Schedule

This full-day immersion in the COSAC way lets you analyze events, mostly actual, some hypothetical, from perspectives based on widely different experiences and perceptions of success and failure. Delegates rigorously defend their opinions, but willingly help others and learn from each other. The perspectives are illuminated by deep and broad information security knowledge and experience. And nobody charges consulting fees.

The moderator, a grizzled if not very knowledgeable security dinosaur, describes some actual recent event or publication or prediction of the future or analysis of security-related activity, then comes up with a question or comment or two about associated issues. He might prod one or more delegates for their take on issues in question, more likely, he’ll try to avoid getting in the way, thus prompting participants who have been there and done that to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

Discussions and analyses on this first day of COSAC continue throughout, often beyond the conference, leading to unique, realistic and workable solutions. Forum delegates take their profession very seriously, but not necessarily themselves. Come join us and help solve the information security problems of the world.

Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on LinkedIn congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

ZTA promises an improved security posture while improving insider threat protection but, the devil is in the details. This full day course breaks down the details in a clear and engaging way by uncovering the hidden complexities of ZTA, exploring how various technologies work to achieve ZTA goals, and discussing the trade-offs involved.

Included are various architectural views, technologies and (of course) implementation details, along with details on both security vendor’s and cloud vendor’s implementations. We will explore evolving areas of opportunities to continue the enhancement of ZTA along with an open and engaging discussion to understand additional considerations and solutions. We will add to our understanding of various security and cloud vendor approaches, as well as potential privacy and security risks, leading to a discussion of where the future of ZTA is headed.

Expect key insights, interactive discussion and practical takeaways to help you navigate this area of cybersecurity with confidence. Whether you’re a decision-maker, IT professional, or just curious about how modern security works, this technical course will leave you better equipped to understand and implement Zero Trust effectively with a broader understanding of the various security and privacy considerations along with risk mitigation.

As automation is taking over the world and more and more physical systems and processes are controlled by the systems under our watch, the cyber security risks for our environment are getting greater. So is there possibly something we can learn from them in order to secure a high risk, potentially life threatening environment? I believe so and I will share my analysis.

Current aviation security practices have developed over the last century, each time updating as new threats materialized. They are securing of these complex processes and supply chains in order to safely fly us around the globe. In this sense it much like our industry, we are being asked to secure more and more processes. Just looking after the data very often isn’t enough anymore. Process can’t fail because people then will fail.

During this session we will analyze the aviation security concepts developed for the safety of their industry and how they are or can be applied in our industry. What are the strengths, how can we apply these to secure our core and OT processes. Let’s look around and learn.

We will introduce the concept of a self-evolving security boundary, an AI-driven system that dynamically captures and processes data, translating it into actionable architecture updates. By automating diagramming as code, this system continuously refines security postures, allowing real-time remapping of architectures against the prevailing threat landscape. Attendees will gain insights into deploying AI-driven security solutions that transform the secure-by-design process from a static compliance exercise into an adaptive framework where security architectures evolve in response to live intelligence.

Through live demonstrations and real-world case studies, this session will provide a deep dive into how Generative AI enhances security decision-making, reduces operational overhead, and enables organizations to outpace emerging cyber threats. By the end, attendees will be equipped with actionable strategies to integrate AI-driven automation into their security workflows, making security an adaptive, continuous process rather than a one-time assessment.

The SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project, sponsored by the SABSA Institute (TSI), is currently developing tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work the SABSA way. This session will provide a first look at the SENC-team developed SABSA NIST CSF 2.0 Profile and supporting Subcategory Examples designed to help you more easily integrate the CSF into your SABSA security architecture.

The SENC Project Team has now finalized a library of example SABSA business attributes and attribute profiles based on the NIST CSF Categories and Subcategories. The next team focus is defining a SABSA-specific NIST CSF 2.0 Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method and a collection of SABSA-specific Examples supporting the CSF subcategories aligned to the SABSA NIST CSF 2.0 Profile. The SABSA CSF Profile will provide an easier and more complete integration of the CSF into your security architecture. The collection of SABSA specific Examples for implementing the CSF Subcategories will provide additional insight into effectively leveraging the SABSA CSF.

The application of the NIST CSF typically focusses on the processes, technologies and controls while losing sight of managing the business value and risks involved. The SABSA CSF Profile and Examples will provide a more complete solution for effectively managing business risk across the enterprise. This session will be a review of what the SENC Project Team has accomplished to apply and enhance the NIST CSF 2.0 to manage your organization’s business risk requirements.

This presentation explores how proven engineering practices from various fields, like space engineering, aeronautical engineering, or redundancy engineering, can be utilized for more cyber resilient architectures. These fields are renowned for their rigorous redundancy strategies, and we are going to explore how they can be adapted to fortify our security frameworks against innocuous threats.

Space systems for example are designed to operate in the most unforgiving environments, where failure is not an option. These systems achieve unparalleled reliability through the implementation of extensive redundancy measures at every level, from hardware components to software protocols. By drawing inspiration from these practices, we can develop security architectures that are not only robust but also capable of maintaining functionality in the face of sophisticated cyber threats and operational disruptions.

This presentation will delve into specific space engineering methodologies, such as:

• Layered Redundancy: Implementing multiple layers of defence to ensure that if one component fails, others can take over seamlessly.
• Fault Tolerance: Designing systems to continue operating properly in the event of the failure of some of its components.
• Modular Design: Creating systems with interchangeable modules that can be easily replaced or upgraded without affecting the overall operation.
• Rigorous Testing: Applying rigorous pre-launch testing and simulation practices to identify and mitigate potential vulnerabilities before they are exploited in real-world scenarios.

Attendees will gain insights into how these space engineering principles and others from the wider field of engineering can be translated into practical strategies for building threat-resilient security architectures. We will examine case studies and practical applications that demonstrate the efficacy of these approaches in protecting critical enterprise assets. This presentation aims to inspire a paradigm shift towards more robust, redundancy-inclusive security architectures, paving the way for a new era of cyber resilience.

Ideas covered in this presentation are not meant to be just taken and implemented but should spark a discussions on opportunities for security architects delivering more cyber resilient solutions. With this presentation we want to put a spotlight on often underrated cybersecurity threats, as witnessed in the latest incidents, and raise awareness on existing frameworks and tools addressing this space, like Mitre in their Cyber Resiliency Engineering Framework and NIST’s Special Publication 800-160 on the development of Cyber-Resilient Systems.

The key difficulties lie in integrating AI with legacy systems, the potential overestimation of its benefits, and the risk of “prompt fatigue”, as security teams contend with an overload of interactive tools. Despite these hurdles, AI adoption in cybersecurity continues to rise, with many organisations already integrating AI solutions into their operations.

This session will delve into the role of AI assistants in security operations, addressing both their potential and the practical challenges involved. The presenter will explore real-world use cases and offer insights on how organisations can leverage AI to improve security without falling into common pitfalls.

Through a blend of analysis and a case study, the presenter will illustrate how AI assistants can be integrated into security architectures, automating routine tasks, enhancing decision- making, and ultimately helping organisations improve their security posture.

Europe is currently in a rat race to enhance cybersecurity in the Union and legislation, directives and regulations are coming left, right and center. What they all have in common is that information security management is not elective anymore, it’s a prerequisite for doing almost any kind of business.

In my talk I’ll take you through my journey of making and implementing a business-oriented ISMS and how I put it into everyday operations using SABSA-principles – without telling anyone, of course! By merging ISO27001:2022, CIS18, ITIL, SABSA, with the triangle People, Process, Technology, I was able to produce and implement a state-of-the-art ISMS that is used every day.

After having the pleasure of attending COSAC for three years in a row it seems to me that many security architects tend to thrive in the upper architectural layers, but very few are presenting the “A’s” in SABSA – how did you actually apply your architecture in practice? This is the key takeaway and source of inspiration for my talk

In World War II, every government censored communications –the press, their soldiers’ correspondence, and even letters home from prisoners of war3. At that time, information interdiction seemed straightforward. Hollywood picked up on the theme with movies such as Eye of the Needle4. Information dissemination was controllable and controlled. The deception program Operation Mincemeat may have even changed the course of the war.

Fast forward to 2025. Ubiquitous internet connectivity, cellphone cameras, and automated translation services would imply that censorship and disinformation would be nearly impossible. Yet it still flourishes at multiple levels. Why?

This talk will examine the progression of Russian information control and disinformation over the last decade and explore where other states have learned and copied this methodology. We’ll discuss the necessary conditions for this to occur (limit access to authoritative data, restrict information exchange, create social and legal consequences for dealing in unwanted truth), and explore whether this will remain a “feature” of information warfare for the foreseeable future, or if somehow our cybersecurity profession has a trick up its sleeve to force the truth into the open. Will the rise of totalitarian states be the foreseeable future for the world, or will our security community somehow keep them at bay?

This lively and provocative session will examine how companies collect, analyze, and leverage personal data to target consumers with tailored goods and services, charging higher prices based on perceived willingness to pay. It will explore how AI enables dynamic pricing, behavioral manipulation, and predictive analytics, creating an uneven playing field where consumers often don’t even know they’re at a disadvantage. The discussion will cover the legal and regulatory frameworks governing data collection and use in the United States and the European Union, including privacy laws like the GDPR and CCPA, as well as the implications for data security and consumer protection. The session will also address whether these practices are inevitable or if meaningful legal and technical solutions can restore balance. Attendees will gain insights into how to protect themselves from these tactics and how regulators and lawmakers could reshape the landscape to promote greater transparency, fairness, and respect for consumer privacy.

Flow Engineering complements SABSA and provides techniques to visualise, analyse, and optimise value realisation for ESA initiatives. This session will explore how security architects can apply Flow Engineering to developing an ESA to streamline implementation, reduce friction, and enhance adaptability. By leveraging SABSA and Flow Engineering techniques, security architects can identify bottlenecks, eliminate waste, and design security architectures that enable—not hinder—business success.

The key takeaways for participants will be an understanding of:

• The fundamentals of Flow Engineering and how they apply to the development of an ESA.
• How to align Flow Engineering with the SABSA framework to deliver a dynamic, valuedriven ESA.
• The Flow Engineering techniques can be used to identify bottlenecks, reduce friction and complexity, and optimise flows.

This session is a reflection on:

• Prioritizing from a business/technical/architecture perspective: yes, the chicken and the egg all over again … we want you to fix all of problems, but we need to lay down the proper foundation first
• How do you build a function & layer that works and is future proof? Can it grow organically?
• Why Ownership is key to addressing for long term success and how to go about that cultural change?
• What can you do to integrate IAM in a seamless way? … Building the data do you need to show how things are progressing and what still needs investments to be made

By the end of the session, you will get some practical insights in dealing with the IAM elephant in the room, as well as some key points that might help with avoiding the deja-vu when renewal cycles hit.

LAMs, which represent the next stage of AI development, are distinct from LLMs in their capacity to make real-time decisions based on constant streams of personal and behavioral data. Wearable AI devices, such as AI “pins,” smart glasses, and rings, now integrate with phones, email, social media, and other platforms to collect and aggregate data. This creates the ability for AI to analyze and recreate human interactions at scale, enabling highly personalized services but also raising significant concerns about consent, data ownership, security vulnerabilities, and potential misuse of personal data. The presentation will examine how these systems bypass traditional privacy and security controls by breaking down data silos and combining data from previously separated sources.

Through an exploration of real-world examples and legal frameworks, the session will highlight the key risks posed by AI-generated content and the behavioral profiling conducted by LAMs. The presentation will analyze copyright and trademark issues that arise from AI-generated images and text, including cases involving unauthorized use of copyrighted material in AI training datasets. It will also address privacy violations stemming from deepfake technology and the re-identification of anonymized data.

The session will further examine the security implications of LAMs’ real-time decision-making capabilities. Because LAMs rely on integrated data streams from multiple devices and platforms, they create new attack surfaces for hackers and other threat actors. Data centralization and interoperability increase the likelihood of large-scale data breaches and unauthorized access to personal information. The presentation will explore how LAMs’ ability to capture and analyze biometric and behavioral data creates new vulnerabilities, such as the potential for AI-generated impersonation and social manipulation.

SABSA’s comprehensive, layered approach is one of its strengths, but it can be challenging to decide where to start. Security and business teams are often siloed, making it difficult to get organisational buy-in. Many newly qualified architects experience a “knowledge-to-action gap,” finding it hard to translate their theoretical knowledge into meaningful actions. The risk of over-engineering the architecture is clear – too much detail could make the architecture impossible to understand or maintain, but too little could limit the value to engineering colleagues or senior management. For these reasons, many new architects look for clear examples and case studies to help them get started, but there are limited examples available because companies’ architectures are confidential.

Our team is facing all these challenges, and more, as we start to adopt SABSA. This talk will share how we are trying to navigate these challenges. How we are limiting our initial scope to avoid overwhelm. How we are setting initial goals to provide a clear starting point. How we are prioritising benefits with stakeholders to get organisational buy-in. How we are setting guidelines to avoid over-engineering and ensure that the architecture is useful but maintainable. The aim is to provide an example to help other new SABSA architects get started, and to share what we’ve learned about what is working for us, and what is not.

Fast forward to 2025 and the world needs to be viewed through a different lens, one where governments can cease to be in days not decades. As security professionals we have become used to the idea of Zero Trust Architectures where this encompasses users, devices and applications but have we gone far enough to verify identity and trustworthiness?

We have used Dependency Modelling to identify otherwise extremely impactful risks and re-architect our systems to dilute these risks throughout a manageable business structure. However, this requires us to have access to the full-range of the failure mechanisms of the components upon which we depend.

But what if one of those “components” are your employees? What if they can be influenced, disinformed, indoctrinated or coerced at scale? Or just plain distracted? At a time when many organisations are implementing Return-to-Office programs there is much talk of the use of intrusive monitoring to measure how long an employee spends sitting in their seat, how often they move their mouse or how many emails they send; none of which will give a business an understanding of what the employee is thinking or believing.

In this talk I will review the steps an organisation would need to consider if the Zero Trust approach is extrapolated to its logical conclusion; steps that could well go against acceptable privacy expectations and current norms.

This talk will offer plenty of opportunities for contributions and participation from the COSAC delegates as we re-evaluate the business/employee trust frontier.

As ever, dependency modelling will still make a showing with some real-world epic fails.

This session explores what security means in a complex cyber-physical environment with a diverse array of socio-technical interactions. It will explore the inadequacies of the vast portfolio of national and international standards in respect of these environments and interactions. Come and explore the nexus between physical and digital worlds and the challenges security engineers will face in the safe and secure realisation of digital twins.

Key learning outcomes

• An understanding of how safety and security align through the concept of harm
• An appreciation of challenges regarding security of digital twins
• An outline of a framework for safety and security analysis of digital twins

The value of the talk is: 1) to encourage others to publish and share their success stories; 2) to help others avoid pitfalls and leverage success in building or maturing their cybersecurity architecture program; 3) to see and discuss architecture program artifacts, processes and techniques. All of this content and expected discussion is to help others accelerate their cybersecurity architecture practice capabilities.

We’ll cover how to create user personas (think “Remote Worker” or “Data Geek”), map out their daily workflows, and turn those into real system features. We’ll break down complex security tasks into simple, user-friendly steps, and show how to build security right in from the start.

Join us to learn how to create security that’s not just strong, but also a breeze to use!

Through interactive demonstrations, we’ll explore:

1. Hidden Attack Vectors:
– How seemingly innocent API design choices in CSV parsing created unexpected security vulnerabilities
– Real-world examples of exploitation attempts against core libraries
– Novel mitigation strategies developed during Ruby core implementation

2. Cross-Language Security Implications:
– Security challenges unique to multilingual API environments
– How attackers exploit language-specific parsing differences
– Implementation of language-agnostic security controls

3. Revolutionary Defense Patterns:
– New security testing methodologies derived from core library development
– Advanced techniques for detecting parser differentials
– Implementation of zero-trust principles in API design

This session provides exclusive insights never presented at other security conferences, drawn from both Ruby core development and enterprise API security implementations. Participants will gain practical, immediately applicable strategies for securing their APIs against next-generation threats.

By applying mathematical rigor and systematic dependency mapping, attackers can identify subtle flaws and interdependencies that traditional methods may overlook. This talk delves into the technical underpinnings of these approaches, showcasing how automated exploit generation and attack graph analysis have transformed the offensive cyber toolkit. Furthermore, we discuss the ethical implications of utilizing such advanced techniques, highlighting the inherent risks of dual-use research, potential for collateral damage, and the responsibility of cybersecurity professionals.

Finally, we outline comprehensive mitigation strategies, including secure-by-design principles, defence-in-depth architectures, and robust ethical oversight. By understanding and pre-emptively countering the methods used to generate these sophisticated attacks, we aim to equip defenders with actionable insights to protect against emerging threats.

This session will explore, in a fun, interactive participation manner, the differences in how we may behave with respect to cybersecurity. Let’s face it – if we are designing systems, processes, and training for our end users, but we don’t really understand how they will use the information – we may not achieve the intended impact and thus our strategy will be at risk.

By leveraging advanced static and dynamic analysis techniques, we uncover the intricate workings of this malware, strategically hidden within seemingly legitimate firmware patches. Through meticulous investigation, including static examination for file headers, hashes, and embedded resources, and dynamic analysis within controlled environments, we decipher the malware’s operational stages. This includes its initial execution triggers, subsequent macro-driven deployments, and ultimate persistence mechanisms through.

Top 5 facts about your talk: Firmware as a Malware Vector: My talk highlights how firmware updates, especially for common devices like Sabrent, can be exploited as sophisticated vectors for malware, going beyond traditional
attack surfaces.

Case Study Focus: The presentation dives into a specific case study involving Sabrent firmware updates, revealing how widespread the exploitation is and why it’s a growing concern.

Advanced Analysis Techniques: We explore both static and dynamic analysis methods, breaking down techniques like examining file headers, hashes, embedded resources, and running the firmware in controlled environments.

Malware Persistence Tactics: I discuss how the malware ensures long-term control through mechanisms like registry modifications, making it exceptionally difficult to detect and remove.

Real-World Implications: This isn’t just theory–the findings have practical implications for security teams and organizations looking to safeguard their devices from firmware-level threats.

This session takes a SABSA-driven approach to dissect both enterprise DNS architecture and the DNS infrastructure exploited by attackers. It uncovers hidden risks, overlooked opportunities, and measurable business impacts.

We’ll explore how adversaries manipulate DNS—from malicious AdTech Distribution Systems to domain abuse—and demonstrate how DNS derived intelligence can shift defences left, proactively stopping attacks before they begin.

With DORA and NIS2 now bringing DNS into regulatory focus, we’ll examine why it has been neglected for so long and what must change.

Attendees will gain a structured framework for assessing DNS risk and value—reframing DNS as a strategic business enabler rather than just technical infrastructure.

We’ll cut through the confusion with a bold, no-nonsense approach to quantum readiness, laying out clear, actionable steps to build a resilient, results-driven roadmap toward post-quantum security. We will explore the vulnerabilities that quantum computing introduces to traditional encryption techniques and discuss the urgent need for quantum-resistant algorithms.

Attendees will leave energised and equipped to push past hesitation and take decisive steps to secure their infrastructures against an emerging reality. This is your wake-up call. Let’s move quantum readiness from theory to action—before it’s too late. Prepare to rethink your approach, galvanise internal discussions, and take meaningful steps to bolster your organisation’s resilience in the post-quantum era. It’s time to navigate this new frontier COSAC-style: together, boldly and with intention.

In 2023 I presented a session that talked as through the new, the ugly and the challenging regarding cyber security law. This 2025 session will be an update. We will go around the world region by region and discuss new and anticipated laws, regulations, and other political issues that might influence your cybersecurity roadmap in that region. Among other things, this talk will cover:

• What AI regulation are we seeing around the world?
• In the EU, how’s NIS2 doing, what are the Cyber Resilience act and the Cyber Solidarity Act?
• The US has new SEC policies and CIRCIA mandates that require critical sectors to report incidents.
• Implementation of the Cybersecurity Law of the People’s Republic of China, relentless pushing for data localization.
• Per region, we will discuss what is new, expected, and strange, and we will discuss the impact those laws and regulations can or will have on our cybersecurity agenda.

This breakthrough has the potential to accelerate the timeline for practical quantum computing from decades to within a few years, with far-reaching implications for cybersecurity. This submission explores how the Majorana chip’s topological qubits can revolutionize encryption, threat detection, and overall cybersecurity resilience.

As security professionals, we aim to protect systems and data, but when those defenses create unnecessary friction, we push users to risky workarounds, enable shadow IT, and frustrate users. Are our security controls enabling safe and efficient operations, or are they becoming obstacles?

This session we will explore:

The unintended consequences of security-first, user-second approaches – when friction leads to riskier workarounds.

Real-world examples of hostile security architecture – from punishingly strict MFA to overzealous privilege management.

Balancing security with usability – why effective security should be seamless, not burdensome.

Practical strategies for security teams – how to build transparent, adaptive, and user-aware security that protects without alienating users.

By the end, you’ll gain actionable insights into designing security measures that are both effective and user-friendly, ensuring compliance and resilience without creating unnecessary roadblocks.

Let’s build security that works for users – not against them.

I’ll cover what we, as part of the various working and regulatory expert groups, are doing to help the entire open-source community navigate the actual requirements. We’ll explore how these roles are played together by the leading industry players (yes, revealing some non-trivial scenarios) and what best practices and tools can be used right away for your organization or by you as an individual contributor. Finally, let’s discuss how we together should turn CRA into an opportunity to make open-source better for all.

Why did I choose this talk? CRA is a hot topic everybody is talking about, but there are a lot of myths and misunderstanding about it, specifically in the negative context. I’m EU-based and working directly with policy makers through working groups and standardization bodies so that I’ll highlight how the OSS ecosystem can support the positive intentions of it.

After this session organizations and individual contributors will better understand the scope, what actions they need to focus on, what tools and practices are available right now and what they should expect next.

I’m a member of the key CRA Expert and Working Groups as well as contributor to the NSAI (National Standards Authority of Ireland). I’ll provide the most up to date insights and recommendation for the EU CRA (Cyber Resilience Act).

This session underscores the importance of collaboration between enterprise cybersecurity teams and consumer-focused organizations to combat these growing threats. Attendees will explore real-world examples of how AI advancements have been weaponized by cybercriminals while learning about cutting-edge tools designed to protect identities, secure private information, and safeguard devices. Through live demos, participants will experience practical solutions such as smart AI-driven security tools that empower both businesses and consumers.

The agenda includes an introduction to modern cybersecurity challenges, understanding risks posed by data breaches and malicious AI use, strategies for protecting identity and privacy, and the role of AI in enhancing security standards. By bridging gaps between enterprise and consumer protection efforts, this session aims to foster a proactive, unified approach to mitigating cyber risks in our
increasingly interconnected world.

There are many ways a security architecture can fail that have nothing to do with the architecture itself. It can be as simple as a failure to communicate, as complex as conflicting executive responsibilities or the result of overt sabotage. Sometimes choice of language and more effective communication is the solution. Sometimes clear responsibilities, authority and executive support will help. Occasionally, there may be little you can do. We will provide a few real-life examples where architectures have failed when implemented, didn’t achieve their objectives after implementation, or were doomed from the start.

This session will review real-world examples of well-defined and implemented security architectures that have failed or will fail to achieve their intended purpose. The reality is that a security architecture that successfully manages business risk depends on more than a well-defined architecture. We will outline some of the important critical success factors to recognize and manage, and what to do when confronted with some of these obstacles. This is a collection of cautionary tales of what to watch for, how to recognize and resolve specific issues and know when to “walk away”.

We will discuss some of the real-world challenges facing security professionals in modern environments, including:

• Poorly defined roles, responsibilities, and authorities
• The pace of change
• The constant need to reinvent the wheel
• The amount of technical debt
• Busy work vs. meaningful work

This interactive session will explore strategies to address these challenges, including the following:

• Defining and implementing effective RACI models
• Fostering collaboration between DevOps and Security
• Integrating security into the DevOps Lifecycle
• Automating security activities
• Specifying reusable patterns
• Limiting and eliminating sprawl
• Evaluating and prioritising work

This session offers a deep dive into a real-world cyber-attack experienced by my organization. We will explore the anatomy of the attack, from its setup to its execution, and analyse its impact. You’ll gain valuable insights into our response strategies, how we managed the crisis, and the steps we took to regain control and resume normal operations. Join us for a compelling and informative discussion that will equip you with practical knowledge to enhance your organization’s cyber resilience.

What This Session Will Propose

This session will propose a structured approach to defining clear, actionable, and effective security requirements from the outset of a project. We will discuss best practices for integrating security considerations throughout the project lifecycle—from initial planning and procurement to final delivery. Additionally, the session will highlight the importance of collaboration between stakeholders, including business leaders, project managers, and security architects, to ensure that security requirements align with business goals and technical feasibility.

What Participants Will Get Out of the Session

• An understanding of how poorly defined security requirements affect business risk, project cost, and compliance.
• Insights into how security architects are impacted when dealing with vague or unworkable requirements.
• A framework for improving security requirement definition, ensuring alignment with project needs and business objectives.
• Practical strategies for embedding security into project planning, procurement, and implementation.

Conclusion to Wrap It All Up

Effective security requirements are a cornerstone of successful projects, yet they are often overlooked or poorly defined. By improving the way security requirements are structured and implemented, businesses can enhance security outcomes, reduce risk, and enable security architects to deliver better solutions. This session will provide attendees with actionable steps to ensure their
security requirements are no longer “crap” but instead contribute to successful project execution and long-term security resilience.

Design (SbD) is about anticipating these risks and proactively building protective measures directly into AI systems. It means ensuring that models are robust against misuse and transparent in how they function, and that users can easily contest inappropriate outputs. This approach extends beyond the individual and considers the wider societal impacts of AI deployment and use.

In this talk, the speaker outlines the five key principles of SbD along with strategies to incorporate them into GenAI development/deployment, under the following headings:

1. Proactive Risk Identification and Mitigation
2. Bias Detection and Fairness
3. Truth and Explainability
4. User Control and Feedback Loops
5. Robustness Against Adversarial Attacks

SbD is not just a technical requirement—it is a foundational approach to proactively ensuring that AI systems are trustworthy, fair, and resilient against misuse. This approach benefits not just individual users but also society as a whole by mitigating misinformation, reducing harm, and fostering transparency and accountability.

When faced with this challenge the UK energy sector, with the support of the UK NCSC, created a methodology to prioritise controls based on the most likely attacks that attackers will use.

By attending this session, you will:

• Find out about the Threat-Informed Cyber Resilience (TICR) methodology and how it was developed by the UK energy sector working with the UK NCSC.
• Learn how you can use the MITRE ATT&CK framework and combine this with cyber intelligence knowledge and controls to decide where your security priorities lie.
• See how MITRE ATT&CK has been extended in TICR to include physical security concerns and personnel security.
• See how the kill chain used by attackers can flow between IT systems to ICS/OT systems and from physical security weaknesses and how these security domains interact.
• See how individual companies have justified and set priorities for their security budgets based on the most likely and relevant attacks.
• See how TICR can also be applied to a sector to help solve common security concerns.

But these have typically have significant short-comings:

• They are often disconnected from the reality of what is in place and abstracted in an attempt to fit a framework, a style of assessment or digestible to senior stakeholders.
• Assessments typically compartmentalise capability looking at how things perform in isolation or by category not necessarily by how harm is caused or organisation compromised.
• Organisations are complex, assessments take time and situations are never static. These factors limit point-in-time activities.

Cyber security incidents and red teams exercises continue to expose these issues as they cause harm, or demonstrate its possibility, based on what is really there and how things are really working. Where the real detail has mattered.

The key question for organisations is – “how can I better connect what is really there and how it really works to how someone might seek to cause me harm and make that discernable to leadership and integrated with all the other stakeholder communities who are also trying to help leadership make decisions?”

This presentation will look at a recent case-study of enabling an organisation to connect the real position of their technology and the configuration of their estate and threats to security leadership by:

• Using SABSA to provide that ‘architectural connectivity’ between the technical estate as it really is, the threats being faced, and enabling different security communities to use this to lead effectively and coherently.
• Influencing stakeholders to buy them into a single connected approach.
• Leveraging technology to both accelerate and provide a platform to enable the understanding of the real position and architecture to be maintained.

When the government seeks specific information within a dataset, it often compels the production of the entire dataset, overwhelming providers and undermining individual privacy. Third-party providers are reluctant to assume the role of government agents tasked with filtering through sensitive information to comply with investigative demands, resulting in broad disclosures that compromise personal privacy. This session will examine the structural and legal flaws in current compulsory process frameworks, including the Stored Communications Act, the Fourth Amendment’s particularity requirement, and evolving case law on data privacy and government searches. The discussion will explore the legal tension between the government’s investigatory needs and individual privacy rights and analyze why current procedural safeguards are inadequate. The session will conclude with proposed legal and technical reforms to narrow the scope of compelled production, improve oversight, and create more effective mechanisms for protecting personal data while meeting legitimate law enforcement objectives.

This session explores the application of OSINT in maritime investigations, focusing on AIS (Automatic Identification System) monitoring, anomaly detection, and satellite communication analysis. Attendees will learn how vessels manipulate tracking data through signal spoofing, dark fleet tactics, and registry obfuscation. The talk will also highlight the cybersecurity dimensions of maritime intelligence, where attackers exploit digital vulnerabilities to mask movements and conduct illicit activities.

By integrating shipping registries, satellite imagery, port logs, and cyber threat intelligence, analysts can construct a comprehensive view of maritime operations. Real-world case studies will demonstrate how OSINT methodologies have exposed smuggling networks, sanctions evasion, and covert fleet movements. This session equips professionals across cybersecurity, law enforcement, journalism, and intelligence with the skills to transform open-source maritime data into actionable intelligence, ensuring that no vessel remains truly untraceable.

Manifesting from the digital realm, cybersecurity is rich in the traits that make risk analysis difficult. This is compounded by large, highly complex and interconnected systems characterised by multiple many-to-many relationship along the attack chain: risks – vectors – vulnerabilities – actors – controls.

These inherent issues have important consequences for how cybersecurity teams design and implement their GRC and assurance frameworks. How can we optimise our risk posture, using our limited resources, when any adjustment without triggering the ‘butterfly effect’.

In this presentation, the speakers will explore recent developments in EA tooling that promise better visualisation of cybersecurity risk. While the virtual world might never become so tangible as to be familiar, it is becoming increasingly possible to immerse and interact with the virtual world and understand it more intuitively – offering a depth of situational awareness and understanding that few can achieve from a bookshelf of traditionally documented artefacts.

The session, which will include a practical demonstration, should be of value to a wide range of delegates that would be interested in what visualisation can contribute to security management.

This will be original content, being presented at conference for the first time.

In this session, we will examine the latest trends shaping the global cybersecurity investment market, from solutions attracting venture capital to the motivations behind large-scale acquisitions. Attendees will gain insights on how geopolitical events, economic pressures, and emerging regulations influence funding strategies, and discover where the next wave of disruptive technologies will emerge.

I will share fresh data from venture capital reports, private equity benchmarks, and interviews with leading cyber investors to spotlight security domains—such as secure DevOps, AI-driven cyber ‘anything’, Data Security Posture Management and Application Detection and Response capabilities —that show the most promise. By evaluating high-performing and under-the-radar startups, participants will learn which innovations offer the potential for the best return on investment while mitigating cyber risks. I’ll reveal how established vendors and emerging players are competing for capital, and how strategic funding choices could accelerate and enhance my client’s cyber security strategy.

Attendees will leave with recommendations for building a ‘cyber innovation watch’ capability within their organisations, tools and information sources that could help them to achieve that.

There are also Cyber Risk Quantification solutions such as BitSight, Security Scorecard and SAFE. This leads to a complex market looking to be the one risk dashboard to rule them all. However, all of these systems tend to be opaque in their scoring and it’s hard to understand the logic behind a particular risk score. All these solutions are competing with each other and with Excel to be the central reporting and risk visualisation tool for the company.

This session will cover some of these competing challenges, consider how you bring risk, attack surface and threat data together to provide insights to the organisation and consider how an organisation can control its own risk whilst making the best use of technology available. The key will be to consider risk assurance and reporting in such a way that the organisation maintains control of its dashboard and aggregating the various reports and tools provided by vendors.

This presentation will focus on how a data-driven comprehensive representation of the security fabric can drive faster and better decision-making. Using real-life case studies, we will highlight how the development of a single source of truth helps to identify actionable insights, simplify remediations actions and improve the risk position of the organisation. Most importantly, it becomes the foundation for the operationalisation of self-assurance across the estate which brings commercial benefit to the business through facilitating smooth and rapid delivery whilst also optimise the utilisation of the cyber security resources.

Sir Dermot Turing explores all these questions, and at the same time tries to get to the bottom of why we are all here, while avoiding all mention of matters nautical.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 1st October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Through the lens of a real-world case study, we will explore the strategic, customer-centric, and technological dimensions of this critical aspect of modern business. Participants will gain invaluable insights into:

• Strategic Business Approach that aligns vision with Identity
• The Customer Journey: Designing for Trust and Convenience
• Technology Implementation: Architecture and Integration
• Lessons Learned: Navigating Challenges and Achieving Success
• The Road Ahead: Future Initiatives and Emerging Trends

The Workshop will conclude with an open forum for participants to ask questions, share experiences, and discuss potential collaborations. Attendees will leave with a comprehensive understanding of a digital identity implementation and will be primed to embark on their own transformative Digital Identity journeys.

The 3rd edition of COSAC LAB will include a riddle focused on Biomimicry in Cybersecurity, incorporating SABSA attributes, security architecture, and creativity. The results of the riddle, including the announce of the winner(s) and other insights, will be presented during the COSAC LAB session.

Details regarding the rules of the game, explanations, awards, and other pertinent information will be provided at the venue.
This 3rd edition aims to provide a creative approach to finding solutions and resolving issues. It will offer an opportunity to engage in activities without consequence, breaking down barriers.

The COSAC LAB is designed to establish a dynamic environment, whether physical or virtual, where individuals can collaborate to explore and build upon ideas and solutions generated during the COSAC Security Conference. This pioneering LAB will act as a fertile ground for cultivating these concepts, providing them with greater potential for further development, publication, and other significant opportunities.

This exercise is distinct at the COSAC Security conference, a lab where various possibilities can be explored, allowing for opportunistic, resistant, and innovative approaches characteristic of its nature.

This approach combines theoretical exchanges with practical application. The laboratory aims to apply its creations in real-world scenarios, with the goal of enabling the creation of innovations in everyday life.

For this edition, I encourage participants to leverage their creativity to its fullest potential.

Remember how easy and fun it was to draw imaginative pictures as kids.

However, as the current political climate around the world demonstrates, logic is no longer always seen as a trusted advisor. Political and religious beliefs are often chosen over science and logic. With this being the new normal in politics globally, it is only a matter of time until businesses follow suit.

Rules, regulations, and policies are increasingly aligned to support political, social, and religious norms, even if they are not the most effective or elegant solutions. Logic is losing ground; more and more people are choosing to listen to messages that align with their worldview rather than the voice of reason. This means we need to change our communication style to gain stakeholder support.

In this talk, we will explore techniques and resources that have helped me adjust my message to difficult stakeholders. Topics we will cover include:

• Making friends first
• Turning enemies into friends
• What’s in it for them
• Active listening
• Using mediation and apolgies
• How to apologize
• The art of losing a battle but winning a war
• Telling a story

As always, I welcome an active discussion so we can learn from each other.

This year we will discuss the impact of AI on our ability to perform different enterprise risk management or Cyber Risk activities. For example, using AI to review logs, or vulnerability information. There are many vendor based solutions now touting “AI”, but this discussion will focus more on how we can build an enterprise risk management strategy that capitalizes on different AI capabilities. This is not prompt engineering for generative AI, although that could be a component of the strategy. As a group we will discuss and develop an enterprise approach for leveraging AI capabilities to improve our ability to manage enterprise risk.

AI is a rapidly developing field that will likely have new capabilities available when we meet at COSAC that do not exist at the time of writing this abstract. Being aware of, and able to take advantage of these capabilities will allow us to make better use of them. Our adversaries are using AI, so should we.

When Boards and Executives ask about the cloud and the organization’s adoption is it IaaS, Saas, or PaaS and how do you address the difference(s) without using those words? How do you discuss the positive and negative risks that cloud adoption introduces and what a shared responsibility really means? How do you address the difference between accountability and responsibility? How do you explain the risks that no longer exist, are no longer part of the organization’s responsibility, and that auditors can no longer assess? How do you assess risks that have been transferred? How do you manage Identity and Access Management and ensure that silos are not created or entrenched?

Which starts the conversation turning technical, or does it? What is the philosophy of the organization as it relates to single or multiple vendors and redundancy? When do you start talking about technical design requirements and the related costs for the components, configurations, operations and maintenance? When do you start considering common security configurations and potential compliance related security requirements?

Can you follow the threads as multiple conversations take place at once? What are your questions as we unpack this weighty and timely topic?

Designed for Security Architects, this interactive session introduces a structured methodology that transforms security services cataloguing into a functional, usable architecture. Participants will engage in Value Stream Mapping and POPIT Analysis to define security services that align with business needs. Using a practical case study—Threat Intelligence Services—attendees will apply the model to security capability development activity, including role definition, procurement specifications, service metrics, and HLD/LLD documentation.

The session also explores the role of AI-driven Large Language Models (LLMs) in accelerating security capability development. A live demonstration will showcase how AI can support the creation of a structured, working catalogue, making the development process more efficient and adaptable.

This half-day workshop equips attendees with a repeatable approach and supporting artefacts to drive the successful implementation of security capability frameworks within their organisations.