Schedule - COSAC

COSAC APAC 2026

Tuesday 24th February

Tuesday 24th
08:30-09:00

Registration & Coffee
Tuesday 24th
09:00-09:20

COSAC APAC 2026 Chairman's Welcome
Tuesday 24th
09:30-10:15
Implementing the SABSA NIST CSF Community Profile

Session 2A

The NIST CSF provides a collection of essential areas where cybersecurity protections are needed but the current specification of functions, categories and subcategories are far from comprehensive or sufficient for many organizations. NIST is now encouraging extensions be defined to the CSF to add the missing elements deemed important or necessary to adapt the CSF to meet the needs of specific industries, associations, regulatory bodies or legislative requirements through Community Profiles for developing use case-specific cybersecurity risk management guidance for multiple organizations.

The SABSA Institute (TSI) sponsored SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project is currently developing various tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work the SABSA way. This session is a high-level view of what the SENC project has developed to date and will be developing to guide the integration of the NIST CSF into a SABSA security architecture including an initial look at the SABSA NIST CSF Community Profile.

The SENC Project Team has now finalized a library of example SABSA business attributes and attribute profiles based on the NIST CSF Categories and Subcategories. The team focus now includes defining the SABSA-specific NIST CSF Community Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method and a collection of SABSA-specific Examples supporting the CSF subcategories aligned to the SABSA NIST CSF Community Profile. This session provides a first look at the SABSA CSF Community Profile which will provide an easier and more complete integration of the CSF into your security architecture. The SABSA NIST CSF Community Profile will be enhanced with a collection of SABSA specific Examples for implementing the CSF Subcategories providing additional insight into effectively leveraging SABSA while integrating the CSF.

Applying the NIST CSF typically focusses on the processes, technologies and controls while losing sight of the business value and risks involved. The extensions from the SABSA CSF Community Profile and the supporting Examples will provide a more complete solution for effectively managing business risk across the enterprise. This session will be a review of what the SENC Project Team has accomplished to apply and enhance the NIST CSF 2.0 to manage your organization’s business risk requirements.
Speaker(s)

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

In his 50+ years of in-depth experience in IT and security consulting, systems management and technical implementations, Glen Bruce has focused on Security Frameworks, Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has led many information/cyber security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of a wide range of business and technical requirements. Glen is the leader of the SENC workgroup project.
From Value Chain to Prompt: AI Fast Track

Session 2B

This presentation is a walkthrough of an AI Fast Track playbook designed for architecting AI solutions which demonstrate clear value to the business. It provides an insight into the steps required to identify the opportunities for AI in the business, and describes reference mappings of attributes to various AI standards, guidelines, and regulations.

In addition to outlining the opportunities provided by AI, the presentation will include demonstrations of AI threats and their impact on business value, and propose an integrated controls library that will support enablement and mitigation. The presentation describes the working templates which are required to support an AI Fast Track, and will demonstrate the use of an AI Fast Track agent.
Speaker(s)

Dr Malcolm Shore

Chief Architect, David Lynas Consulting (New Zealand)

Malcolm had a career in the RNZAF before joining GSCB as the Director of Information Systems Security where he developed and managed the national information security programme for New Zealand. Subsequently as Technical Director CES Communications he was responsible for developing embedded cryptography voice and data products. As Technical Director at BAE Systems Applied Intelligence he managed the security evaluation, reverse engineering and penetration testing teams.  He has held a number of Chief Security Officer roles in the telecommunications field, including Telecom NZ, NBN Co, and Huawei Australia. As a consultant he has undertaken security architecture contracts in the UK, Australia and the Gulf region. Malcolm is currently Chief Architect at DLC and is a partner in Outpace AI, Australia.

Malcolm has represented Australia and New Zealand in cybersecurity forums internationally, has participated in the ISO and Open Group standards bodies, and has held board roles in both AISA and the SABSA Institute. He is also a partner in the Global Forum for Cyber Expertise (GFCE).

As a part time academic, Malcolm developed and lectured in the Post Graduate Diploma in Forensics and Security at Canterbury University in New Zealand and is now an adjunct PhD Supervisor at Deakin University in Melbourne.  Malcolm was instrumental in developing and launching the vocational Certificate IV in Cybersecurity throughout Australia.  He has published research in the cybersecurity field, and is the author of numerous online cybersecurity and programming courses published through Linkedin Learning and Offensive Security.
Tuesday 24th
10:20-11:05
Enterprise Security Architecture – Using SABSA to Deliver ISO 27001 the Right Way

Session 3A

Many of us who come to attend a SABSA course are well versed in ISO 27001 and/or ISO 20000 (ITIL). Most organisations (especially utilities, water, transport etc), have what is called an integrated management system which brings together standards such as ISO 9001 (Quality), ISO 45001 (Safety), ISO 14001 (Environment) under one management system. Before embarking on developing and implementing enterprise security architecture, it is important that Enterprise Security Architects understand such standards.

A key benefit of using SABSA as an Enterprise Security Architect is that SABSA can be integrated into any existing framework. Those of us who have attended the SABSA courses know that SABSA is a complete problem-solving framework that provides a variety of tools and techniques to demonstrate traceability for justification and completeness.

Grand as SABSA is, many students (including me, 15 years back) walk away from a SABSA course mesmerised with the newfound knowledge and being converted into SABSA evangelists. Many also wonder how SABSA can be implemented into an organisation. Others wonder where they can start with SABSA. What if there was a way for the security practitioner to use the SABSA tools and techniques within a familiar framework such as ISO 27001? Surely, a good CISO or a security manager would want their security to be managed against an independently certifiable standard.

This session will show you how ISO 27001 can be done the right way using most of the techniques provided by SABSA. For example, clause 4.1 of the ISO 27001 standard is about ‘understanding the context of the organisation’. This is the contextual layer of SABSA. Another example is clause 6.1.3 which requires the development of a ‘Statement of Applicability’ that provides traceability in terms of ‘justification’ and ‘completeness’. What better way is there to do this than using SABSA? As always, you will receive my slide pack filled with practical examples and notes to start your ISO 27001 journey done the right way, with SABSA.
Speaker(s)

Sarit Kannanoor

Head of Cybersecurity, Digital Frontier Partners (Australia)

Sarit is a highly accomplished security leader with experience in enterprise security architecture. Sarit has an engineering, governance and technology background and specialises in governance, risk, compliance and assurance aspects of security. Sarit is able to provide balanced advice to senior management and board by considering security from a Business Security perspective and not just from an Information Security or IT / Cyber Security perspective. Sarit has presented a paper at the COSAC 2024 on Business Trust. Sarit is a Chartered SABSA Master.
Beyond the Algorithm: Cultivating Trust in the AI Era

Session 3B

Artificial intelligence is now integral to our lives and businesses. As AI's influence expands, trust becomes paramount. We must go beyond innovation to ensure AI systems are responsible, safe, and dependable.

This discussion highlights the critical pillars for building trust while innovating with AI. We’ll explore technical guardrails, ethical considerations, robust privacy frameworks, and stringent regulatory compliance. Think of it like building a sturdy house: these elements form the solid foundation and supporting pillars of trust, transparency, ethics, and security, all unified under a regulatory roof.

The rise of AI agents—autonomous systems capable of independent action—underscores the urgency of trust. For these agents to be truly valuable, they must be meticulously engineered with these core principles. This means they must operate ethically, provide clear visibility into their actions, maintain robust data security, actively mitigate biases, and strictly adhere to all relevant regulations. When these factors are addressed, AI agents become reliable and equitable assets.

Building trust while innovating with AI isn’t just a good idea; it’s a fundamental business imperative. By prioritising Trustworthy AI, we lay a solid foundation for its widespread and beneficial deployment. These aren’t abstract concepts but crucial elements for developing AI systems that are not only advanced and effective but also inherently dependable and ethical. Through these responsible practices, we’ll unlock AI’s full potential, delivering tangible benefits and cultivating a more trustworthy digital future for all Australians.
Speaker(s)

Bharat Bajaj

Professional Development Board Member, ISACA Melbourne Chapter (Australia)

Bharat is a highly accomplished Technology Risk leader with two decades of experience navigating the complex landscapes of Artificial Intelligence, Machine Learning, Cybersecurity, and Privacy. I have partnered with three of the “Big Four” Australian banks, spearheading large-scale transformative projects and architecting robust technology risk mitigation strategies that demonstrably safeguard operations, enabling customer objectives. My approach blends deep industry expertise with incisive strategic thinking, consistently delivering tangible business value.

I am instrumental in the implementation and governance of Machine Learning, Generative AI, and AI Agentic systems. My responsibilities encompass the identification of technology risks and evolving compliance requirements, coupled with the development and implementation of comprehensive guardrails.

As a dedicated Board Director at the ISACA Melbourne Chapter, I am deeply committed to enhancing the professional capabilities of our community. I actively shape and execute the Chapter’s certification strategy and lead the delivery of ISACA certification training programs, empowering individuals to excel in their respective fields.

In previous leadership roles, I cultivated a pragmatic approach to Governance, Risk, and Compliance (GRC), consistently delivering outcome-based value in managing a broad spectrum of risks.

Reshma Devi

AI and Data Risk Leader, Transurban (Australia)

Reshma is an AI & Data Risk specialist with experience in Security and Technology. She holds a Master’s Degree in Information Technology, is a Certified Data Privacy Solutions Engineer (CDPSE), and is a Graduate of the Australian Institute of Company Directors (GAICD).

With a passion for Data, AI, and emerging technologies, Reshma brings over 20 years of experience working in Australia and New Zealand. She is deeply committed to Data Security and addressing emerging AI challenges. Currently, Reshma serves as a Director at ISACA Melbourne and sits on the Advisory Board for other not-for-profits. Additionally, she contributes as a Subject Matter Expert Reviewer for ISACA’s CDPSE Manual and regularly writes for blogs, podcasts, and security magazines.
Tuesday 24th
11:05-11:25

Morning Coffee
Tuesday 24th
11:25-12:10
When SABSA met FAIR: A Framework Dynamic Duo

Session 4A

This session will show how SABSA can incorporate FAIR (Factor Analysis of Information Risk) to increase risk rigor and security decision-making.

The real magic happens when FAIR directly promotes SABSA’s architecture by providing robust risk quantification. This formidable approach aligns with the Motivation column of the SABSA matrix, answering the critical “why” behind security decisions. While FAIR method delivers strong, reliable risk assessments, SABSA ensures these insights are seamlessly combined with other crucial pillars to optimally serve business goals.

Using FAIR to reinforce the “why” component within SABSA underscores the current, urgent demand for healthy, risk-based, and quantifiable security strategies in the face of escalating cyber threats. By combining the two frameworks, security professionals can effectively explain complex risks within a SABSA enterprise architecture. This allows for the use of simple, quantifiable terms that stakeholders and leaders can easily understand, making it easier to have meaningful conversations about security priorities and investments.

Discover a fresh and inspiring perspective at how FAIR enhances “Motivation” in SABSA – hence encouraging confidence, sharpening risk management, and supporting SABSA security architecture.
Speaker(s)

Rodney Anderson

Head of Information Security and Compliance, Banardos Australia (Australia)

Rodney is an accomplished information security professional with more than two decades of experience across diverse industries including large corporate, telecommunications, energy, healthcare, and major financial sectors. Currently, he is dedicated to giving back to society, as the Head of Information Security & Compliance (aka CISO) at Barnardos Australia. There, he exercises thought leadership by crafting practical, risk-appropriate security visions and roadmaps through a commitment to continual improvement.
Human Crash-Test Dummies, and How AI has Taken the RED out of DREAD...

Session 4B

The modern AI world has weaponized the attackers with better and smarter tools than ever before.
The "DREAD" threat model is now trending to just "AD" (i.e. AI tools are blitzing the Reproducibility, Exploitability and Discoverability of vulns. All we can manage now is the Damage and Effected users).

This is why Digital Safety has never been more vital, to architect systems that “fail safely”.

This is brought home in two autonomous vehicle designs, one is more secure (less likely to be hacked), the other is safer (less damage when hacked).

Happy to tune or do anything else…

Been doing a lot of work on the training side of life too, for Digital Safety.

FYI – the “autonomous bus” really brings home the difference.

– Bus A and B are fully autonomous with insane amounts of tech.

– Bus A has ZERO vulns

– Bus B has 100 vulns and security flaws. Therefore the audience chooses Bus A.

But, in testing, when we DO find a vuln:

– Bus A’s software crashes and the vehicle is out of control.

– Bus B’s software fails safely, and even though it’s more hackable, it remains SAFE in all scenarios.

– Therefore audience chooses Bus B, as Bus A is more secure NOW, but will kill you IF a new vuln is discovered, whereas Bus B is SAFE no matter how many vulns are found.

Drills into architectures that include:

– defence in depth

– fail-safe design and redundancy

– security vs resiliency

– Fault tolerance and DFMA (Design Failure Mode Analysis)
Speaker(s)

Andy Prow

Founder, Qubit Cyber (New Zealand)

Andy is a cyber-security veteran with 30+ years of IT experience, most of which has been in cyber security. From being a software developer for global giants such as IBM, Ericsson & Vodafone, to pen testing and vulnerability research, to more recently as a tech entrepreneur founding 6 firms, including Aura InfoSec, and RedShield Security. Andy is a previous winner of the EY NZ Entrepreneur of the Year, and was inducted into the NZ InfoSec Hall of Fame 2023. His new company Qubit focuses on Digital Safety (keeping humans safe in a modern technical world), and is on the board of both NZTech and the NZITF (NZ Internet Taskforce). He’s also a parttime student, studying a PhD in Digital Safety and Cyber-Engineering.
Tuesday 24th
12:15-13:00
Optimising Information Asset Utilisation Through Co-Design and SABSA Integration

Session 5A

This paper explores the lifecycle of an information asset, tracing its evolution from a singular business process to its strategic positioning within the layers of the SABSA framework.

It examines the appropriation and manipulation of information assets to serve diverse operational, compliance, and security objectives. By leveraging principles of co-design, this study highlights methodologies for engaging both internal and external stakeholders to maximise the value of information assets while ensuring system configurations align with business and regulatory requirements.

A common pitfall in system implementation is the relegation of information asset considerations to a secondary priority, often introduced late in the development cycle. This paper advocates for an integrated approach in which co-design specification workshops with business users are conducted at the outset. By embedding information asset planning into the initial stages, organisations can optimise system functionality, enhance compliance, and derive long-term strategic benefits.
Speaker(s)

Bethany Sinclair-Giardini

Senior Business Consultant, TechnologyOne (Australia)

Dr Bethany Sinclair-Giardini has spent most of her career in Information Governance, working with information assets, ensuring their security, integrity and retention/disposal. She is a passionate advocate for ensuring data and information assets are managed coherently with adequate metadata in terms of lifecycle management. She is a leading member of her industry organisation, RIMPA Global, and has been a member of the SABSA Institute since 2024 when she first presented at COSAC APAC. She configures recordkeeping software in her day job, and crops up now and then at information security events around Melbourne.
Space Engineering Inspired Cyber Resiliency

Session 5B

Recent high-profile IT outages, like the CrowdStrike incident or the accidental wiping of the complete Google cloud service of UniSuper Australia, are a stark reminder that cybersecurity is not just about malicious threat actors, but also about issues arising from human errors with no failsafe.

This presentation explores how proven engineering practices from various fields, like space engineering, aeronautical engineering, or redundancy engineering, can be utilized for more cyber resilient architectures. These fields are renowned for their rigorous redundancy strategies, and we are going to explore how they can be adapted to fortify our security frameworks against innocuous threats.

Space systems for example are designed to operate in the most unforgiving environments, where failure is not an option. These systems achieve unparalleled reliability through the implementation of extensive redundancy measures at every level, from hardware components to software protocols. By drawing inspiration from these practices, we can develop security architectures that are not only robust but also capable of maintaining functionality in the face of sophisticated cyber threats and operational disruptions.

This presentation will delve into specific space engineering methodologies, such as:

Layered Redundancy: Implementing multiple layers of defence to ensure that if one component fails, others can take over seamlessly.

Fault Tolerance: Designing systems to continue operating properly in the event of the failure of some of its components.

Modular Design: Creating systems with interchangeable modules that can be easily replaced or upgraded without affecting the overall operation.

Rigorous Testing: Applying rigorous pre-launch testing and simulation practices to identify and mitigate potential vulnerabilities before they are exploited in real-world scenarios.

Attendees will gain insights into how these space engineering principles and others from the wider field of engineering can be translated into practical strategies for building threat-resilient security architectures. We will examine case studies and practical applications that demonstrate the efficacy of these approaches in protecting critical enterprise assets. This presentation aims to inspire a paradigm shift towards more robust, redundancy-inclusive security architectures, paving the way for a new era of cyber resilience.

Ideas covered in this presentation are not meant to be just taken and implemented but should spark a discussion on opportunities for security architects delivering more cyber resilient solutions. With this presentation we want to put a spotlight on often underrated cybersecurity threats, as witnessed in the latest incidents, and raise awareness on existing frameworks and tools addressing this space, like Mitre in their Cyber Resiliency Engineering Framework and NIST’s Special Publication 800-160 on the development of Cyber-Resilient Systems.
Speaker(s)

Chathura Abeydeera

Director, CYNQ (Australia)

Chathura is a trusted cybersecurity advisor with over 20 years of industry experience. He is also an advisory board member of the CREST Australasia. He has delivered complex technical Cyber security assessment programs and Incident Response engagements for a number of high profile Australian and global organisations.

Andreas Dannert

Director - Accenture’s Security Practice, Accenture (Singapore)

Andreas is currently a Director at Accenture Singapore, responsible for the security delivery to mostly clients in the Financial Services industry.

Previously he was working in various Enterprise Security Architecture roles at Standard Chartered Bank in Singapore. At SCB he was responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities.

Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of Australians. At nbn Andreas was responsible for defining nbn’s Security Strategy and technology roadmap across the organisation.

Prior to nbn, Andreas has worked in management and security consulting for Accenture, Deloitte and HSBC in various roles, lately purely focussing on delivering Enterprise Security Architecture artefacts like Security Architecture Frameworks and Security Models, and Security Technology Roadmaps to name a few. As a consultant Andreas has served clients in various industries across Europe, Asia and Australia.

In addition to his work at SCB, Andreas held multiple positions at the ISACA Melbourne Chapter board and has been an industry advisor to various organisations, like the Victorian’s Government Box Hill Institute and the Security Architecture Working Group of the IoT Alliance Australia. Andreas is also actively involved in the security architecture community and like running monthly workshops for security architects.

Andreas holds a Master of Computer Science degree from the Technical University of Berlin/Germany, is a Certified Information Systems Auditor (CISA), GIAC Security Essentials certified (GSEC exp.), ITIL Foundation certified, and a SABSA certified (SCF) professional.
Tuesday 24th
13:00-14:00

Lunch
Tuesday 24th
14:00-14:45
How to Influence Your Way to Cyber Budgets

Session 6A

Creating persuasive presentations for executive buy-in on cybersecurity strategies requires a fundamental shift from technical jargon to business-focused narratives. Successful cybersecurity presentations must translate complex technical risks into quantifiable business impacts, emphasizing potential financial losses, regulatory compliance failures, and reputational damage. The key lies in speaking the executive language of ROI, competitive advantage, and strategic enablement rather than focusing solely on technical vulnerabilities.

For the SABSA-inducted, being able to drill upwards from Component and Physical layers up to the Context is critical, to provide traceability and the ability to convince others of decision making and investment steps. Visual storytelling through risk matrices, cost-benefit analyses, and implementation timelines helps executives grasp both urgency and feasibility. Presenters should position cybersecurity not as a cost centre but as a business enabler that protects revenue streams and facilitates digital transformation initiatives.

Critical success factors include preparing for budget-focused questions, demonstrating clear metrics for measuring success, and presenting phased implementation approaches that show quick wins alongside long-term strategic goals. The most persuasive presentations conclude with specific resource requirements, realistic timelines, and clear accountability structures. By framing cybersecurity investments as essential business infrastructure rather than optional technical upgrades, security leaders can secure the executive support necessary for comprehensive organizational protection.
Speaker(s)

Dimitri Vedeneev

Director, CyberCX (Australia)

A political science nerd, that stumbled into a career in cybersecurity by accident over 14 years ago. Lucky to be selected and work with the Australian national security community within the Australian Signals Directorate, followed by several stints in software product and consulting companies across the UK, Europe and North America.

In the last few years, I’ve moved back to Australia and now work at CyberCX, the leading sovereign cyber security consultancy, solutioning and providing delivery quality assurance across cyber security deliveries on cyber strategies, operating model designs, multi-skillset engineering and integration projects and dabble in assisting penetration testing and threat intelligence integration into non-standard programs of work.

A recent SABSA convert, just beginning my security architecture career, there’s plenty more to learn and understand ahead.

Lienke Urbas

Manager, CyberCX (Australia)

Lienke Urbas is a cyber security professional with over 5 years of experience across cyber and national security roles. In her current capacity as a Manager within CyberCX’s Strategy and Consulting practice, Lienke leads cross functional teams to solve complex cyber security challenges with clients across multiple sectors including financial services, telecommunications, higher education, retail, energy, health and utilities. Lienke holds a Masters in National Security Policy from the Australian National University. She is passionate about the intersection between policy and national security, and has a strong interest in the changing regulatory landscape and its implications on Australia’s critical infrastructure.
Beyond Chatbots: Building Semantic Intelligence for Next-Generation GRC Automation

Session 6B

While large language models dominate headlines, the real revolution in governance, risk, and compliance (GRC) automation lies in semantic technologies that deliver deterministic, auditable outcomes. This presentation explores how knowledge graphs, ontologies, and policy-as-code are transforming cybersecurity governance from reactive compliance theatre into proactive, intelligent defence.

Traditional GRC approaches fail under the weight of modern regulatory complexity. Security teams spend 60% of their time on manual compliance tasks, while regulatory frameworks evolve faster than human-speed adaptation allows. This talk demonstrates how semantic technologies provide the missing link—understanding relationships between requirements, not just matching keywords.

Attendees will learn how to implement semantic GRC architectures combining:

Knowledge graphs (Neo4j, RDF) that map regulatory relationships and control dependencies

Ontology engineering using OWL and SPARQL for machine-readable compliance logic

Policy-as-code frameworks that version, test, and deploy security policies like software

Deterministic automation that provides 100% traceable decisions without AI hallucination risks

It’s about amplifying security teams’ capabilities through intelligent automation. By building semantic foundations today, organisations can future-proof their GRC programmes for whatever regulatory complexity tomorrow brings.
Key Takeaways:

Understand why semantic technologies outperform traditional keyword-based GRC tools

Learn practical patterns for implementing knowledge graphs in security contexts

Discover how policy-as-code transforms static documents into living governance

Gain insights into building vendor-agnostic, extensible GRC automation platforms
Speaker(s)

Ben Kereopa-Yorke

Senior Security Consultant - AI, nbn (Australia)

Ben Kereopa-Yorke is fascinated by the beautiful complexity that emerges when artificial intelligence meets security. As a Senior Security Consultant – AI at nbn, and an AI and security teacher, mentor, and researcher, he approaches complex security challenges with the same curiosity that drives particle physicists to smash atoms – breaking big problems into understandable pieces and rebuilding them into elegant solutions.

A 2024 AISA Researcher of the Year finalist and co-lead of the OWASP Machine Learning Security Top 10, Ben splits his time between developing practical security frameworks and pushing the boundaries of AI security research as an Associate Editor of IEEE Transactions on Technology and Society. His recent work on AI-enhanced cybersecurity for SMEs and the ClausewitzGPT framework demonstrates his knack for making complex concepts surprisingly simple (and simple concepts surprisingly complex).

When he’s not publishing papers or mentoring the next generation of security professionals, you’ll find him explaining why AI security is fundamentally a human challenge – just with more math and better tools. His collection of certifications (including AWS Machine Learning Specialty and IAPP’s AI Governance Professional) and pursuit of a second Master’s degree from UNSW Canberra are really just symptoms of an uncontrollable urge to understand how things work and then make them work better.

Ben’s committed to helping the Australian cybersecurity community understand and tackle emerging AI security challenges. After all, as he often says, the best security solutions are like good science – elegant in theory and practical in application.
Tuesday 24th
14:50-15:35
Using the SABSA Matrix with Stakeholders to Define Project Perspectives and Actions

Session 7A

The SABSA Matrix logically sets out the different layers of architectures against the perspectives of that layer. Recently when planning for a new Security Service, the SABSA Matrix was used in discussions with stakeholders for their reasoning, drivers, motivations and outcomes.

Different stakeholders each with different perspectives and needs were consulted, with a short explanation, they could understand and see value in the matrix and how it was logically set out. This also enabled a number of conversations and insights that might not have been otherwise explored. Additionally, the layers such Service Management also gave space to articulate needs in change to BAU processes, and effected teams.

There is also the intention that this can be included and extended into SABSA adoption in the enterprise. As well as adding in additional information, reasons, impacted systems and teams over the project journey.

This presentation will describe the journey, some pitfalls and success in the usage of the SABSA framework in helping to justify, deliver and articulate requirements for a Project.
Speaker(s)

Darren Skidmore

Enterprise Security Architect, Toll Group (Australia)

Darren is a Security Architect at a Global Logistics Organisation. He has worked in Security Architecture and other Security roles with major Australian and International companies and the public sector. Darren has presented at local, and International conferences as well as authored academic papers on topics from Security Architecture, Law, value in Open Source and ICT evaluation. He is an active member within the Australian Security Profession, including the SABSA working Group: Modelling SABSA in ArchiMate, and SABSA TSI APAC.
Taming the Untrusted: Zero Trust Approaches and Cross-Sector Case Studies

Session 7B

Taming the Untrusted: Zero Trust Approaches and Cross-Sector Case Studies In today’s digital world, it is no longer a question of whether an organisation will be the
subject of a cyber-attack but more of when. And as organisations rapidly transform in today’s digital-first world, the traditional security perimeter has vanished. The rise of hybrid work, cloud adoption, and increasingly sophisticated threats demand a new approach - one that doesn’t just defend, but enables cyber resilience.

An emerging paradigm for achieving Cyber Resilience is Zero Trust, which is a transformative security framework that rejects outdated notions of implicit trust and enforces continuous verification of every interaction.

As Zero Trust is not a product but an approach, this presentation will go beyond the buzz of what Zero Trust is to examine how organisations with very different missions are or can leverage Zero Trust to protect sensitive data, ensure compliance, and enable secure operations. Rather than talk purely about Zero Trust, we will look at 3 examples from different sectors, namely financial manufacturing and not-for-profit. The presentation also focuses on the approaches rather than specific products.

During this presentation, the following topics will be covered:

1.Understanding the Shift – Cyber Risk in the Digital Age

a. The changing nature of cyber threats and the inevitability of breaches
b. Legacy security models and why they are failing, and the impact of the failure to evolve

2. The Zero Trust Paradigm

a. Evolution of the concept
b. Zero Trust Myth vs Reality

3. Zero Trust in Action to Build Resilience

a. Key pillars of Zero Trust – it’s a journey, not a product
b. Not a one size fits all

4. Case Studies (each covering challenges, approach, outcome)

a. Case 1 – Financial sector
b. Case 2 – Industrial sector
c. Case 3 – Not-for-profit sector

5. From Concept to Practice

a. The Crawl-Walk-Run approach
b. ZT Enablers and business alignment

6. Final Thoughts

a. Supporting transformation across different industries
b. Cyber resilience is the goal – is Zero Trust the path to get there?
Speaker(s)

Pierre Tagle

Head of Digital Identity and Zero Trust, DXC Technology (Australia)

Pierre Tagle, Ph.D., is an esteemed Information Technology and Cybersecurity professional with over 20 years of experience encompassing extensive consulting, executive
management, and 24×7 operational roles across diverse sectors including government, financial services, manufacturing, not-for-profit and academia. Dr. Tagle is adept at
translating complex security concepts into actionable strategies for both business and technical stakeholders, and is recognized for his analytical acumen and innovative approach to cybersecurity. He holds a Ph.D. in Computer Science and numerous prestigious certifications such as CISA, CISM, CRISC, ISO 27001 Lead Auditor, PCIP, and CDPSE.

In his current role as DXC Technology’s Head of Digital Identity and Zero Trust for Australia and New Zealand, Dr. Tagle leads a team that expertly balances business needs with risk mitigation and cost-effective security solutions. He leads team of close to 50 SMEs covers all four of DXC’s Security service pillars. This includes Cyber Risk & Compliance, Digital Identity, Infrastructure, App & Data Protection, and Cyber Transformation & Operations. Prior roles includes leading advisory and consulting teams in Secureworks and Sense of Security (now part of CyberCX).

His own direct work spans several critical areas including security strategy and roadmap development, compliance and maturity frameworks management, IT and OT security, and business continuity planning. Dr. Tagle’s leadership not only drives the strategic direction of security practices but also fosters a culture of accountability and continuous improvement within his teams.
Tuesday 24th
15:35-15:55

Afternoon Tea
Tuesday 24th
15:55-16:40
The Needs of the Many Outweigh the Needs of the Few, or the One - Spock

Session 8A

It is an accepted adage in SABSA that

‘For want of a nail the shoe was lost; … all for want of care about a horse-shoe nail.’

Is a good example of the consequence of miscommunicating risks, issues and opportunities ‘up’ the chain.

SABSA uses the concept of business risk to describe the threats to the business. Risks associated with communicating business imperatives are very often mitigated by using communication specialists.

In Australia, State and Territory governments as well as the Federal Government are adopting the SABSA approach, but can all the principles be read across? In this presentation we consider the impact that ‘pursuing the common good which could conflict with conventional or private morality’ has on the enunciation of threats and risk.

Is it as simple as ‘find and replace’, government department for business or does Machiavelli’s 1513 advice to the Prince to “… learn ‘how not to be good’ to protect the state and keep it intact” adversely impact the outcomes of a SABSA analysis. If so, what changes need to be made to the SABSA process to avoid every SABSA Government analysis starting with the security of Australia as the context level.
Speaker(s)

Carol Sutton

Consulting Engineer, On The Business (Australia)

Concept definition and early-stage acquisition for secure information and communications systems have been the focus of Carol’s career. Particularly in military aircraft platform acquisition, Carol has specialized in supporting systems such as command and control, training as well providing guidance on system security requirements for a range of other platforms.

With innovation in technologies, the need to be smart about how security is defined and implemented, Carol has taken the lessons identified earlier in her career to help develop holistic solutions including people, processes, data and infrastructure. This approach led to the successful implementation of a new specialist cell within Australia’s Air Operations Centre. Carol’s responsibility within the implementation team was the development of the security artefacts for certification of the systems.

Subsequently Carol was invited to create a ‘green field’ Operational Command and Control Centre for the fifth and future generation Royal Australian Air Force. Currently awaiting acquisition related information from a major ally, the capability management office is working to create an environment for a successful implementation and transition into service. Although in the early stages of the ADF’s capability lifecycle model, Carol is working to create a design that is secure, resilient and operational by design.
Mesh, Hype or Hope? Reassessing Cybersecurity Mesh Architecture (CSMA) in the Shadow of Zero Trust

Session 8B

In an industry already saturated with architecture frameworks—Zero Trust, SASE, CARTA, BeyondCorp, and more—the introduction of Cybersecurity Mesh Architecture (CSMA) by Gartner raises a compelling question: Do we truly need another one?

This session critically evaluates the purpose, promise, and practicality of CSMA in today’s cybersecurity landscape. Framed through the lens of identity security and Zero Trust adoption, we will explore whether CSMA is a transformative leap forward or a repackaged consolidation strategy born of market fatigue and vendor sprawl.

Participants will walk through the core principles of CSMA – distributed enforcement, identity fabric, composability—and contrast these with Zero Trust and other popular paradigms. The talk will use real-world use cases and architectural patterns to assess where CSMA fits (or doesn’t) within the modern enterprise stack. We’ll also examine its implications on non-human identities, hybrid infrastructure, and the elusive goal of security tool integration.

Importantly, this session is not a sales pitch for another model – but a thought-provoking dialogue on architectural fatigue, strategic overengineering, and the security leader’s dilemma: whether to adopt, adapt, or abstain from yet another framework.

Takeaway: A clear-eyed understanding of whether CSMA is the next essential evolution – or just another architectural acronym in a crowded boardroom conversation.
Speaker(s)

Abbas Kudrati

Chief Identity Security Advisor - APJ, Silverfort (Australia)

Abbas Kudrati is a highly experienced cybersecurity practitioner and CISO, currently serving as Silverfort’s Regional Chief Identity & Security Advisor. Previously, Abbas was Microsoft Asia’s Chief Cybersecurity Advisor for the Security Solutions Area. Alongside his work at Silverfort, Abbas serves as an executive advisor to multiple prestigious institutions, including LaTrobe University, HITRUST ASIA, EC Council ASIA, and various security and technology start-ups. Abbas also actively supports the wider security community by mentoring students and working with ISACA Chapters.

With extensive expertise in Identity Security, Identity and Access Management (IDM), Identity Threat Detection and Response (ITDR), and Identity Governance, Abbas has a proven track record of helping organizations strengthen their security postures and protect critical digital assets in an increasingly complex threat landscape.

As a bestselling author, Abbas has published several books that have become industry-standard references, including “Threat Hunting in the Cloud” by Wiley, “Zero Trust Journey Across the Digital Estate” by CRC Press, and “Managing Risks in Digital Transformation” by Packt. He is also the Technical Editor for two books, “Effective Crisis Management” by BPB and “IoT Security with Microsoft Defender for IoT” by Packt, he is currently authoring his latest book on the topic of “Cybersecurity Mesh Architecture – Hype or Hope”.

In addition to his writing, Abbas is a part-time Professor of Practice with LaTrobe University and a sought-after keynote speaker on topics such as Zero-Trust, Cybersecurity, Identity Security, Cloud Security, Governance, Risk, and Compliance. His extensive experience and knowledge make him a valuable asset to any organization seeking to improve its cybersecurity and identity security strategies.

https://aka.ms/abbas
Tuesday 24th
16:45-17:30
SABSA Foundations Complete… Now What?

Session 9A

Let’s be honest, completing the SABSA Foundations course is one thing but knowing where to begin is another thing entirely. Great in theory… but how do I implement this within the context of my business? It’s easy to get lost in the complexity of the framework so what is needed is a manageable, low risk project to gain momentum and build confidence. The answer could be developing a Team Charter.

This session is open to all participants, regardless of prior SABSA knowledge or experience. We will go through the process of using the SABSA framework to define roles, responsibilities, and communication channels for a security team, and describe how SABSA’s architectural concepts were applied as practical steps.

We didn’t need a complete overhaul of our security program; we started small and built from there. I’ll cover the challenges we faced, the lessons we learned, and the positive impact this project had on our team’s effectiveness.

If you’re looking for a practical, low-risk way to start your SABSA implementation journey, this session aims to provide you with a starting point.
Speaker(s)

Dan Schoemaker

Information Security Manager, Phoenix HSL (Australia)

Dan has been working in the IT Infrastructure/Operations and Security fields for over the past decade. Currently running the Group Security function for a global company, he is driven to ensure security is business driven and architected properly. Being a self-driven techie, he ultimately believes in learning by doing and having a crack.
Securing Australia's Federated Future: Rethinking Access, Trust, and Compliance Across Domains

Session 9B

Australia’s digital infrastructure is becoming increasingly federated. Government departments, healthcare networks, research institutions, and private enterprises are no longer isolated systems. They now rely on shared platforms, cross-agency data flows, and multi-cloud architectures. However, most organisations continue to depend on centralised identity and access control systems that were designed for siloed environments. These outdated models are unable to handle the complexity of shared authority, distributed data governance, and jurisdictional compliance.

This session tackles a key strategic challenge: how to secure access, maintain trust, and uphold compliance in systems where control is fragmented and collaboration is essential. It introducesa modern access control framework based on Attribute-Based Access Control, enriched with privacy-preserving cryptographic techniques such as verifiable credentials and Attribute-Based schemes. This approach enables fine-grained, policy-driven access without depending on central authorities or static roles.

Drawing on real-world case studies from health and government, we will explore how these models can support secure cross-domain collaboration, reduce risk exposure, and align with national privacy reforms and cyber strategies. The session will also examine how these approaches can be implemented in practice, ensuring data sovereignty, transparency, and interoperability without compromising innovation.

Whether you are responsible for architecture, security policy, compliance, or digital service delivery, this session will provide practical insights into building access and trust frameworks that match the complexity of modern Australia’s digital landscape.
Speaker(s)

Ahmad Salehi Shahraki

Lecturer in Cybersecurity, La Trobe University (Australia)

Dr Ahmad Salehi Shahraki is a Lecturer in Cybersecurity at La Trobe University’s Department of Computer Science and Information Technology. He is a recognised expert in decentralised access control, applied cryptography, secure data systems, and blockchain security. His research focuses on privacy-preserving access control, federated trust models, and secure architectures for cloud, IoT, and digital health environments. His extensive publication record in top-tier journals and conferences is a testament to his academic prowess. He actively supervises postgraduate students working at the forefront of cybersecurity innovation, further contributing to the field.

Dr Ahmad Salehi Shahraki is a leader in industry engagement initiatives, working at the intersection of academia and industry to advance applied cybersecurity research and education. He is the driving force behind the La Trobe Cybersecurity Club, a platform that fosters student development and professional engagement. As a member of the university’s Cybersecurity Industry Advisory Board, he plays a crucial role in shaping the future of cybersecurity. His academic journey includes significant roles at La Trobe University, RMIT University, and Monash University. At RMIT, he was instrumental in the Digital CBD initiative and held esteemed research fellow positions at the Blockchain Innovation Hub and the Centre for Cyber Security Research and Innovation. He holds a PhD in Cybersecurity from Monash University and a master’s in research from QUT. Dr Ahmad is an active member of IEEE, AISA, IACR, ACM, and ACS, and is a regular reviewer for leading cybersecurity venues. His work highlights the importance of collaboration, impact, and the development of future-ready cybersecurity capability across
sectors.
Tuesday 24th
17:40-18:40
High Assurance Computing in the Commercial Sector: Niche or Necessity?

Plenary 10P

As digital transformation accelerates across industries, commercial enterprises are facing heightened exposure to sophisticated cyber threats, regulatory scrutiny, and reputational risk. High Assurance Computing (HAC), with its rigorous standards for correctness, confidentiality, integrity, and trust has been confined traditionally to the defence, aerospace, and critical national infrastructure (CNI) sectors.

With increasing understanding that CNI is substantially dependent on commercial suppliers, HAC is rapidly gaining relevance in the commercial sector.

This session explores the strategic and technical imperatives driving the adoption of high assurance principles in modern enterprise environments. It will cover key elements such as formal verification of cryptographic systems, tamper-resistant processing, secure boot chains, trustworthy key management and audit chains, illustrating how these once-esoteric practices are becoming essential safeguards for sectors like finance, healthcare, and cloud-native SaaS platforms.

As the threat landscape evolves and digital trust becomes a business differentiator, this talk will assert that the application of high assurance computing in commercial enterprise is not just relevant, it’s necessary.
Speaker(s)

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.
Tuesday 24th
18:45-19:15

Drinks Reception
Tuesday 24th
19:15

Dinner

Wednesday 25th February

Wednesday 25th
09:00-09:30

Registration & Coffee
Wednesday 25th
09:30-10:15
The Pragmatist's Guide to Safely Automating the Management of Critical Infrastructure

Session 11A

How do you safely automate the management of infrastructure responsible for providing society with essential services?

Infrastructure whose failure scenarios result in catastrophic cascading failures that can lead to loss of life, extensive environmental impacts, and loss of organisational or government reputation.

In this session, we will examine the five-year journey an Australian major hazard facility embarked upon that resulted in the safe adoption of automated ways of working. You will see how a risk and business centric approach, underpinned by SABSA and functional safety engineering standards (IEC 61508/61511), increased process maturity, uplifted capability, removed people from harm’s way, reduced operational risk by a factor of 10, and modernised work management.

We will discuss use cases C-suite and plant managers care about (hint: it’s not configuration management), COTS vs. inhouse development, pre-requisite logical services required to ensure human and computer instantiated workflows remain distinguishable, the “physics” of maintenance debt and its impact on organisational change management, as well as the challenges associated with event-driven automation and extending orchestration to the physical world.

All concepts discussed will be related to a vendor neutral “just in time network administration” capability we build throughout the presentation culminating in its implementation through a live demo.
Speaker(s)

Luke Snell

Principal Networks, (Australia)

He is an accredited Functional Safety Engineer (TÜV Rheinland, SIS) where his career has seen him work across autonomous and traditional surface and underground mining operations, ports, rail environments, utility and power (LV + HV), as well as water pipeline networks.

Since 2020 he has focused on supporting critical infrastructure and major hazard facilities; where he is solving problems related to automation, edge compute, hybrid cloud, and industrial data centers.

Luke frequently rides the Architect’s Elevator from the “engine room” to the “executive suite”, is a firm believer in solving business problems with technology instead of technical issues with products and tooling, and is quite cheeky about challenging the norm.

Outside of technology you’ll find him engaging in all sorts of creative shenanigans be that improv theatre, writing on his blog ether-net, or trying to find unsuspecting people to indoctrinate into his Dungeons & Dragons campaigns. He also co-coordinates SABSA World Perth.
Why Misinformed Teams Build Weak Security Programs

Session 11B

After spending 20 years leading security teams across government and enterprise environments, one pattern emerges: the strongest security programs are not built by teams with the biggest headcount, largest budgets or most tools, but by teams that have the best information and are driven by context and data. Misinformed teams inevitably develop weaksecurity programs that fail when facing real-world threats.

During my CISO career I have witnessed how security teams operating without proper data context make decisions based on assumptions rather than data and evidence. They deploy controls that do not match actual risk scenarios, prioritize threats that are not present in their environments, and end up missing actual gaps they should be addressing.

The presentation examines how context transforms the effectiveness of your security program. Through case studies from other companies as well as my own teams, I will demonstrate how data driven approaches make threat modelling, incident response, risk assessments and other
security functions more efficient and impactful.

Key takeaways will include strategies for building context-driven security functions, establishing engagement channels that help your teams focus on what matters, and creating processes grounded in data rather than the industry hype.
Speaker(s)

Martin Choluj

CISO, ClickHouse (USA)

Martin Choluj is a seasoned cybersecurity executive with over 15 years of experience in the field. He currently serves as the CISO at ClickHouse, an open-source, column-oriented OLAP database management system for real time analytics, machine learning, GenAI, observability and data warehousing. In this role, he leads the company’s security, privacy, IT operations and engineering productivity initiatives.

Before joining ClickHouse, Choluj was the CISO at Campaign Monitor, where he oversaw security functions across multiple martech SaaS brands. His prior experience includes roles at the Reserve Bank of Australia, the Central Bank of Ireland and Symantec.

Choluj holds a Master’s Degree in Security and Forensic Computing from Dublin City University and a Bachelor’s Degree in Information Technology. He has earned multiple certifications, including CISSP and GIAC GSE.

In addition to his professional roles, Choluj is an advisor to venture capital firms and an angel investor. He is also a member of Silicon Valley CISO Investments (SVCI), an invite-only community of cybersecurity leaders turned investors.
Wednesday 25th
10:20-11:05
Bridging Business and Cybersecurity: An Enterprise Security Architecture Journey in the Australian Energy Sector

Session 12A

This session shares the journey of an Australian energy company in establishing a practical and scalable Enterprise Security Architecture using the SABSA framework. It explores how SABSA has been leveraged as the “glue” component, from a cyber security perspective, to address emerging business challenges, digital transformation, and an evolving regulatory landscape.

As organisations adopt new ways of working and face an increasingly uncertain threat landscape, security architects are under increasing pressure to deliver interoperable, reusable, and business-aligned cybersecurity artefacts. This presentation will include practical artefacts and examples that demonstrate how this approach has enabled the organization to respond rapidly to:

New business priorities—such as integrating Distributed Energy Resources (DER)

Adopting a new product-centric and agile delivery model for digital transformation

Aligning digital products with best practices and regulatory frameworks, including ISA/IEC 62443 and the Australian Energy Cybersecurity Framework (AESCSF v2.0)

Synchronising security artefacts with other enterprise architecture domains: Business, Information, Application, and Technology.

Attendees will be encouraged to consider SABSA as a holistic, risk-informed approach that serves as a strategic enabler for cybersecurity in complex and evolving environments.
Speaker(s)

Samuel Pinzon

Cyber Security Architect, Western Power (Australia)

Samuel Pinzon is a Senior Cyber Security Architect at Western Power, a critical infrastructure provider in Western Australia’s energy sector. With almost two decades of experience in cybersecurity and enterprise architecture, Samuel specialises in aligning security strategies with business transformation initiatives, regulatory compliance, and operational resilience.

At Western Power, Samuel leads the development of a SABSA-based Enterprise Security Architecture, enabling the organisation to navigate the complexities of digital transformation while maintaining a risk-informed cyber security posture. His work focuses on creating reusable, interoperable cybersecurity artefacts that bridge the gap between business objectives and technical implementations.

Prior to join Western Power, Samuel worked for about 15 years in the Oil & Gas sector, where he supported the implementation of multiple cybersecurity solutions across both upstream and downstream operations as security architect. He also led programs to implement cybersecurity practices in operational technology (OT) environments, applying the standard IAS/IEC62443 standard.

Samuel holds industry-recognised certifications, including CISSP, SABSA Chartered Foundation (SCF), ISA/IEC62443 Cybersecurity Expert, and TOGAF Foundation. He brings a pragmatic, business-aligned perspective to security architecture and is an advocate for using SABSA as a strategic enabler in complex environments.
Dynamic Risk Management

Session 12B

Effective Risk Management is a sacrosanct for any organization to remain a going concern. Organizations that can optimize their risk postures have greater chance of maximizing stakeholder values. But risk variables are moving extremely fast and static risk management can no longer enable risk optimization.

The Strategic Value Risk Model (SVRM) was developed to enable organisation to manage ever changing risk environment and maintain an optimized risk posture, thereby enabling value optimization. The SVRM focusses organizations on what really matters, as opposed to chasing down every emerging threat and uncovered vulnerabilities. It also enables definition and management of effective risk governance metrics, thereby enabling board of directors and senior leaders drive value chain alignment.
Speaker(s)

Gabriel Akindeju

Chief Security Officer, Risks Consult Ltd (New Zealand)

Gabriel Akindeju is an innovative and strategic Technology Risk Management and Security Management thought leader with background in Enterprise Technology Risk Management and Enterprise Security Governance and Architecture; Information Systems Management; Instrumentations and Controls Engineering; Electronic Electrical Engineering; PRInCEII and Agile practices. His overall objectives are to help organisations (1) leverage effective technology risk management and security for the creation of stakeholder values by optimising risk-reward dynamics (i.e. improve Risk Agility and Controls Optimisation Efficiencies); (2) prevent value erosion via the deployment of effective risk and security operations management framework and processes (i.e. optimise Risk Posture and minimise Risk Profile); and (3) safely and securely recover, if and when, business disruptions occur due to technology related issues and/or events (i.e. improve resilience and incident response readiness).

Gabriel is skilled in transformational Enterprise Technology Risk Management and Security capability maturity uplifts and has helped various organisations, including in his current role, bootstrap capability maturity programmes through structured yet agile architectural frameworks and processes. He has a special knack for senior leadership engagement and can drive positive uplift in enterprise culture shift through simple, easy to manage and yet effective initiatives.

Gabriel is a prolific innovator and an advocate of continuous improvements through adoption and applications of complex adaptive system integration concepts. He is passionate about the alignment and transformation of technologies; and technology governance and management processes into strategic enablers and competitive differentiators for businesses through risk optimisation.

Gabriel was the winner (one of 2) of the UK’s 2006 best IS dissertation award for his work on RFId, courtesy of the ISACA, UK; Gabriel also won the ISACA Certificate of Excellence Award in 2006, courtesy of the ISACA Auckland Chapter; and was cited in the 2008 edition of Marquis Who’s Who in the world. Gabriel won an Oceania Geographic Region CRISC award in Dec 2012; and more recently was cited in the Volume 4 (June 2020) of the ISACA Journal – Building Enterprise Security Programme.

Gabriel often speaks at professional seminars and likes to help professional candidates seeking certifications through both formal review seminars and informal mentorship. He enjoys professional teams, who pride in value creation, professionalism, & training and promote personal professional development as tools to defining, creating, and delivering superlative customer experiences
Wednesday 25th
11:05-11:25

Morning Coffee
Wednesday 25th
11:25-12:10
The Grammar of SABSA Attributes

Session 13A

When undertaking any work as a risk professional, it behooves us to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our craft, we hope to capture complexity within plain language while remaining flexible and removingambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons want to better would language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools to help form robust attributes and demonstrate their utility for ESA. By the end of the session you will be drafting Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.
Speaker(s)

Kirk Nicholls

Security Advisor, Sportsbet (Australia)

Kirk is a security architect who loves that the job is an endless source of puzzles and learning.He is an SES volunteer, SABSA Institute Board member and instigator of SABSA World Australia.

Someday the novelty will wear off, but not today.
Zero to Owned: Mapping the Lifecycle of a Credential Stealer to Corporate Breach

Session 13B

This research explores how infostealer malware turns into an early-stage access vector for corporate breaches. The focus is on how stealer logs, which are publicly available in various Telegram channels and marketplaces, contain data that attackers can use to identify and target businesses. Logs are collected from infected personal and unmanaged devices. Once the data is extracted, it typically contains a mix of credentials, cookies, tokens, and browser-stored artifacts. + Working and defense from common infostealers like Raccoon, Redline, and LummaC2.

The research shows how credentials for internal portals, cloud dashboards, developer platforms, and communication tools are exposed through this process. The goal is to help security teams understand what gets leaked, how it’s organized for resale or sharing, and how organizations can monitor public channels for signs of risk.

Infostealer malware is built to collect and dump anything useful from a device. This includes saved browser credentials, autofill data, session cookies, API tokens, wallet addresses, and app-specific passwords. Once collected, these logs are uploaded to Telegram bots, marketplaces, or leak sites.

The research walks through how these logs are typically structured and what credentials they contain. Examples include login details for GitHub, Slack, AWS, Gmail, Notion, Discord, Office 365, database dashboards, and internal dev tools. Logs often include SSH private keys, JWT tokens, and webhook URLs. In many cases, cookies allow attackers to access services without even needing passwords.

By analyzing some incidents using OSINT methods, the research maps the lifecycle of credential stealers. It covers the path from infection, to log exposure, to potential misuse. The examples are based on public stealer log collections and show how much sensitive access data ends up in the open. + Working and defense from common infostealers like Raccoon, Redline, and LummaC2.

1. Introduction and Context

Why stealer logs are a practical threat to modern businesses

Who gets infected and how that leads to third-party exposure

Overview of log distribution on Telegram, forums, and marketplaces

2. What Gets Leaked

Email credentials and 2FA backup codes stored in browsers

Cookies for authenticated sessions on platforms like Slack, GitHub, Notion, and AWS

OAuth tokens and refresh tokens for Google, Microsoft, and custom apps

SSH private keys, API tokens, and .env files from local folders

Passwords stored for database tools like phpMyAdmin, MongoDB dashboards, and Redis GUIs

Admin panel logins saved in browser autofill

3. How These Credentials Are Collected

Behavior of common stealers like Raccoon, RedLine, and Lumma

How logs are organized: domain tags, browser metadata, IP and system info

How tokens and cookies are exfiltrated directly from browser memory

Screenshot files and grabber modules that capture opened panels or inboxes

4. Public Distribution and Market Behavior

Telegram bots offering credential search by domain or keyword

Leaked dumps uploaded to paste sites, temporary file hosts, or clearnet panels

Marketplaces selling access to logs filtered by country, platform, or business domain

Bulk stealer data shared freely in forums for credit farming or reputation

5. Patterns in Exposure

Domains most commonly seen in leaked logs: SaaS tools, cloud dashboards, CMS panels

Frequent exposure of productivity tools: Office 365, Google Workspace, Notion, Trello

Developer-focused credentials: GitHub tokens, SSH keys, CI/CD credentials

Trends by region or sector: fintech and startups often show up in public logs due to widespread SaaS usage

6. What Could Be Done With These Credentials

Accessing internal Slack or Discord channels without triggering 2FA

Reusing GitHub credentials to access private repos or commit history

Connecting to remote servers using stolen SSH keys

Using API tokens to interact with third-party services and leak data

Logging into email accounts and resetting passwords to other platforms

Silent access to cloud dashboards through cookies, bypassing login completely

7. Detection and Monitoring

OSINT-driven ways to monitor for leaked credentials tied to your domain

Tracking mentions of company names, emails, or internal tool domains in stealer bots

Watching for unauthorized access attempts originating from leaked IPs or cookie sessions

Collaborating with threat intel and DFIR teams to correlate exposure

8. Preventive Measures and Awareness

Reducing password reuse across internal and personal systems

Auditing session expiry and token validity in cloud applications

Encouraging staff to avoid storing work credentials in browser managers

Monitoring employee credential exposure through domain-based threat feeds

Educating teams on the risk of downloading free software or tools from unreliable sources

Expected Outcomes:

A full understanding of how credential stealers operate and what they capture

Visibility into how credentials are exposed publicly and what attackers look for

Clear examples of credentials and tokens leaked in real logs

Techniques to detect if your organization appears in these public spaces

Practical recommendations for reducing exposure to stealer-based threats

Who Should Attend:

SOC teams and detection engineers

Threat intelligence analysts

Incident responders and DFIR teams

Cloud security and SaaS administrators

Red teamers and defenders looking to simulate this attack path

Key Takeaways:

Credential stealers expose far more than just passwords

Logs containing cookies, tokens, and keys can grant direct access to business services

Publicly leaked logs are searchable and actively used by attackers

Monitoring these sources can provide early warning of possible compromise

Preventing credential theft starts outside the perimeter, often on unmanaged devices
Speaker(s)

Danish Tariq

Director, Cyber Security, Laburity (Pakistan)

Danish Tariq is a Security Engineer by profession and a Security researcher by passion. He has been working in Cyber Security for over 8 years and it all started out of a curiosity to break things and look deep down into those things (physical or virtual) back in his teenage years. His major expertise is Penetration Testing and Vulnerability Assessments.

He was also involved in bug bounty programs as well, where he helped many companies by ﬁnding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe,

Spoke @ BlackHat MEA 2022 (Brieﬁng: Supply-Chain Attacks)

Featured in “The Register” for an initial workaround for the NPM dependency

Certiﬁed Ethical Hacker, Certiﬁed Vulnerability Assessor (CVA), Certiﬁed AppSec Practitioner, Certiﬁed Network Security Specialist (CNSS), IBM Cyber Security Analyst

Ex-Chapter Leader @ OWASP

Ex-Top Rated freelancer (Information security category) on Upwork

Recent security research and CVEs include – CVE-2022-2848 & CVE-2022-25523

Served as a Moderator @ OWASP 2022 Global AppSec

Hassan Khan Yusufzai

Director, Laburity (Pakistan)

Hassan Khan is a highly experienced Security Researcher with a proven track record of internet-wide scanning and penetration testing. A sought-after speaker, Hassan recently presented at the BlackHatMEA 2022, 2023 conference. His expertise extends to Ruby security, where he has conducted extensive research over the past few years. As a certiﬁed OSCP (Offensive Security Certiﬁed Professional), Hassan has also made a name for himself as a successful bug bounty hunter on both HackerOne and Bugcrowd.

Hassan’s achievements have earned him recognition in the industry, including inclusion in the Google Security Hall of Fame (2017), Twitter Security Hall of Fame (2017), and Microsoft Security Hall of Fame (2017). He has also conducted extensive research into WordPress security and won the HackFest CTF competition.

In addition to his research, Hassan is also the developer of several security testing tools and an npm scanner for account hijacking, further demonstrating his commitment to the security ﬁeld and his skills as a developer.
Wednesday 25th
12:15-13:00
Beyond Taxonomies A New Ontological Lens for SABSA Data Architecture

Session 14A

In a world obsessed with data - whether for insights, governance, compliance, or control—volume is often mistaken for value. But under the SABSA framework, where data begins life as a physical asset, meaningful transformation requires more than classification. Traditional tools such as the ‘business taxonomy of assets’ and ‘business attributes taxonomy’ have served us well, yet their hierarchical rigidity may no longer align with the complex, fluid nature of today’s data ecosystems.

Presenting from dual perspectives – that of a cub reporter hungry for clarity and a regional information ambassador advocating for purpose-driven stewardship – we explore how SABSA’s conceptual and contextual layers can be revitalised through ontological thinking. Together, we propose a shift in focus from static taxonomies to flexible ontologies, enabling organisations to navigate ambiguity, reinforce relevance, and transform data into embedded knowledge.

Key topics include:

Data Cleansing as Stewardship: Neglecting this foundational step is like letting an under-11s football team run riot in your newly renovated house.

Metadata’s Dual Edge: A potential gateway to insight – or a quiet amplifier of bias?

OWL as Enabler or Encumbrance: Can the Web Ontological Language evolve from overhead to guardian?

We argue that embracing ontology allows SABSA to support intuitive, gut-driven decision-making with structured insight – particularly in organisations where data is the dominant, if not sole, asset. We outline a practical ontological model for SABSA’s conceptual and contextual layers, demonstrating how it can better reflect the real-world complexity that businesses face.

By the end of the session, attendees will be invited to reconsider the relevance of ontologies for modern security architectures – and perhaps reimagine what SABSA could become when data is understood not just as resource, but as relationship.”
Speaker(s)

Bethany Sinclair-Giardini

Senior Business Consultant, TechnologyOne (Australia)

Dr Bethany Sinclair-Giardini has spent most of her career in Information Governance, working with information assets, ensuring their security, integrity and retention/disposal. She is a passionate advocate for ensuring data and information assets are managed coherently with adequate metadata in terms of lifecycle management. She is a leading member of her industry organisation, RIMPA Global, and has been a member of the SABSA Institute since 2024 when she first presented at COSAC APAC. She configures recordkeeping software in her day job, and crops up now and then at information security events around Melbourne.

Carol Sutton

Consulting Engineer, On The Business (Australia)

Concept definition and early-stage acquisition for secure information and communications systems have been the focus of Carol’s career. Particularly in military aircraft platform acquisition, Carol has specialized in supporting systems such as command and control, training as well providing guidance on system security requirements for a range of other platforms.

With innovation in technologies, the need to be smart about how security is defined and implemented, Carol has taken the lessons identified earlier in her career to help develop holistic solutions including people, processes, data and infrastructure. This approach led to the successful implementation of a new specialist cell within Australia’s Air Operations Centre. Carol’s responsibility within the implementation team was the development of the security artefacts for certification of the systems.

Subsequently Carol was invited to create a ‘green field’ Operational Command and Control Centre for the fifth and future generation Royal Australian Air Force. Currently awaiting acquisition related information from a major ally, the capability management office is working to create an environment for a successful implementation and transition into service. Although in the early stages of the ADF’s capability lifecycle model, Carol is working to create a design that is secure, resilient and operational by design.
Authorised and Compromised – The Biometric Illusion

Session 14B

Biometrics were meant to kill the password. Instead, they have become permanent keys with no revocation path. We can change your password, we cannot change our face.

This presentation unpacks the systemic risks behind the rush to adopt biometric authentication - risks baked into the technology, amplified by architecture, and overlooked by compliance. From India’s Aadhaar leaks to facial recognition hacks on commercial phones, the pattern is clear: convenience is winning, and users are losing.

Biometric authentication is being sold as progress. But beneath the promise lies a problem of permanence, precision, and power – who controls the data, who accesses it, and what happens when it’s wrong.

This presentation will examine:

Why biometric data is inherently high risk, and why most storage and transmission models don’t treat it that way

Real-world failures of biometric systems, from government IDs to commercial smartphones

How biometric spoofing and false positives are exploited, even in mature deployments

What effective biometric implementation actually looks like

Key takeaways:

Biometric data is immutable – we cannot treat it like passwords

Spoofing is practical, repeatable, and underreported

Consent and transparency in biometric systems are mostly performative

Most implementations trade off accuracy, auditability, or user rights – sometimes all three

There are ways to deploy biometrics safely, but they’re expensive, complex, and rarely done properly
Speaker(s)

Gaurav Vikash

Head of Security and Risk (APAC), Axon (Australia)

Gaurav is a cyber executive with over 16 years of experience leading security programs across global enterprises, regulated industries, and national infrastructure. His portfolio spans incident response, architecture, and governance across financial services, government, SaaS, and critical infrastructure.

He’s a seasoned keynote speaker and panel moderator, known for challenging orthodoxy, exposing systemic blind spots, and delivering hard-earned insights with clarity and conviction.

Beyond the day job, Gaurav serves as a volunteer with the State Emergency Service, mentors emerging professionals through the Australian Women in Security Network, and actively supports the next generation of cyber leaders. He also trains IRAP assessors, delivers CCSP courses, and advises peers through pragmatic, compliance-driven cyber strategy.
Wednesday 25th
13:00-14:00

Lunch
Wednesday 25th
14:00-14:45
Architecting Stovepipes of Excellence: A Case Study on Connecting Threat Actors, TTPs, Controls, and Assurance Programs

Session 15A

This talk walks through a real-world case study showing how we managed to create security traceability around assets, threats they face and risk mitigation investment.

Instead of keeping threat intel, controls, assurance and overall security architecture in silos, we figured out how to make different parts of a modern organisation work together to provide a solid perspective on prioritised risk mitigations and improve spending on assurance activities that matter.

We started by profiling threat actors based on what they wanted, what they could do, and who they typically went after. Then we mapped their favourite tactics and techniques using MITRE ATT&CK as our guide. The interesting part came when we linked these attack patterns directly to existing security controls – suddenly we could see exactly where we had important gaps and where we were over-investing.

Weaknesses in recovery procedures, gaps in system dependencies and unclear operational resilience targets were revealed.

We could finally show leadership how specific threats connected to business risk and prove that our security investments were hitting the right targets. SABSA helped to remind us how we needed to create traceability throughout.
Speaker(s)

Dimitri Vedeneev

Director, CyberCX (Australia)

A political science nerd, that stumbled into a career in cybersecurity by accident over 14 years ago. Lucky to be selected and work with the Australian national security community within the Australian Signals Directorate, followed by several stints in software product and consulting companies across the UK, Europe and North America.

In the last few years, I’ve moved back to Australia and now work at CyberCX, the leading sovereign cyber security consultancy, solutioning and providing delivery quality assurance across cyber security deliveries on cyber strategies, operating model designs, multi-skillset engineering and integration projects and dabble in assisting penetration testing and threat intelligence integration into non-standard programs of work.

A recent SABSA convert, just beginning my security architecture career, there’s plenty more to learn and understand ahead.
If Socrates was a CISO or Even Worse - Your Business Stakeholder

Session 15B

The nature of the cyber security risk is both complex and broad, and present in almost any part of digital operations making it a top non-financial risk. On a daily basis stakeholders are being faced with decisions on how to proceed with the implementation of the business strategy whilst providing a commensurate level of protection against ever evolving cyber threats and ensuring critical products and services operate within the desired risk thresholds.

The accuracy, completeness and timely accessibility of the information required to determine the optimum way forward is more important than ever.

The session draws in from philosophy to illustrate how ancient wisdom can be applied to cyber security and risk management. Will illustrate how Socratic method, an interactive technique for establishing knowledge, allows us to test assumptions through honest dialogue, think differently and ultimately guide us towards better understanding the implications of decisions that needs to be made. The audience will experience how to draw strength from contrarian thought, and utilise it as a tool for both establishing ignorance and knowledge.
Speaker(s)

Dimitrios Delivasilis

CEO, Qiomos (UK)

For over twenty five years, Dimitrios has been a technology executive with a proven success record of delivering future proof information security strategies and helping organisations implement their digital transformation plans with a commensurate level of assurance. Mastering specialisation in business-driven security strategy, architecture and operational resilience, Dimitrios draws strength from the diverse experience in leadership roles, predominantly within financial services, i.e., Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC.

Driven by his vision to shift the resilience risk paradigm by challenging core beliefs and driving better decision making, in 2020, Dimitrios founded Qiomos and started providing value-driven services to guide organisations into building resilient services and products. In 2024, this extensive experience led to the launch of the innovative QnousTM solution – a single source of truth to strengthen operational resilience by modelling the organisation’s security posture and centralising security-related information into a single data model. Dimitrios is now working with organisations, across the globe, streamlining their security risk management and truly simplifying their security decision-making.

Mz Omarjee

Head: IT Client Security and Moonshots, Standard Bank Group (South Africa)

Muhammed Zubair (MZ) Omarjee, is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as it relates to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative business driven and risk-oriented discipline.

Having a proportionate balance of real-world practical experience and technical competence, Muhammed Zubair excels in changing the mind-set required for Digital Transformation. He has a unique ability to operate end to end working interchangeably from strategy development, product design, solution engineering, and full stack software development. His current scope of responsibility covers 18 countries across the African subcontinent.
Wednesday 25th
14:50-15:35
Using Security Patterns to Protect Cloud

Session 16A

We'll begin by exploring the concept and purpose of security patterns and how these align with the SABSA framework.

While there are different definitions that exist in the industry, with a specific focus on those published by cloud providers (AWS, Azure). We'll focus on how to navigate and identify the most practical and meaningful ones

Next, we’ll delve into techniques for writing and using effective security patterns, highlighting best practices and common pitfalls to avoid.

Participants will have the opportunity to understand how security patterns can be adopted in practice.

We’ll then examine how security patterns can enhance overall security and why they offer a more practical approach compared to relying solely on security standards.

Participants will learn the core steps for writing security patterns as part of the SABSA framework.

We’ll provide practical examples of a security pattern for AWS and how this is being applied in businesses to provide design assurance.
Speaker(s)

Ken Fitzpatrick

Director, Patterned Security Consulting (Australia)

Ken Fitzpatrick: Author of securitypatterns.io, a popular website providing information and resources on how to write and apply security patterns and best practices. Director at Patterned Security Consulting, a professional services company helping organisations mature and embed Security by Design into business practices. Engaged with businesses in achieving certification to ISO 27001 and SOC2. An experienced security expert with 20 years of experience across public and private sectors.
Architecting Human Resilience: Embedding Cyber-Aware Business Simulation into Enterprise Practice

Session 16B

Cyber threats continue to evolve, but integrated business awareness training remains stagnant. In this session, we explore how enterprise/security architecture approaches can be used to embed simulation and immersive training into operational practice to uplift business resilience. Drawing from field-tested approaches across Defence, government and regulated industries, Derek Grocke presents a blueprint for integrating experiential learning methods, enterprise architecture domains and systems thinking into a unified model that embeds reinforcement learning into business as usual.

This session reframes traditional tabletop exercises, highlighting how process targeted digital twin environments, cyber ranges, and business aligned simulation models can enhance not just technical preparedness but real decision making, incident response coordination, and organisational insight. From the boardroom to the supply chain, attendees will gain insights in to how the use of real-world simulations can inform and evolve with the business to reflect enterprise priorities, regulatory obligations, and operational risks.

Designed for seasoned professionals, this session avoids prescriptive training models and focuses on reusable, strategic patterns for building human-centric resilience programs. Emphasis will be placed on architectural governance, lifecycle integration, and aligning with standards such as NIST SP 800-160, ISO 42010, and the Australian Government Protective Security Policy Framework (PSPF).
Speaker(s)

Derek Grocke

Director, Madrock Advisory (Australia)

Derek Grocke is the founder of Madrock Advisory and a senior practitioner in space, cyber, critical infrastructure and Defence systems. He has over 20 years of experience leading enterprise transformation initiatives that integrate architecture, cybersecurity, simulation, operational readiness and audit.

Derek has advised Defence, national regulators, critical infrastructure, and private sector organisations across Australia and internationally on integrating cyber resilience into business/operations and critical mission operations. Derek specialises include the critical process desktop assessments and the establishment of simulation-enhanced environments for process simulation, training, testing (ICT, operational technologies, financial processing and RF systems), cyber incident response, and business continuity.

His approach is underpinned by many years assessing, establishing alignment and managing businesses needing to align with frameworks including ISO/IEC 27001, ADF supply chain & specific engineering requirements, NIST SP 800-53/160, ISM/DSPF, AU DHS Right Fit For Risk, ZTA (corporate and OT), CISCO SAFE, CPS 232/234, US CMMC, SABSA, TOGAF and the SOCI Act. He is an active contributor to the advancement of practical, cross-disciplinary security education through cyber ranges and simulation, and an active contributor to the US led Space ISAC, NATO Cyber War Games and AU TISN.
Wednesday 25th
15:35-15:55

Afternoon Tea
Wednesday 25th
15:55-16:40
Privacy by Design: A Conceptual Ideal, A Practical Failure

Session 17A

Privacy is often viewed as a policy or compliance requirement - designed in theory but seldom architected into practice. Controls are typically retrofitted, with limited connection to business objectives or the entire data lifecycle.

This presentation tackles the gap in privacy implementation and asks: what if Privacy by Design was truly architected by design?

We explore how the SABSA framework offers a business-driven, attribute-based approach to embed privacy across the data lifecycle – including classification, sensitivity labelling, usage, sharing, and secure disposal. Without architectural grounding, organisations risk data exposure, inconsistent handling, and loss of trust.

The discussion also covers the paradoxes of AI and data privacy – where growing demands for data analytics clash with strict privacy obligations. SABSA helps balance these tensions by linking privacy requirements to business risk, producing measurable, enforceable outcomes.

Attendees will learn to translate privacy requirements into architectural layers, implement dynamic sensitivity and lifecycle-aware controls, and create a unified privacy-by-design framework bridging legal, technical, and business perspectives.

Key takeaways:

The need for architectural ownership of privacy beyond legal mandates

Using SABSA attributes to model and govern privacy effectively

Designing controls adaptive to data sensitivity and lifecycle

Aligning privacy goals across legal, technical, and business domains
Speaker(s)

Paul Blowers

CISO, Grant Thornton (Australia)

Paul is a seasoned security leader with over 35 years’ experience across Law Enforcement, Defence, Intelligence, and the private sector, spanning New Zealand, the USA, the UK, Europe, and now Melbourne, Australia.

A certified SABSA® practitioner and accredited Business Change expert, he has held key leadership and operational roles including CISO for New Zealand Police, Security Architect and Information Manager, and founder of his consultancy, Hi-Spec Security.

Since 2023, he has served as CISO and Privacy Officer at Grant Thornton, leading Business Assurance initiatives focused on security and privacy strategy, governance, compliance, and risk management.

Currently, Paul is deeply engaged in exploring the paradoxes of AI and data privacy.
Fear of the Dark

Session 17B

Legacy is a frequently used term in a relatively young industry, reserved for systems made of ageing: hardware, operating systems, software and applications, storage media, file formats, peripherals, connectors and so on. Typically, another term accompanies such systems, the process of ‘sweating assets’ for better or for worse. Not to mention ‘end of life’ and ‘lifecycle management’. Inevitably the word ‘risk’ makes an appearance.

Quite often left unattended these legacy systems or components may simply continue to work and that return on investment continues to pay off. Perhaps no longer with vendor support, scarce availability of parts (new or used), limited recovery methods or upgrade paths, lost expertise, or loaded with vulnerabilities with ever increasing risk (there it is again) as the environments and systems around them evolve and change. It’s a choice, and life isn’t always so simple.

There is another side to that coin. Those systems that today are considered the current norm, sometimes labelled ‘next gen’ or ‘cutting edge’. But where will they be in years or decades to come? Will they continue to work in isolation, can they be sweated as simply as those that came before? What of that lurking demon known as planned obsolescence?

When a button is pushed, or a key is turned the user expects something to happen. What happens when nothing now happens, all that presents is darkness, a blank screen, no sign of life, no change in state…this is the Fear of the Dark.

Pivoting from prior themes of a CISOs viewpoint through cinematic classics in previous COSAC presentations, your presenter delves into the societal problem that is largely being ignored in terms of longevity, resilience and risk.

This session will look at the unappreciated challenges faced by industry and society as time passes, where tech debt begins to transform into tech liability and sunken costs. At best impacting productivity, usefulness or choices, or at worst grinding operations to a halt and generating more and more waste with a material societal impact and significant financial cost.

The aim is to have a discussion with the audience on these ever-mounting issues in the short and long term, and how cyber security professionals and practitioners may manage these kinds of challenges in their own organisations, and within our broader personal lives.

In other words, can we find a way to reduce and navigate these lurking risks? Or will we keep “walking a dark road at night…a constant fear that something’s always near…fear of the dark….fear of the dark…”
Speaker(s)

Steven Kintakas

Practice Lead - Architecture, Astralas (Australia)

Steven is a cyber security professional with a career spanning over 22 years of experience across a range of industries including finance, energy & utilities, resources, transport, manufacturing, government, health, education, and telecommunications.

Practice Lead of security architects at Astralas, Steven is a practitioner and leader focused on building trust. In providing business-driven and outcome-based value to manage risk effectively, Steven has contributed to the improvement of cyber risk management across many ASX-listed companies and some of Australia’s largest organisations in fields such as security architecture & strategy, managed services, incident response, research and development, and technical solutions and controls.

Previously a Director and sector leader within Deloitte Australia’s Cyber practice, he has also held various leadership and technical positions at Computer Associates, CGI, Fujitsu Australia, Dimension Data, and Zimbani.

A Deakin University alumnus, having double-majored in computer science and information systems, Steven’s post-nominals include: SCF, CISSP, CISM, CCSP, and CDPSE.

Steven is currently the Board Secretary of the ISACA Melbourne Chapter, a return speaker to the COSAC conference having previously presented in Ireland & Melbourne, and a regular speaker at AISA’s Australian Cyber Conference.

An avid supporter and member of the Geelong Football Club, he is passionate about enjoying good food & drink (in particularly wood-fired cooking) with his family and friends.
Wednesday 25th
16:45-17:30
From Chessboard to Boardroom: A Shift in Ideology to Harness World Class Talent with SABSA

Session 18A

- Since we started leveraging SABSA methodologies to secure wins - not just on chess boards, but any Board. 😉

When people think of enterprise security architecture, they don’t often envision “talent” as a core asset. But what if talent is the very mission that needs to be secured, nurtured and future proofed to endure the test of time?

As a former junior professional chess player turned SABSA enthusiast, I invite the audience to unpack the multifaceted aspects of architecting world class (chess) talent. Inspired by the Polgar sisters’ educational experiment which famously suggests geniuses can be made, this unique session explores how SABSA can model and sustain human potential.

The unique value proposition stands in the journey to understand how to measure intangible assets such as talent!!

Finally, is talent innate, or just a bunch of meticulously engineered factors? Join me as we dissect it, learn to measure it, manage risks around it and maintain it. Drawing on a decade of experience in competitive chess, I reveal successes, failures, lessons learnt and efforts to prepare for junior world championships and meticulous planning.
Speaker(s)

Andra Cimpean

Senior Cyber Security Specialist, Department of the Premier and Cabinet - Office of Digital Government (DGov) (Australia)

Andra Cimpean works as Senior Cyber Security Specialist for Department of the Premier and Cabinet of WA, advising state government entities on their cyber maturity journey.

As a former professional chess player, she brings in a unique perspective with her strategic and problem-solving skills. She holds a Master’s in Cyber Security from Edith Cowan University and a Bachelor’s in Psychology along with accreditations such as SABSA Chartered Security Architect and ITILv4. Andra also completed the SABSA A1 Advanced Risk, Governance and Assurance Practitioner course and is currently writing the paper submission.

Andra is the Deputy Chair for the Australian Information Security Association WA Branch. Awarded “Best Volunteer” Award at the CyberCon 2023 for her efforts in organising charity and student-focused initiatives and Finalist for the “One to Watch in Protective Security” at Australian Women in Security Awards 2024, she has contributed to various publications, enjoys public speaking and has been invited as university guest lecturer for cyber students to teach about Enterprise Security.
Not Just Lean. But Lean & Mean.

Session 18B

Establishing cyber capabilities in any organisation requires an intentional approach that need to strike a balance between difference forces within an organisation.

Getting it right the first time, while not impossible, requires more than just implementing a framework or methodology. Learn how to grow beyond just being a lean organisation, to one that is both Lean & Mean – making every resource/investment count and to move from being reactive to proactive in posture.
Speaker(s)

Joshua Qwek

Director, Cyber Team One (Australia)

Joshua Qwek is a business focus, forward-thinking technology & cyber leader who has over nearly two decades of value creation experiences across different industries & sectors spanning higher education, financial services, and industrial sectors.

He brings deep expertise in Governance, Risk, and Compliance (GRC), with hands-on experience implementing and building cyber capabilities and developing architecture functions.
Wednesday 25th
17:40-18:40
The COSAC Rump Session

Plenary 19P

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 25th February.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.
Speaker(s)

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
Wednesday 25th
18:45-19:15

Drinks Reception
Wednesday 25th
19:15

Dinner

Thursday 26th February

Thursday 26th
09:30-10:00

Registration & Coffee
Thursday 26th
10:00-17:45
6th COSAC APAC Security Architecture Design-Off

Masterclass M1

Returning for a 6th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops.

Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on LinkedIn congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.
Speaker(s)

Jason Kobes

Sr. Staff Cyber Architect & Research Scientist, Northrop Grumman Corporation (USA)

Jason Kobes works as a Sr. Staff Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master’s of Science in Information Assurance (MSIA) and a Bachelor’s of Science in Computer Science from Iowa State University. Jason holds a SABSA Practitioner of Risk and Governance as well as Architecture. Jason’s areas of research include enterprise risk architecture, accountable anonymity systems and applying actionable enterprise security architecture. Jason is also an adjunct professor at Marymount University for the Criminal Justice department Cyber Crime and Digital Terrorism class.

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Center (USA)

Bill Schultz is a practicing lead security architect who has worked in the Information Technology field for over 20 years, with the majority focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill holds the SABSA Master certification. Bill has implemented security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives at Vanderbilt University Medical Center and has been leading the development of the security architecture for 15 years.
COSAC APAC International Round Table Security Forum

Masterclass M2

The 2026 session of the Forum addresses a Pandora’s box full of new information security issues in a world where older issues won’t stay buried. You’ll join a group of similarly situated professionals - experienced, dedicated, resilient, perhaps bloodied in past successes and failures – to seek realistic solutions and accommodations to the challenges facing us in 2026 and beyond.

AI, quantum computing, machine learning, security staffing, privacy, compliance, incident handling, ransomware, … the list goes on and on. Forum delegates are always learning, willing to listen to and learn from others who’ve encountered things they might not have, definitely not shy about sharing opinions, strategies and techniques, and committed to our strange and but very necessary profession.

With moderating by a not-quite-extinct security dinosaur, you and your peers will experience a half-day immersion in the COSAC APAC way. Moderator questions or comments on associated issues and related publications can produce very different reactions from the crowd. Participants cast their own light on raised topics based on constraints, objectives, tools, techniques, hidden land mines and final outcomes. We all learn from each other.

Come join us and help solve the current and maybe future information security problems of the world.
Speaker(s)

John O’Leary

President, O'Leary Management Education (USA)

John G. O’Leary, CISSP, is President of O’Leary Management Education. A computer security practitioner since 1977, he has designed, implemented, maintained, administered, broken, troubleshot, fixed, re-fixed, managed, consulted on and taught security for networks ranging from single-site to multi-national. Winner of the 2004 COSAC award, the EuroSec 2006 Prix de Fidelite and the 2011 ISC2 Lifetime Achievement Award and the first ever ISS Guardian Award in 2015, his background spans programming, systems analysis, auditing, project management, operations and quality assurance. John taught graduate school at the University of Texas at Dallas for 10 years (yes, there are universities in Texas, some of them even accredited). A few years ago he received breach notification letters from TJX and the VA in the same week. He is still waiting for OPM to reveal that the Chinese now have all his security clearance information. The Target “situation” got him new credit cards. He does not admit to knowing any Russians or CCP members. Although he completely missed out on early bitcoin gathering, the March 2023 Silicon Valley Bank failure cost him nothing. He is firmly convinced that COSAC is the absolute best information security conference on earth.
Building an AI Fast Track Agent

Masterclass M3

AI has evolved remarkably quickly from chatbot to agent, and is well on the way to delivering virtual employees. In this workshop we take a hands-on approach to understanding agentic AI, and step by step build the datasets and tools we need to augment an AI model with a modicum of SABSA expertise.

We’ll use the datasets to augment a standard Generative AI Large Language Model (LLM) and attendees will learn how to prepare the system prompts necessary to drive its operation. To conclude the workshop, attendees will prepare their augmentation dataset, select their preferred LLM, and use their AI Fast Track Agent to prepare a fast track deliverable for a project.

Attendees are encouraged to work in groups and participate hands on in each practical lab throughout the course of the workshop.
Speaker(s)

Dr Malcolm Shore

Chief Architect, David Lynas Consulting (New Zealand)

Malcolm had a career in the RNZAF before joining GSCB as the Director of Information Systems Security where he developed and managed the national information security programme for New Zealand. Subsequently as Technical Director CES Communications he was responsible for developing embedded cryptography voice and data products. As Technical Director at BAE Systems Applied Intelligence he managed the security evaluation, reverse engineering and penetration testing teams.  He has held a number of Chief Security Officer roles in the telecommunications field, including Telecom NZ, NBN Co, and Huawei Australia. As a consultant he has undertaken security architecture contracts in the UK, Australia and the Gulf region. Malcolm is currently Chief Architect at DLC and is a partner in Outpace AI, Australia.

Malcolm has represented Australia and New Zealand in cybersecurity forums internationally, has participated in the ISO and Open Group standards bodies, and has held board roles in both AISA and the SABSA Institute. He is also a partner in the Global Forum for Cyber Expertise (GFCE).

As a part time academic, Malcolm developed and lectured in the Post Graduate Diploma in Forensics and Security at Canterbury University in New Zealand and is now an adjunct PhD Supervisor at Deakin University in Melbourne.  Malcolm was instrumental in developing and launching the vocational Certificate IV in Cybersecurity throughout Australia.  He has published research in the cybersecurity field, and is the author of numerous online cybersecurity and programming courses published through Linkedin Learning and Offensive Security.
Thursday 26th
11:35-11:55

Morning Coffee
Thursday 26th
13:30-14:30

Lunch
Thursday 26th
16:00-16:20

Afternoon Tea
Thursday 26th
18:00-18:15

Conference Close - COSAC Chairman's Closing Remarks

COSAC
Patrons

A completely new COSAC experience pushing the boundaries of cybersecurity further than ever before. Smart people, inspiring guest speakers and a ton of passion. Become a COSAC Patron and gain access like no other.

Become a patron

COSAC
2025.

28th Sept - 2nd Oct: Kildare, Ireland

More Info Register

Contact

Get in contact with us by email, phone or just stay social and connect with us on LinkedIn

COSAC APAC 2026

Tuesday 24th February

Tuesday 24th 08:30-09:00

Tuesday 24th 09:00-09:20

Tuesday 24th 09:30-10:15

Implementing the SABSA NIST CSF Community Profile

Session 2A

Speaker(s)

From Value Chain to Prompt: AI Fast Track

Session 2B

Speaker(s)

Tuesday 24th 10:20-11:05

Enterprise Security Architecture – Using SABSA to Deliver ISO 27001 the Right Way

Session 3A

Speaker(s)

Beyond the Algorithm: Cultivating Trust in the AI Era

Session 3B

Speaker(s)

Tuesday 24th 11:05-11:25

Tuesday 24th 11:25-12:10

When SABSA met FAIR: A Framework Dynamic Duo

Session 4A

Speaker(s)

Human Crash-Test Dummies, and How AI has Taken the RED out of DREAD...

Session 4B

Speaker(s)

Tuesday 24th 12:15-13:00

Optimising Information Asset Utilisation Through Co-Design and SABSA Integration

Session 5A

Speaker(s)

Space Engineering Inspired Cyber Resiliency

Session 5B

Speaker(s)

Tuesday 24th 13:00-14:00

Tuesday 24th 14:00-14:45

How to Influence Your Way to Cyber Budgets

Session 6A

Speaker(s)

Beyond Chatbots: Building Semantic Intelligence for Next-Generation GRC Automation

Session 6B

Speaker(s)

Tuesday 24th 14:50-15:35

Using the SABSA Matrix with Stakeholders to Define Project Perspectives and Actions

Session 7A

Speaker(s)

Taming the Untrusted: Zero Trust Approaches and Cross-Sector Case Studies

Session 7B

Speaker(s)

Tuesday 24th 15:35-15:55

Tuesday 24th 15:55-16:40

The Needs of the Many Outweigh the Needs of the Few, or the One - Spock

Session 8A

Speaker(s)

Mesh, Hype or Hope? Reassessing Cybersecurity Mesh Architecture (CSMA) in the Shadow of Zero Trust

Session 8B

Speaker(s)

Tuesday 24th 16:45-17:30

SABSA Foundations Complete… Now What?

Session 9A

Speaker(s)

Securing Australia's Federated Future: Rethinking Access, Trust, and Compliance Across Domains

Session 9B

Speaker(s)

Tuesday 24th 17:40-18:40

High Assurance Computing in the Commercial Sector: Niche or Necessity?

Plenary 10P

Speaker(s)

Tuesday 24th 18:45-19:15

Tuesday 24th 19:15

Wednesday 25th February

Wednesday 25th 09:00-09:30

Wednesday 25th 09:30-10:15

The Pragmatist's Guide to Safely Automating the Management of Critical Infrastructure

Session 11A

Speaker(s)

Why Misinformed Teams Build Weak Security Programs

Session 11B

Speaker(s)

Wednesday 25th 10:20-11:05

Bridging Business and Cybersecurity: An Enterprise Security Architecture Journey in the Australian Energy Sector

Tuesday 24th
08:30-09:00

Tuesday 24th
09:00-09:20

Tuesday 24th
09:30-10:15

Tuesday 24th
10:20-11:05

Tuesday 24th
11:05-11:25

Tuesday 24th
11:25-12:10

Tuesday 24th
12:15-13:00

Tuesday 24th
13:00-14:00

Tuesday 24th
14:00-14:45

Tuesday 24th
14:50-15:35

Tuesday 24th
15:35-15:55

Tuesday 24th
15:55-16:40

Tuesday 24th
16:45-17:30

Tuesday 24th
17:40-18:40

Tuesday 24th
18:45-19:15

Tuesday 24th
19:15

Wednesday 25th
09:00-09:30

Wednesday 25th
09:30-10:15

Wednesday 25th
10:20-11:05

Wednesday 25th
11:05-11:25

Wednesday 25th
11:25-12:10

Wednesday 25th
12:15-13:00

Wednesday 25th
13:00-14:00

Wednesday 25th
14:00-14:45

Wednesday 25th
14:50-15:35