andra Cimpean works as Senior Cyber Security Specialist for Department of the Premier and Cabinet of WA, advising state government entities on their cyber maturity journey.

As a former professional chess player, she brings in a unique perspective with her strategic and problem-solving skills. She holds a Master’s in Cyber Security from Edith Cowan University and a Bachelor’s in Psychology along with accreditations such as SABSA Chartered Security Architect and ITILv4. Andra also completed the SABSA A1 Advanced Risk, Governance and Assurance Practitioner course and is currently writing the paper submission.

Andra is the Deputy Chair for the Australian Information Security Association WA Branch. Awarded “Best Volunteer” Award at the CyberCon 2023 for her efforts in organising charity and student-focused initiatives and Finalist for the “One to Watch in Protective Security” at Australian Women in Security Awards 2024, she has contributed to various publications, enjoys public speaking and has been invited as university guest lecturer for cyber students to teach about Enterprise Security.
Not Just Lean. But Lean & Mean.

Session 18B

Establishing cyber capabilities in any organisation requires an intentional approach that need to strike a balance between difference forces within an organisation.

Getting it right the first time, while not impossible, requires more than just implementing a framework or methodology. Learn how to grow beyond just being a lean organisation, to one that is both Lean & Mean – making every resource/investment count and to move from being reactive to proactive in posture.
Speaker(s)

Joshua Qwek

Director, Cyber Team One (Australia)

Joshua Qwek is a business focus, forward-thinking technology & cyber leader who has over nearly two decades of value creation experiences across different industries & sectors spanning higher education, financial services, and industrial sectors.

He brings deep expertise in Governance, Risk, and Compliance (GRC), with hands-on experience implementing and building cyber capabilities and developing architecture functions.
Wednesday 25th
17:40-18:40
The COSAC Rump Session

Plenary 19P

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 25th February.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.
Speaker(s)

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
Wednesday 25th
18:45-19:15

Drinks Reception (Sponsored by David Lynas Consulting)
Wednesday 25th
19:15

COSAC APAC 2026 Gala Dinner (Sponsored by ALC Training)

Thursday 26th February

Thursday 26th
08:00-09:30
The SABSA Institute Forum - Melbourne - AI Architecture 2026 and beyond

Registrations are now open for THE SABSA Institute Forum at COSAC APAC 2026, featuring our special guest from The SABSA Institute, SABSA Master Dr Malcolm Shore, who will discuss and answer questions on AI Architecture in 2026 and beyond.

Note: Entry to SABSA World Forum is open to the public. Entry does not provide entry to COSAC APAC 2026 Security Conference for alternative presentations.

Join us in person for an exciting dive into AI Architecture in 2026 and beyond. This forum is your chance to connect with passionate professionals, explore cutting-edge ideas, and get ahead in the AI game. Whether you’re a seasoned architect or just curious about the future, this event is packed with insights and discussions and networking you won’t want to miss.

Welcome to The SABSA Institute – SABSA World Forum – where minds meet and ideas flow! Join us in-person for a unique breakfast event at COSAC APAC 2026, that brings together experts from around the world to delve into the ever-evolving world of security architecture.

At the TSI Forum, The SABSA Institute (TSI) and the TSI Liaison Group (LG) will provide their latest updates.

Our special guest of The SABSA Institute will be SABSA Master Dr Malcolm Shore.

Dr Shore is the creator and trainer of the latest TSI-approved Security Architecture Course, “Architecting Secure AI” and an industry leader in SABSA, Cyber, Cloud and Enterprise Security Architecture.

Dr Shore has recently released a number of webinars and insights on AI Architecture and will be on hand to discuss the latest in developments and be available in an open floor session to answer your questions about Architecting Secure AI, the AI Security market evolution and latest developments, AI Training, AI Return on Investment and Securing Business Value and much more.

You can watch Dr. Malcolm Shore previously discuss AI Architecture here: https://youtu.be/5-qdiojay-s?si=lnZ6Cwatje8s_49c

Agenda:

Introduction to TSI (for non-members)

The SABSA Institute update

Guest Speaker – Dr Malcolm Shore – AI Architecture 2026 and beyond

Questions & Answers session

Networking: Meet the SABSA Institute Board of Trustees and Liaison Group Members

Date:

Thursday Feb 26th 08:00 – 09:30 – Breakfast Event

Location:

Collins Square Business and Event Centre, Level 5, Tower 2/727 Collins Street, Docklands, Victoria, 3008

Eventbrite Registration:

https://www.eventbrite.com/e/the-sabsa-institute-forum-melbourne-ai-architecture-in-2026-and-beyond-tickets-1982206728685?aff=oddtdtcreator
Speaker(s)

Gareth Watters

Director, The SABSA Institute (Australia)

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

In his 50+ years of in-depth experience in IT and security consulting, systems management and technical implementations, Glen Bruce has focused on Security Frameworks, Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has led many information/cyber security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of a wide range of business and technical requirements. Glen is the leader of the SENC workgroup project.

Kirk Nicholls

Security Advisor, Sportsbet (Australia)

Kirk is a security architect who loves that the job is an endless source of puzzles and learning.He is an SES volunteer, SABSA Institute Board member and instigator of SABSA World Australia.

Someday the novelty will wear off, but not today.

Dr Malcolm Shore

Chief Architect, David Lynas Consulting (New Zealand)

Malcolm had a career in the RNZAF before joining GSCB as the Director of Information Systems Security where he developed and managed the national information security programme for New Zealand. Subsequently as Technical Director CES Communications he was responsible for developing embedded cryptography voice and data products. As Technical Director at BAE Systems Applied Intelligence he managed the security evaluation, reverse engineering and penetration testing teams.  He has held a number of Chief Security Officer roles in the telecommunications field, including Telecom NZ, NBN Co, and Huawei Australia. As a consultant he has undertaken security architecture contracts in the UK, Australia and the Gulf region. Malcolm is currently Chief Architect at DLC and is a partner in Outpace AI, Australia.

Malcolm has represented Australia and New Zealand in cybersecurity forums internationally, has participated in the ISO and Open Group standards bodies, and has held board roles in both AISA and the SABSA Institute. He is also a partner in the Global Forum for Cyber Expertise (GFCE).

As a part time academic, Malcolm developed and lectured in the Post Graduate Diploma in Forensics and Security at Canterbury University in New Zealand and is now an adjunct PhD Supervisor at Deakin University in Melbourne.  Malcolm was instrumental in developing and launching the vocational Certificate IV in Cybersecurity throughout Australia.  He has published research in the cybersecurity field, and is the author of numerous online cybersecurity and programming courses published through Linkedin Learning and Offensive Security.
Thursday 26th
09:30-10:00

Registration & Coffee
Thursday 26th
10:00-17:45
6th COSAC APAC Security Architecture Design-Off

Masterclass M1

Returning for a 6th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops.

Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on LinkedIn congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.
Speaker(s)

Jason Kobes

Sr. Staff Cyber Architect & Research Scientist, Northrop Grumman Corporation (USA)

Jason Kobes works as a Sr. Staff Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master’s of Science in Information Assurance (MSIA) and a Bachelor’s of Science in Computer Science from Iowa State University. Jason holds a SABSA Practitioner of Risk and Governance as well as Architecture. Jason’s areas of research include enterprise risk architecture, accountable anonymity systems and applying actionable enterprise security architecture. Jason is also an adjunct professor at Marymount University for the Criminal Justice department Cyber Crime and Digital Terrorism class.

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Center (USA)

Bill Schultz is a practicing lead security architect who has worked in the Information Technology field for over 20 years, with the majority focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill holds the SABSA Master certification. Bill has implemented security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives at Vanderbilt University Medical Center and has been leading the development of the security architecture for 15 years.
COSAC APAC International Round Table Security Forum

Masterclass M2

The 2026 session of the Forum addresses a Pandora’s box full of new information security issues in a world where older issues won’t stay buried. You’ll join a group of similarly situated professionals - experienced, dedicated, resilient, perhaps bloodied in past successes and failures – to seek realistic solutions and accommodations to the challenges facing us in 2026 and beyond.

AI, quantum computing, machine learning, security staffing, privacy, compliance, incident handling, ransomware, … the list goes on and on. Forum delegates are always learning, willing to listen to and learn from others who’ve encountered things they might not have, definitely not shy about sharing opinions, strategies and techniques, and committed to our strange and but very necessary profession.

With moderating by a not-quite-extinct security dinosaur, you and your peers will experience a full-day immersion in the COSAC APAC way. Moderator questions or comments on associated issues and related publications can produce very different reactions from the crowd. Participants cast their own light on raised topics based on constraints, objectives, tools, techniques, hidden land mines and final outcomes. We all learn from each other.

Come join us and help solve the current and maybe future information security problems of the world.
Speaker(s)

John O’Leary

President, O'Leary Management Education (USA)

John G. O’Leary, CISSP, is President of O’Leary Management Education. A computer security practitioner since 1977, he has designed, implemented, maintained, administered, broken, troubleshot, fixed, re-fixed, managed, consulted on and taught security for networks ranging from single-site to multi-national. Winner of the 2004 COSAC award, the EuroSec 2006 Prix de Fidelite and the 2011 ISC2 Lifetime Achievement Award and the first ever ISS Guardian Award in 2015, his background spans programming, systems analysis, auditing, project management, operations and quality assurance. John taught graduate school at the University of Texas at Dallas for 10 years (yes, there are universities in Texas, some of them even accredited). A few years ago he received breach notification letters from TJX and the VA in the same week. He is still waiting for OPM to reveal that the Chinese now have all his security clearance information. The Target “situation” got him new credit cards. He does not admit to knowing any Russians or CCP members. Although he completely missed out on early bitcoin gathering, the March 2023 Silicon Valley Bank failure cost him nothing. He is firmly convinced that COSAC is the absolute best information security conference on earth.
Building an AI Fast Track Agent

Masterclass M3

AI has evolved remarkably quickly from chatbot to agent, and is well on the way to delivering virtual employees. In this workshop we take a hands-on approach to understanding agentic AI, and step by step build the datasets and tools we need to augment an AI model with a modicum of SABSA expertise.

We’ll use the datasets to augment a standard Generative AI Large Language Model (LLM) and attendees will learn how to prepare the system prompts necessary to drive its operation. To conclude the workshop, attendees will prepare their augmentation dataset, select their preferred LLM, and use their AI Fast Track Agent to prepare a fast track deliverable for a project.

Attendees are encouraged to work in groups and participate hands on in each practical lab throughout the course of the workshop.
Speaker(s)

Dr Malcolm Shore

Chief Architect, David Lynas Consulting (New Zealand)

Malcolm had a career in the RNZAF before joining GSCB as the Director of Information Systems Security where he developed and managed the national information security programme for New Zealand. Subsequently as Technical Director CES Communications he was responsible for developing embedded cryptography voice and data products. As Technical Director at BAE Systems Applied Intelligence he managed the security evaluation, reverse engineering and penetration testing teams.  He has held a number of Chief Security Officer roles in the telecommunications field, including Telecom NZ, NBN Co, and Huawei Australia. As a consultant he has undertaken security architecture contracts in the UK, Australia and the Gulf region. Malcolm is currently Chief Architect at DLC and is a partner in Outpace AI, Australia.

Malcolm has represented Australia and New Zealand in cybersecurity forums internationally, has participated in the ISO and Open Group standards bodies, and has held board roles in both AISA and the SABSA Institute. He is also a partner in the Global Forum for Cyber Expertise (GFCE).

As a part time academic, Malcolm developed and lectured in the Post Graduate Diploma in Forensics and Security at Canterbury University in New Zealand and is now an adjunct PhD Supervisor at Deakin University in Melbourne.  Malcolm was instrumental in developing and launching the vocational Certificate IV in Cybersecurity throughout Australia.  He has published research in the cybersecurity field, and is the author of numerous online cybersecurity and programming courses published through Linkedin Learning and Offensive Security.
Thursday 26th
11:35-11:55

Morning Coffee
Thursday 26th
13:30-14:30

Lunch (Sponsored by David Lynas Consulting)
Thursday 26th
16:00-16:20

Afternoon Tea
Thursday 26th
18:00-18:15

Conference Close - COSAC Chairman's Closing Remarks

COSAC
Patrons

A completely new COSAC experience pushing the boundaries of cybersecurity further than ever before. Smart people, inspiring guest speakers and a ton of passion. Become a COSAC Patron and gain access like no other.

Become a patron

COSAC
2026.

27th Sept - 1st Oct: Kildare, Ireland

More Info Call for Papers

Contact

Get in contact with us by email, phone or just stay social and connect with us on LinkedIn

COSAC APAC 2026

Tuesday 24th February

Tuesday 24th 08:30-09:00

Tuesday 24th 09:00-09:20

Tuesday 24th 09:30-10:15

Implementing the SABSA NIST CSF Community Profile

Session 2A

Speaker(s)

From Value Chain to Prompt: AI Fast Track

Session 2B

Speaker(s)

Tuesday 24th 10:20-11:05

Enterprise Security Architecture – Using SABSA to Deliver ISO 27001 the Right Way

Session 3A

Speaker(s)

Beyond the Algorithm: Cultivating Trust in the AI Era

Session 3B

Speaker(s)

Tuesday 24th 11:05-11:25

Tuesday 24th 11:25-12:10

When SABSA met FAIR: A Framework Dynamic Duo

Session 4A

Speaker(s)

Human Crash-Test Dummies, and How AI has Taken the RED out of DREAD...

Session 4B

Speaker(s)

Tuesday 24th 12:15-13:00

Optimising Information Asset Utilisation Through Co-Design and SABSA Integration

Session 5A

Speaker(s)

Space Engineering Inspired Cyber Resiliency

Session 5B

Speaker(s)

Tuesday 24th 13:00-14:00

Tuesday 24th 14:00-14:45

How to Influence Your Way to Cyber Budgets

Session 6A

Speaker(s)

Living in a World of Covert Channels

Session 6B

Speaker(s)

Tuesday 24th 14:50-15:35

Using the SABSA Matrix with Stakeholders to Define Project Perspectives and Actions

Session 7A

Speaker(s)

Taming the Untrusted: Zero Trust Approaches and Cross-Sector Case Studies

Session 7B

Speaker(s)

Tuesday 24th 15:35-15:55

Tuesday 24th 15:55-16:40

Why Security Architectures Fail: “It is not the Architecture’s fault”

Session 8A

Speaker(s)

Mesh, Hype or Hope? Reassessing Cybersecurity Mesh Architecture (CSMA) in the Shadow of Zero Trust

Session 8B

Speaker(s)

Tuesday 24th 16:45-17:30

Implementing SABSA in Context: A Practical First Step

Session 9A

Speaker(s)

Securing Australia's Federated Future: Rethinking Access, Trust, and Compliance Across Domains

Session 9B

Speaker(s)

Tuesday 24th 17:40-18:40

High Assurance Computing in the Commercial Sector: Niche or Necessity?

Plenary 10P

Speaker(s)

Tuesday 24th 18:45-19:15

Tuesday 24th 19:15

Wednesday 25th February

Wednesday 25th 09:00-09:30

Wednesday 25th 09:30-10:15

The Pragmatist's Guide to Safely Automating the Management of Critical Infrastructure

Session 11A

Speaker(s)

Why Misinformed Teams Build Weak Security Programs

Session 11B

Speaker(s)

Wednesday 25th 10:20-11:05

The High Rollers Table – A Case Study in Proving Your Value Using SABSA

Tuesday 24th
08:30-09:00

Tuesday 24th
09:00-09:20

Tuesday 24th
09:30-10:15

Tuesday 24th
10:20-11:05

Tuesday 24th
11:05-11:25

Tuesday 24th
11:25-12:10

Tuesday 24th
12:15-13:00

Tuesday 24th
13:00-14:00

Tuesday 24th
14:00-14:45

Tuesday 24th
14:50-15:35

Tuesday 24th
15:35-15:55

Tuesday 24th
15:55-16:40

Tuesday 24th
16:45-17:30

Tuesday 24th
17:40-18:40

Tuesday 24th
18:45-19:15

Tuesday 24th
19:15

Wednesday 25th
09:00-09:30

Wednesday 25th
09:30-10:15

Wednesday 25th
10:20-11:05

Wednesday 25th
11:05-11:25

Wednesday 25th
11:25-12:10

Wednesday 25th
12:15-13:00

Wednesday 25th
13:00-14:00

Wednesday 25th
14:00-14:45

Wednesday 25th
14:50-15:35

Wednesday 25th
15:35-15:55

Wednesday 25th
15:55-16:40