Schedule

COSAC 2026

Sunday 27th September

Sunday 27th
15:00-16:00

Delegate Registration
Sunday 27th
19:30-20:00

Delegate Registration & Drinks Reception - sponsored by Killashee Hotel
Sunday 27th
20:00 onwards

COSAC 2026 Welcome Dinner

Monday 28th September

Monday 28th
09:00-9:30

Registration & Coffee
Monday 28th
09:30-17:30

COSAC Masterclasses are full-day, 09:30 - 17:30
Monday 28th
09:30-17:30
The 25th COSAC International Roundtable Security Forum

Masterclass M1

2026 marks the 25th edition of the Forum, a full-throated, bare-knuckles, no-holds-barred immersion into the COSAC Way. You join a group of experienced practitioners of our somewhat dark art. They’ve seen it all, done it all, won some, lost some and had some rained out. They’ve persisted in giving their employers the best information security for resources expended and political will. Like you, they know what works and what doesn’t and have a low tolerance for BS.

You with the group will analyze and comment on recent events, industry trends and problems, even hypothetical but probable scenarios put forth by a fossil-like moderator and based on internet articles, books, news reports and his own wide-ranging, if checkered experience. Widely different perspectives around the room guarantee novel approaches and vigorous defenses of new or established security practices. Two notable characteristics of Forum delegates have been their openness to hearing and analyzing others’ solutions and willingness to have their own brains picked. We listen and we help each other. And with AI, social media, personnel shortages and limited budgets for seemingly unlimited dangers, we need all the help we can get.

Come join us.
Speaker(s)

John O’Leary

President, O'Leary Management Education (USA)

John G. O’Leary, CISSP, is President of O’Leary Management Education. A computer security practitioner since 1977, he has designed, implemented, maintained, administered, broken, troubleshot, fixed, re-fixed, managed, consulted on and taught security for networks ranging from single-site to multi-national. Winner of the 2004 COSAC award, the EuroSec 2006 Prix de Fidelity, the 2011 ISC2 Lifetime Achievement Award and the first ever ISS Guardian Award in 2015, his background spans programming, systems analysis, auditing, project management, operations and quality assurance. John taught graduate school at the University of Texas at Dallas for 10 years (yes, there are universities in Texas, some of them even accredited). A few years ago he received breach notification letters from TJX and the VA in the same week. He is still waiting for OPM to reveal that the Chinese now have all his security clearance information. The Target “situation” got him new credit cards. He does not admit to knowing any Russians or CCP members. He completely missed out on early bitcoin gathering, but hasn’t lost anything in the latest wild fluctuations. He is firmly convinced that COSAC and COSAC APAC are the absolute best information security conferences on earth.
The 10th COSAC 'Design-Off'

Masterclass M2

This design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops.

Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

The materials for the design-off and the final presentations are typically provided in electronic form so attendees should plan to bring a laptop or electronic device that can be used to review materials and work with their team.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. If you have attended in a previous year, be assured that this year will present a new and different challenge. We have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on LinkedIn congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.
Speaker(s)

Jason Kobes

Sr. Staff Cyber Architect & Research Scientist, Northrop Grumman Corporation (USA)

Jason Kobes works as a Sr. Staff Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 25 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master’s of Science in Information Assurance (MSIA) and a Bachelor’s of Science in Computer Science from Iowa State University. Jason holds a SABSA Practitioner of Risk and Governance as well as Architecture. Jason’s areas of research include enterprise risk architecture, accountable anonymity systems and applying actionable enterprise security architecture.

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt Health (USA)

Bill Schultz is a seasoned security architect with more than two decades of experience advancing cybersecurity, enterprise security architecture, and risk management disciplines. A SABSA Master–certified architect, Bill has built and led security and risk management programs, developed organizational and system level architectures, and guided enterprise wide security and risk initiatives. His work focuses on maturing security capabilities, effectively managing risk, and aligning technology decision making with long term business outcomes.
Leave Your Ego At The Door - Negotiation Skills for Security Professionals

Masterclass M3

Security professionals are trained to be right. We’re analytical, precise, and trained to avoid risk. But in high-pressure situations — budget fights, incident response, risk trade-offs — the person who “wins the argument” often loses the outcome. The real deciding factor is usually emotion: fear, status, certainty, and trust.

Think about the negotiations you navigate every week. You negotiate risk appetite with the board. You negotiate ownership and authority with the CIO. You negotiate disclosure timing with legal counsel during a breach. You negotiate liability caps and audit rights with vendors. And sometimes, in the worst moments, you negotiate with a threat actor holding your data hostage. In every one of these scenarios, technical accuracy is table stakes. What separates impact from frustration is the ability to influence humans: calm the room, surface what’s really driving “no,” and build a deal people will actually implement.

AI makes this more urgent, not less. As AI handles more of the technical production work — the analysis, the drafts, the artefacts — security practitioners are freed up to be where they make the real difference: in the room where decisions are made. The bottleneck is no longer the technical work; it’s the human work: judgement, prioritisation, and getting durable commitment across competing agendas.

This masterclass builds negotiation capability through practice. We’ll learn key negotiation theory and immediately apply it to real security scenarios: boardroom budget battles, breach disclosure decisions under regulatory pressure, and high-stakes vendor standoffs. Expect to get your hands dirty with tactical empathy, labelling, mirroring, calibrated “how” questions, and accusation audits. We’ll dissect real cases — including negotiations that went catastrophically wrong — to understand why smart people make terrible deals when ego, time pressure, or fear take the wheel.

This isn’t a lecture. Expect participation, interruptions, and challenge. We’ll close with a competitive negotiation exercise to crown a master negotiator, and everyone leaves with a personal playbook for their next high-stakes conversation.
Speaker(s)

Simon Cross

Enterprise Security Architect, Infoblox (UK)

Simon Cross is an Enterprise Security Architect specialising in cybersecurity, cloud and enterprise security architecture. Across leadership, consulting and pre-sales roles,
he has built a reputation for helping organisations tackle complex security challenges with clarity, pragmatism and strong business alignment. Simon is a contributing editor to
The Open Group Zero Trust Reference Architecture, runs the UK chapter of SABSA World, and is a regular conference speaker on Zero Trust, cloud security, DNS and modern security architecture.

Karel Koster

Manager Cyber Security, FedEx Express Corporation (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information roles. He currently manages a global information security team for FedEx.

Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies. Karel is a People, Process and Technology person, in that order.

Mark Rasch

Computer Security and Privacy Lawyer, Unit221b (USA)

Mark Rasch is a lawyer and computer security and privacy expert and a lawyer in Bethesda, Maryland and is the General Counsel of Threat Intelligence firm Unit 221B, and of-counsel to KJK law.

Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. He was also the Chief Privacy Officer of Fortune 100 company, SAIC and Chief Security Evangelist for Verizon.

Mark has taught white collar crime, computer law, and legal ethics courses, at various institutions including GW, AU and Catholic University Law Schools. He is a frequent media contributor on issues related to technology and the law.
Making Digital Empathy Real: Turning People Centric Security a Reality

Masterclass M4

As technology becomes ever more embedded in work and daily life, security teams must rethink how they design, communicate and implement controls. This master class introduces digital empathy as a practical security capability—one that recognises the diversity of user behaviour, context and culture, and uses that understanding to create more effective, human centred security.

The session explores how Bourdieu’s habitus helps explain why people interact with systems in different and sometimes unexpected ways, and how unconscious assumptions embedded in security design can create friction, exclusion or risk. Building on this, we examine Hofstede’s cultural dimensions to understand how attitudes to authority, uncertainty, individualism and communication shape security expectations across global teams.

Participants then apply these cultural and behavioural insights through threat profiling, user persona mapping and behaviour aware design techniques, developing richer models of user needs and vulnerabilities. These tools support more accurate risk assessments and more inclusive intervention design.

Finally, the master class demonstrates how Zero Trust principles—verify explicitly, least privilege, assume compromise—can be implemented in ways that increase flexibility, reduce cognitive burden and contain human error without blame. By the end of the day, attendees will be equipped with practical frameworks to make digital empathy real inside their organisation and strengthen both security and user experience.
Speaker(s)

Siân John MBE

Partner, EY (UK)

Siân has worked in Cybersecurity for over 25 years across strategy, business risk, privacy, and technology. She is a Fellow of the UK Chartered Institute of Information Security and a council member for the Engineering and Physical Sciences Council (EPSRC). Siân was awarded an MBE in the Queen’s 2018 New Year’s Honours List for services to Cybersecurity.

Char Sample

Professor, Marshall University (USA)

Dr. Char Sample is a cybersecurity researcher and professor at Marshall University where she currently teaches Cybersecurity and Computer Science. Dr. Sample has over 40 years of industry experience beginning in software development, through product test and integration, and finally as a researcher (both applied and academic). Dr. Sample’s research areas are all cybersecurity related with an interest toward cybersecurity decision-making. Past projects have focused on the influence of cultural values on cybersecurity, cyber deception including but not limited to “fake news”, and AI/ML vulnerabilities. Other research areas include data resilience, cyber- physical systems and industrial control systems.

Lori Murray

Cybersecurity Architect, (USA)

Lori is a cybersecurity architect with over 20 years of experience advancing secure, resilient, and user-friendly security solutions. She has led global initiatives in security architecture, threat detection, and cyber resilience at organizations including Microsoft, General Dynamics Mission Systems, and others. . A CISSP with a Ph.D. in Computer Engineering, Dr. Murray has presented and published on AI risks, cyber resilience, and autonomous systems.
Monday 28th
11:05-11:25

Morning Coffee
Monday 28th
13:00-14:00

Lunch
Monday 28th
15:35-15:55

Afternoon Tea
Monday 28th
18:30-19:00

Drinks Reception
Monday 28th
19:00 onwards

Dinner

Tuesday 29th September

Tuesday 29th
09:00-09:30

Registration & Coffee
Tuesday 29th
09:30-10:30
The CISO Operating System: Fixing the 7 Failures in Security Leadership

Session 1A

Most struggling security programs don’t fail because of technology — they fail because of gaps in leadership, structure, culture, and execution.

Drawing on various insights from decades of CISO experience and lessons from over 200 security leaders, this session introduces a practical model for evaluating the effectiveness of a security organization: the CISO Operating System, based on seven interdependent elements of leadership and organizational performance.

Rather than focusing on tools or frameworks, this session challenges experienced CISOs to assess the deeper drivers of success and failure across their programs — including strategy, reporting structure, team capability, operating processes, leadership style, and cultural alignment. While frameworks are important, these often regarded as “soft skills” are typically not covered explicitly by control frameworks. While this model has been created by the presenter and communicated to 1,000’s of CISOs globally, this session is a brand new session – diving deeper into the nuances of leadership.

Participants will work in small groups to assess their own organizations across the seven elements, identify their most significant constraint, and exchange practical strategies with other CISOs and security practitioners who are facing similar challenges.

COSAC Learning Objectives:

A clear model for diagnosing strengths and weaknesses in their security program.

Insight into common failure patterns seen across mature organizations.

CISO ideas for addressing structural, cultural, and leadership gap deficiencies.

An action plan to strengthen one area that limits their effectiveness.

This session is for experienced CISOs and senior security leaders who want to move beyond incremental improvement and strengthen the leadership operating system that drives long-term security performance.

As always, this session will be interactive, with video, props to illustrate the messaging and most of all, will be a facilitated session to gain insights from participants. This session is applicable to both CISOs and SABSA Security Architects, as this discusses the strategies for the environment which they are operating in. While this approach has been created by the presenter and communicated to 1,000’s of CISOs globally through books, podcasts and workshops, this session is a brand new session – diving deeper, as COSAC does, into the nuances of leadership to discuss and capture how we fix these issues in each of these areas.
Speaker(s)

Todd Fitzgerald

Former F500 CISO, Author CISO Compass, CISO SPOTLIGHT, LLC (USA)

Todd Fitzgerald promotes CISO/CPO leadership via advising CISOs, advisory board participation, podcasts, and international speaking engagements. Todd authored 5 books, including #1 Best-selling (2019-2024) and 2020 CANON Cybersecurity Hall of Fame book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers and #1 New Release (2024) The Privacy Leader Compass: A Comprehensive Roadmap for Building and Leading Practical Privacy Programs with Dr. Valerie Lyons. Todd founded the successful CISO STORIES leadership podcast and hosted the first 190 episodes. Named 2016–17 Chicago CISO of the Year, Todd’s senior leadership positions include CyberRisk Collaborative, Northern Trust, Grant Thornton International, Ltd, ManpowerGroup, Wellpoint/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines. Todd earned MBA with highest honors from Oklahoma State University, Business Administration from UW-Lacrosse, and earned certifications of CISSP, CISA, CISM, CIPP/US, CIPP/E, CIPP/C, CGEIT, CRISC, PMP, ITILv3, HI TRUST, and ISO27000. Todd also serves as an adjunct professor teaching Cybersecurity Leadership and IT Risk Management courses for Northwestern University.
Preventing Insider Risk at the Human Layer: How Adversaries Target Your People Before They Target Your Systems

Session 1B

We pour huge effort into technical controls and monitoring, yet many insider risk cases begin long before any alert fires. Adversaries often start by targeting people in relaxed, social settings: that must attend conference, a networking dinner, or a friendly chat with someone who seems genuinely interested. Before you know it, a colleague enjoys a great evening, lets their guard down… and unknowingly gives an adversary exactly the foothold they were looking for.

This session digs into how attackers build trust, leverage and influence well before anything looks suspicious. Using real, anonymised cases that haven’t been shared in public forums, we explore how ordinary, well meaning colleagues can slowly become exploitable—sometimes without realising it themselves.

Participants won’t sit back and listen; they’ll actively analyse cases, debate early warning signs, and explore practical ways to reduce human layer susceptibility without blocking business. We focus on what security leaders can do up front to strengthen resilience, long before an insider threat signal ever appears.

Because when it comes to insider risk, the smartest defence is simple: don’t let the adversary get a chance to start the game.
Speaker(s)

Martin de Vries

Chief Information Security Officer, VDL Groep (Netherlands)

Martin is an experienced Information Security Professional with a background in Project Management, Service Management and Innovation. He joined VDL Groep as their Chief Information Security Officer in September 2025. In this role he helps VDL Groep realising secure, state of the art and innovative digital facilities to meet the company’s strategy. As digitization comes with risks, he ensures that these are assessed and dealt with in the context of the company’s full risk profile.
CISSP certified
AI – Super Hero or Super Villain?

Session 1C

Security AI is often framed through a glass‑half‑empty lens, yet for security architects, it is becoming an indispensable tool. This session for practitioners who are curious, or under pressure to “use AI”, while remaining accountable for rigour, traceability and regulatory compliance. It shows, with examples, how to weave AI into delivery without lowering standards.

Using techniques and purpose‑built tools, the session demonstrates how AI can deliver high‑value architectural artefacts such as threat narratives, assessment outputs, requirements and control sets, models, policy, and risk registers. It also shows how to embed checks and balances that preserve accountability, explainability and defensibility of decisions, while addressing data protection, model governance and assurance concerns.

The session will explore human‑only, AI‑assisted and AI‑developed outputs to expose failure modes such as hallucination, false precision and loss of context, then examine practical patterns to mitigate them. Challenges are expected, with edge cases explored and pressure-tested to determine where AI genuinely adds value versus where it introduces unacceptable risk or noise.

As architecture teams experiment with AI tools while regulatory, audit and organisational expectations harden, this session distils lessons learned from real adoption. It introduces the minimum toolset needed to get started and showcases self‑developed tools that move beyond ad‑hoc prompting in generic chat interfaces, towards repeatable, governable workflows that can be adopted, adapted and justified to sceptical stakeholders.
Speaker(s)

Rob Campbell

Enterprise Security Architect, PA Consulting (UK)

Robert Campbell is a Security Architect at PA Consulting with over 28 years of experience in security. He is responsible for the development of PA’s security architecture framework, focusing on business driven architecture method which aligns to PA’s values and purpose.

Robert is the founder of assuredcontrol.com, a platform where he shares architectural resources and pragmatic guidance for fellow practitioners. A published author, he contributed the Security Architecture chapter to Mike Brass’s book, Governance, Risk and Compliance: Demystifying the Risk and Data Privacy Landscape.

Beyond his architectural work, Robert is a dedicated mentor and educator, committed to teaching the next generation of security professionals how to bridge the gap between complex risk landscapes and effective enterprise governance.
Securing Cyber-Physical Systems with the SABSA framework

Session 1S

Current cyber security practice typically focuses on classic IT ecosystem comprising computing environments running enterprise and business applications. Breaches result in personal data loss, financial loss, and IP theft. We also depend upon cyber-physical systems (CPS) to service many of our personal and business needs. These are complex systems-of-systems comprising digital elements (for control, sensing and safe operation) and physical elements (for interaction with physical entities and providing physical safety constraints).

Our security standards and practices were primarily conceived to secure IT ecosystems. These standards typically focus on individual organisations, which is problematic when seeking to secure complex cyber-physical systems where multiple organisations are responsible for their design, manufacture and operation.

This session explores some potential gaps in security standards, how recent changes relating to automated vehicles are starting to address these. The session examines how the widely adopted risk management approach in ISO 31000 can be adapted and extended. The session then explores how the SABSA framework can aid understanding and treatment of risk in CPS, illustrating it with a case study.

Key learning outcomes:

Understanding of some of the limitation regarding security standards and CPS

Appreciation of how ISO 31000 can be applied to complex cyber-physical systems

An overview of applying SABSA to cyber-physical systems
Speaker(s)

Hugh Boyes

Honorary Fellow, Loughborough University (UK)

Hugh is a security adviser and part-time academic. He recently completed his part-time PhD at the University of Warwick, which focussed on the development of a security framework for digital twins. His research interests relate to the security of cyber-physical systems, industrial IoT, digital twins, particularly those relating to the built environment and national infrastructure. Hugh is a Chartered Engineer, Chartered Cyber Security Professional. As a security adviser, he wrote several standards for BSI and is a regular standards reviewer and contributor. Hugh provides security advice across a range of information intensive public sector initiatives, particularly those involving infrastructure and complex spatial data.
Tuesday 29th
10:30-11:30
Leading on Your Worst Day

Session 2A

You remember exactly where you were that morning. The moment you saw the alert on the screen. The confusion. The realization that this was not an accident. Your world changed forever.

Now imagine finding yourself suddenly in charge, without a playbook and without the ability to reach higher authority. Fragmented information that is often wrong. More rumors than facts. Uncontrolled emotions. And 150 people are looking to you to make a decision.

Ransomware? DDoS? Zero Day?
How about 9/11?

Your speaker started a new job in Manhattan that morning, and by evening was leading volunteer and professional responders at Ground Zero. As cybersecurity leaders, we operate in a different domain but face similar conditions. A major breach or ransomware attack arrives without warning. Dashboards do not tell the full story. Executives demand answers. Teams look for direction. The pressure is immediate and intense.

This talk is a personal account of the first days at Ground Zero and what we can apply to our roles today. We will explore how to make sound decisions with incomplete information, how to establish clarity in the first critical minutes, how to communicate when certainty does not yet exist, and how to steady a team that is processing shock while still expected to perform.

It is also a candid reflection on the psychological weight leaders carry during crisis and what it takes to confront memories that do not neatly fade with time.

Every security professional hopes their worst day will never come. If it does, your personal and professional leadership skills will define you.
Speaker(s)

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation and co-host of the award-winning CISO Tradecraft podcast. He has been providing cyber security expertise to government, military, and commercial clients for over 40 years, and is the author of over one hundred articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Master’s in Business Administration, a Master’s in Strategic Studies, and is designated as a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).
(Ab)using Cognitive Biases: A Hacker's Guide to Defensive Social Engineering

Session 2B

Attendees will learn to apply the B=MAP framework and defensive social engineering to ethically exploit cognitive biases, transforming passive compliance into reflexive security instincts capable of defeating AI-driven deepfake attacks.

For decades, the cybersecurity industry has treated the human mind as a vulnerability we can “patch” with boring, once-a-year compliance slideshows. It is a massive failure. While we force employees through punitive training, attackers are using generative AI to execute perfect, omnichannel deepfake attacks—like the infamous $25M Arup Engineering heist—in under five minutes.

It’s time to stop playing defence and start stealing the attacker’s playbook.

You will be taught how to reverse-engineer the psychological weapons used by threat actors and deploy them for enterprise defence. You will learn the science of “Defensive Social Engineering,” using the B=MAP Framework and the HumanSAMM maturity model to ethically exploit cognitive biases. Discover how to transform security from a high-friction productivity tax into a reflexive instinct, turning your “weakest links” into your most lethal detection sensors against AI-driven deception.

The data is damning: 74% of all breaches trace back to human behaviour, yet 70% of traditional security training is forgotten within 24 hours. We don’t have a “people problem”; we have a fundamentally broken security architecture that ignores the physics of human behaviour. Worse, our shame-based compliance culture creates a spiral where employees hide mistakes, causing reporting rates to plummet.

This session is a tactical guide to tearing down that broken model. We will dissect how threat actors weaponize cognitive biases—like Authority Bias, Scarcity, and Social Proof—and how you can “flip” these exact same levers to engineer a hero-centric security culture. You will learn how to replace high-friction training with zero-friction “Strategic Nudges” delivered directly in the flow of work, bypassing fatigue and building reflexive scepticism.

If you want to outpace AI and deepfakes, you can no longer trust your eyes. You have to engineer your instincts.

Steal the Hacker’s Playbook: Stop relying on passive compliance and learn how to proactively deploy behavioural psychology to manipulate your culture—for good.

Survive the Deepfake Era: Understand the exact anatomy of modern AI deception (like the $25M deepfake scam) and how human intuition is your only viable countermeasure.

Access the B=MAP Engine: Walk away with a scientifically proven behavioural framework for diagnosing exactly why your employees fail security tests and how to permanently fix the root cause.
Speaker(s)

Joshua Crumbaugh

CEO, PhishFirewall (USA)

Joshua Crumbaugh is a world-renowned ethical hacker, social engineering expert, and the CEO of PhishFirewall. During his career as a penetration tester, he famously never met a network he couldn’t breach or a secure facility—including bank vaults and Fortune 500 data centers—he couldn’t talk his way into. Realizing human psychology is the ultimate exploit, Joshua shifted to defense, pioneering the concept of “Social Engineering for Good.” He is the driving force behind PhishEQ, the industry’s first LLM designed to defeat AI-driven phishing by detecting emotional manipulation. Joshua speaks globally, teaching organizations how to build unbreakable, hero-centric human firewalls.
Seeing the Unseen: A SABSA Approach for Discovering Hidden AI in Third-Party Vendors

Session 2C

Vendors increasingly embed AI deep in products and subcontracted services, obscuring model provenance, data lineage, and third party dependencies. This creates a business critical blind spot for security leaders: you cannot govern what you cannot see. Consequences include hidden model risk, opaque data flows, unmodeled threat surfaces, and weak auditability—directly impacting regulatory assurance, incident response, and contract risk.

This session will deliver a practical, repeatable solution for practitioners using SABSA to turn AI discovery into governance. We map the problem through SABSA layers and use SABSA methodology’s structured, risk-driven approach to build a solution to solve it. It reframes discovery as a control, ensuring that AI usage is independently verifiable, traceable, and continuously monitored. By leveraging OSINT and external intelligence, organizations can build a logical control system that aggregates weak signals—such as AI-related job postings, GitHub activity, patents, and cloud telemetry—into strong inferences about vendor AI capabilities.

We present the Vendor Intelligence System for Threats and AI Analysis (VISTA): an OSINT powered method that triangulates public signals (repos, hiring, patents, cloud/service metadata, docs), commercial datasets, and automated crawling to produce an AI usage profile and risk score per vendor, with SABSA aligned controls. The session will include a live walk through of the solution—query packs, signal weighting, vendor scoring, and audit ready evidence—showing how seasoned practitioners can operationalize third party AI visibility in weeks, not months, to materially reduce supply chain risk.
Speaker(s)

Pradeep Sekar

Managing Director, Optiv Security Inc. (India)

Pradeep Sekar is a seasoned cyber security leader who has worked closely with and guided Fortune 100 and Fortune 500 Chief Information Security Officers (CISO), Chief Information Officers (CIO) and their teams across various industries on developing and sustaining a secure, adaptive and robust cyber security program. His unique expertise includes the delivery of innovative cyber strategy solutions and benchmarking insights for global organizations as they look to transform their cyber programs.

He is currently a Managing Director with Optiv Security Inc. where he leads the Advisory Services. He leads the development and delivery of Optiv’s services in the domains of Strategy & Risk Management, Data Security, Application Security and Threat Management.

He is a member of the Economic Times India Leadership Council, which is an exclusive peer group forum of Heads of Businesses from Corporations representing all Indian industries and aims to work towards the end goal of transforming India’s business ecosystem through deliberations and candid exchange of ideas, setting macro agenda for scaling up businesses and driving change that would have a positive impact on business and the overall economy.

He has published thought leadership around security governance, threat profile and risk assessments in industry publications such as ISACA journal as well as on Optiv website (www.optiv.com). He has presented at the IIA/ISACA 9th Annual Hacker conference in Chicago, US; COSAC 2023 and COSAC 2024 Conference in Dublin, Ireland; Cloud Security Alliance Bangalore summit, ISACA Annual Karnataka conference in Bangalore, India; and ISC2 Bangalore chapter conferences.
Architecting for Failure: Designing Cyber Recovery from Failure Modes

Session 2S

Defence in depth is reassuring. It is also architecturally incomplete.

Over the past year, ransomware, identity compromise and systemic supply chain attacks have continued to escalate, with major organisations in the US and UK suffering significant disruption and, in some cases, struggling to recover in a timely or controlled manner. These incidents have demonstrated a hard truth: layered prevention does not prevent failure it merely delays it.

Organisations are now investing heavily in cyber recovery capability. The critical question is not whether to recover, but how to determine which recovery capabilities truly matter and whether they align with how the enterprise is most likely to fail.

Rather than deriving recovery from compliance frameworks or disaster recovery templates, we will explore how to define meaningful enterprise failure modes and use them to shape recovery design.

We will examine:

What re failure modes and how do we categorise them

How defined failure modes directly inform recovery capability decisions

How should you be tracking your recovery capability maturity against failure modes

Large-scale disruption is no longer hypothetical. If resilience is now a board-level expectation, architecting for failure must be addressed deliberately and now.
Speaker(s)

Sophia Mexi-Jones

Security Architect, PwC (UK)

Sophia is a Manager in the Cyber Security Practice at PwC UK, specialising in security architecture and engineering. She owns PwC’s Threat Modelling proposition, leading its development and delivery across client engagements. Her core expertise lies in cloud security, working with a range of cloud-native and platform technologies, including Kubernetes.

Her experience spans the private sector, public sector, and governmental bodies, where she has supported organisations in designing secure architectures and embedding security across the system lifecycle. Sophia has a strong technical background, holding an MSc in Cyber Security, and focuses extensively on threat modelling and cyber recovery across diverse environments from cloud-native systems to Operational Technology.
Tuesday 29th
11:30-11:45

Morning Coffee
Tuesday 29th
11:45-12:45
Named a Top CISO by an Algorithm: An OSINT Investigation into the AI Ego-Baiting Machine

Session 3A

In February of 2026, my name suddenly appeared in a LinkedIn post about "5 CISOs to watch in Norway’s Computer & Network Security Industry" – from a seemingly American online newspaper writing about security by and for CISOs. It’s always nice to be recognized for doing a good job, but there was also something suspicious about the whole thing. Why had I never heard of this site before? Or heard anything from the named journalist before they published an article mentioning me?

Join me on a journey into the world of social engineering, where AI, a network of shell websites, real Norwegian news outlets, and hundreds of CISOs from around the world are exploited to build a seemingly legitimate website – likely so an Israeli “hustle bro” can make more money. Along the way, we will also see how the source criticism and digital literacy we have built up over decades on the internet must essentially be rebuilt for the AI era – and how difficult it can be to distinguish between real content and AI-generated “slop.”

Introduction:
I am a curious person by nature, and I love diving deep into various topics and curiosities. But when I was named one of Norway’s most important CISOs in February 2026, my curiosity was piqued to the extreme. In this session, I will share the story of this ranking, the network behind it, and how professional information security leaders today are falling victim to social engineering – and the consequences this has for us as individuals and as a society.

The Methodology:
The presentation is structured as a storytelling journey. Using timelines, deep-dive OSINT (Open-Source Intelligence), historical retrospectives, and technical analysis, I will walk you through this specific method of internet manipulation. I will also identify the mastermind behind these fictitious, AI-driven rankings.

The Investigation:
I will present my OSINT analysis of the website that published the ranking and the further connections found there. It turns out that CISO Whisperer, the site behind the award, presents itself as being based in Austin, TX, while it is actually operated from Tel Aviv, Israel.

Although CISO Whisperer provides no ownership information or real names for its journalists, OSINT allows us to trace its origins back to The Venture Cation – a network of web- and social media pages that, from mid-2021 to early 2025, published massive amounts of tech, security, and AI content. Interestingly, in December 2024, the content abruptly shifted toward illegal drugs, cryptocurrency, and doping-related topics. By following logical deductions and the collected data, I can trace this back to one specific individual: Omri Hurwitz.

The Mastermind and the Business Model:
Omri Hurwitz, an Israeli ex-military turned “journalist,” is the owner of Omri Hurwitz Media – a PR agency with similar ties to the US and Israel. His online presence is unique, to say the least, having been featured in Rolling Stone and Forbes. However, the problem is that nearly everything he shares, creates, or represents is generated by artificial intelligence – en masse. Understanding his true motivation and business model is equally challenging.

The reason I can identify Hurwitz as the owner of CISO Whisperer is by tracing his “circular economy” of self-promotion. The smoking gun is Singapore Wire – a site owned by Hurwitz – which, only one month after CISO Whisperer launched, crowned it “the leading cybersecurity news platform of 2025.” He hasn’t just named CISOs worldwide as “leaders”; he has named his own one-month-old publication the leader of the year. It is all based on AI slop: rankings written by AI based on web scraping and automated LinkedIn data, creating a circular inflation of image, authority, and importance.

Why This Matters:
One might ask: “Is this really a problem? Can’t we just enjoy the occasional recognition?” I argue this is problematic for several reasons:

Authority Hosting: CISO Whisperer “borrows” authority from established professionals globally. The site only gains followers and positive traction because our professional reputations are being exploited without our consent.

Social Engineering of the Gatekeepers: We don’t know the ultimate motivation. While being called “someone to watch” feels good, sharing and liking this content means you are being socially engineered – the very thing CISOs work to prevent. The methodology is familiar: it’s based on the KGB’s MICE framework (Money, Ideology, Coercion, Ego) for recruiting spies and human assets, later adopted by the CIA. CISO Whisperer has simply automated “Ego-baiting” with AI.

The Strategic Risk: Is this just one man’s capitalist motive, or are there state actors involved? Is it useful for an adversary to map a country’s CISOs and to know which of them are susceptible to flattery?

Feeding the Monster: It becomes even harder to perform source criticism (information literacy) when even mainstream, editorially-led media outlets reprint these rankings without verification. And when the ranked CISOs contribute by sharing and liking this content we enable a less positive development in the field of cybersecurity – simply to enhance our own brand while leaving digital literacy on the backburner. When we don’t investigate, we are “feeding a monster” that may eventually bite the hand that feeds it.

Conclusion:
The purpose of this talk is to open the eyes of the security community to the threats we face – even CISOs are not immune to social manipulation. My intention is not to shame colleagues who “took the bait” – it can happen to the best of us – but to encourage a more vigilant and active relationship with such nominations. We must operate based on knowledge and wisdom, not flattery.
Speaker(s)

Øystein Balstad

CISO, Defendable AS (Norway)

Øystein Balstad is the CISO at Defendable, a top 3 MSSP in Norway. Here he bridges the gap between security governance, -management and operational IT. Since 2019, he has focused on information security management, cybersecurity frameworks, and tactical advisory, rooted in a Master’s degree in Managed Digitization from the University of Oslo and his status as ISO27001 Lead Implementer. Alongside his commitment to the SABSA methodology, Øystein operates on the core philosophy that security has no intrinsic value on its own – it is an essential attribute of the system and the businesses it enables.

An INT-J by nature, he is a deeply analytical thinker who thrives on challenging established truths and going deeper than most to uncover the reality behind the surface. While he prefers the quiet of a deep-dive investigation, he is a compelling speaker when presenting complex subjects where knowledge and wisdom meet.
From No SIEM to Intelligent SOC: Building Detection Capability in a UK Public Sector Estate

Session 3B

Many organisations assume that implementing a SIEM will inherently improve their security posture. Within the UK public sector, this assumption is commonly reinforced by increasing pressure to comply with guidance from the National Cyber Security Centre and demonstrate assurance under frameworks such as GovAssure. However, within environments with limited visibility, fragmented controls, and constrained resources, introducing a SIEM can just as easily amplify noise as it can improve detection.

This session explores a real-world transformation from having no meaningful centralised monitoring to building an intelligent, detection-led security operations capability. It challenges the idea that visibility alone equates to security, and instead focuses on how detection must be deliberately designed, prioritised, and operationalised.

Starting from a position of minimal monitoring, legacy network controls, and limited baseline configuration, this session examines the architectural and operational decisions required to establish effective detection capability. It covers how to justify investment to senior leadership, how to design detection use cases based on business risk rather than available telemetry, and how to avoid common blunders such as undue reliance on external providers or deploying tooling without a clear detection strategy.

Using principles from SABSA, the session demonstrates how detection engineering can be aligned with the organisational mission, translating risk into actionable monitoring and response capabilities. It also explores how automation, lightweight adversary simulation, and iterative use-case development can build capability within teams with limited prior experience in security operations.

Particular emphasis will be placed on designing for sustainability, ensuring that detection capability scales with available skills and avoids operational overload. Attendees will gain practical insight into how to move from reactive alert handling to a structured, intelligence-led approach to monitoring and response.

This will be a highly interactive session, encouraging participants to scrutinise assumptions about SIEM-led transformation, compare approaches across public-sector environments, and reflect on whether their current monitoring capability is truly designed or simply deployed.
Speaker(s)

Colin Manson

Technical Security Manager, Invest NI (Northern Ireland)

Colin Manson is a Technical Security Manager working within the UK public sector, where he is leading efforts to turn security ambition into operational reality.

His career started in Security Operations, where he quickly learned that having tools doesn’t mean having security, a lesson that continues to shape his approach to architecture today. Colin now focuses on building security capability in environments that don’t start from a position of maturity: limited visibility, legacy infrastructure, and small teams expected to deliver large outcomes.

Rather than approaching security as a technology problem, Colin treats it as a design challenge, translating business risk into practical, sustainable controls that people can actually operate. His work spans detection engineering, identity and access management, and security architecture, with a strong focus on ensuring that what is designed can genuinely be delivered and maintained.

He applies frameworks such as SABSA pragmatically, adapting them to real-world constraints rather than ideal models. Colin is particularly interested in the gap between architectural intent and operational reality and why so many transformation programmes struggle to bridge it.

Outside of work, Colin has a background in sports coaching, which continues to influence his approach to leadership and security, focusing on fundamentals, team development, and building systems that work under pressure, not just on paper.
Cybersecurity Architecture as Code: Using AI to Deliver Better Architecture Artifacts, Faster and Better Quality

Seesion 3C

At an all-hands town hall, onsemi's CEO challenged every employee — not just the security team — to stop thinking about AI as a way to automate existing processes and start thinking like a startup: disrupt the process entirely. Rob Rost took that challenge into his cybersecurity architecture program.

This session is a case study on what happened next. It covers the method developed for using AI to produce SABSA-style business-contextual, conceptual, and component-level cybersecurity architecture documents — at a quality and scale that the old approach couldn’t reach. It’s also an honest account of what didn’t work, what had to be rebuilt, and what he would do differently.

Inspired by the 2025 COSAC presentation ‘Automating Secure-by-Design’ by Mexi-Jones and Cassam, this talk continues that conversation with real artifacts, real techniques, and real outcomes from inside a global semiconductor company. The goal isn’t to present a finished product — it’s to share the journey, encourage others to publish their own, and have a practical discussion about how to accelerate the cybersecurity architecture practice with AI.

Come ready to challenge the approach, share your own experience, and leave with something useful.
Speaker(s)

Robert Rost

Cybersecurity Architecture Director, onsemi (USA)

Robert Rost has been focused on cybersecurity for the last 21 years. Robert Rost was the Cybersecurity Architecture Director from 2019 to 2024 at one of the largest non-for-profit healthcare systems in the US. Prior to this role, Robert Rost held the position of IT Operations Director, Defensive Services at the same company. He is currently the Cybersecurity Architecture Director for US-based fortune 500 chip manufacturing company. He was hired by the CISO to build the company’s cybersecurity architecture function. To achieve this outcome, Rob is leveraging his experience, trusted relationships, SABSA training and experience using the Agile Security System by Andrew Townley.

Rob has a passion for cybersecurity architecture, but also for educating everyone, especially the youth and their parents, about Internet safety. He enjoys researching and writing about cybersecurity (www.robertrost.com).

Above all, He enjoys life and has adventures with his wife of 17 years and three children in Southwest United States. He also enjoys serving and volunteering in the Church of Jesus Christ of Latter-Saints and in his community. Rob enjoys strength training, pickleball and ice baths.
Designing Security Around the Most Fallible Asset: Reframing Enterprise Architecture Through a Human-Centric SABSA Lens

Session 3S

Cybersecurity architecture has traditionally been designed around systems, applications, networks, and data. Humans are typically treated as risks to be managed, constrained, or monitored.
What if the primary asset in our design were not the system… but the human, and the task the person is trying to accomplish.

This session challenges the prevailing system-centric paradigm by exploring what happens when we deliberately define the human as the core asset in a SABSA-aligned enterprise security architecture. Instead of designing controls around infrastructure and forcing humans to comply, we examine what changes when security controls, operating models, policies, technologies, and even measurement frameworks are engineered around human capability, cognition, behaviour, and fallibility. Enabling and protecting humans while they accomplish it’s task, much like is done during physical design.
Key questions explored:

Does Zero Trust look different when trust boundaries are defined by human context rather than network perimeters?

Do identity, access, and monitoring controls shift from enforcement mechanisms to augmentation mechanisms?

How do Attributes such as usability, cognitive load, resilience, and psychological safety reshape control design?

What happens to incident response, awareness, and governance when the human is treated as a protected asset rather than a vulnerability or attack surface?

This session combines the often overlooked culture elements of organizations and combines it with a structural reconsideration of enterprise security architecture itself.

If we truly align security to what matters most to the business, and the business ultimately depends on human judgment, decision-making, and action, are we architecting around the wrong asset? We invites you to reconsider a foundational assumption: Is the human the weakest link, or the asset we’ve been designing around incorrectly all along?
Speaker(s)

Jaco Jacobs

Lead Global Security Architect, Accenture (Netherlands)

Jaco has been a “security guy” for more than 25 years during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most of his career developing security IP, training and services for the largest global security providers as well as co-authoring several security publications.

Karel Koster

Manager Cyber Security, FedEx Express Corporation (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information roles. He currently manages a global information security team for FedEx.

Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies. Karel is a People, Process and Technology person, in that order.
Tuesday 29th
12:45-13:45

Lunch
Tuesday 29th
13:45-14:45
Rethinking Supply Chain Cyber Security: From Audit Burden to Threat-Led Defence

Seesion 4A

Organisations are increasingly overwhelmed by audit-based approaches to supply chain cyber security. As regulatory expectations rise and procurement teams demand ever-growing evidence of compliance, suppliers face a proliferation of questionnaires, attestations, and point-in-time checks. Yet despite this escalating administrative load, overall risk is not materially reduced. Attackers do not respect audit cycles, and compliance artefacts rarely reflect the dynamic threat environment or the real security posture of complex supply chains.

This session explores how a threat and defence led model can provide a more realistic and effective approach. Rather than relying on static audits, we will examine how organisations can assess suppliers based on behaviours, controls, and observable risk indicators aligned to the threats most relevant to their sector. We will look at how to use intelligence, shared defence models, and collaborative incident response to raise collective resilience.

The discussion will also revisit lessons from the extranet era, when organisations deliberately limited their exposure to third parties by tightly controlling connectivity. While that model cannot be replicated in today’s hyperconnected world, elements of its mentality—principle of least privilege, controlled pathways, and mutual accountability—remain valuable. The session will explore how these principles can be modernised to meet contemporary supply chain cyber challenges.
Speaker(s)

Siân John MBE

Partner, EY (UK)

Siân has worked in Cybersecurity for over 25 years across strategy, business risk, privacy, and technology. She is a Fellow of the UK Chartered Institute of Information Security and a council member for the Engineering and Physical Sciences Council (EPSRC). Siân was awarded an MBE in the Queen’s 2018 New Year’s Honours List for services to Cybersecurity.
Demystifying encryption in use: homomorphic encryption & multi-party computation

Session 4B

Encryption of data at rest and in transit are well known cryptographic use cases. However, their sibling use case of encryption of data in use is less known and less understood. As an example, the European DORA regulation mentions using encryption of data in use “where necessary”, but that leaves to wonder: when is it necessary to encrypt data in use? And if it is necessary, how can we do so?

This session gives a user-friendly introduction to two popular approaches for encryption in use: homomorphic encryption and multi-party computation, with the goal of allowing security architects to reason about its usage and functionality.

Additionally, we’ll cover how those methods compare with confidential computing, in which cases they would offer value, the current state of available technologies, how practical they are, which capabilities are required to start using homomorphic encryption and multi-party computing, and which constraints to expect.
Speaker(s)

Jasper Rots

Cybersecurity Architect, Splynter (Belgium)

Jasper is a cybersecurity architect specialized in application security and cryptography. He has studied under prominent cryptographers at KU Leuven’s COSIC, and he currently serves as cryptography capability lead and secure system development lifecycle operator at one of Belgium’s major banks. He is known for his enthusiasm, curiosity and can-do mentality, and being able to explore any technical topic. He is an avid speaker, teacher and workshop facilitator.
Education’s Artificial Intelligence Dilemma

Session 4C

In the rush to adopt generative AI, the education sector has found itself on a unique frontline. As CISO for the Department for Education, I’ve observed that while every industry faces AI-driven threats, the stakes in academia are fundamentally different. Our sector is built on a currency of trust. Trust between student and teacher, researcher and peer, and institution and employer.

This session explores why education is uniquely vulnerable to the AI revolution. We will examine how AI-driven synthetic media and automated “scholarship” don’t just pose a security risk, but threaten to dismantle the pillars of academic publishing and assessment integrity. If we cannot verify the human origin of an idea, the traditional academic model begins to fracture.

However, mitigation isn’t found in a frantic race to ban tools. I will outline a strategic framework for resilience: Integrity by Design. We will discuss how to wrap the classic “People, Process, and Technology” triad within a robust operational sandwich of AI governance and dedicated AI incident response. By baking security into the pedagogical process rather than bolting it on, we can protect the sanctity of learning in an era of unprecedented disruption.
Speaker(s)

Martin Sivorn

CISO, Department for Education (UK)

Martin is a senior cyber security leader with a proven record of building and scaling enterprise cyber capabilities across government and global media. He has established security functions from inception in central UK Government and previously created the first coordinated global cyber capability for the Financial Times, enabling secure digital publishing and commercial operations across multiple continents. Currently Chief Information Security Officer at the UK Department for Education, Martin shapes national-scale cyber strategy for the department and UK education sector, supporting sector-wide resilience through collaboration and practical, outcome-driven security. He specialises in measurable, investment-aligned cyber strategies that enable—rather than obstruct—modern digital delivery. A Global Top 100 CISO, Martin speaks on cyber strategy, resilience and digital risk at UK and international forums.
The Architecture for Abandonment: Reducing Tech Debt by Killing Zombies

Session 4S

As Security Architects, we are fluent in Secure by Design, yet often neglect Secure by Decommissioning. For many organisations, the most significant architectural risk is not the latest technology or emerging threats, but the silent persistence of legacy systems that nobody owns, understands, or has the courage to switch off. In 2026, technical debt has evolved from an engineering nuisance into a core security architecture issue.

AI and Machine Learning systems pose even greater challenges for retirement than traditional legacy platforms do. Their intricate dependencies on data, models, tooling, and embedded business logic create complex webs that are difficult to unravel. Inadequate ownership, insufficient documentation, and mounting regulatory requirements will make future AI “Legacy Zombies” significantly more hazardous and costly to decommission securely.

This session argues that end-of-life planning should be a core architectural requirement, not merely an operational afterthought. Leveraging the SABSA Lifecycle, especially its Manage and Measure phase, this talk explores how architects can establish meaningful business, risk, and assurance criteria for retiring systems. Participants will discover how insecure abandonment creates a hidden attack surface, erodes the effectiveness of controls, skews assurance reporting, and undermines organisational resilience.

This interactive session will include a “Funeral Service,” inviting delegates to identify their organisation’s “Legacy Zombies”, systems that are obsolete, unsupported, duplicated, or too risky to keep alive. Together, we will architect their demise: mapping dependencies, surfacing business objections, exposing control gaps, navigating stakeholder resistance, resolving data retention concerns, and defining actionable steps for secure decommissioning. The outcome is a practical, collaborative exercise in designing the “perfect murder” of a legacy system, lawful, methodical, controlled, measurable, and secure.

Key takeaways:

Why technical debt should be treated as a top-tier security architecture risk.

How SABSA supports secure decommissioning through lifecycle governance and measurement.

A practical approach to identifying, prioritising, and retiring “Legacy Zombies”.

Ways to turn end-of-life into a measurable security and business outcome.
Speaker(s)

Chris Blunt

Senior Security Architect, AVEVA (Northern Ireland)

Chris is a SABSA Master with over twenty years of experience demonstrating that security can be a catalyst for growth, not an obstacle. He has advised boards, influenced national cybersecurity policy, and established security functions for governments and global organisations. Known for his knack for turning complexity into clarity, Chris translates complex cybersecurity risk into clear, actionable strategies that give leaders the confidence to act and build lasting resilience.
Tuesday 29th
14:45-15:00

Afternoon Tea
Tuesday 29th
15:00-16:00
Minimum Viable Company: How Organisations Survive After Trust Fails

Session 5A

Most cyber recovery strategies quietly assume that trust still exists — in identity systems, administrators, backups, telemetry, or time. In real incidents, it rarely does. When trust collapses, the question is no longer how quickly can we recover everything, but what can we safely rely on at all.

This session introduces the concept of the Minimum Viable Company (MVC) — the smallest set of capabilities an organisation must restore to operate safely, lawfully, and credibly when compromise is assumed. MVC is not a technology architecture or a DR pattern. It is the outcome of hard, constrained decisions made under pressure: what must come back first, who decides, and what risks are explicitly accepted.
Speaker(s)

Lesley Kipling

Chief Cybersecurity Advisor, Microsoft EMEA (UK)

Previously lead investigator for Microsoft’s detection and response team (DART), Lesley Kipling has spent more than 24 years responding to our customers’ largest and most impactful cybersecurity incidents. As Chief Cybersecurity Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning. She holds a Master of Science in Forensic Computing from Cranfield University in the United Kingdom.
Dropping the C-BOM: A Practical Playbook for Defusing the Post-Quantum Threat

Session 5B

This session presents a practical, tool-ready approach for identifying organisational exposure to post-quantum cryptographic (PQC) risk through enterprise architecture and cryptographic asset discovery.
The session shows how a canonical EA blueprint, utilising a cryptographic taxonomy specified in CycloneDX Cryptographic Bill of Materials (CBOM) format, can be used to create model of cryptographic material in the context an enterprise-wide IT landscape.

The model provides a top-level cryptographic inventory, revealing where quantum-vulnerable algorithms, unsafe cipher suites, and deprecated libraries reside in your technical estate: their proximity to exposes surfaces and which business assets most at risk.

Using dependency modelling and failure mode analysis, we demonstrate concrete, prioritized remediation and migration paths: where to apply hybrid or migration target algorithms, how policies and controls map to technical change, and how operational telemetry closes the loop between architecture and operations.

Attendees will leave with a reproducible method, PQC reference architecture patterns and a clear workflow for turning C BOM discovery into actionable PQC readiness plans.
Speaker(s)

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a Belgium-based independent security consultant at Cyber Enterprise Modelling (CEM) and has been a regular presenter at COSAC since 2018 on the topic of security by design through automation and modelling.

He is the principal author of the SABSA Institute / Open Group paper “Modelling SABSA with ArchiMate” and chairs the associated SABSA Working Group.

He holds several security, architecture and privacy certifications including both SABSA Chartered Practitioner certifications and a contributor to the forthcoming ArchiMate Next.

Stuart Wilson

PKI and Cryptography Management Consultant, (Ireland)

Stuart brings more than 25 years of experience in PKI and cryptography management across a wide range of industries.

He has worked at the intersection of standards, policy, and enterprise practice — contributing to NIST NCCoE’s Cryptography Discovery and Inventory initiative, the GSMA Post-Quantum Task Force, and most recently the Post-Quantum Financial Forum (PQFF).

Stuart works with large enterprises on building robust cryptography governance frameworks and implementing crypto-agile architectures designed to withstand the transition to post-quantum cryptography.

His work spans certificate lifecycle management, cryptographic discovery and inventory and the design of PQC migration strategies that balance operational continuity with long-term security resilience.
No Humans in the Kill Chain: Architecting Response Capabilities for AI agents and AI-on-AI Attacks

Session 5C

Let's be honest, everything we've built in incident response assumes there's a human at the other end. Our logs, our kill chains, our IoCs, our forensic timelines, all of it expects human-speed actions and human decision-making. That falls apart with autonomous AI systems.

This session draws on real-world IR engagements where AI-driven attacks targeted AI-dependent defences and traditional autonomous systems, and where our usual methods just didn’t work. The indicators are different. The adversary didn’t traverse a network path we typically map. The “decisions” happened at speed where no human actor can attribute.

From those cases, the session introduces a new IR architecture framework built specifically for AI-on-AI conflict: detection patterns for machine-speed adversarial behaviour, forensic approaches when there’s no human intent to reconstruct, and response orchestration that doesn’t wait for an analyst to understand what happened before acting.

This framework also surfaces questions our industry hasn’t even started answering. When AI fights AI, who’s accountable? What does “containment” actually mean when the adversary is a model, not a person? Is your architecture even capable of knowing it’s under attack?

Participants will leave with a working framework, and the uncomfortable realisation that it isn’t enough yet.
Speaker(s)

Fouad Mulla

Lead, Ai & Cloud Security Architect, Independent (Czech Republic)

Fouad Mulla has spent 15 years in cybersecurity, most of it uncomfortably close to the incidents that keep CISOs awake.

His experience spans cloud and AI security architecture, secure development, and enterprise risk management, but his perspective on security architecture is shaped primarily by what he’s seen break during incident response. He currently focuses on the gap between how we design AI-dependent systems and how we actually respond when they fail or come under attack. Fouad holds CISSP, CISM, and SecurityX certifications.
The Illusion of Control: Why Security Architectures Look Strong on Paper and Collapse in Reality

Session 5S

Security architectures are often dense with controls, policies, and assurance artefacts. On paper they appear comprehensive, well governed, and rigorously designed. Yet some of the most heavily controlled environments still experience catastrophic security failures. Why?

This talk explores a recurring architectural trap: confusing the presence of controls with the reduction of risk.

In practice, many systems rely on compensating controls to mask structural weaknesses in identity models, trust boundaries, and system design. Monitoring compensates for overprivilege. Segmentation compensates for untrusted workloads. MFA compensates for fundamentally flat trust relationships. The architecture appears strong because the diagram is full, but the underlying structure is fragile.

When a control fails, the system does not degrade gracefully. It collapses suddenly, revealing that the controls had quietly become load-bearing.

SABSA itself is not the problem. In fact, its emphasis on business attributes, traceability, and architectural integrity was designed to prevent exactly this situation. However, in real-world environments the framework can drift from a design discipline into a control-mapping exercise. Delivery pressure, legacy constraints, and organisational compromise often encourage architects to secure around weak structures rather than redesign them.

The result is an architecture that looks complete within the model, but behaves very differently in operation. Risk appears “treated” or “mitigated”, assurance is inferred from the presence of controls, and compensating mechanisms slowly accumulate into architectural debt.

This talk reframes security architecture as a structural discipline rather than a control inventory exercise. It explores how the illusion of control emerges, where SABSA’s intent is quietly diluted in practice, and how architects can use the framework more rigorously to design systems that remain trustworthy when controls inevitably fail.

If removing a control causes catastrophe, the architecture was never secure…. it was supervised.
Speaker(s)

James Chinn

Enterprise Cloud Security Architect, Admiralgroup PLC (UK)

As Enterprise Cloud Security Architect at Admiral Insurance, I spend my time shaping the vision and strategy for cloud security, which is a polished way of saying I help keep modern technology ambitions from turning into modern security problems. With more than a decade of experience in cloud computing and security, I’ve worked across fintech organisations ranging from scrappy startups to FTSE 100 giants. Along the way, I’ve shared my thoughts with the wider industry through speaking engagements and hosted events, usually on the subject of building security in properly rather than bolting it on later and hoping for the best.
Tuesday 29th
16:00-17:00
From Devils to Angels: Back to the Future of Cyber Security

Session 6A

Much of the focus of internal cyber security is on malicious behaviour. But this is not the only reason incidents happen and risks overlooking other behaviours that are just as dangerous, if not worse.
Centuries ago, do something wrong and you’re either a knave or a fool. While this sentiment persists, there are better ways of carving up the population. Consider the “5% devils, 5% angels and 80% in-between” model. Within the 80% we have the malicious, the reckless, the negligent and the accidental. Of these it is the accidental who, far from being the weakest link, are the least understood link.

The author William Gibson once said: “The future is here, it’s just unevenly distributed”. We now have powerful models for better understanding how variabilities in everyday work can unexpectedly interact, resonate and amplify into emergent, non-linear accidents.

So here we are, twenty-first century cyber security professionals, equipped with exciting new Al technology for enhancing our security controls. The only thing standing between us and success is the human factor. But this is nothing new. A major railway accident from 165 years ago is a valuable case study from which we might heed some valuable lessons.

Let’s flip the script with our security thinking. From as few things as possible going wrong to as many things as possible going right. From treating people as a problem to be blamed and fixed, to recognising people as a flexible resilience resource. And not being blinded by technology.
Speaker(s)

David Porter

Senior Advisor | Emerging Threats, Bank of England (UK)

David Porter has over 30 years’ experience in operational risk and resilience. Originally an AI researcher, his work has covered fraud and money laundering detection, computer security, threat intelligence and incident response. He has worked for both public and private sector organisations.

At the Bank of England, he works on a variety of internal security projects including threat mitigation, incident review and response exercising. He is the author of the original version of the Bank’s CBEST intelligence-led penetration testing manual.

David holds an MSc in Advanced Methods in Computer Science and is a Certified Information Systems Security Professional, Certified Information Security Manager and Certified Fraud Examiner. His book contributions include Analysis for Knowledge-Based Systems, Guide to International Money Laundering Law and Regulation, Corporate Fraud and Handbook of Research on Information Security.
Cybercrime as a System: The Modern Attack Surface Under Pressure

Session 6B

Cybercrime is no longer best understood as a series of isolated attacks. It now operates more like an industry: distributed, specialised and quietly efficient. Behind a successful breach sits a web of malicious and semi-malicious activity including access brokers, phishing infrastructure, traffic distribution, malware services, identity abuse, compromised supply chains and monetisation networks. Each part may appear limited on its own; together they create a scalable operating model for intrusion.

This presentation examines the architecture of that model and how attackers gradually build advantage across the modern enterprise attack surface. It explores how threat actors scrape knowledge, test trust boundaries, exploit supply chain dependencies and expand footholds over time before moving to their real objective. It also considers how AI is beginning to change the pace, scale and economics of this environment for both attackers and defenders.

The presentation argues that while enterprise security has become more integrated and better coordinated, it must now mature further and faster to keep pace with an adversary ecosystem that is increasingly organised, adaptive and industrialised. Drawing on academic research, threat intelligence and architectural analysis, it proposes a more systemic and predictive approach to security architecture, one that is better able to understand dependency, reduce attack surface and disrupt attacks before they reach full effect.
Speaker(s)

Simon Cross

Enterprise Security Architect, Infoblox (UK)

Simon Cross is an Enterprise Security Architect specialising in cybersecurity, cloud and enterprise security architecture. Across leadership, consulting and pre-sales roles,
he has built a reputation for helping organisations tackle complex security challenges with clarity, pragmatism and strong business alignment. Simon is a contributing editor to
The Open Group Zero Trust Reference Architecture, runs the UK chapter of SABSA World, and is a regular conference speaker on Zero Trust, cloud security, DNS and modern security architecture.
The Story of the AVR Roaming Around the Factory Floor

Session 6C

A consumer buys a cheap robot vacuum on TEMU, plugs it in, and sends it on its way. A cautious security professional isolates it on the home network and blocks internet access. The result? The robot slowly stops functioning—because it can’t phone home to its “mothership.”

Now translate that to your industrial environment: what about the (Chinese) Autonomous Visual Robots (AVRs) casually roaming your factory floor? How do you secure devices that are incredibly useful for operations, but engineered with a connectivity model you don’t control?

This session walks through a real world case where an AVR was introduced into a production facility. We explore how we secured it, what risks we uncovered during testing, which compensating controls actually worked, and—most importantly—how to deliver business value without exposing your environment.

Participants will dive into the practical reality of securing modern, cloud tethered devices in an industrial environment where “just block it” isn’t an option. Expect open discussion, early warning signs, security design lessons, and brutally honest insights from the field.

Because if an AVR is going to roam your factory floor, you’d better make sure it’s working for you—and not for someone else.
Speaker(s)

Martin de Vries

Chief Information Security Officer, VDL Groep (Netherlands)

Martin is an experienced Information Security Professional with a background in Project Management, Service Management and Innovation. He joined VDL Groep as their Chief Information Security Officer in September 2025. In this role he helps VDL Groep realising secure, state of the art and innovative digital facilities to meet the company’s strategy. As digitization comes with risks, he ensures that these are assessed and dealt with in the context of the company’s full risk profile.
CISSP certified
E5 Isn’t a Strategy: Designing Security Architecture Before Licensing in the UK Public Sector

Session 6S

The UK public sector has invested heavily in modern security suites aligned with National Cyber Security Centre guidance and assurance frameworks, such as GovAssure and Cyber Essentials. However, many organisations still find it difficult to demonstrate real improvements in resilience, detection, or control effectiveness. In some cases, increased capability introduces complexity without reducing risk.

This session addresses a growing but often overlooked issue: the assumption that acquiring comprehensive security capabilities leads to security maturity. It examines the architectural impact of expanding tools before establishing structure, where organisations follow security principles in theory but lack the governance, lifecycle design, and operational alignment needed for effective controls.

Based on real-world experience from a UK public sector transformation programme, this session reviews environments where advanced capabilities are present but key elements are lacking. These gaps include undefined device baselines, inconsistent identity governance, fragmented monitoring, and limited traceability between controls and risk. This often leads to “performative compliance,” where assurance exists on paper but not in ongoing operations.

Using SABSA, this session demonstrates how architectural thinking connects security capability to business objectives. It discusses how mission, service requirements, and risk appetite should guide the design of identity, device, and detection controls before enabling new capabilities.
The session will address UK public sector constraints, legacy systems, procurement cycles, skill shortages, and audit pressures, and how these factors drive architectural compromise. It will also outline how to shift from simply having controls to achieving measurable effectiveness, enabling organisations to demonstrate real resilience rather than just accumulating tools.

This interactive session will help participants challenge assumptions, assess their environments against architectural principles, and determine whether their current security posture reflects genuine capability or unnecessary complexity. Attendees will leave with practical steps to evaluate and improve their organisation’s security effectiveness.
Speaker(s)

Colin Manson

Technical Security Manager, Invest NI (Northern Ireland)

Colin Manson is a Technical Security Manager working within the UK public sector, where he is leading efforts to turn security ambition into operational reality.

His career started in Security Operations, where he quickly learned that having tools doesn’t mean having security, a lesson that continues to shape his approach to architecture today. Colin now focuses on building security capability in environments that don’t start from a position of maturity: limited visibility, legacy infrastructure, and small teams expected to deliver large outcomes.

Rather than approaching security as a technology problem, Colin treats it as a design challenge, translating business risk into practical, sustainable controls that people can actually operate. His work spans detection engineering, identity and access management, and security architecture, with a strong focus on ensuring that what is designed can genuinely be delivered and maintained.

He applies frameworks such as SABSA pragmatically, adapting them to real-world constraints rather than ideal models. Colin is particularly interested in the gap between architectural intent and operational reality and why so many transformation programmes struggle to bridge it.

Outside of work, Colin has a background in sports coaching, which continues to influence his approach to leadership and security, focusing on fundamentals, team development, and building systems that work under pressure, not just on paper.
Tuesday 29th
17:00–17:15

Refreshments
Tuesday 29th
17:15–18:15
Compliant and Compromised

Plenary 7P

Your Smart TV is watching you back. Your internet-connected fridge is mapping your home network. Your video doorbell is feeding footage into a law enforcement surveillance platform you never signed up for. These are not theoretical attack scenarios — they are documented, real-world behaviours of devices sitting in millions of homes right now, including the homes of your employees, your executives, and, most likely, everyone in this room.

The devices work exactly as designed, that is the problem. They provide services to others as well as the customer that bought the device, often unknown to the owner and at best hidden in some fine print in the click through licence.

The need to secure these IOT devices becoming recognised and legislation is catching up, for example in the EU with the Cyber Resilience Act (CRA) which was formally adopted by the European Parliament, EU Council and entered into force at the end of 2024. It mandates security hygiene: no default passwords, vulnerability disclosure, defined support windows. Good. Necessary. But it does not answer the more uncomfortable question: what is the device actually permitted to do? A device can be fully CRA-compliant while quietly harvesting your viewing habits, your voice, your network topology, and your daily routines — and selling them to parties you have never heard of.

The CRA should help reduce the external attack surface; it does nothing about the manufacturer already being inside.

In this session, we will argue that we need to build a certification framework that fills this gap — one that requires manufacturers to declare, in a verifiable and enforceable way, exactly what their device does, what data it collects, who it talks to, and why. A framework inspired by the discipline of DoD system hardening and the high-assurance principles developed for manned spaceflight: if it is not explicitly permitted, it is prohibited. If it cannot be independently verified, the certificate does not get issued.

We will look at the evidence — Samsung, Vizio, Eufy, Ring — and ask why existing regulation has not stopped any of it. We will work through what such a certification framework would actually need to contain, and we will stress-test it together, because this audience will find the holes faster than anyone.

Among other things, this session will cover:

Why the CRA, ETSI EN 303 645, and NIST IR 8425 are necessary but not sufficient — and what the gap actually looks like in practice

A proposed certification architecture: what manufacturers would need to declare, how it would be independently verified, and how it would be enforced

The hardening principles that should underpin it — least functionality, network egress control, third-party SDK transparency

The governance problem: how do you make this stick when a significant share of consumer IoT is manufactured in jurisdictions that will not cooperate?

The Ring problem: how do you certify behaviour at point of sale when the manufacturer can change what the device does through policy decisions and commercial partnerships years later?

Whether any of this is politically viable, or whether the lobbying reality makes it a non-starter

We do not have all the answers. That is why this is a COSAC session and not a whitepaper. We will bring the framework, the evidence, and the uncomfortable questions — and we expect this audience to do what it does best.
Speaker(s)

Karel Koster

Manager Cyber Security, FedEx Express Corporation (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information roles. He currently manages a global information security team for FedEx.

Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies. Karel is a People, Process and Technology person, in that order.

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.
Tuesday 29th
18:30-19:00

Drinks Reception
Tuesday 29th
19:00 onwards

Dinner & Irish Music Night

Wednesday 30th September

Wednesday 30th
08:45-09:00

Registration & Coffee
Wednesday 30th
09:00-10:00
Outcome Driven Metrics – The Holy Grail of Metrics

Session 8A

Modern security metrics are overrun by control and activity counts that fail to tell senior stakeholders whether loss, resilience and trust are actually improving. This session treats outcome‑driven metrics as the governing layer and shows how to wire compliance, activity, maturity and risk‑based measures into them as evidence and levers. Attendees leave with a pattern for defining business‑service outcomes, constructing outcome trees and mapping existing telemetry into a minimal, board‑ready set of measures tied directly to loss and resilience, plus a practical test for whether any proposed metric is genuinely informative about risk rather than a decorative KPI.

The material is drawn from real implementations of outcome‑first metrics. Boards, regulators and risk functions now expect security reporting in economic and resilience terms, while most organisations remain stuck on patch counts and tool scores that do not support business decisions. In the session, we will take a common domain, deconstruct it, define the architectural principles and convert them into outcomes, then define KPIs, KRIs and KCIs to determine whether the stated outcomes have been achieved.
Speaker(s)

Rob Campbell

Enterprise Security Architect, PA Consulting (UK)

Robert Campbell is a Security Architect at PA Consulting with over 28 years of experience in security. He is responsible for the development of PA’s security architecture framework, focusing on business driven architecture method which aligns to PA’s values and purpose.

Robert is the founder of assuredcontrol.com, a platform where he shares architectural resources and pragmatic guidance for fellow practitioners. A published author, he contributed the Security Architecture chapter to Mike Brass’s book, Governance, Risk and Compliance: Demystifying the Risk and Data Privacy Landscape.

Beyond his architectural work, Robert is a dedicated mentor and educator, committed to teaching the next generation of security professionals how to bridge the gap between complex risk landscapes and effective enterprise governance.
Information As A Domain of War – IWAR

Session 8B

Information has emerged as a critical warfare domain alongside traditional military environments. COL (R) Lawrence D. Dietz's lecture explores how modern military operations leverage the information environment across three interconnected dimensions: physical infrastructure, informational flow, and cognitive perception.

The presentation establishes that modern warfare operates across a competition continuum—from cooperation and alliance-building through strategic competition to open conflict. Information operations serve as non-kinetic instruments that achieve military objectives by shaping adversary perceptions and decision-making while maintaining operational advantage.

Key operational components include psychological operations (PSYOP), military deception, cyberspace operations, electronic warfare, operations security, and public affairs. Real-world applications examined include Ukraine, Gaza, and Venezuela.

The program details Russia’s sophisticated disinformation ecosystem—combining official communications, state media, proxy sources, and social media weaponization and how China employs “Wolf Warrior” diplomacy and narrative control tactics to advance sovereignty claims and reshape global discourse.

Critically, the presentation demonstrates that information warfare (IWAR) has become integral to national strategy, requiring synchronized coordination across diplomatic, military, and economic instruments to achieve strategic objectives while countering adversarial influence operations.
Speaker(s)

Larry Dietz

General Counsel & Managing Director, Information Security, TAL Global Corporation (USA)

Senior Attorney and former U.S. Army Colonel with more than 25 years of distinguished leadership across military, legal, academic, security, and commercial domains. Globally recognized authority in data privacy, cybersecurity law, cyber warfare, intelligence operations, international humanitarian law, and information operations. Trusted advisor to General Counsel and executive leadership on complex multinational contract negotiations, regulatory risk, and strategic governance in high-risk environments. Accomplished graduate-level educator and thought leader known for translating complex legal, operational, and policy challenges into decisive, mission-aligned outcomes.

He is on the adjunct faculty of American Military University where he teaches national security subjects, the Institute for World Politics where he teaches intelligence and policy and the Monterey College of Law where he teaches Negotiation Skills for Law Students.

He is a volunteer with the American Red Cross serving as a Public Affairs Manager and Expert International Humanitarian Law Instructor.

His degrees include JD, Suffolk University Law School; Master of Strategic Studies, US Army War College; LLM in European Law, University of Leicester, UK; MBA (With Distinction), Babson College and BS in BA, Northeastern University. He is a member of the Bars of the US Supreme Court, State of California and District of Columbia.
The Cognitive Attack Surface - Architecting Defence in Depth for Agentic AI

Session 8C

This session is designed for Cybersecurity professionals to identify the architectural choke points in multi-agent environments before the current surge in illicit AI activity fully matures.

We will be moving beyond the "AI hype" to deconstruct how adversaries are operationalizing autonomous agents to execute entire attack chains with minimal human oversight.

Starting with a overview history of cyberattack, we trace the evolution from 2003 SQL Slammer which reached global proportions in under eight minutes to the 2015 OPM breach and finally to 2025 adaptive malware like PromptFlux which integrates LLM APIs to rewrite its own source code hourly to evade detection.

The presentation provides an exclusive analysis of the “Promptware Kill Chain” focusing on the fundamental reality that LLMs cannot reliably distinguish between instructions and data. We reveal critical research showing that 82.4% of state-of-the-art models, while resisting direct malicious prompts, will immediately execute those same payloads when requested by a peer agent. This “agent privilege escalation” creates a “confused deputy problem” at an unprecedented enterprise scale. We will move past the hype to analyze zero-click exploits like EchoLeak and the “document authority bias” inherent in poisoned RAG systems. Participants will debate the transition from static security controls to “behavioral Indicators of Activity” (IOA) and the efficacy of “Least Agency” governance, including the CaMeL (Privileged LLM) architecture.

Closing takeways cover the architectural reality that prompt injection is not a patchable bug; it is an architectural consequence of LLMs’ inability to distinguish instructions from data. Therefore, the LLM cannot be a trusted actor in any threat model.
Speaker(s)

Valerio Dei

Security Architecture Senior Manager, Bank of Ireland (Ireland)

Valerio is a security and technology leader with over a decade of experience working across telecoms and financial services, mostly in large, regulated environments where resilience and security are critical.

Valerio’s background is in telecommunications engineering, and early in his career he worked in fairly hands-on network and security roles. Over time he becomes more interested in the architectural and strategic side of security; how organisations make security decisions, how risk is managed, and how security can actually support business outcomes rather than just act as a control function.

Currently Valerio is the security architecture senior manager currently the Security Architecture Senior Manager within Group IT Security and Resilience where he leads a team of security architects covering areas like cloud, infrastructure, applications, identity, and data security. A big part of his role is making sure security architecture is aligned with business priorities and risk appetite.
When SABSA Met FAIR: A Framework Dynamic Duo

Session 8S

This session will show how SABSA can incorporate FAIR (Factor Analysis of Information Risk) to increase risk rigor and security decision-making.

The real magic happens when FAIR directly promotes SABSA’s architecture by providing robust risk quantification. This formidable approach aligns with the Motivation column of the SABSA matrix, answering the critical “why” behind security decisions. While FAIR method delivers strong, reliable risk assessments, SABSA ensures these insights are seamlessly combined with other crucial pillars to optimally serve business goals.

Using FAIR to reinforce the “why” component within SABSA underscores the current, urgent demand for healthy, risk-based, and quantifiable security strategies in the face of escalating cyber threats. By combining the two frameworks, security professionals can effectively explain complex risks in financial terms within a SABSA enterprise architecture. This allows for the use of simple, quantifiable terms that stakeholders and leaders can easily understand, making it easier to have meaningful conversations about security priorities and investments.

Discover a fresh and inspiring perspective at how FAIR enhances “Motivation” in SABSA—hence encouraging confidence, sharpening risk management, and supporting SABSA security architecture.
Speaker(s)

Rodney Anderson

Head of Information Security and Compliance, Barnardos Australia (Australia)

Rodney is an accomplished information security professional with more than two decades of experience across diverse industries including large corporate, telecommunications, energy, healthcare, and major financial sectors. Currently, he is dedicated to giving back to society, as the Head of Information Security & Compliance (aka CISO) at Barnardos Australia. There, he exercises thought leadership by crafting practical, risk-appropriate security visions and roadmaps through a commitment to continual improvement.
Wednesday 30th
10:00–11:00
A Security Roadmap is Not a Strategy: Crafting Your North Star

Session 9A

Do you have a security technology strategy?
Are you sure it’s a strategy, or is it a roadmap for technology purchases and updates?

While a technology roadmap is necessary, it is inherently limited. Roadmaps focus on what you will do and when, but they fail to explain why you are doing it or how you will succeed. Relying solely on a roadmap can lead to problems like uncertain objectives, misaligned stakeholders, missed opportunities, and disappointing outcomes. Major consultancies report that many of their security clients lack a genuine security technology strategy. You don’t have to be one of them.

An effective strategy defines the why—your internal business objectives and evolving external threats—and the how—the foundational principles and initiatives you will use to overcome problems. A well-structured strategy acts as a high-level, adaptable “north star” that empowers you to make strategic decisions confidently and communicate meaningfully with everyone from senior management to implementation teams.

In this session, attendees can expect to explore:

The Critical Distinction: A clear breakdown of a true technology strategy versus a technology roadmap.

The Stakes: The tangible benefits of deploying a strategic vision, and the risks of operating without one.

Actionable Methods: Practical examples of methods used to develop core strategy elements.

Real-World Application: An inside look into how we are actively developing and maintaining the security strategy at our company.
Speaker(s)

Gordon Jenkins

Head of Security Architecture, Admiral Insurance (UK)

Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 30+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 17 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.
The Death of Truth: Cyber War and the Fifth Domain of Conflict

Session 9B

"Words had to change their ordinary meaning and to take that which was now given them."
- Thucydides

In modern conflict, the most important battlefield may no longer be territory, infrastructure, or even networks; it is truth itself. This presentation continues a five-year COSAC series examining cyber strategy, information warfare, and the manipulation of truth. Cyberspace has expanded the battlefield beyond geography into the information ecosystems that shape public perception and political will.

The misinformation and disinformation campaigns that accompany today’s conflicts echo Russia’s 2022 “special military operation,” now amplified by artificial intelligence. State actors blend technical attacks against telecommunications, energy infrastructure, and government networks with coordinated disinformation designed to shape decisions far from the battlefield.

Are cyber weapons primarily tools of disruption, or instruments of strategic signaling? Have we entered an era where influence operations are more decisive than technical exploits? And if cyber war increasingly targets perception rather than infrastructure, how should the security community adapt its defenses? The session will explore these questions through interactive discussion.

Attendees will leave with a framework for understanding how modern cyber conflict blends technical attacks, strategic signaling, and influence operations, and what that means for defending organizations when the battlefield increasingly includes perception itself.
Speaker(s)

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation and co-host of the award-winning CISO Tradecraft podcast. He has been providing cyber security expertise to government, military, and commercial clients for over 40 years, and is the author of over one hundred articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Master’s in Business Administration, a Master’s in Strategic Studies, and is designated as a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).
You Can't Patch a Mental Model: How Agentic Systems Expose our Hidden Security Assumptions

Session 9C

Agentic security is not hard because it is new. It is hard because it violates the assumptions our security models are built on.

We build controls. Agents adapt around them. It’s not that we built the wrong controls; it’s that we built them on the wrong mental models. We keep trying to “secure agents”, but what’s required is to govern agency. These are fundamentally different problems.

Most agentic security conversations fixate on threats, identity failures, over-privileged agents, and inadequate guardrails. But these are symptoms, not causes. From a systems perspective, they are the predictable outcomes of deeper, unexamined assumptions about how control, trust, authority, intent, and risk are believed to work.

This talk exposes eight hidden assumptions embedded in modern security architectures; assumptions that are laid bare in adaptive, goal-driven systems. We’ll discuss a systems-based lens for security leaders and architects to:

Recognise when your controls are structurally incapable of working,

Reason about agentic risk using the four dynamics that shape the behaviour of all systems (control, decision-making, flow, feedback), and

Derive controls that constrain causes, rather than reacting to behaviour.
Speaker(s)

Ben Hanson

Global Field CTO and Director of Field Engineering , Zenity, (UK)

Ben Hanson is global Field CTO and Director of Field Engineering at Zenity, a leading research and technology voice in agentic AI security. Operating at the cutting edge of agentic AI, he works with CISOs and security teams at the world’s most sophisticated organisations, helping them transition from static security controls and guardrails to the fundamentally different challenge of governing intent and agency. Ben is a leading voice on applying systems thinking to cybersecurity and AI, a member of Edinburgh University’s respected Game Theory and Systems Thinking Lab, and an influential keynote speaker with talks at Cambridge University, Oxford University, ISACA, SANS, Cloud Security Alliance, and UK Cyber Security Council. Previously he was Senior Security Strategist & Advisor at Microsoft, and led the Cyber practice for a top US management consultancy.
Using SABSA NIST CSF Business Attributes

Session 9S

The SABSA Institute (TSI) sponsored SABSA Enhanced NIST Cybersecurity Framework (SENC) workgroup project is developing various tools, techniques and guidance to help your organization put the NIST CSF to work the SABSA way. The SENC project has defined a collection of example Attributes and Attribute Profiles, based on the NIST CSF Functions, Categories and Subcategories and can be leveraged when integrating the NIST CSF into a SABSA Security Architecture. This first SENC project deliverable includes the requirements, method, process and examples for leveraging the NIST CSF based Business Attributes and Attribute Profiles to integrate the CSF into a SABSA security architecture that is tailored to the specific needs, and aligned to the risk appetite, of the business. The business attributes profiling process is one of the more important techniques to integrate the NIST CSF into a SABSA security architecture.

This session provides an overview of the SABSA Business Attribute Library for the NIST CSF and how to use the library to define the NIST CSF related Attributes for your organization. We will detail the Attribute Library contents, how to develop the NIST CSF focused Attributes Taxonomy and how to improve the quality of the selected Attribute Profiles. We use Attributes for Attributes to determine if the set of the Attribute profiles selected from the SABSA NIST CSF Attribute Repository pass the Attribute quality test when customized for the security architecture. The Attribute Profiles can be used to define measurement and reporting requirements to verify that business goals for cyber risk management are being met and, if not, where interventions can be made. We will also work through an example illustrating how the Attribute Profiles can be used to aggregate Attribute measurements and metrics for reporting on NIST CSF compliance and effectiveness. We will also summarize what the SENC Project Team has accomplished to date and what is next for the project to apply and enhance the NIST CSF to help manage your organization’s business risk requirements.
Speaker(s)

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

In his 50+ years of in-depth experience in IT and security consulting, systems management and technical implementations, Glen Bruce has focused on Security Frameworks, Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has led many information/cyber security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of a wide range of business and technical requirements. Glen is the leader of the TSI SENC workgroup project.
Wednesday 30th
11:00-11:15

Morning Coffee
Wednesday 30th
11:15–12:15
Human-Centric Security: What Anthropology, Archaeology, and Behavioural Science Reveal About Cyber Resilience

Session 10A

Cybersecurity has long leaned on technical frameworks and compliance-driven methods, but security is, fundamentally, about people. This talk draws on interdisciplinary insights from anthropology, archaeology, criminology and behavioural science to rethink how organisations understand risk, design controls and build resilient security cultures.

I will examine how humans construct meaning, behave under uncertainty, negotiate power and adapt within social systems. This assists us to uncover blind spots that purely technical models cannot resolve. Lessons from archaeological method – working with incomplete evidence to reconstruct human behaviour – mirror the realities of security investigation, threat hunting, and interpreting weak signals in complex digital ecosystems.

The talk introduces a human‑centric security model informed by cultural relativity, linguistic framing, behavioural analysis and interdisciplinary research to challenge assumptions embedded in traditional cyber practice. Attendees will explore how cognitive biases shape decision-making, how organisational narratives influence risk perception and how multi-disciplinary approaches strengthen strategic security architecture and enterprise governance.

Highly interactive and debate‑driven, this talk invites participants to question their own assumptions, compare cross‑disciplinary perspectives and collectively build more resilient ways of working. This talk offers unique material, grounded in real-world strategic practice as I am an Honorary Research Fellow, Institute of Archaeology (University College London).
Speaker(s)

Mike Brass

Head of Security Services, National Highways (UK)

I am an accomplished senior leader with extensive experience in cybersecurity, risk, technology, data privacy and governance within complex global and national enterprises (private, charity, government-aligned and Critical National Infrastructure), and across diverse internal functions and global business models.

I have built a reputation for safeguarding businesses from cyber threats, leading transformation programs and providing expert guidance to senior stakeholders. I have shaped Security strategic direction, influenced business strategy and managed large security teams with capabilities spanning operational delivery, risk management and strategic leadership. These include but are not limited to integrating security programmes on cross-organisational, critical multi-million Pound programmes, ensuring that protective measures remain proportionate, forward-looking and aligned with national and organisational strategy.

With a strong partnering mindset, I work with enterprise leaders and regulators to effectively balance the pursuit of strategic goals with the management of enterprise risk.

With my diverse background, my strengths lie in building high-performing teams, providing clear direction in complex problem-solving, and uniting stakeholders to achieve meaningful outcomes for customers, partners and business.

My leadership has resulted in the successful creation and execution of information security strategies to achieve best practice in security and risk management.
Digital Sovereignty and Sovereign Cloud Platforms for National Critical Workloads

Session 10B

Governments and critical infrastructure operators face rising pressure to maintain control over sensitive digital systems. Healthcare records, defence intelligence, justice data, and national infrastructure telemetry all hold strategic value. Many public sector organizations rely on global cloud providers operating under foreign legal regimes. This creates exposure to extraterritorial legislation, opaque operational control, and reduced national oversight.

Digital sovereignty addresses this risk. It focuses on jurisdictional control of data, infrastructure, and operational access. European policy initiatives, including the EU Digital Decade, NIS2, and the European Cloud Certification Scheme, reinforce this direction. Organizations require cloud environments aligned with national legal frameworks and local operational governance.

This session presents a practical model for sovereign cloud adoption across government and regulated sectors. It focuses on four capability domains required to support secure and sovereign digital infrastructure.
How to evaluate when sovereign cloud architectures are required for critical workloads in sectors such as healthcare, defence, and government services.

How to evaluate when sovereign cloud architectures are required for critical workloads in sectors such as healthcare, defence, and government services.

How to design trusted platforms with jurisdictional control using national data residency, customer managed encryption keys, and locally operated security operations.

How to support sensitive analytics and AI workloads while maintaining sovereignty controls and regulatory compliance.
Speaker(s)

Abdul Sayed

Senior Manager/ Cloud Security Architect, PwC (UK)

Abdul works as a Cybersecurity Architect at PwC UK. His work focuses on cloud security architecture, digital sovereignty, and secure transformation for government and regulated sectors. He advises organisations on how to design secure cloud platforms, protect sensitive data, and meet complex regulatory obligations across national and international environments.

Abdul brings more than 20 years of experience across cybersecurity architecture, risk management, and secure systems engineering. His work spans telecommunications, public sector, and critical infrastructure organisations including British Telecom, Etisalat, and Nortel Networks and the Abu Dhabi Police. He specialises in designing security architectures that translate policy, legal, and regulatory requirements into practical technical controls and operating models.

In recent years Abdul has focused on cloud security and sovereign cloud strategy. He supports organisations adopting public cloud while maintaining compliance with data protection law, national security requirements, and sector regulations. His work includes development of security guardrails, threat modelling frameworks, and governance models aligned with standards such as the Cloud Security Alliance Cloud Controls Matrix, NIST architecture guidance, and leading international security frameworks.

Abdul has led the design of secure privileged access architectures for high security environments, including law enforcement networks requiring controlled administrative access to isolated infrastructure. He has also developed enterprise risk and threat modelling frameworks used to embed security requirements into technology programmes and digital transformation initiatives.

His current research and advisory work focuses on sovereign cloud, jurisdictional control of data, and secure architectures for AI and critical national workloads. He contributes to industry discussions on how governments and regulated sectors adopt cloud technologies while maintaining national control, resilience, and trust.

Abdul holds a BSc (Hons) in Software Engineering and an MSc in Information Security.
Fractional Identities for the Agentic AI Future

Session 10C

The emergence of autonomous AI agents acting on behalf of users challenges the current identity paradigm. While existing identity infrastructures are designed to authenticate who performs an action, they do not natively support verifiable delegation—making it difficult to determine who authorized an automated action and under what conditions. This limitation becomes critical in regulated digital ecosystems where accountability, non-repudiation, and auditability are required.

The European Digital Identity Wallet (EUDI Wallet) provides a new foundation for addressing this challenge. By enabling users to derive constrained, purpose-specific identities from verifiable credentials, it becomes possible to create fractional identities that encode limited authority and explicit delegation. These derived identities can be assigned to autonomous agents, allowing them to execute actions within clearly defined policy boundaries.

This session explores architectural approaches for implementing verifiable delegation using fractional identities derived from EUDI Wallet credentials. We discuss how delegation metadata, policy constraints, and cryptographic proofs can allow relying parties to verify not only the acting agent but also the original authorizing user and the scope of authorization. We further examine implications for identity standards, trust frameworks, and interoperability across digital services.

By establishing verifiable delegation as a core identity capability, fractional identities can enable secure and accountable deployment of AI agents across regulated digital ecosystems.
Speaker(s)

Claudio Marforio

CEO, Futurae Technologies AG (Switzerland)

Claudio Marforio is co-founder and CEO of Futurae Technologies, a Swiss cybersecurity company building the authorization layer for regulated digital actions and AI-driven systems. Futurae secures millions of users worldwide and processes hundreds of millions of trusted actions annually across banking, payments, and digital identity platforms.

Claudio’s work focuses on authentication, authorization, and verifiable delegation in complex digital ecosystems. He began his research on usable and secure authentication during his PhD at ETH Zurich, exploring how strong cryptographic security can be deployed at scale without compromising user experience. That research later evolved into Futurae, which today powers advanced authentication, trust signals, and delegated authorization for enterprises operating in regulated environments.

Beyond Futurae, Claudio is also active in the European startup ecosystem as an early-stage investor focused on cybersecurity and digital infrastructure. He works closely with founders and institutions shaping Europe’s digital sovereignty and the next generation of trust infrastructure for the AI economy.
Defending the Final: Applying SABSA Business Attributes to Quantify Cyber Risk for a Live FIFA World Cup Broadcast

Session 10S

A billion viewers. Ninety minutes. If the stream fails during the penalty shootout, no incident response plan recovers the revenue. The match is over. The value is gone.

Live OTT broadcasting is the most hostile environment in cybersecurity: untrusted devices, delegated trust chains, frictionless piracy, and a commercial window that closes the moment the referee blows the final whistle. Most cyber risk models were not designed for conditions where
time destroys value faster than any attacker.

This session introduces an attribute-driven cyber risk quantification model built on SABSA business attribute profiling and applies it to a scenario that breaks conventional approaches: broadcasting a FIFA World Cup final to a global OTT audience.

Five SABSA-derived attributes — Availability, Accountability, Confidentiality, Trust, and Dependency — serve as the organising domains. Each is evaluated on three dimensions: maximum financial exposure, probability-weighted expected loss, and risk appetite alignment. The model does not produce a security score. It produces a number the board can govern. The session walks through every domain against the live broadcast scenario, exposing where incident-type risk models collapse under time pressure and where attribute-driven architecture holds.

Participants leave with a method they can apply to any time-critical business operation — not just broadcast.
Speaker(s)

Dr. Muhammad Malik

Group Manager Of Information Security, beIN Media Group (Qatar)

Dr. Muhammad Malik is a cybersecurity strategy executive with over 25 years of experience building and transforming security programmes across defence, government, media, and regulated industries. He holds a PhD in Computer Science and Engineering from UNSW and advanced certifications from Carnegie Mellon (CISO and CDAIO programmes), alongside SABSA Chartered Architect – Foundation (SCF), CISSP, CISM, and CISA credentials.

He currently leads cybersecurity strategy, AI security governance, and enterprise security architecture at beIN Media Group, where he has designed and implemented security operating models for large-scale OTT broadcasting, live sports streaming, and digital transformation initiatives. His work spans SABSA-driven security architecture, Zero Trust implementation, AI and GenAI risk governance, and board-level cyber risk quantification.

Dr. Malik was recognised with the IDC CISO Excellence Award in 2025 for his contributions to enterprise security leadership. He writes CISO Strategy Blueprint, a cybersecurity strategy newsletter on LinkedIn with over 1,200 subscribers, focused on the intersection of security architecture, risk governance, and board-level decision making. His research has been published in academic journals and practitioner publications including the ISACA Journal.

Prior leadership roles include IBM, KPMG, HP Enterprise Services, and the Australian Department of Defence, where he led security programmes across hybrid-sourced environments spanning multiple classification levels and international standards frameworks.
Wednesday 30th
12:15-13:00

Lunch
Wednesday 30th
13:00–14:00
Where the CISO Sits in 2026: Reporting Lines, Power Structures, and Risk Ownership

Session 11A

The question of where the CISO reports is no longer an organizational preference — it is a statement about who owns cyber risk, who communicates what to whom, and who is accountable when something goes wrong.

In 2026, CISOs are navigating increasing regulatory scrutiny, personal accountability, and boardlevel expectations. The SEC Rulings for SolarWinds case, the Uber CISO Felony conviction, and the personal accountability requirements of NIS2, DORA and evolving AI legislation are all impacting CISO. Yet reporting lines across organizations still vary widely — from CIO/CTO, CRO, General Counsel, CFO, and even directly to the CEO or Board. Each model carries tradeoffs that impact budget authority, independence during incident response, legal exposure, and influence at the “long-awaited seat” at the executive table.

In 2026, CISOs are navigating increasing regulatory scrutiny, personal accountability, and boardlevel expectations. The SEC Rulings for SolarWinds case, the Uber CISO Felony conviction, and the personal accountability requirements of NIS2, DORA and evolving AI legislation are all impacting CISO. Yet reporting lines across organizations still vary widely — from CIO/CTO, CRO, General Counsel, CFO, and even directly to the CEO or Board. Each model carries tradeoffs that impact budget authority, independence during incident response, legal exposure, and influence at the “long-awaited seat” at the executive table.

COSAC Learning Objectives:

How different reporting models affect authority, independence, and accountability.

What has changed in the past 3–5 years due to regulation, litigation, and board expectations?

The tradeoffs CISOs must navigate between alignment, influence, and independence.

The conditions required to evolve reporting structures in their own organizations.

As always, this session will be interactive, with video, props to illustrate the messaging and most of all, will be a facilitated session to gain insights from participants. This session is applicable to both CISOs and SABSA Security Architects, as this discusses the strategies for the environment which they are operating in. This is a new session, exploring these power relationships and the impact on leading cybersecurity.
Speaker(s)

Todd Fitzgerald

Former F500 CISO, Author CISO Compass, CISO SPOTLIGHT, LLC (USA)

Todd Fitzgerald promotes CISO/CPO leadership via advising CISOs, advisory board participation, podcasts, and international speaking engagements. Todd authored 5 books, including #1 Best-selling (2019-2024) and 2020 CANON Cybersecurity Hall of Fame book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers and #1 New Release (2024) The Privacy Leader Compass: A Comprehensive Roadmap for Building and Leading Practical Privacy Programs with Dr. Valerie Lyons. Todd founded the successful CISO STORIES leadership podcast and hosted the first 190 episodes. Named 2016–17 Chicago CISO of the Year, Todd’s senior leadership positions include CyberRisk Collaborative, Northern Trust, Grant Thornton International, Ltd, ManpowerGroup, Wellpoint/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines. Todd earned MBA with highest honors from Oklahoma State University, Business Administration from UW-Lacrosse, and earned certifications of CISSP, CISA, CISM, CIPP/US, CIPP/E, CIPP/C, CGEIT, CRISC, PMP, ITILv3, HI TRUST, and ISO27000. Todd also serves as an adjunct professor teaching Cybersecurity Leadership and IT Risk Management courses for Northwestern University.
So You’re Being Told You Need a Sovereign Cloud…

session 11B

Sovereign cloud is appearing everywhere in board directives and government strategies — usually framed as something you can acquire. But sovereignty isn’t a product. It’s a disposition – a way of shaping architectural and operational conditions so that, over time, an organisation has more agency and resilience, and fewer opaque dependencies and surprises. Treating it as a purchase order obscures the real work.

This session challenges the prevailing narrative by examining what “sovereign” actually means once architecture, operations and geopolitics meet real systems. It explores how policy aspirations often collide with constraints in control planes, trust boundaries, administrative access paths, and the uncomfortable reality that geopolitical shifts can abruptly redraw who ultimately holds power over your workloads.

The session strips sovereignty down to its uncomfortable truths, revealing the silent contradictions between what cloud providers claim, what organisations consuming public cloud say they want, what their architectures allow, and what their geopolitical dependencies make unavoidable – and prompts attendees to treat sovereignty as a stance they cultivate, rather than a vendor promise they rely on.

Attendees will leave with language that reflects how sovereignty really plays out — more explicit control over who can see what, who can do what, and how evidence is produced; less reliance on legal assumptions or vendor-managed emergency channels — and a clearer sense of what reliably holds up when the environment turns hostile.
Speaker(s)

Anne Leslie

Head of Cloud Risk EMEA, IBM (France)

Anne Leslie is a cloud risk and security leader whose work sits at the intersection of digital sovereignty, enterprise architecture and organisational resilience. With a career spanning global financial services, cloud transformation programmes and public–private advisory roles, she specialises in helping organisations navigate the geopolitical, regulatory and architectural constraints that shape modern security strategy.

Her work focuses on surfacing the hidden dependencies that undermine resilience — from control planes and identity flows to cross border legal exposure — and on helping leaders build sovereignty dispositions grounded in system behaviour rather than marketing narratives. She is known for applying complexity aware methods to cut through oversimplified assumptions and reframe difficult cloud and risk challenges into tractable, directional choices.

Anne regularly advises executive teams, regulators and industry bodies on cloud risk, digital sovereignty and emerging technology governance. She has spoken internationally on topics ranging from quantum era preparedness to cloud operating models and sovereign by design architectures, and is recognised for her ability to translate abstract policy goals into practical, architecture aligned action.

Her work is anchored in a simple principle: sovereignty, security and resilience are not products — they are dispositions shaped through constraints, design choices and the ability to operate under real world pressure.
From Whiteboard to Workflow: AI-Assisted Dependency Modelling

Session 11C

Dependency modelling offers a rigorous way to understand how outcomes depend on interconnected capabilities, conditions, and uncontrollable factors. However, building meaningful models often requires significant time, expertise, and analytical effort. This presentation explores how AI-assisted techniques can help practitioners accelerate the modelling process while preserving methodological integrity.

Focusing on the combined use of Large Language Models (LLMs), Agentic AI, and vibe coding, the session shows how AI can assist with extracting dependencies from source material, shaping model logic, testing assumptions, generating analytical artefacts, and rapidly prototyping tooling to support exploration and decision-making. The presentation argues that AI should not replace expert analysis, but can act as a practical augmentation layer that improves efficiency, repeatability, and accessibility.

The session also addresses the risks of AI-assisted modelling, including hallucinated dependencies, weak causal interpretation, and over-reliance on machine-generated outputs. The result is a balanced, practitioner-focused perspective on applying emerging AI capabilities to dependency modelling in a way that is credible, useful, and strategically valuable.
Speaker(s)

Jaco Jacobs

Lead Global Security Architect, Accenture (Netherlands)

Jaco has been a “security guy” for more than 25 years during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most of his career developing security IP, training and services for the largest global security providers as well as co-authoring several security publications.
Zero to SABSA: Scar Tissue from Establishing Security Architecture into Maritime Shipbuilding

Session 11S

A practitioner’s account from the field, when a strategically significant Defence programme moves quickly, stakeholders focus on delivery, and engineers are ready to ‘cut steel’. This session outlines how architectural thinking was integrated into a live project in which security was initially treated as a compliance afterthought rather than a design input. The audience will learn how business attributes, risk drivers, mission context, stakeholder tension, and architectural traceability were employed to shift discussions from “what controls do we need?” to “what mission outcomes must be protected, and why?”

This session shares a consultant’s experience of applying SABSA to set direction, establish a common language, and develop a decision-making framework within a complex defence environment linked to Australia’s emerging littoral manoeuvre capability.

The focus will be on practical challenges: where the architecture narrative fell short, how governance language caused resistance, how assessment and assurance functions can inadvertently delay delivery, and how a security assessor can instead act as an enabler of clearer design and risk ownership. Attendees will walk away with a proven approach to kick-start security architecture in projects with low cyber maturity, fragmented accountability, and no substantial architectural baseline.
Speaker(s)

Marcel Krawczyk

Principal Consultant, Bastion Defence Consulting (Australia)

Marcel Krawczyk is a Defence-aligned cyber security professional, security assessor, and architecture practitioner with extensive experience in delivering risk management, assurance, and accreditation outcomes across Australian Government and complex Defence environments. He currently works as a Cyber Security Principal at Bastion Defence Consulting, where he helps translate risk appetite, policy requirements, and mission priorities into practical security requirements and develop uplift strategies aligned with business outcomes.

Marcel has worked across some of Australia’s most sensitive and strategically significant environments, including Defence Cyber Command, Defence Digital Group, the Future Submarine Program, and the Australian Criminal Intelligence Commission. His experience includes producing security artefacts and authorisation briefs, conducting independent security assessments, guiding and advising system owners through an Authority to Operate process, and providing security architecture support through design assurance, control intent mapping, and risk acceptance. He has supported critical capabilities across cloud systems, Enterprise Resource Planning programs, Navy communications, Army operational simulations, drone development and Defence exercises.

A SABSA Chartered Architect with IRAP, CISSP, CISM, CRISC, and ISO 27001 credentials, Marcel is recognised for translating complex cybersecurity concepts into practical, relatable insights for executives, engineers, and delivery teams alike. His work is grounded in real-world implementation, secure-by-design principles, and the challenge of embedding meaningful architecture and assurance into programmes where cyber maturity is still developing.
Wednesday 30th
14:00-14:15

Afternoon Tea
Wednesday 30th
14:15-15:15
Protecting Our Children: Mobilizing the Security Community Against Online Sexual Predators

Session 12A

The people in this room understand the internet's attack surface better than almost anyone alive. Most of us are also parents, aunts, uncles, coaches, and neighbors. Yet when it comes to child sexual abuse and exploitation online, the security community has largely stayed in its lane — treating this as a law enforcement problem, not ours.

It is ours.
According to the United Nations, it has never been easier for offenders to contact victims, distribute imagery, and recruit others — and 80% of children across 25 countries report feeling in danger online. This is an infrastructure problem. A platform problem. A design problem. Our problems.

This session does not ask you to become an activist. It asks you to become a force multiplier. Drawing on original research and lived experience as a father, the speaker presents a practical threat model of how online predation works, the specific technical and social vectors exploited, and — most importantly — a concrete action model for how COSAC attendees can extend their expertise into their families, communities, and organizations.
Leave with material you can use. Leave ready to act.
Speaker(s)

Robert Rost

Cybersecurity Architecture Director, onsemi (USA)

Robert Rost has been focused on cybersecurity for the last 21 years. Robert Rost was the Cybersecurity Architecture Director from 2019 to 2024 at one of the largest non-for-profit healthcare systems in the US. Prior to this role, Robert Rost held the position of IT Operations Director, Defensive Services at the same company. He is currently the Cybersecurity Architecture Director for US-based fortune 500 chip manufacturing company. He was hired by the CISO to build the company’s cybersecurity architecture function. To achieve this outcome, Rob is leveraging his experience, trusted relationships, SABSA training and experience using the Agile Security System by Andrew Townley.

Rob has a passion for cybersecurity architecture, but also for educating everyone, especially the youth and their parents, about Internet safety. He enjoys researching and writing about cybersecurity (www.robertrost.com).

Above all, He enjoys life and has adventures with his wife of 17 years and three children in Southwest United States. He also enjoys serving and volunteering in the Church of Jesus Christ of Latter-Saints and in his community. Rob enjoys strength training, pickleball and ice baths.
Measuring Digital Safety using Dependency Modelling

Session 12B

Digital systems are increasingly complex, interconnected and continuously evolving making it difficult to assess their safety at any given point in time. Traditional assessments of risk and safety are often infrequent, static, and focused on individual components; limiting their ability to reflect the dynamic nature of modern complex digital systems of systems.

At COSAC APAC 2026 Andy Prow introduced the concept of digital safety, a measurable, time-dependent property of a system that reflects the superposition of risks posed by its components and the dependencies between them throughout the system lifecycle.

This presentation builds on Prow’s concept and shows how we produce a dependency model for a consumer networked device and calculate a digital safety score that is fully traceable. The model can be reviewed, updated and the score recalculated whenever the system is changed improving transparency, resilience, and trust in its safe operation.

We discuss how our approach supports continuous assurance, early identification of emerging systemic risks, and informed decision-making for system operators and designers.

This work establishes digital safety as a measurable and actionable property, enabling a shift from static, retrospective assessments to continuous, model-driven evaluation of system safety.
Speaker(s)

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a Belgium-based independent security consultant at Cyber Enterprise Modelling (CEM) and has been a regular presenter at COSAC since 2018 on the topic of security by design through automation and modelling.

He is the principal author of the SABSA Institute / Open Group paper “Modelling SABSA with ArchiMate” and chairs the associated SABSA Working Group.

He holds several security, architecture and privacy certifications including both SABSA Chartered Practitioner certifications and a contributor to the forthcoming ArchiMate Next.
Using SABSA to Find Amelia Earhart

Session 12C

On a warm tropical morning in 1937, Amelia Earhart and Fred Noonan flew into history. They took off in a Lockheed Electra from New Guinea at 10am on the second last leg of their groundbreaking around the world flight. 18 hours later, the Electra, Amelia and Fred had vanished without a trace.

Amelia Earhart is survived by her mystery – as an enduring role model who shattered gender stereotypes in aviation by fearlessly proving that women could pilot long-distance flights with the same skill and courage as men. She has inspired many generations of women to pursue careers in flight and chase their dreams without limits.

On the 88th anniversary of their disappearance we will use the SABSA Enterprise Security Architecture framework and methodologies to find Amelia, Fred and the Lockheed Electra 10E.

Putting SABSA’s engineering approach to work in finding Amelia, involves understanding the context of the flight, employing attributes, engineering SWOT, analysing risks, exploring logical domains and assessing physical domain consequence and impact.

We will leverage SABSA trust modelling to understand the contributing trust management issues on the ground and in the cockpit. We will employ SABSA dependency modelling to uncover the single point of failure (SPOF) that likely lead to the loss of the Electra 10-E and we will use security associations (SA) to unwrap the complex relationships between the logical security services that failed the flight that day.
Using the SABSA framework, we can finally comprehend the attributes of the flight that were not maintained, the domain boundaries crossed without support, the security awareness and training disassociations, the technology limitations and the changing risk environment that cumulatively describe the kill chain that led to the loss of the flight.

Armed with relevant information and the SABSA methodology attendees will be given the opportunity to determine Amelia’s location, and learn why your instruments on the ground are showing green while the ones in your cockpit are screaming “trust me bro” in red…

This unique presentation explores how to use SABSA methodologies in different environments to increase a SABSA professional’s skills and proficiencies with SABSA.

Speaker(s)

Robert Laurie
404 Enterprise Architecture Not Found: How to Build a Defensible ESA Without a Functional EA

Session 12S

Security architects are often advised to "align with Enterprise Architecture (EA)," but this presumes a mature EA capability is in place. In reality, many organisations operate without a reliable enterprise model, a clear target state, or even a unified understanding of how the business actually functions. Consequently, architecture is frequently reduced to ambiguous objectives, inherited standards, obsolete documentation, and tactical decisions masquerading as strategy. In such environments, the work more closely resembles corporate archaeology than genuine architecture.

With escalating threats and regulatory demands, organisations often accelerate IT innovation and transformation, frequently without a clear strategic direction. Security teams must still balance risk and enable secure business outcomes, even in the absence of a defined EA.

This session provides actionable guidance for security professionals who are expected to align with EA in organisations where the function exists in name only. Moving beyond theory, it presents a pragmatic approach to building an ESA grounded in the enterprise’s actual state.

Attendees will participate in an interactive session and gain practical insights into creating ESAs in organisations that are under-modelled, highly politicised, and dependent on institutional memory and informal processes.

Key Takeaways:

Archaeology Toolkit: Uncover business context and constraints by leveraging alternative sources and institutional memory when documentation is absent.

Just-Enough Structure: Develop a Minimum Viable EA to ensure traceability and defensibility while minimising unnecessary complexity

Political Manoeuvring: Shape outcomes in personality-driven environments through clear, targeted communication.

Shadow EA Strategy: Proactively address architectural gaps to establish clarity and direction amid ambiguity.
Speaker(s)

Chris Blunt

Senior Security Architect, AVEVA (Northern Ireland)

Chris is a SABSA Master with over twenty years of experience demonstrating that security can be a catalyst for growth, not an obstacle. He has advised boards, influenced national cybersecurity policy, and established security functions for governments and global organisations. Known for his knack for turning complexity into clarity, Chris translates complex cybersecurity risk into clear, actionable strategies that give leaders the confidence to act and build lasting resilience.

Gavin Ellis

Director of Cyber Security Architecture, AVEVA (UK)

Gavin is a senior security and technology leader with broad experience in architecture, risk management, and enterprise transformation. He is recognised for his talent in turning complex technical challenges into actionable business strategies, enabling organisations to develop stronger, more effective operating models.
Wednesday 30th
15:15–16:15
The Great Conflation: Privacy Ethics vs Privacy Law

Session 13A

As organisations increasingly turn to ethical frameworks to demonstrate responsible technology governance, an important distinction is often blurred: the difference between ethical aspiration and legal obligation. This session addresses this growing challenge by contrasting the perspectives of a US cybersecurity lawyer and Of Counsel with those of a European data protection expert. In doing so, this session examines how privacy is understood through two fundamentally different lenses – Law and Ethics.

Using real-world cybersecurity and privacy incidents, each case will be analysed from two distinct viewpoints: the legal and the ethical. Through these comparative analyses, the session highlights the different purposes served by law and ethics. Legal frameworks exist to ensure adherence to binding obligations and to create operational consistency within organisations. Ethics, by contrast, provides guidance for navigating complex decisions where the law may be silent, ambiguous, or still evolving.
When these two domains are merged or treated as interchangeable, both risk being weakened. Legal obligations may be reframed as voluntary ethical commitments, while ethical reasoning can become constrained by narrow interpretations of regulatory compliance. The result is a governance environment in which organisations claim ethical leadership while failing to meet the deeper accountability that law requires. By untangling privacy ethics from privacy law, this talk offers a clearer framework for understanding how law and ethics should function as complementary but distinct pillars of responsible digital governance.
Speaker(s)

Valerie Lyons

Chief Operations Officer and Board Director, BH Consulting (Ireland)

Included in the ‘Top 100 Women in Cybersecurity in Europe’, and 2026 winner of The Most Inspiring Women in Cyber Award, Dr. Valerie Lyons is executive director and COO at BH Consulting, where she leads data protection, cybersecurity, and AI governance consulting initiatives. Prior to joining BH Consulting, Valerie spent 13 years leading the cybersecurity risk management team in KBC Bank. In 2024 she published The Privacy Leader Compass: A Comprehensive Business-Oriented Roadmap for Building and Leading Practical Privacy Programs. This book has been adapted into a sold-out workshop at several privacy conferences.

Valerie holds an award-winning PhD researching the influence of Privacy as a CSR on consumer trust and privacy concerns and is currently undertaking the Chartered Director program with the Institute of Directors where she also serves as faculty lead on their Cybersecurity for Directors program. She is a Certified Data Protection Systems Engineer (CDPSE), a Certified Information Privacy Professional (CIPP/E), and a Certified Information Systems Security Professional (CISSP). She is a member of the Institute of Directors, honorary fellow of the Irish Information Security Forum, a member of the EDPB pool of experts, and a member of the Irish Internet Governance Forum committee. She also serves on the advisory board of Ceadar, Irelands National Centre for AI.

Mark Rasch

Computer Security and Privacy Lawyer, Unit221b (USA)

Mark Rasch is a lawyer and computer security and privacy expert and a lawyer in Bethesda, Maryland and is the General Counsel of Threat Intelligence firm Unit 221B, and of-counsel to KJK law.

Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. He was also the Chief Privacy Officer of Fortune 100 company, SAIC and Chief Security Evangelist for Verizon.

Mark has taught white collar crime, computer law, and legal ethics courses, at various institutions including GW, AU and Catholic University Law Schools. He is a frequent media contributor on issues related to technology and the law.
Your Security Stack Isn’t Slow. Your Decision System Is

Session 13B

Most security leaders can tell you how many tools they own. Very few can tell you how fast they can change them when a new threat appears. That’s now the real problem.
Attackers change paths in hours. Vendors ship new control points in days. Most enterprise security teams still need weeks of meetings, design reviews, change boards and tool-by-tool coordination before risk is reduced. The gap is no longer just technical. It’s operational. It’s architectural. It’s about decision speed.

This session argues that many security programmes are built to optimise coverage, not change. That worked when the stack was stable. It breaks when identity, SaaS, browser, cloud and AI risk shift at pace. I’ll show why the real attack surface is often the delay between sensing a new problem and enforcing a response across the places that matter.

Using a live breach-response case, we’ll test two models head-to-head: a traditional portfolio of security products, and a control-plane model built for fast sensing, decision and enforcement. The audience will challenge the assumptions in real time and help decide where this model holds, where it fails, and what CISOs should stop buying, start measuring and redesign first.
Speaker(s)

Anton Tkachov

Managing Director - Cyber, PwC (UK)

Anton is leading the Cyber Security Architecture and Transformation for PwC and has been with the firm for more than 11 years. Prior to that, he has been delivering security transformations as a consultant, and running security architecture team as part of his industry role at a blue chip financial services organisations.

Anton is an active member of leading architecture forums. His passion, experience and interest lies with the ‘enterprise’ architecture which allows him to solve security problems by looking at those from a diverse set of perspectives, considering opportunities for the business (not only risks) and simplifying things.

Jonathan Cassam

Security Architecture COE Lead, PwC (UK)

Jonathan is a Senior Security Architect in the PwC Cyber Security practice with diverse experience across both public and private sectors helping organisations tackle some of their most complex security challenges. He also leads PwC’s Security Architecture Centre of Excellence.

Jonathan has more than 17 years of experience that covers a broad range of areas including, strategy, architecture, policy and procedures and training, with particular focus of security architecture and security operations.
Securing Trust in a Fragmented World: AI, Privacy and Democratic Resilience

Session 13C

Artificial Intelligence is reshaping society at an unprecedented pace. From automated content moderation to AI-driven social media feeds, recommendation engines, and generative tools, AI increasingly influences public opinion, information consumption, and civic engagement. While these technologies promise innovation and efficiency, they also introduce complex security, privacy, and digital trust challenges that vary across regions, demographics, and regulatory frameworks.

This session explores how AI can undermine democratic integrity, erode public trust, and expose personal data when governance, security, and privacy measures fail. Participants will examine real-world cases across the US, EU, and emerging markets, highlighting how cultural, regulatory, and infrastructural differences shape AI’s impact.

Through practical examples, the talk will show how organisations can adopt proactive AI governance frameworks, embed privacy-by-design, and strengthen digital trust, transforming AI from a potential societal liability into a strategic enabler of responsible innovation.

Key Takeaways:

Understand global AI risk landscapes – How the US, EU, and other regions approach AI governance, data protection, and digital trust differently, and what lessons organisations can learn.

Recognise AI’s societal impact – How AI-powered platforms can amplify disinformation, manipulate public opinion, and influence behaviour across age groups.

Practical governance strategies – How Cyber, Risk, and Audit teams can implement frameworks to monitor AI use, safeguard data, and maintain public and stakeholder trust.

Balancing innovation with security – Techniques to enable AI adoption while mitigating privacy, ethical, and security risks.

Building democratic resilience – How protecting digital trust today strengthens both organisational credibility and societal confidence tomorrow.
Speaker(s)

Onur Korucu

Non Executive Director and Advisory Board Member, DataRep (Ireland)

Onur Korucu currently serves as Managing Partner, Non-Executive Director, and Advisory Board Member across corporate and academic institutions in EMEA and the US, where she shapes strategies in data protection, cybersecurity, and AI governance. She is also a shareholder in companies specializing in data protection, cybersecurity, and AI automation.

Onur was honored by Business Post as one of the “Top 100 Most Powerful People in Tech in Ireland.” Recognized for her groundbreaking contributions, she was awarded the IAPP Privacy Vanguard Award, a highly esteemed honour given to only one individual per continent, which she received for EMEA in recognition of her leadership in privacy and AI governance. She is also a globally recognized TEDx speaker and was named Cybersecurity Leader of the Year at the 2025 The Women in Tech Global Awards.

Her professional journey spans leading roles at multinational professional services firms such as KPMG, PwC, and Grant Thornton, where Onur managed cybersecurity and privacy teams across global regions. She has also served as Head of Data Protection and Cybersecurity at international firms and as Senior Group Manager for GRC, Cybersecurity, and Data Protection at Microsoft UK & Ireland.

Onur brings a unique multidisciplinary expertise to her work: she is both a qualified engineer and a lawyer with an LL.M. in Information and Technology Law, and she further enhanced her leadership profile with an Executive Master’s in Business Analytics from the University of Cambridge.

She serves as a lecturer for Cybersecurity and Data Protection Master’s programs at universities in Dublin, London, and Istanbul, and is a member of the advisory board for the MS in Cybersecurity program at the University of California.

As an author and thought leader, she has contributed a book on risk-based global approaches to enhancing data protection and published articles in prestigious outlets such as the Harvard Business Review, covering trends in technology, cybersecurity, data protection, and AI innovation.

Onur is a Women in Tech Global Ambassador and the International Association of Privacy Professionals (IAPP) Advisory Board Member and she has successfully held security and privacy leadership roles in multiple geographies as Dublin and Istanbul Knowledgenet Chapter Chair.

Her achievements have been further recognized with nominations and awards, including the PICASSO Europe Privacy Award in the Privacy Executive category, GRC Role Model of the Year, Technology Consulting Leader, Cyber Women of the Year, Risk Leader of the Year, and The Technology Businesswoman awards.
From Risk Acceptance to Security-by-Design: Applying the SABSA Guardrail Model to Transform Legacy Enterprise Architectures

Session 13S

Most enterprise security architectures are not intentionally designed, they evolve over time as systems, integrations, and infrastructure accumulate in response to changing business needs. As a result, many organizations operate complex environments that were not originally built with consistent security-by-design principles or architectural governance.

In these environments, implementing modern security controls can be difficult due to legacy dependencies, compatibility constraints, and operational risk. Security teams therefore frequently rely on security exceptions and formal risk acceptance processes when controls cannot be fully implemented. While necessary, increasing reliance on exceptions often signals deeper architectural misalignment between security objectives and existing infrastructure.

This session introduces the SABSA Guardrail Model, a reusable architectural pattern for applying SABSA attribute-driven security principles within legacy enterprise environments. The model translates business-driven security attributes into architecture guardrails governing new systems, integrations, and infrastructure changes.

Through interactive discussion and architectural scenarios, participants will explore how attribute-driven guardrails can progressively reduce security exceptions and support gradual evolution toward security-by-design enterprise architectures.
Speaker(s)

Nthusi G Kaisara

Senior Cybersecurity Advisor- GRC & Architecture, British Columbia Institute of Technology (Canada)

Nthusi Kaisara is a cybersecurity governance, risk, and compliance professional with over 24 years of experience spanning IT consulting, project management, digital transformation, and cybersecurity. For the past 15 years she has specialized in enterprise cybersecurity, focusing on security governance, risk management, and security architecture oversight, where she has led and supported initiatives to strengthen organizational security posture and architectural governance.

Nthusi holds a Master’s degree in Systems Security and Assurance and is a certified SABSA Security Architect (Foundation Certificate Holder – FCF). She has also recently completed the SABSA Security Architecture Practitioner program.

Her work focuses on bridging cybersecurity governance and enterprise security architecture in complex environments where legacy infrastructure and evolving technology ecosystems present significant architectural challenges.
Wednesday 30th
16:15–16:30

Refreshments
Wednesday 30th
16:30–17:30
Anthony Sale Memorial Session - Time is of the Essence

Plenary 14P

Modern enterprise infrastructure assumes that time is accurate, available, and trustworthy. Critical authentication systems, cryptographic protocols, distributed databases, logging platforms, and monitoring and analysis systems all rely on tightly synchronised clocks to function correctly. Unfortunately, the infrastructure that provides trusted time (GPS receivers, network time services, and hierarchical NTP services) is rarely treated as critical security infrastructure. Consequently, many organisations have not seriously considered how failures or manipulation of time sources could cascade into systemic outages.

Disrupting Position, Navigation, and Timing (PNT) services (especially GPS) is now a core element of electronic warfare (EW) doctrine in the military. Put simply, modern military and civilian infrastructures rely heavily on satellite timing and navigation, so denying or manipulating that signal can degrade an adversary’s ability to coordinate, communicate, and target accurately.

In this talk we consider the art of the possible in disrupting PNT services and the problem of fundamental differences between military doctrine, that assumes that satellite time will be contested, and enterprise infrastructure assuming it will be reliable and correct. Truly, time is of the essence.
Speaker(s)

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.
Wednesday 30th
17:30–18:30

The COSAC Rump Session

Plenary 15P

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 30th September.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Speaker(s)

David Lynas & Various
Wednesday 30th
18:45-19:15

Drinks Reception
Wednesday 30th
19:15 onwards

Dinner & Networking

Thursday 1st October

Thursday 1st
09:00-09:30

Registration & Coffee
Thursday 1st
09:30-12:30

COSAC Workshops are half-day, 09:30 - 12:30
Thursday 1st
09:30-12:30
Information Warfare (IWAR) Tabletop Exercise

Workshop W1

This half day workshop allows participants to experience the fog of information warfare and apply their analytical and creative skills to address military aggression in Eastern Europe.

Allied Joint Publication 10.1 defines information operations (IO) as “A staff function to analyze, plan, assess and integrate information activities to create desired effects on the will, understanding and capability of adversaries, potential adversaries and audiences in support of mission objectives.”

Using an Eastern European scenario wherein a hostile nation has taken military action against another country using their own forces and proxies. This ‘enemy’ has engaged in a massive cyber and disinformation campaign as a prelude to the military attack.

COSAC Participants will be divided up into teams representing Psychological Operations (PSYOPs), Electronic Warfare (EW), Cyberwarfare, and Public Affairs.

Under the direction of the Task Force Chief of Staff, each team will be given a packet containing guidance, templates, and references to help them develop a strategy, plans and tactics as a part of a NATO authorized task force to develop support plans for two specific operations.

A General Information Campaign to dissuade the attacking forces from attacking and to encourage the local population to support NATO and countering the enemy’s disinformation efforts.

A Tactical plan using cyberwarfare and electronic warfare tactics, techniques, and procedures in support of a hostage rescue operation.

A representative of the International Committee of the Red Cross will monitoring the operations to ensure that there are no violations of International Humanitarian Law.

The Group will develop a final briefing incorporating their individual plans to be presented to the Task Force Commanding Officer.

Notes:

Colonel (Retired) Dietz spent 14 years as a subject matter expert to the US Department of Defense Information School which trains Public Affairs personnel for all of the Armed Services. Dietz served as the Chief of Staff and Information Operations Officer for a series of tabletop exercises called the Joint Public Affairs Contingency Course (JCPAC). The premise was that the class was mobilized to support a task force. Various scenarios included Honduras, Liberia, and Pakistan. The nature of the exercise has been modified for a condensed format.

Be advised that mis and dis-information and more sophisticated phishing/smishing campaigns are all part of the growing wave of criminal and intelligence (bad guys) efforts globally. Many times they are working together.
Speaker(s)

Liz Dietz

, (USA)

Dr. Liz Dietz, EdD, MSN, BSN, FAAN is a highly qualified leader in community and public health with over five decades of service at local, national, and international levels. A Lieutenant Junior Grade in the United States Public Health Service during the Vietnam era, she served as the Evening Charge Nurse of a 65-bed surgical unit at Brighton Marine Hospital, demonstrating early her capacity for leadership, crisis response, and ethical decision-making in complex environments.

Over the course of 56 years in Community and Public Health, Dr. Liz has combined academic, clinical, and humanitarian expertise. She is Professor Emerita at San José State University, where she taught Community and Public Health Nursing across undergraduate and graduate programs and served as administrator of the Family Nurse Practitioner Program.

A dedicated volunteer with the American Red Cross for 46 years, Dr. Liz has served in numerous leadership roles, including Pacific Division Advisor for Disaster Disability Integration. Her field experience spans critical global and national events—serving in Guam during Super Typhoon Paka, leading Disaster Health Services at the Pentagon following 9/11, and collaborating with the National Transportation Safety Board (NTSB) during two aviation disasters. She continues to support service members and their families as a Service to the Armed Forces Partner and Manager of the Red Cross team at the Northern California Military Entrance Processing Station.

An Expert International Humanitarian Law Instructor, Dr. Liz brings to her work a deep understanding of the principles that guide international legal frameworks in times of crisis and conflict. Her advanced education includes a Doctor of Education (EdD) from the University of San Francisco, a Master of Science in Nursing (MSN) in Community Health/Adult and Pediatric Nurse Practitioner from Boston University, and a Bachelor of Science in Nursing (BSN) from Cornell University–New York Hospital School of Nursing.

With her lifelong dedication to health equity, humanitarian service, and global ethics, Dr. Liz exemplifies the professional and moral insight essential to serve as an Observer for International Law.

Larry Dietz

General Counsel & Managing Director, Information Security, TAL Global Corporation (USA)

Senior Attorney and former U.S. Army Colonel with more than 25 years of distinguished leadership across military, legal, academic, security, and commercial domains. Globally recognized authority in data privacy, cybersecurity law, cyber warfare, intelligence operations, international humanitarian law, and information operations. Trusted advisor to General Counsel and executive leadership on complex multinational contract negotiations, regulatory risk, and strategic governance in high-risk environments. Accomplished graduate-level educator and thought leader known for translating complex legal, operational, and policy challenges into decisive, mission-aligned outcomes.

He is on the adjunct faculty of American Military University where he teaches national security subjects, the Institute for World Politics where he teaches intelligence and policy and the Monterey College of Law where he teaches Negotiation Skills for Law Students.

He is a volunteer with the American Red Cross serving as a Public Affairs Manager and Expert International Humanitarian Law Instructor.

His degrees include JD, Suffolk University Law School; Master of Strategic Studies, US Army War College; LLM in European Law, University of Leicester, UK; MBA (With Distinction), Babson College and BS in BA, Northeastern University. He is a member of the Bars of the US Supreme Court, State of California and District of Columbia.
The COSAC Risk Workshop Series – Using AI to Enhance Enterprise Risk Management

Workshop W2

The purpose of the risk workshop is to explore the hard parts of understanding risk. We have previously conducted workshops in Ireland and Australia on how to understand and model risk, how to explain and display risk to stakeholders, and how to think like our adversaries to identify threats that we would otherwise miss. Last year we discussed the emergence of AI and how it is being used as a tool by cybersecurity professionals as well as how it is being used by our adversaries.

This year we will resume the discussion on the impact of AI on our ability to perform different enterprise risk management or Cyber Risk activities. For example, using AI to review logs, or vulnerability information. There are many vendor based solutions now touting “AI”, but this discussion will focus more on how we can build an enterprise risk management strategy that capitalizes on different AI capabilities. This is not prompt engineering for generative AI, although that could be a component of the strategy. As a group we will discuss and develop an enterprise approach for leveraging AI capabilities to improve our ability to manage enterprise risk.

There is no need to have attended the session last year as AI is a rapidly developing field that will likely have new capabilities available when we meet at COSAC that did not exist last year, or may not exist at the time of writing this abstract. Being aware of, and able to take advantage of these capabilities will allow us to make better use of them. Our adversaries are using AI, so should we.
Speaker(s)

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt Health (USA)

Bill Schultz is a seasoned security architect with more than two decades of experience advancing cybersecurity, enterprise security architecture, and risk management disciplines. A SABSA Master–certified architect, Bill has built and led security and risk management programs, developed organizational and system level architectures, and guided enterprise wide security and risk initiatives. His work focuses on maturing security capabilities, effectively managing risk, and aligning technology decision making with long term business outcomes.

Jason Kobes

Sr. Staff Cyber Architect & Research Scientist, Northrop Grumman Corporation (USA)

Jason Kobes works as a Sr. Staff Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 25 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master’s of Science in Information Assurance (MSIA) and a Bachelor’s of Science in Computer Science from Iowa State University. Jason holds a SABSA Practitioner of Risk and Governance as well as Architecture. Jason’s areas of research include enterprise risk architecture, accountable anonymity systems and applying actionable enterprise security architecture.
Network Security Futures - Part 1: AgentDNS - Architecting Navigation Through the AgentWeb

Workshop W3 - Part 1 09:30-10:50

The World Wide Web already hosts AI services such as ChatGPT and is evolving rapidly to handle the next wave of AI, that of autonomous Ai-enabled endpoints or Agentic AI. As vast numbers of AI Agents become directly accessible on the internet, the existing addressing schemes that have supported web sites will no longer be adequate.

Work is underway in the IETF to evolve the existing DNS system into a more suitable root domain naming and service discovery system designed for Large Language Model (LLM) agents. This system, known as AgentDNS, will enable agents to autonomously discover, resolve, and securely invoke third-party tools through a unified namespace, semantic service discovery, protocol-aware interoperability, and unified authentication and billing.

In this presentation, we review AgentDNS using an architectural approach, defining the addressing requirements for AI Agents, and building a conceptual architecture. From this we prepare a Logical/Physical layer Security Design Pattern which demonstrably traces back to the requirements and enables an assured component layer solution to be delivered. Based on this architecture, we assess the completeness of the IETF AgentDNS proposal.
Speaker(s)

Dr Malcolm Shore

Chief Architect, David Lynas Consulting (New Zealand)

Malcolm’s career spans many years in government and industry, and as an adjunct academic. As the Director of Information Systems Security in GCSB, he developed and managed the national information security programme for New Zealand. His Technical Director roles include CES Communications where he was responsible for developing embedded cryptography products and BAE Systems Applied Intelligence where he managed the security evaluation, reverse engineering and penetration testing teams. He has held a number of Chief Security Officer roles in the telecommunications field, including Telecom NZ, NBN Co, and Huawei Australia. He is currently Chief Architect for David Lynas Consulting providing security and AI architecture training and consultancy both in Australia and offshore. Malcolm is an adjunct PhD Supervisor at Deakin University in Melbourne and is the author of numerous online cybersecurity and programming courses published through Linkedin Learning and Offensive Security.

Stephanie Park

Assurance Lead, Australian Domain Authority (Australia)

Stephanie Park is a cybersecurity professional specialising in information security governance. She is dedicated to making complex information accessible and practical for organisations. In her current role, she oversees assurance for the .au domain supply chain, helping the organisation stay agile and responsive to emerging challenges.
Network Security Futures - Part 2: Fun with Micro-segmentation; Subnets, Supernets, and Aliases

Workshop W3 - Part 2 11:10-12:30

Micro-segmentation is a familiar concept, but new emphasis is being placed on this technique that creates one of the few proactive security solutions available to architects. IAM and PAM solutions all for users and user groups to exist in tightly formed boundaries and these boundaries can extend beyond file and server permissions to the network segmentation tricks.

Segmenting networks is a normal activity routinely specified by security architects, but micro-segmenting networks requires knowledge of “how to” in an automated environment where the usual segmentation is not as tight as the micro-segments. Thus, the architect must both explicitly specify the necessary micro-segments and verify the micro-segments were implemented as specified while not breaking the existing infrastructure.

This session covers subnets, super-nets and IP aliasing both separately and used together. The session will provide exercises where the participants can walk through different use cases and design their own creative solution to share with the group.

Value: The value in this session lies in being able to design and create unique solutions that enhance security in a business enabling manner. Creative use of situational aware addressing for subnetting and super-netting when done properly, allows for security with transparent overhead, allowing the architect to put a unique stamp on their work product.

Uniqueness: While the technology is old, the implementation is not. Tightening up micro-segments is an overlooked component of micro-segmentation that leaves security gaps that are not always visible to security enforcement points. By proactively, tightening this space the defenders gain an advantage that prevents distractions and allows for greater focus on prioritized assets.

Timeliness: Micro-segmentation in ZTA and security architecture in general is having a resurgence as assumptions about network size and shape continues to evolve and becomes increasingly more dynamic in nature. Trust relationships are inherently situational and dynamic in nature with networks are frequently viewed as static objects, excluding CSP elasticity, but the same technology can be applied in smaller environments with little to no disruption.

Approach: This session is part lecture and part exercise with problems typically seen in enterprise architectures. The problems will have participants working in small groups or pairs to determine solutions and share with the larger group.
Speaker(s)

Char Sample

Professor, Marshall University (USA)

Dr. Char Sample is a cybersecurity researcher and professor at Marshall University where she currently teaches Cybersecurity and Computer Science. Dr. Sample has over 40 years of industry experience beginning in software development, through product test and integration, and finally as a researcher (both applied and academic). Dr. Sample’s research areas are all cybersecurity related with an interest toward cybersecurity decision-making. Past projects have focused on the influence of cultural values on cybersecurity, cyber deception including but not limited to “fake news”, and AI/ML vulnerabilities. Other research areas include data resilience, cyber- physical systems and industrial control systems.
From Static Risk Registers to Living Risk Models: Extending SABSA Threat Scenarios with Dependency Modelling and Bayesian Evidence for Complex Nonlinear Systems

Workshop W4

Cybersecurity risk is frequently assessed using static registers and scoring models that struggle to represent the dynamic and contextual behaviour of modern digital systems. This limitation becomes particularly visible in AI-driven platforms, where relatively minor architectural modifications can significantly alter exposure and privacy risk. In such environments, risk behaviour often resembles that of complex nonlinear systems characterized by sensitivity to initial conditions, rather than the stable and predictable dynamics traditionally assumed in engineered technological systems.

SABSA approaches security and risk from a business-driven perspective and introduces threat scenarios as a richer mechanism for describing operational risk. This session explores how that approach can be extended by treating threat scenarios as dynamic system models rather than static descriptions. The underlying perspective draws on systems thinking and a set of conceptual lenses including relativity (risk as context-dependent), causation (how dependencies and control structures influence outcomes), technique (the tendency of organisations to optimise for efficient risk methods rather than fidelity), and chaos (nonlinear behaviour and tipping points in complex systems).

Building on these ideas, the workshop demonstrates how dependency modelling and Bayesian inference can transform threat scenarios into continuously updated knowledge models. Participants will work through a practical scenario beginning with SABSA-aligned contextual analysis and threat scenario modelling. The scenario is then extended into a dependency model capturing relationships between controls, opportunities, catalysts, and amplifiers. A lightweight reference implementation will demonstrate how evidence such as testing results and operational telemetry can update probabilistic assessments and highlight which architectural changes most effectively reduce exposure.

The session presents a practical method for architects to treat cybersecurity risk as an evidence-driven capability that supports more informed prioritisation and architecture decision-making.
Speaker(s)

Isaac Farooq

CEO & Chief Security Architect, Eternal Nexus (Saudi Arabia)

Senior Leader with demonstrable skills in security-related thought leadership, strategic vision, and delivering tailored cybersecurity strategies and programs across multiple industries. Expertise in Global Cybersecurity Frameworks.

Worked with hundreds of large organizations across many industries & regions such as Government, BFSI, Transportation, Energy and Healthcare in the capacity of cybersecurity, data and emerging technology advisor.

Worked in advisory positions for the KSA government. Has consulted with World-class Consultancies such as PwC and Accenture. Advised Security leaders and CxOs on Business-Driven Cyber Strategy and Implementation.

Holds a PhD in Computer Science and is actively involved in learning and teaching Computer Security, Data and AI related fields.
Thursday 1st
10:50-11:10

Morning Coffee
Thursday 1st
12:30-12:45

Conference Close
Thursday 1st
12:45-13:45

Lunch

COSAC
Patrons

A completely new COSAC experience pushing the boundaries of cybersecurity further than ever before. Smart people, inspiring guest speakers and a ton of passion. Become a COSAC Patron and gain access like no other.

Become a patron

COSAC APAC
2027.

23rd - 25th Feb: Melbourne, Australia

More Info Register

Contact

Get in contact with us by email, phone or just stay social and connect with us on LinkedIn

COSAC 2026

Sunday 27th September

Sunday 27th 15:00-16:00

Sunday 27th 19:30-20:00

Sunday 27th 20:00 onwards

Monday 28th September

Monday 28th 09:00-9:30

Monday 28th 09:30-17:30

Monday 28th 09:30-17:30

The 25th COSAC International Roundtable Security Forum

Masterclass M1

Speaker(s)

The 10th COSAC 'Design-Off'

Masterclass M2

Speaker(s)

Leave Your Ego At The Door - Negotiation Skills for Security Professionals

Masterclass M3

Speaker(s)

Making Digital Empathy Real: Turning People Centric Security a Reality

Masterclass M4

Speaker(s)

Monday 28th 11:05-11:25

Monday 28th 13:00-14:00

Monday 28th 15:35-15:55

Monday 28th 18:30-19:00

Monday 28th 19:00 onwards

Tuesday 29th September

Tuesday 29th 09:00-09:30

Tuesday 29th 09:30-10:30

The CISO Operating System: Fixing the 7 Failures in Security Leadership

Session 1A

Speaker(s)

Preventing Insider Risk at the Human Layer: How Adversaries Target Your People Before They Target Your Systems

Session 1B

Speaker(s)

AI – Super Hero or Super Villain?

Session 1C

Speaker(s)

Securing Cyber-Physical Systems with the SABSA framework

Session 1S

Speaker(s)

Tuesday 29th 10:30-11:30

Leading on Your Worst Day

Session 2A

Speaker(s)

(Ab)using Cognitive Biases: A Hacker's Guide to Defensive Social Engineering

Session 2B

Speaker(s)

Seeing the Unseen: A SABSA Approach for Discovering Hidden AI in Third-Party Vendors

Session 2C

Speaker(s)

Architecting for Failure: Designing Cyber Recovery from Failure Modes

Session 2S

Speaker(s)

Tuesday 29th 11:30-11:45

Tuesday 29th 11:45-12:45

Named a Top CISO by an Algorithm: An OSINT Investigation into the AI Ego-Baiting Machine

Session 3A

Speaker(s)

From No SIEM to Intelligent SOC: Building Detection Capability in a UK Public Sector Estate

Session 3B

Speaker(s)

Cybersecurity Architecture as Code: Using AI to Deliver Better Architecture Artifacts, Faster and Better Quality

Seesion 3C

Speaker(s)

Designing Security Around the Most Fallible Asset: Reframing Enterprise Architecture Through a Human-Centric SABSA Lens

Session 3S

Speaker(s)

Tuesday 29th 12:45-13:45

Tuesday 29th 13:45-14:45

Rethinking Supply Chain Cyber Security: From Audit Burden to Threat-Led Defence

Seesion 4A

Speaker(s)

Demystifying encryption in use: homomorphic encryption & multi-party computation

Session 4B

Speaker(s)

Education’s Artificial Intelligence Dilemma

Session 4C

Speaker(s)

The Architecture for Abandonment: Reducing Tech Debt by Killing Zombies

Sunday 27th
15:00-16:00

Sunday 27th
19:30-20:00

Sunday 27th
20:00 onwards

Monday 28th
09:00-9:30

Monday 28th
09:30-17:30

Monday 28th
09:30-17:30

Monday 28th
11:05-11:25

Monday 28th
13:00-14:00

Monday 28th
15:35-15:55

Monday 28th
18:30-19:00

Monday 28th
19:00 onwards

Tuesday 29th
09:00-09:30

Tuesday 29th
09:30-10:30

Tuesday 29th
10:30-11:30

Tuesday 29th
11:30-11:45

Tuesday 29th
11:45-12:45

Tuesday 29th
12:45-13:45

Tuesday 29th
13:45-14:45

Tuesday 29th
14:45-15:00

Tuesday 29th
15:00-16:00

Tuesday 29th
16:00-17:00

Tuesday 29th
17:00–17:15

Tuesday 29th
17:15–18:15