COSAC 2024

Sunday 29th September

Sunday 29th
15:00-16:00

Delegate Registration
Sunday 29th
16:30-18:30
The SABSA Institute Forum

The SABSA Institute (TSI) and the TSI Liaison Group (LG) update. The TSI Forum includes a question-and-answer session and an opportunity to meet and interact with The SABSA Institute Board of Trustees (Directors) and LG members.

The SABSA Institute (TSI) and the TSI Liaison Group (LG) update.

The TSI Forum also includes a question-and-answer session, and an opportunity to meet and interact with The SABSA Institute Board of Trustees (Directors) and LG members.

Agenda:

Introduction to TSI (for non-members)

The SABSA Institute update

Liaison Group EMEA & North America update

Liaison Group APAC update

Questions & Answers session

Networking: Meet the SABSA Institute Board of Trustees and Liaison Group Members

Speakers:

Gareth Watters – TSI Board Trustee

Glen Bruce – TSI Board Trustee – Chair EMEA & NA Liaison Group

Kate Mullin – TSI Board Trustee – Deputy Chair EMEA & NA

Kirk Nicholls – TSI Board Trustee – Chair APAC Liaison Group

Advance registration is required, please complete the registration form here.
Speaker(s)

Gareth Watters
Glen Bruce
Kate Mullin
Kirk Nicholls
Sunday 29th
19:30-20:00

Delegate Registration & Drinks Reception - sponsored by Killashee Hotel
Sunday 29th
20:00 onwards

COSAC 2024 Welcome Dinner

Monday 30th September

Monday 30th
09:30-17:30

COSAC Masterclasses are full-day, 09:30 - 17:30
Monday 30th
09:00-9:30

Registration & Coffee
Monday 30th
09:30-17:30
The 23rd COSAC International Roundtable Security Forum

Masterclass M1

The 2024 edition of the Forum will not be generated by artificial intelligence. Instead, the actual intelligence and experiences of the attending delegates will be focused to analyze and solve (not just admire) current and emerging information security issues, many more political or organizational than technical.

This is where the real-world experience (positive and negative) of battle-hardened COSAC delegates adds significant value to the session. Specific technical or vendor-focused solutions might work fine in one environment but fail or be disallowed in another. Historically, delegates have always been willing to listen to and learn from others who’ve encountered things they might not have, not shy about sharing strategies and techniques. In short, committed professionals.

An ancient security dinosaur will moderate as a roomful of you and your peers dig into current events, trends, and publications. We seek solutions or, at least, pathways to solutions. It’s a front window into the conference, a full-bodied immersion in the COSAC way. Divergent viewpoints are not just expected, but welcomed. Reality and professional experience trumps theory.

Come help us shine light on and solve the latest (and some of the oldest) issues.
Speaker(s)

John O’Leary

President, O'Leary Management Education (USA)

John G. O’Leary, CISSP, is President of O’Leary Management Education. A computer security practitioner since 1977, he has designed, implemented, maintained, administered, broken, troubleshot, fixed, re-fixed, managed, consulted on and taught security for networks ranging from single-site to multi-national. Winner of the 2004 COSAC award, the EuroSec 2006 Prix de Fidelite and the 2011 ISC2 Lifetime Achievement Award and the first ever ISS Guardian Award in 2015, his background spans programming, systems analysis, auditing, project management, operations and quality assurance. John taught graduate school at the University of Texas at Dallas for 10 years (yes, there are universities in Texas, some of them even accredited). A few years ago he received breach notification letters from TJX and the VA in the same week. He is still waiting for OPM to reveal that the Chinese now have all his security clearance information. The Target “situation” got him new credit cards. He does not admit to knowing any Russians or CCP members. Although he completely missed out on early bitcoin gathering, the March 2023 Silicon Valley Bank failure cost him nothing. He is firmly convinced that COSAC is the absolute best information security conference on earth.
The 8th COSAC Security Architecture Design-Off

Masterclass M2

Returning for a 8th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment.

This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.
Speaker(s)

Jason Kobes

Sr. Staff Cyber Architect & Research Scientist, Northrop Grumman Corporation (USA)

Jason Kobes works as a Sr. Staff Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master’s of Science in Information Assurance (MSIA) and a Bachelor’s of Science in Computer Science from Iowa State University. Jason holds a SABSA Practitioner of Risk and Governance as well as Architecture. Jason’s areas of research include enterprise risk architecture, accountable anonymity systems and applying actionable enterprise security architecture. Jason is also an adjunct professor at Marymount University for the Criminal Justice department Cyber Crime and Digital Terrorism class.

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Center (USA)

Bill Schultz is a practicing lead security architect who has worked in the Information Technology field for over 20 years, with the majority focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill holds the SABSA Master certification. Bill has implemented security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives at Vanderbilt University Medical Center and has been leading the development of the security architecture for 15 years.
Futures Thinking and Cyber: Modelling Emerging Risks

Masterclass M3

For over a decade we have been undergoing digital transformation with rapidly evolving technology changing the way we live and work. That brings great opportunities for organisations but also bring new threats. This in turn brings challenges for budgeting and planning to manage the risk over multiple years. How do we predict investment to allow us to fully address the security challenges we may face to ensure that we are preparing for the future? Often the business or sales-people sit on 'happy island' when considering emerging technology landscapes whilst many security people sit in 'despondency dell'. This workshop will help us to develop the futures literacy needed to be able to plan for different emerging futures.

Workshop Part 1

This session will provide an overview of futures thinking techniques and approaches. It will cover some of the key theory of futures thinking, providing guidance on the creative process required to rigorously model emerging technologies, to navigate risk versus opportunity, and to manage the tendency to consider the future in binary terms as offering either utopia or dystopia.

These theories and approaches will include an introduction to:

• Futures literacy through narrative

• Futures and systems thinking

• Strategic foresight

Workshop Part 2

This session will look at some of the technical and threat modelling approaches most relevant to cyber security. We will explore how we can most usefully model the economic, societal, political, and cyber threats. This isn’t about doom and gloom but about thinking about broad pressures on thinking. Items covered in this session will include:

• Scenario Planning

• PESTEL and VUCA analysis

• STRIDE threat modelling

• Bow Tie analysis

Workshop Part 3

This part of the workshop will put into practice some of the theory and in groups we will work through some scenarios and futures modelling.

Prizes will be given for the most innovative solutions and a special booby prize given for the weirdest.
Speaker(s)

Siân John MBE

Chief Technology Officer, NCC Group (UK)

Siân John MBE is Chief Technology Officer at NCC Group responsible for intelligence, insight and innovation within the company. Siân has worked in Cybersecurity for 25 years across strategy, business risk, privacy, and technology. She is a Fellow of the UK Chartered Institute of Information Security, Chair of the techUK Cybersecurity committee, and a council member for the Engineering and Physical Sciences Council (EPSRC). Siân was awarded an MBE in the Queen’s 2018 New Year’s Honours List for services to Cybersecurity.

Genevieve Liveley

Professor of Classics, University of Bristol (UK)

Genevieve is Professor of Classics and Turing Fellow at the University of Bristol. As a narratologist, she has particular research interests in stories and their impact on futures thinking – especially in the context of emerging technologies and cyber security. She is the Futures Challenge Fellow for the UKRI’s Digital Security by Design (DSbD) Discribe Hub+ programme, and is Director of RISCS – the UK’s Research Institute for Sociotechnical Cyber Security.
Resilience: From Hardware to Humans and Everything in Between V2

Masterclass M4

Building on last year’s success the team decided to upgrade the “ From Hardware to Humans and Everything in Between” course. Resilience is widely considered the antidote to many of the problems that plague cybersecurity. The problem is that resilience definitions vary, and solutions typically fail to address all aspects of resilience, thereby resulting in a significant variety in security profiles of “resilient solutions”.

This year we decided to upgrade the workshop by including a practical discussion based on a real living network.

This 4-part workshop opens with defining and discussing the challenges of how to identify, measure and improve resilience in existing environments. We set the overview for each day by introducing each of the areas covered to include hardware, operating systems, software, networks, data, users, and residual security gaps, using the framework of “as is”, “to be” and “reality”. The workshop will center around the Living Lab Network, a student real world laboratory housed at Purdue University Indianapolis.

Part 1: What’s new with 2.0? Like releases, this has not been tested. We open with a discussion of the exemplar network. We will examine the network from various viewpoints, noting where the 4 Rs of resilience are already present, and identifying residual gaps. We also will discuss the high level overview (OV-1), the goals of the institution and how the Living Lab Network supports those goals.

Part 2: Part 2 dives into the hardware, firmware, and IoT devices. Understanding fault rates, failure rates, supply chains, vendor data, and transparency goals will be explored. These values will be applied to the exemplar network within the “as is” followed by steps to get to the “to be” state, and finally concluding with the “reality state” where financial concerns are reconciled with risk tolerance..

Part 3: Software & Data Resilience – We will open with a discussion on software resilience (or lack thereof), and reliability. We will discuss secure coding, DevSecOps and other software security solutions along with their effectiveness. After discussing software we will move onto data resilience. Trust, privacy, and data fidelity have various points of potential vulnerability and exploit, which are not easily solved. Using the “as is” followed by “to be” and finally the “reality”state we examine how data can be both trustworthy and resilient. We will discuss the various complexities with this to explore different approaches to trust, privacy and data fidelity determining how we can achieve better transparency with regard to trust and privacy.

Part 4: Intelligence: Artificial (AI) and Human(HI) and Policy Resilience – AI continues to expand in cybersecurity. What are the strengths and limitations? Where do AI outperform HI and where does HI outperform AI? Training, education, decision-science using the “as is” followed but “to be” and finally the “reality”state. How do cognitive models work in the resilience framework? Should ethics be included in this analysis? How can different cognitive models be navigated in the HMI? What is possible through understanding the human mind, and how can this knowledge inform policies and procedures? What guardrails are in place to address various biases with the models? What are the requirements to remove flawed cognitive data?
Speaker(s)

Lynette Hornung

Principal Security Architecture Manager, Iowa State University (USA)

Lynette Hornung is a Principal Security Architecture Manager at Iowa State University. She has her MS in Information Assurance from Iowa State University, CIPP-US and SABSA security architecture certifications. Senior Member of IEEE. She enjoys researching a variety of topics in information security, such as Artificial Intelligence and its many complexities, such as ethics, privacy and security. She likes to study and analyze the many aspects of security architecture, cybersecurity, financial technology and the intersection with the legal landscape and geo political events.

Char Sample

Professor, Marshall University (USA)

Dr. Char Sample is a cybersecurity researcher and professor at Marshall University where she currently teaches Cybersecurity and Computer Science. Dr. Sample has over 40 years of industry experience beginning in software development, through product test and integration, and finally as a researcher (both applied and academic). Dr. Sample’s research areas are all cybersecurity related with an interest toward cybersecurity decision-making. Past projects have focused on the influence of cultural values on cybersecurity, cyber deception including but not limited to “fake news”, and AI/ML vulnerabilities. Other research areas include data resilience, cyber- physical systems and industrial control systems.
Monday 30th
11:05-11:30

Morning Coffee
Monday 30th
13:00-14:00

Lunch
Monday 30th
15:35-16:00

Afternoon Tea
Monday 30th
18:30-19:00

Drinks Reception
Monday 30th
19:00

Dinner (sponsored by GDB Cyber Security Consulting) & Traditional Irish Music

Tuesday 1st October

Tuesday 1st
09:00-09:30

Registration & Coffee
Tuesday 1st
09:30-10:20
Where Do We Test From Here? Building An Evergreen Protected Security Ecosystem

Session 1A

Technical assurance and vulnerability management have been parallel but complementary functions in organisations for a number of years. Technical assurance has included: testing the security of a system including penetration testing, hardware assurance, and cryptographic testing; compliance driven testing including web application testing and PCI/DSS; and now regulatory testing required by schemes such as CBEST, TIBER, and DORA including full threat led red team testing.

In parallel the vulnerability management world has grown from vulnerability scanning, to vulnerability management, then proactive testing as part of the DevOps process with DAST and SAST, and now into continuous controls monitoring.

We’ve also seen the growth in expectation around the use of automation and machine learning in testing with automated stress testing with low setup cost high agility approaches popularised by Netflix and Google becoming more popular as vendors offer tooling to enable this.

This is creating pressures on traditional testing and assurance services and merging the capabilities with continuous controls monitoring to build success. This session will consider this journey, the move towards continuous controls management and looking to automate remediation as well as testing.

It will address some key questions including:

• How should be looking to build an evergreen and secure ecosystem

• when automation is useful and when it is not and

• whether we can achieve that aim of proactive cyber defence considering how we combine technology with human expertise, context and insights to ensure an organisation is as resilient as possible.
Speaker(s)

Siân John MBE

Chief Technology Officer, NCC Group (UK)

Siân John MBE is Chief Technology Officer at NCC Group responsible for intelligence, insight and innovation within the company. Siân has worked in Cybersecurity for 25 years across strategy, business risk, privacy, and technology. She is a Fellow of the UK Chartered Institute of Information Security, Chair of the techUK Cybersecurity committee, and a council member for the Engineering and Physical Sciences Council (EPSRC). Siân was awarded an MBE in the Queen’s 2018 New Year’s Honours List for services to Cybersecurity.
Today’s CISO: Behind Closed Doors or Behind Bars

Session 1B

CISOs have been in the hot seat lately, as evidenced by charges levied by the U.S. Securities and Exchange Commission in October 2023 against Solarwinds and CISO Tim Brown for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities”, in that he overstated the cybersecurity practices and understated or failed to disclose known risks.

In May 2023, Joe Sullivan, Former CISO for Uber was sentenced to three years’ probation and ordered to pay a fine of $50,000 USD, after being found guilty of two felonies, one for obstructing justice by not revealing the breach to the FTC and another for misprision (concealing a felony from authorities).

This session will discuss the current state of the CISO, these cases and their implications, the approaches the CISO should take to avoid prosecution, and the insights from the CISOs. The presenter has had one on one interviews with both the CISO from Solarwinds, as well as the Former CISO from Uber (after the conviction) and can share these perspectives. The session will be interactive as we discuss these cases, as well as the security program itself, and where else the CISO may become liable in the future.

For several decades, the presenter has used an innovative approach to delivering content – props, videos, sound, and audience participation to create a memorable entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker and ISACA top-rated speaker.
Speaker(s)

Todd Fitzgerald

CISO, Cybersecurity Leadership Author and Advisor, CISO SPOTLIGHT, LLC (USA)

Todd Fitzgerald promotes CISO/CPO leadership via advising CISOs, advisory board participation, podcasts, and international speaking engagements. Todd founded the successful CISO STORIES leadership podcast and hosted the first 190 episodes. Todd authored 5 books, including #1 New Release (2024) Privacy Leader Compass: A Comprehensive Roadmap for Building and Leading Practical Privacy Programs, and #1 Best-selling (2019-2024) and 2020 CANON Cybersecurity Hall of Fame book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers. Named 2016–17 Chicago CISO of the Year, Todd’s senior leadership positions include Northern Trust, Grant Thornton International, Ltd, ManpowerGroup, Wellpoint/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines. Todd earned MBA with highest honors from Oklahoma State University, Business Administration from UW-Lacrosse, and certifications of CISSP, CISA, CISM, CIPP/US, CIPP/E, CIPP/C, CGEIT, CRISC, PMP, ITILv3, HI TRUST, and ISO27000.
Help! Business Requirements During the Energy Transition

Session 1S

Just a normal day for the security architects at a DSO (Distribution System Operator) being in the midst of the Energy Transition Race.

Time for an Enterprise Security Architecture upgrade.

The journey starts on the contextual layer of the Business, right?

The journey starts on the contextual layer of the Business, right?

The Business context.

Right?

Cool. “Dear business, can I see your documents, your requirements?”.

“Oh, you’ve just released OGSM’s containing loads of items and performance targets on KPI’s?”. Thanks, we will analyze those.

But wait… these don’t really align to what’s been described as business targets and some of it conflicts with the Strategy we’ve seen in the presentations.

“Can we have a quick chat about this?” –silence–

We better team up with the EA team, as it turns out they are ahead, and we can piggyback on their relationships with the business.

And then when you’ve just established an opening with the business, they re-organize. The person you had on your side is now focusing on a different area.

What next?

In this highly interactive session we would like to present our challenging journey, discuss our observations, our challenges and learn from the participants how we can do better, what should be our next steps.
Speaker(s)

Raymond Van Dijk

Security Architect, Alliander (Netherlands)

Raymond is an Enterprise Security Architect at Alliander. He believes that in today’s complex (cloud, agile and (partly) outsourced) environments it is imperative that security is built-in and strives for business enablement. He is using the digital transformation to improve the usability of security and push for security innovation.

Rob Epskamp

Security Architect, Alliander (Netherlands)

Rob believes that security architecture should be designed to support business goals and objectives. Making new solutions and technologies possible with a risk-based approach. With a reliance on digital technologies, and an evolving landscape, there is a need for a more strategic integration. Flexibility and adaptability are necessary to quickly adjust security measures in response to emerging threats. Agility is essential to respond to new challenges. Close collaboration with security teams and other business units will ensure that security measures are aligned with business priorities.
Tuesday 1st
10:25-11:15
Turtles All The Way Down

Session 2A

System hardening plays a pivotal role in bolstering cybersecurity defenses, and the adoption of immutable operating systems coupled with containerization technologies offers a promising approach for organizations requiring flexible solutions, which can scale with the enterprise. This presentation delves into the benefits and challenges associated with utilizing an immutable operating system with multiple independent containers, while also examining the distinctions between various containerization technologies including separation kernel technologies, virtual machines, Docker containers, and Kubernetes containers.

Immutable operating systems, characterized by their unmodifiable nature once deployed, provide inherent security advantages by reducing the attack surface and minimizing vulnerabilities associated with system modifications. When combined with containerization, which encapsulates applications and their dependencies in isolated environments, organizations can achieve enhanced security, scalability, and resource efficiency.

However, the choice of containerization technology influences the efficacy and suitability of the overall architecture. Separation kernel technologies offer strong isolation between containers at the kernel level, ensuring robust security but often at the expense of flexibility and performance overhead. Virtual machines provide greater isolation through hardware emulation, but their heavier footprint may impact scalability and resource utilization.

In contrast, Docker containers offer lightweight virtualization with efficient resource utilization, enabling rapid deployment and scalability. Kubernetes containers provide orchestration capabilities for managing containerized applications at scale, offering features such as auto-scaling and self-healing.

In discussing these options, a notional architecture that combines the strengths of immutable operating systems with flexible container and orchestration options will be proposed. This architecture leverages the security benefits of immutability while harnessing the flexibility and scalability afforded by containerization and orchestration. A list of candidate applications and operating environments/systems will also be provided as a starting point for further study.

By adopting such an architecture, organizations can establish a robust cybersecurity posture characterized by enhanced resilience, agility, and scalability, while mitigating potential risks associated with system hardening and containerization technologies.
Speaker(s)

Rob Hale

Fellow, Information Operations, Lockheed Martin (USA)

I have been teaching Governance and Compliance at Boise State since 2022 and have been working in the Cyber Security and Information Operations career field for over 35 years. I have been a Fellow at Lockheed Martin since 2008, where I lead cyber security architecture and integration efforts for the 5G.MIL(TM) program. I have also led a number of certification and accreditation efforts for customers in the law enforcement and intelligence communities.
A Clockwork CISO

Session 2B

In January of 2015 a qualified academic was appointed as the Finance Minister of Greece with a mandate to renegotiate a disastrous programme that had sent the deficit of Greece further into the red. Upon his second meeting with the “troika” (decision group) he was told by one of the powerbrokers of the Eurozone “Elections cannot be allowed to change an economic programme of a member state!”.

Many times, per month, quarter, or even per year, qualified information security professionals are appointed as Chief Information Security Officers the world over. They are armed with a mandate to negotiate, steer, traverse (choose your verb) organisations to uplift their cyber security programs and capabilities, to hopefully manage cyber risk and enable opportunity. Upon starting they are often told by their stakeholders (typically C-suite, sometimes the board) that they have no budget, save for whatever may have been allocated to the role for years, but they are expected to materially turn around the security posture and culture of the organisation within 12 to 24 months, if they’re lucky.

To quote that Finance Minister: “It’s lunacy”.

This session will look at the challenges faced by the role of a CISO, through the lens of Europe’s post-GFC crisis, and the absurdity that is commonly faced by leaders in information security who are tasked with an immense, complex challenge with both arms tied behind their back.

The aim is to have a discussion with the audience and posit pragmatic ideas on how a CISO may manage such futility so as not to find their mission over before it even begins.

In other words, unlike the radical, ‘game theory’-loving Finance Minister, can the CISO find a way to avoid further “austerity” and make a positive impact on the organisation’s cyber security.
Speaker(s)

Steven Kintakas

Practice Lead - Architecture, Astralas (Australia)

Steven is a cyber security professional with a career spanning over 22 years of experience across a range of industries including finance, energy & utilities, resources, transport, manufacturing, government, health, education, and telecommunications.

Practice Lead of security architects at Astralas, Steven is a practitioner and leader focused on building trust. In providing business-driven and outcome-based value to manage risk effectively, Steven has contributed to the improvement of cyber risk management across many ASX-listed companies and some of Australia’s largest organisations in fields such as security architecture & strategy, managed services, incident response, research and development, and technical solutions and controls.

Previously a Director and sector leader within Deloitte Australia’s Cyber practice, he has also held various leadership and technical positions at Computer Associates, CGI, Fujitsu Australia, Dimension Data, and Zimbani.

A Deakin University alumnus, having double-majored in computer science and information systems, Steven’s post-nominals include: SCF, CISSP, CISM, CCSP, and CDPSE.

Steven is currently the Board Secretary of the ISACA Melbourne Chapter, a return speaker to the COSAC conference having previously presented in Ireland & Melbourne, and a regular speaker at AISA’s Australian Cyber Conference.

An avid supporter and member of the Geelong Football Club, he is passionate about enjoying good food & drink (in particularly wood-fired cooking) with his family and friends.
Building Cloud Architectures Top-Down: Aligning with Business Motivations

Session 2S

While major cloud providers offer comprehensive reference architectures for implementing functional technical structures such as landing zones, these models often lack direct alignment with core business motivations. This misalignment frequently results in architectures developed from the bottom up, focusing on technical specifications rather than strategic business outcomes.

Such an approach can meet technical requirements precisely yet fail to deliver on security and operational efficiency due to poorly defined service management and the absence of an effective operating model.

This session proposes a different approach using a top-down, business-driven approach to cloud architecture. It will outline a method for using business motivations and objectives to drive cloud strategy and design, ensuring that the technical deployment of cloud environments inherently supports and enhances business goals.

Participants will learn how to:

• Consider cloud architecture design from a business perspective, ensuring that every technical decision is made with strategic objectives in mind.

• Implement frameworks and methodologies that bridge the gap between business leaders and technical teams, fostering a shared understanding and vision.

• Develop effective service management practices and operating models that are tailored to the business, enhancing security, efficiency, and adaptability in cloud environments.

Through real-world examples, this session will demonstrate how a business-driven approach not only mitigates the risk of misaligned cloud implementations but also creates an architecture which spans all 6 of the SABSA layers rather than just the Component and Physical layers which the cloud vendors would lead you to believe is enough. Attendees will leave with practical strategies for delivering cloud architectures that are operationally secure not just technically.
Speaker(s)

Rob Campbell

Enterprise Security Architect, PA Consulting (UK)

Rob Campbell is a seasoned Enterprise Security Architect with nearly 30 years of experience in cyber and information security. Passionate about advancing the profession, he focuses on innovating security architecture approaches and enabling knowledge-sharing among practitioners.

Rob has developed practical tools, methodologies, and frameworks to help architects navigate complex enterprise environments. His expertise spans security architecture, risk management, compliance, and incident response, with a strong focus on aligning security strategies with business objectives.

At COSAC, Rob shares his deep technical knowledge and pragmatic insights, providing actionable takeaways for building resilient and future-proof security models.
Tuesday 1st
11:15-11:35

Morning Coffee
Tuesday 1st
11:35-12:25
Laying The Groundwork for Quantum Resilience

Session 3A

Quantum Computing is going to be the next disruptor that has a potential of turning security upside-down. I like to draw a parallel with AI and ML, that were discussed and researched for many years, until a sudden breakthrough that has rapidly accelerated the adoption and resulted in disruption we see today.

The same will happen with Quantum Computing, but there is an important difference – while the use of AI introduces new attack surfaces, the advancement of QC disrupts and invalidates current defences, which is much harder to tackle post-fact.

In this session we will gain a common understanding of quantum computing and challenges it brings. We will then look at specific threats to the way we use and rely on traditional encryption to protect long term secrets. Using SABSA, we will identify a number of practical things organisations could do in order to achieve ‘crypto-agile’ architecture that will enable them to manage the risk of current defences becoming obsolete.

NOTE: This is not a lecture in physics or mathematics, the session is practical in nature and examples I will be sharing are from real-world implementations.
Speaker(s)

Anton Tkachov

Managing Director - Cyber, PwC (UK)

Anton is leading the Cyber Security Architecture and Transformation for PwC and has been with the firm for more than 9 years. Prior to that, he has been delivering security transformations as a consultant, and running security architecture team as part of his industry role at a blue chip financial services organisations.

Anton is an active member of leading architecture forums. His passion, experience and interest lies with the ‘enterprise’ architecture which allows him to solve security problems by looking at those from a diverse set of perspectives, considering opportunities for the business (not only risks) and simplifying things.

The most enjoyable aspect of Anton’s client work is around connecting with the like-minded architects to solve problems.
The New KPI On the Block: Outcome-Driven Metrics

Session 3B

If you’ve been keeping up, the latest buzz in the IT and cybersecurity world is the adoption of Outcome-Driven Metrics (ODMs). These metrics aim to measure the effectiveness of specific investments in a way that bridges the communication gap with the boardroom. Their purpose is to enable stakeholders to directly link cybersecurity investments to the levels of protection delivered. Importantly, ODMs are designed to be easily explainable to non-IT executives, using clear and simple language.

While this all sounds promising, it’s natural to wonder if it’s too good to be true. That’s why I’ve decided to use them. In this interactive session, I’ll share my experiences and views on ODMs, and in good COSAC fashion, we’ll examine them and address the following questions.

1. How do they work?

2. How do you implement them?

3. In what scenarios are they likely to work?

4. In which scenarios will they fail?

5. Can they track return on investment?

6. Can they track effectiveness?

7. Are they likely to be biased?

8. Are they just old wine in new bottles?

Are you curious? Let’s dive in.
Speaker(s)

Karel Koster

Manager Cyber Security, FedEx Express Corporation (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information roles. He currently manages a global information security team for FedEx.

Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies. Karel is a People, Process and Technology person, in that order.
The Information Security Program Framework – What You Didn’t Know You Needed

Seesion 3S

Now that your SASBA security architecture is effectively managing and governing the risks to your organization and enhancing the business value, what does it actually look like? Is it something that anyone can easily recognize and understand their responsibilities in relation to what has been implemented or is it operating “under the covers” and is assumed to be mostly technology? Your SABSA security architecture is now operating as your Information Security Program and you need something to “glue” all the various artifacts, processes and responsibilities together into a framework that you can see and easily manage.

An Information Security Program Framework is a reference point for the collection of artifacts, processes and responsibilities that support the ongoing operation and management of information security governance, architectures, vulnerabilities, threats and risks, resilience, remediation and reporting processes, as well as adapting to the shifting business requirements. The Framework is used; as an anchor point for discussion and decision, as the reference for managing the collection of RACI charts to illustrate everyone’s role in the security program, and illustrates how a business decision becomes a requirement to be incorporated or accommodated into the information security program. The Framework becomes the anchor point for the security services from your services catalog if you have one.

This session will outline the need, value and use of an Information Security Program Framework and how you can define one and put it to work for your organization. We will identify the attributes of an effective Framework and the various framework components and connections to consider. There are various frameworks and standards available but the one-framework-for-all seems to be elusive. We will look at several sources and references to draw from and discuss the considerations for defining and using an effective Framework that is right for your organization. An Information Security Program Framework should represent the operation of your SABSA Security Architecture. Do you already have one or more frameworks in your own organization and have some insights to share? Maybe together we can put frameworks to better use.
Speaker(s)

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

In his 50+ years of in-depth experience in IT and security consulting, systems management and technical implementations, Glen Bruce has focused on Security Frameworks, Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has led many information/cyber security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of a wide range of business and technical requirements. Glen is the leader of the SENC workgroup project.
Tuesday 1st
12:30-13:20
The Path from Offsite Backups to Real Resilience (via COSAC)

Session 4A

“Do you have offsite backups?”

I’d answered this due diligence question many times before, always with the same answer – encrypted backups, on tape, stored offsite, in a dedicated third-party storage facility. But when I saw it last year, I realised this answer and even the question were out of date. These days almost everything we do is offsite with a major cloud provider.

We take advantage of their high availability, distributed data storage solutions. Is that equivalent to the old offsite backup control, or is it better? I wasn’t sure we could explain that to ourselves yet.

Over the next couple of months, I started digging around the topics of backups and recovery. So, when I attended COSAC 2023, I was keen to join the Masterclass session on Resilience: From Hardware to Humans and Everything in Between. By the end of that day, I had a new view of what resilience means, and I realised I wasn’t asking all the right questions. Spoiler alert – it’s not all about backup and recovery!

In this talk I will describe an initiative to clarify what resilience means in our organisation and what it should look like. I’ll describe how we got started down this path, the questions it is raising, how we’re responding, what we’re learning, and where I think the path takes us next. This is a real-world example of responding to an idea sparked by a day at COSAC and the impact that might have.
Speaker(s)

Gordon Jenkins

Head of Security Architecture, Admiral (UK)

Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 25+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 14 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.
Annual Reports: Security by Obscurity on Steroids

Seesion 4B

According to the Dutch Corporate Governance Code, Supervisory Boards should take care to consider the impact of new technologies and cybersecurity on their long-term value creation strategy, and include cybersecurity, supply chain dependencies and data protection in their risk management.

This aligns with new European regulation like NIS2 and DORA, that put forward much more stringent requirements for board members on having knowledge about and being accountable for cybersecurity or they risk of being held personally liable. These new requirements come at a time when 13% of the Top 100 Dutch Board Members have had any dealings with IT in their career, and only 1% has indirect experience with cybersecurity.

This is reflected in the way most of them talk about cybersecurity in their annual reports – a section that is often missing or minimized. “Cybersecurity is a top priority for us” and “we have done many things to improve cybersecurity the last year” are about as much food for the thought the average annual report gives its reader. Although presenting information about the state of cybersecurity potentially puts a target on the back of a company, security by obscurity should never be the answer.

Investors and citizens have a right to know how well-guarded their information and the continuity of the organisation is from a cybersecurity perspective. Many organisations, even critical infrastructure, seem to conveniently neglect the systemic risk to society of them being unable to operate for multiple days like with a ransomware attack. We need to understand the likelihood of that happening, how the organisation is addressing those risks and whether there’s a plan B.

This session contains the following segments with the aim of providing attendees with the ammunition to challenge cyber security public reporting in their organisation:

A passionate plea for why not sharing the state of cyber maturity and resilience is harmful to society and ought to be delivered through a standardized reporting mechanism.

A round-up of cybersecurity reporting requirements of major corporate governance codes around the world.

A deep dive into the state of cybersecurity reporting in the annual reports of major Dutch companies, with some best-in-class examples.

A proposal for and discussion with the audience on which cybersecurity elements should be reported on and disclosed, without causing harm to the company.

Guidance and a call for action to the audience who can play a leading role as subject matter experts in moving their organisations to enhance cybersecurity reporting.
Speaker(s)

Esther Schagen-Van Luit

Chief Security Advisor NL, Microsoft (Netherlands)

Esther Schagen-van Luit is the Chief Security Advisor for the Netherlands at Microsoft, where she helps Chief Information Security Officers and policymakers from leading private and public organizations in the Netherlands adapt their security strategies and policies to support their business to seize opportunities with digital transformation. Previously she served as the European Principal for the Information Security Forum, Chief Information Security Officer (CISO) of Deloitte Netherlands, Dutch Caribbean, Belgium and Deloitte Legal, and as cybersecurity strategy consultant with Deloitte Netherlands and UK. She takes a special interest in cybersecurity governance of executive and supervisory boards, and diversity and inclusion in the cybersecurity industry.
The Impact of Cyber Trends on Security Architecture into 2025

Session 4S

In the fast-paced world CxOs are generally seeing their cyber security position improving in their organisations, but continue to face considerable challenges. A number do not see that increasing the security technology foot-print in their business as the answer, and staff attrition, and rapid adoption of the cloud continue to cause great concern and uncertainty.

Furthermore, the cyber landscape itself is changing. Regulation through NIS 2, Telecommunications Security Act (TSA) and Digital Operational Resiliency Act (DORA) have emerged making cyber much more directly financially impacting. New technologies and innovative working (e.g. AI) is creating more and different risks to be responded to, and the industry of ‘threat’ continues unabated.

But how does enterprise security architecture respond to these, and if it does, how might it have to think differently or apply itself differently to best support the enterprise?

This 40 min presentation explores these trends, the application of SABSA and Q&A covering:

a. Cyber trends and emerging technologies.
b. How these trends impact our thinking as ESAs.
c. Where does SABSA support overcoming these trends for stakeholders and where does our focus in SABSA need to shift.
Speaker(s)

Jonathan Cassam

Cyber Security Senior Manager, PwC (UK)

Jonathan is a Senior Manager in the PwC Cyber Security practice with diverse experience across both public and private sectors helping organisations tackle some of their most complex security challenges. He also leads our Secure-By-Design proposition and works with a number of clients to securely delivery solutions.

Jonathan has proven delivery capability and offering real value to businesses with experience that covers a broad range of areas including, strategy, architecture, policy and procedures and training, with particular focus on security architecture

Sophia Mexi-Jones

Security Architect, PwC (UK)

Sophia is a Senior Associate at the Cyber Security Practice at PwC UK with a keen focus in architecture and engineering. Her main experiences and interests lie in cloud security working with a range of different cloud specific technologies such as kubernetes. Her work spans across different industries such as private sector, public sector and governmental bodies.

Sophia has a strong technical background with a MsC in Cyber Security. Her focus within architecture lies with threat modelling where she has focused on a range of systems such as Cloud to Operational Technology. Asides for this, Sophia has a wide range of knowledge of various cloud platforms such as Google, AWS and Azure.

Sophia is an avid speaker at various security/technology conferences and aims to continue to spread her knowledge in cloud security and threat modelling.
Tuesday 1st
13:20-1400

Lunch
Tuesday 1st
14:00-14:50
From Compliance Management Towards Risk Management

Session 5A

A case study of the Dutch Government

The legislation and regulations for the use of Cloud applications for the Dutch Government have changed significantly in recent years. While in the past it was not done to store or process data in the cloud, the current policy is based on Cloud for certain confidential data, as long it is done in a secure manner. One of the conditions set is that a targeted risk assessment takes place and the correct measures are taken to protect the data.

The content of the presentation is about a case at the central government in the Netherlands of how a targeted risk analysis was carried out, what lessons were learned and what steps are being taken to streamline this process.

The case will mainly focus on which elements are used in the risk analysis, how risks are constructed, which positive or negative effects a risk entails and how security control frameworks, GDPR, Cloud Acts and other legislation are dealt with. In addition, selecting and adapting a risk analysis methodology is an important part of the case. SABSA can help us in selecting the important elements within risk assessments.

Lessons learned:

– Risk analysis methods and the risk management process

– Risks when using the Cloud.

– Legislation for processing data in the Cloud and information security aspects
Speaker(s)

Edwin Vos

Principal Consultant, Nivo (Netherlands)

Edwin is a principal consultant at Nivo, working for more than 35 years in IT. His main focus is architecture and IT security. As a consultant he worked for many large companies within the Netherlands. The last years focusing merely on the Dutch Government. His interests lies in the unknown things.
Cyber Misfits and the SABSA Founders Bursary

Session 5B

Recipients of the Bursary award share their personal experiences embarking into their cyber journey and how the Bursary helped shape their career transition and welcome them into a global community.

Sharing the love. In 2020, Ghariba Bourhidane and Clara Grillet started career transitioning in cybersecurity by following courses. In 2022, their cyber career go deeper and was boosted by receiving the first ever SABSA Founders Bursary award.

Sharing the love. In 2020, Ghariba Bourhidane and Clara Grillet started career transitioning in cybersecurity by following courses.

Two years later, they want to share feedback on how the award was seminal in making their career transition successful:

– Certifications like SABSA are a major plus for job-seekers

– COSAC values out-of-the-box problem-solving where non-traditional profiles feel welcome

– Exposure to professionals with diverse life paths builds self-confidence and give value to non-technical skills

– Profound sense of belonging from joining a well-established community

– Receiving an award alleviates impostor syndrome and self-deprecation

Being part of the SABSA community gave them additional tools to facilitate and secure their sense of belonging to the cyber community.

Highlighting value. Non-traditional profiles bring new approaches and innovative thinking. They draw on diverse soft skills that can lift hurdles in interpersonal relationships and team projects. Hiring managers, coworkers, company culture and HR staff can all play a role to attract, welcome and keep atypical practitioners.

Thinking back and paying it forward. In this session, we share personal stories that show the immense value of the SABSA Founders Bursary for newcomers to cybersecurity. We will interact with the audience to encourage them to share their own experiences either being a newcomer themselves or working with newcomers. We will interrogate how each team can support inclusion so non-traditional colleagues in the broadest sense (nationality, gender, academic background, past experiences,…) thrive.
Speaker(s)

Ghariba Bourhidane

CyberSecurity Consultant, TreeBridgeMosaic srl (Belgium)

Ghariba Bourhidane is a dreamer, sensitive and unconditional coffee lover. She is currently working as Cybersecurity Consultant providing services security risk management, cybersecurity culture and giving deeper experiences advice in security awareness, topics which drive her passion for the cybersecurity field.

Recently volunteering as TSI Community Manager, she previously worked as Deputy CISO of an insurance group by managing the Third-Party Security Risk concept, dealing with IT project security aspects, being responsible for IT-Security communication and becoming a security awareness specialist.

She has completed two university degrees in Business Sciences and in Business Financial Engineering.

Clara Grillet

Cyber Threat Intelligence Analyst, Centre for Cybersecurity Belgium (Belgium)

Clara Grillet holds political science and law degrees but quickly found herself drawn to cybersecurity for its intersection of IT, economics, strategy and (geo)politics. As a cyber threat intelligence analyst, she enjoys delving into complex and dynamic situations. Clara is a keen public speaker on matters related to cyber threat intelligence and ransomware. She is also a teacher with Cyberwayfinder, a Benelux-based cybersecurity school for adults looking to transition professionally into cybersecurity. Prior to this, Clara worked in the financial and data protection sectors.
Reimagining A Robust Supply Chain Security Architecture Leveraging SABSA

Session 5S

Global supply chains are undergoing massive strains in 2024 due to geopolitical conflicts, rapid technological evolution and regulatory changes that pose challenges to organizations irrespective of the industries they operate in. The extended supply chain for hardware suppliers and service providers spans several countries and continents while the sprawl of software components and open-source projects further increase the sophisticated nature of supply chain attacks.

Another internal challenge for organizations is the governance and ownership of supply chain security which is usually shared amongst security, procurement and legal teams. Securing the supply chain and ensuring uninterrupted business operations have become top of mind for business and security leaders in their day-to-day job responsibilities.

In this interactive session, we will discuss a real-life case study of a Canadian multinational financial services company where the challenge was to securely manage the organization’s supply chain across the 36 countries it was operating in. For this organization, we leveraged and applied SABSA principles to build in traceability from the key business objectives of the executive stakeholders to the specific security services, mechanisms, and components that every security and procurement teams needed to incorporate to secure their supply chain. These security components were utilized to build a supply chain architecture that weaved in governance for the security and procurement teams involved. The result is an adaptable security architecture that is used by security teams as well as business objectives that matter to the CEO and Board.
Speaker(s)

Pradeep Sekar

Managing Director, Optiv Security Inc. (India)

Pradeep Sekar is a seasoned cyber security leader who has worked closely with and guided Fortune 100 and Fortune 500 Chief Information Security Officers (CISO), Chief Information Officers (CIO) and their teams across various industries on developing and sustaining a secure, adaptive and robust cyber security program. His unique expertise includes the delivery of innovative cyber strategy solutions and benchmarking insights for global organizations as they look to transform their cyber programs.
Tuesday 1st
14:55–15:45
Empowering Colleagues, Securing Success

Session 6A

Admiral Group Plc is a UK-based insurance group that provides a range of insurance products and financial services to over 9 million customers worldwide. In 2018, Admiral embarked on its cloud journey to achieve its strategic vision of becoming a data-driven organisation and leveraging its customer base and data for a competitive advantage. In this talk, I will share how we built, secured, and scaled our capabilities, and discuss the challenges we faced,

the lessons we learned, and how that lead us to rip up the rule book on Security Engagement and develop a de-centralised and democratic approach to securing our investments into cloud by making it everyone’s responsibility and the cultural changes this forced.

We will cover three main topics: What led to us deciding to move to Cloud? how we initially approached securing our cloud environment and how we realised that this approach was wrong and the steps we took to create a de-centralised security model and finally what this looks like and how we would approach it if we were going to do this again.

The Key take aways for the audience will be how to approach this type of model, What benefits this model can have on an organisation and what are the pitfalls of doing it.
Speaker(s)

James Chinn

Enterprise Cloud Security Architect, Admiral (UK)

As the Enterprise Cloud Security Architect for Admiral Insurance in the UK, I bring more than a decade of cloud computing expertise to the table. In the last 7 years, I have worked with Fintech companies of all sizes, from startups to FTSE 100 Giants. I shape the vision and strategy for cloud security at Admiral, and I have shared my insights and hosted events in the industry as a security Architect.
How to Nurture Effective Security Teams While Tapping into Diverse Talent Pipelines

Session 6B

This presentation aims to demonstrate the benefits of onboarding diverse profiles to security teams. It is part of a continuous effort to formulate a framework which helps security teams perform better while optimising diverse skill sets already present in the organisation. This presentation will provide proof-of-concept on how an internal talent pipeline has given professional growth opportunities to staff with the relevant transferable skills while also making the security teams more effective.

Complexity is in the nature of the problem (securing an organisation and building cyber resilience), as well as in the complex tasks needed to address them (high-dimensionality and high-interdependencies).

The number of tools and the combination of tools being used in the industry, and the introduction of new technologies – all these change at an incredible pace. Teams need to be agile, flexible and adaptive, and need both a broad, as well as deep knowledge of various domains in order to work with diverse stakeholders. How do we face complex challenges with a limited team budget for human resources and the seemingly small talent pool?

“In complex adaptive systems, diversity makes fundamental contributions to system performance.” – Scott E. Page

Building diverse teams with the necessary skill sets to meet these challenges and adapt to the changing tech and threat landscape is necessary – but also not an easy task. The question is how.

Through the lens of the PPT framework:

The success of organisations are tied to talented people and effective teams – and how well they can adapt to a complex business environment by managing the the dynamic nature and interdependencies of these three components:

• People (human weaknesses, strengths – identifying potentials, highlighting current skills and understanding competencies needed, optimising the skill set of a team),

• Processes (business landscape is changing with demographics and innovations, risks in the supply chain are increasing), and

• Technology (disrupting industries, way of working and living).

How can we enable our teams to manage challenges involving the the above three

components?

Through the lens of “Quality of Hire” indicators:

Organisations must learn to work with uncertainty, and manage talent and resources when the long-term nature of the present skills shortage is considered a major security threat. Success depends on hiring, managing and retaining talent and resources within security teams – while also learning how to make these teams highly effective.

For this, hiring managers need to have an understanding of how to measure the effectiveness of teams, in order to create a strategy for improvement and optimisation.

The use of “Quality of Hire” indicators may provide a way to determine an effective talent recruitment and retention strategy, while creating a reliable pipeline for atypical profiles with relevant transferable skills into the different security teams.

This presentation will focus on three indicators (Performance, Tenure and Engagement) as a guide to creating a clear picture of how well a team works and adapts to a highly dynamic environment.

Promoting Reskilling: Could promoting cognitive diversity – reskilling diverse profiles with transferable skills – be a sustainable answer to addressing the skills shortage in the industry, while also providing a way to address the challenges in the complexity of the challenges?
Speaker(s)

Rosanna Kurrer

Educator, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.
Modelling Uncertainty and Building Cyber Resilience

Session 6S

The ever increasing reliance on technology has drastically shifted how organisations function. The interconnectedness and convergence of the digital solutions, together with the business opportunities they bring, increase the number of critical failure points. The latter explains why regulators, across the globe, have been particularly active in this topic and consequently resilience has become the latest global hot topic in many sectors.

A key premise of building cyber resilience is to develop an in-depth understanding of ‘what is materially important’ for the business. Analysing the important business services into the processes, technology and people defines the quantitative and qualitative characteristics of those assets which need to be preserved even during a successful cyber attack.

This presentation will demonstrate how SABSA methodology can be leveraged to capture the business context and how the business context in turn becomes a strong foundation to build a robust cyber resilience. Instead of addressing the challenge from a theoretical point of view, real-life use-cases will be presented from the financial services and energy sectors. Emphasis will be given on the operationalisation of SABSA methodology to capture the idiosyncrasy of the organisation, demonstrate the relevance of the security services, model the security posture and become the conduit that brings together the risk management framework, threat scenarios, control library and operational controls.
Speaker(s)

Dimitrios Delivasilis

CEO, Qiomos (UK)

For over twenty five years, Dimitrios has been a technology executive with a proven success record of delivering future proof information security strategies and helping organisations implement their digital transformation plans with a commensurate level of assurance. Mastering specialisation in business-driven security strategy, architecture and operational resilience, Dimitrios draws strength from the diverse experience in leadership roles, predominantly within financial services, i.e., Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC.

Driven by his vision to shift the resilience risk paradigm by challenging core beliefs and driving better decision making, in 2020, Dimitrios founded Qiomos and started providing value-driven services to guide organisations into building resilient services and products. In 2024, this extensive experience led to the launch of the innovative QnousTM solution – a single source of truth to strengthen operational resilience by modelling the organisation’s security posture and centralising security-related information into a single data model. Dimitrios is now working with organisations, across the globe, streamlining their security risk management and truly simplifying their security decision-making.
Tuesday 1st
15:45-16:05

Afternoon Tea
Tuesday 1st
16:05–16:55
True Threat Intelligence – What You REALLY Want To know

Session 7A

In the complex field of cybersecurity, the term "threat intelligence" often becomes a catch-all, encompassing everything from basic incident reports to in-depth vulnerability analyses. My presentation, "True Threat Intelligence - What You REALLY Want to Know," aims to clarify this ambiguity by distinguishing the various layers of what is generally classified under threat intelligence. More critically, it zeroes in on the essence of what constitutes "true threat intelligence"—a nuanced, actionable insight that goes far beyond the surface-level accumulation of data.

True threat intelligence is an art form that demands a deep, covert infiltration into the underbelly of hacker organizations. It’s about gaining trust within these groups, understanding their dynamics, and extracting valuable information that can be used to preempt and neutralize potential cyber threats before they strike. This session will delve into the intricate, resource-intensive process of gathering genuine threat intelligence, highlighting the essential elements of patience, substantial resources, and keen judgment required to navigate the shadowy corridors of cyber threat actors.

A focal point of my talk will be the innovative role of “evil chatbots” in the realm of cyber espionage. As we venture deeper into the age of AI, these chatbots emerge as a critical tool for engaging with and understanding hacker communities. They serve a dual purpose: as instruments for gathering intelligence and as subjects of ethical debate, reflecting the complex moral landscape of cyber intelligence operations.

This presentation will demystify the concept of true threat intelligence, drawing a clear line between generic cybersecurity reporting and the strategic, high-stakes operation of acquiring actionable insights. Attendees will gain a comprehensive understanding of the challenges and intricacies involved in true threat intelligence gathering, as well as the pivotal role this intelligence plays in enhancing cybersecurity defenses against increasingly sophisticated digital threats.

Prepare to embark on a journey into the heart of cyber espionage, where the pursuit of true threat intelligence reshapes our approach to cybersecurity strategy and operations. Join me for an in-depth exploration of what it truly takes to uncover the actionable intelligence you REALLY want to know.
Speaker(s)

Mark Rasch

Attorney, Law Office of Mark Rasch (USA)

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland and is the General Counsel of Threat Intelligence firm Unit 221B, and of-counsel to KJK law.

Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high- technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. He was also the Chief Privacy Officer of Fortune 100 company, SAIC and Chief Security Evangelist for Verizon

Mark has taught white collar crime, computer law, and legal ethics courses, at various institutions including GW, AU and Catholic University Law Schools. He is a frequent media contributor on issues related to technology and the law.
The Cybersecurity Alchemist

Session 7B

Alchemy: the art of purifying the impure by imitating and accelerating the operations of nature in order to perfect matter. How do alchemists transform base metals into gold? The metaphorical aim of the alchemist is the purification of the soul, the progressive metamorphoses of the spirit. The alchemist's journey in Paulo Coelho's book is transmutation: elevating the imperfect to perfection. The main character of the book travels and lives according to the different cultures and traditions of each visited country. He eventually returns to his starting point but completely changed, grows up, conscious and strong. A real human firewall!

How does the combination of European and African values help find out solutions in Cybersecurity? What impact does the factor: “ethnic cultural values” have on the development of a stronger cybersecurity program? What if the evolution of an organization’s cybersecurity maturity also depends on the cultural diversity of individuals of the organization?

Coming from a cultural duality: African and European, I am often categorized in one or the other culture and rarely in both at the same time. Yet, I am what I call “a cultural bridge”.

My power: Using my two cultures in the development of solutions. Beyond easy and generic classifications, I see cultures as a spectrum and an endless combination.

African values vary widely from one country to another due to the diversity of its folklore, cultures, traditions, and religions.

Values common to African countries can be identified as – Communalism – Respect for elders – Hospitality – Spirituality – The importance of family and community ties.

These values often emphasize interconnectedness, harmony with nature, and a strong sense of identity and belonging.

My European values also differ depending on the country in which we live, but we can still identify some common ones. In Europe, the common values are – Democracy and Rule of Law – Human Rights and Privacy – Freedom of Expression and Information – Individualism and Critical Thinking – Equality and Inclusivity.

Based on these, what are the existing or future bridges that allow you to build a robust cybersecurity program. What added value does each of these cultures bring to its robustness?

By sharing my personal experiences and research, I would like to provide to the participants food for thought on how to think about cybersecurity differently and sharing some tools that they can use and apply in their challenges.
Speaker(s)

Ghariba Bourhidane

CyberSecurity Consultant, TreeBridgeMosaic srl (Belgium)

Ghariba Bourhidane is a dreamer, sensitive and unconditional coffee lover. She is currently working as Cybersecurity Consultant providing services security risk management, cybersecurity culture and giving deeper experiences advice in security awareness, topics which drive her passion for the cybersecurity field.

Recently volunteering as TSI Community Manager, she previously worked as Deputy CISO of an insurance group by managing the Third-Party Security Risk concept, dealing with IT project security aspects, being responsible for IT-Security communication and becoming a security awareness specialist.

She has completed two university degrees in Business Sciences and in Business Financial Engineering.
You Can Fix Stupid: Automating to Reduce Risk

Session 7S

In a world where cyber threats are evolving at an alarming rate, organizations are expected to do more with less, employees are given ever increasing workloads, and human error remains a significant contributor to data errors and security breaches, automation emerges as a crucial solution.

Businesses are increasingly looking toward automation to streamline processes, improve productivity, and “enhance operational efficiency”. A naïve security team might be afraid of the risk that automation poses. But, using a SABSA perspective, we can see that risk from a different angle and recognize it as an opportunity: both to focus on what is important to the business and to reduce the exposure of systems to the human factor.

Through real-world examples, we will illustrate how automation can enhance security posture and minimize the impact of human errors on an organization. We’ll also explore the various ways automation can support security risk assessment, such as enhancing anomaly detection and fortifying defense mechanisms. Facilitated by a member of your friendly neighborhood automation team, participants can expect to discuss the best ways to communicate and partner with groups modifying their processes so that security can take advantage of a rare chance to course-correct across their organization.
Speaker(s)

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SABSA SCF is a Cognitive Solutions Developer at City of Hope. She is a neuroscientist and biomedical engineer with experience in speech and gait research. She spent 5 years running neurorehabilitation engineering studies with human participants and conducting data analysis to investigate sensorimotor systems. She co- authored 5 papers and presented at conferences in Toronto and Boston, USA, COSAC APAC 2023 & 2024, and COSAC 28, 29 & 30.
Tuesday 1st
17:00–17:50
Revolutionising Threat Modelling with Emerging Technologies

session 8A

In the traditional landscape, threat modelling has been a predominantly manual and meticulous process, demanding substantial expertise and time. However, the advent of cutting-edge technologies is set to transform this scenario radically.

Our presentation delves into how an amalgamation of sophisticated technologies across the tech stack can automate and enhance the threat modelling process, making it more efficient and accessible. At the heart of this transformation is the integration of Generative Artificial Intelligence (GenAI) tools, such as GPT-4, which is significantly lowering the skill barriers traditionally associated with creating threat models.

During our presentation we will:

● Explore the unique contributions of technologies like Security Copilot, Gemini, and other elements of the technology stack that, when chained together, offer a robust methodology for automated threat modelling.

● Glimpse at a ‘Promptbook on ChatGPT,’ aimed at simplifying the entry into technical security architecture work.

● Discuss the possibility of generating dynamic architecture documents, analysing the security estate comprehensively, and employing chained GPT models for a holistic threat analysis.

The intersection of AI and traditional security tooling is paving the way for a new era in threat modelling – one where automation, efficiency, and inclusivity are at the forefront, transforming the landscape of cybersecurity architecture.
Speaker(s)

Jonathan Cassam

Cyber Security Senior Manager, PwC (UK)

Jonathan is a Senior Manager in the PwC Cyber Security practice with diverse experience across both public and private sectors helping organisations tackle some of their most complex security challenges. He also leads our Secure-By-Design proposition and works with a number of clients to securely delivery solutions.

Jonathan has proven delivery capability and offering real value to businesses with experience that covers a broad range of areas including, strategy, architecture, policy and procedures and training, with particular focus on security architecture

Sophia Mexi-Jones

Security Architect, PwC (UK)

Sophia is a Senior Associate at the Cyber Security Practice at PwC UK with a keen focus in architecture and engineering. Her main experiences and interests lie in cloud security working with a range of different cloud specific technologies such as kubernetes. Her work spans across different industries such as private sector, public sector and governmental bodies.

Sophia has a strong technical background with a MsC in Cyber Security. Her focus within architecture lies with threat modelling where she has focused on a range of systems such as Cloud to Operational Technology. Asides for this, Sophia has a wide range of knowledge of various cloud platforms such as Google, AWS and Azure.

Sophia is an avid speaker at various security/technology conferences and aims to continue to spread her knowledge in cloud security and threat modelling.
It Takes A Village: Raising Cybersecurity Capability Across the Enterprise

Session 8B

The shortage of cyber security skills is well known and this is only getting worse. So what can we do about it?

When we step back from the problem we can see that many organisations are not efficient in their security engagement. Security teams perform triage and process work which does not require advanced security skills, and often we still see late engagement of security in projects and business decisions, introducing delays and requiring re-work.

Things can be different if cyber security activity is embedded in the day today work of other professionals and functions. Security requirements can be specified by procurement professionals, security configurations and patching owned by IT functions and security objectives specified by business executives.

In this talk, Paul will share experiences across a range of different sectors showing practical examples of how security and business goals were aligned and the security workforce expanded by placing cyber capability into other jobs.
Speaker(s)

Paul Dorey

Visiting Professor, Royal Holloway University of London (UK)

Paul Dorey is facilitator for the UK Energy Emergencies Executive Cyber Security Task Group (E3CC), the UK Aviation Cyber Security Forum and is co-lead for the UK NCSC ICS Community of Interest Supply Chain Expert Group. His leadership roles have included Global CISO at BP and Barclays and other CISO roles in financial services, technology and pharmaceutical sectors. He currently advises security leaders, business executives and governments on cyber security strategy and risk reporting and acts as an expert witness. He is a Visiting Professor in Information Security at Royal Holloway, University of London.
Achieving life Goals Without Joining A Cult or Losing Friends

Session 8S

How security architecture can help you keep your new year’s resolutions and other lifestyle objectives.

Everyone dreams but few turn them into reality. Making it happen does not need to exact a taxing price on social life and comfort. Using my own personal challenge, I draw on my experience as a relatively newcomer to SABSA and to cybersecurity in general to show how the SABSA problem-solving approach can be used to tackle private goals. In my case, it enabled me to overcome health limitations in order to fulfill my parents’ last wishes.

Frustration begets frustration. Most adults have at least once in their lifetime promised themselves they would change their behavior. Few ever succeeded, let alone maintained that new good habit beyond a few weeks. What was supposed to make them feel better about themselves ended up feeding a sense of failure. This creates a vicious circle: you are less likely to dream big and experience stress when you have been repeatedly confronted with failure. When frustration is imposed (e.g. poor health diagnosis), its limitative power increases tenfold. What a waste of human energy!

Applying SABSA to tackle human challenges. Who said security architecture was limited to complex IT questions? Thinking of a life goal as a project just like any other work project, whose vision and success can be articulated, as well as broken down to the smallest step increases the likelihood that you can track your progress and therefore keep up with your promises. SABSA doesn’t impose a direction, rather you are more likely to commit to a plan that you’ve come up with yourself and which follows your own logic. The SABSA framework can be used to boost self-satisfaction and virtually eradicate a sense of failure or dissatisfaction with yourself.

Powering through life. Life goals might seem insurmountable, even more when you attempt to tackle different goals at the same time. Security architecture forces you to identify possible links between goals, thus multiplying the impact of each step. Using diverse and creative trackers, you can monitor progress every week. Even when you don’t achieve 100% of your stated goal, your achievements are visible. This has tangible macro effects: when you feel better, others around you benefit from your positive energy (family, friends, coworkers, everyday interaction with strangers,…). This creates a virtuous circle where by helping yourself, you are more likely to feel generous with others and create a positive environment.

Using personal examples, I bring the SABSA mindset to the private realm. I wish to give participants the tools to apply it to their own challenges.
Speaker(s)

Clara Grillet

Cyber Threat Intelligence Analyst, Centre for Cybersecurity Belgium (Belgium)

Clara Grillet holds political science and law degrees but quickly found herself drawn to cybersecurity for its intersection of IT, economics, strategy and (geo)politics. As a cyber threat intelligence analyst, she enjoys delving into complex and dynamic situations. Clara is a keen public speaker on matters related to cyber threat intelligence and ransomware. She is also a teacher with Cyberwayfinder, a Benelux-based cybersecurity school for adults looking to transition professionally into cybersecurity. Prior to this, Clara worked in the financial and data protection sectors.
Tuesday 1st
17:50-18:10

Refreshments
Tuesday 1st
18:10–19:00
The Smart Practitioner’s Guide To getting Stuff Done

Plenary 9P

DOING WHAT YOU CAN WITH WHAT YOU’VE GOT WHERE YOU ARE

This paper proposes an unconventional yet highly effective approach to helping information security teams deliver better security outcomes by blending the organisational, technical, and process reality that surrounds them with human-centric methodologies, including design thinking and negotiation techniques drawn from the practice of conflict resolution.

Leaning on inspiration from a real-world project I have led in public sector healthcare, my idea is to illustrate with pragmatic and reusable examples how security practitioners can achieve useful consensus about what their teams and wider organisations should focus on. In so doing, they can build buy-in for their strategic and operational security initiatives, making a real difference for their organisations and feeling for themselves that their contribution matters.

THE IDEA

Traditional approaches to information security tend to be technology-heavy and often overlook the human element, where teams operate under an oppressive feeling of constraint and with a scarcity mindset. This can impede good critical thinking and lead to sub-optimal decisions and operational practices, which ultimately leads to gaps in defences.

By embracing a human-centric approach rooted in design thinking and leveraging integrative negotiation techniques, security teams can foster outcome-oriented collaboration and innovation in tackling cybersecurity challenges, making the most of the available time and resources.

This talk explores the intersection of information security, design thinking, and negotiation in a real-world context where human life is what is at stake (public sector healthcare) and where the application of an unconventional approach yielded unconventionally positive results.

• Design Thinking to Uncover What Really Matters

In the public sector healthcare project, design thinking principles guided the development of a strategic roadmap that prioritised patient outcomes. By empathising with healthcare professionals and patients, the security team identified unique security needs and co-created solutions that seamlessly integrated with existing workflows.

The iterative nature of design thinking allowed for continuous improvement and adaptation to evolving threats, resulting in a robust security framework tailored to the needs of the healthcare environment.

• Negotiation Techniques to Address Intractable Disputes

Negotiation techniques played a pivotal role in garnering buy-in from stakeholders across diverse departments. By framing security concerns within the context of patient outcomes, the team facilitated productive discussions that aligned competing interests and neutralised inter-team and interpersonal conflict toward a shared goal that everybody committed to. This was a game-changer.

Through principled negotiation and active listening, we managed to reach a consensus on the priority initiatives that the security team needed to focus on, balancing risk mitigation with operational efficiency, paving the way for a successful implementation of the new 3-year strategic initiative and garnering the goodwill and active commitment of all contributors.

• Facilitated Discussions to Make Sure Every Voice is Heard

Facilitated discussions served as a cornerstone of the approach, providing a structured forum for stakeholders to voice their concerns and contribute to the decision-making process. Skilled facilitators adeptly managed group dynamics, ensuring that all perspectives were heard and respected, particularly those of neuro-diverse team members who had previously struggled to communicate their ideas and who, it turned out, had an incredibly impactful role to play.

Conclusion

By embracing human-centric methodologies like design thinking and best practices from other professional domains such as conflict resolution, this talk will show how security practitioners can unlock untapped potential from existing human talent in their organizations, orchestrating this energy into better security outcomes.

The real-world examples from public sector healthcare demonstrate the tangible benefits of design thinking, negotiation techniques, and facilitated discussions in establishing focus, achieving consensus and buy-in, and keeping teams on track to achieve superior security outcomes.

Let’s embark on an unconventional journey together, where we’ll learn to leverage the power of human ingenuity to build even better defence in depth in our organizations and safeguard what matters most.
Speaker(s)

Anne Leslie

Cloud Risk & Controls Leader, IBM (France)

Anne Leslie is the Cloud Risk and Controls Leader for EMEA at IBM. With 18+ years of experience spanning financial services and technology, she is a distinguished expert at the intersection of AI, cloud, operational resilience, and cybersecurity.

Since joining IBM, Anne has been instrumental in guiding clients worldwide in securely accelerating their adoption of public cloud and AI technologies, while also preparing them for the future landscape shaped by quantum computing. Her work ensures these organisations can adapt their operating models and enhance their resilience in a rapidly changing digital environment.

Co-editor of The AI Book and co-author of The RegTech Book, Anne excels at facilitating outcome-oriented dialogue on complex industry issues, building positive relationships across diverse stakeholder groups. She is actively driving industry momentum around post-quantum readiness by advising clients on strategies to mitigate risks and embrace quantum-resistant solutions. Well-established as a trusted voice in the industry, Anne regularly contributes her thought leadership to C-level conferences and working groups convened by public authorities.

Irish by nature and French by design, Anne lives with her family in Paris, France, which has been her home for almost 30 years.
Tuesday 1st
19:15-1945

Drinks Reception
Tuesday 1st
19:45

COSAC 2024 Gala Dinner (sponsored by The SABSA Institute) & Race Night

Wednesday 2nd October

Wednesday 2nd
09:00-09:30

Registration & Coffee
Wednesday 2nd
09:30-10:20
NYETwork Warfare: the End of Civilisation As We Know It

Session 10A

“Everything was destroyed, and few out of many returned home.” - Thucydides

Two years ago, we discussed whether the Russian offensive included all-out cyber, or if the combatants were husbanding their resources. Last year, we noted that 50-year-old tanks and munitions work well in battle, whereas cyber weapons have a shelf life closer to milk than to wine.

As a kinetic stalemate grinds through men and materiel, cyber has blossomed as a new form of expeditionary warfare, now targeting critical infrastructure, the most prominent of which (as of this writing) has been Kyivstar, Ukraine’s largest telecom provider. The fabric of society is now a target, seemingly in violation of Rule 1 of the Law of International Warfare.

“This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable.”

– Illia Vitiuk, head of Security Service of Ukraine (SBU) cybersecurity department

Most critical infrastructures are not state-run in western nations. The United Kingdom has named thirteen critical infrastructures. The United States has sixteen. Regardless, these are being identified, cataloged, and targeted in a systematic way so as to provide a potential early strategic advantage in the event of future conflict.

What happens to our society if the digital gloves come off? What are the consequences of an adversary who cannot win on the battlefield taking the battle to the civilian population, shutting off power, water, and communications? What preparations can be made, realistically, to prepare our countries for what we can see is already happening? What message should we, as the senior global brain trust, craft to mobilize our societies and our governments before they suffer a catastrophic loss that might be avoided if we speak up now?
Speaker(s)

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation and co-host of the award-winning CISO Tradecraft podcast. He has been providing cyber security expertise to government, military, and commercial clients for over 35 years, and is the author of over one hundred articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration, a Masters in Strategic Studies, and is designated as a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).
Bridging The Gap: Fostering Collaboration Between Security & Technical Teams

Session 10B

Do you suffer from a team that can't seem to talk to each other? Can you cut the air with a knife when entering your security meetings? Do people audibly sigh whenever you mention raising a ticket or inquire about its status? If so, then this session is for you.

In today’s fast-paced and interconnected digital world, the harmony between security and technical teams is crucial. Yet, all too often, these teams operate in silos, causing friction, inefficiencies, and ultimately, compromising security. But fear not, for there is hope.

Join us as we embark on a journey to transform discord into harmony, to dissolve the tension that permeates the air, and to replace sighs with nods of understanding. We’ll delve into the heart of the matter, addressing the root causes of disconnection and discord between security and technical teams.

From inspiring motivation to breaking down barriers, we’ll discuss what motivates and drives people to take ownership of their place in Information Security. Say goodbye to the days of disjointed communication and hello to a future where security and technical teams work hand in hand towards a common goal.
Speaker(s)

Dan Schoemaker

Information Security Manager, Phoenix HSL (Australia)

Dan has been working in the IT Infrastructure/Operations and Security fields for over the past decade. Currently running the Group Security function for a global company, he is driven to ensure security is business driven and architected properly. Being a self-driven techie, he ultimately believes in learning by doing and having a crack.
Building An Adaptive Security Architecture

Session 10S

The presentation addresses 3 trends currently challenging the cybersecurity operating model.

• Customer expectations are shifting - Digital natives think in terms of customer journeys, and they want safe but low-friction experiences along the way.

• Threats are evolving - There are now new ways to exploit human nature and decision making, using technologies like AI. Lastly,

• Regulations are fragmenting - Countries recognise the value of data and are taking a stronger, more localised, position on how to protect it.

These factors have important consequences for how cybersecurity teams design and implement their governance, risk, compliance and assurance frameworks. We will argue that the new paradigm which is decentralised, where speed and accountability for decision-making are favoured over structures of centralised authority and control.

A pre-requisite of this kind of adaptive security is for decision making at all levels of the organization, which implies effective communications based on a common ‘source of‘truth’.

In this presentation, the speakers will present their experience of establishing a security architecture that reflects these aims and principles, based on control modelling, thresholds, and real-time security data.

The session should be of value to a wide range of delegates that may be facing similar challenges and would be interested in learning what an architectural approach can contribute to the solution.

This will be original content, being presented at conference for the first time.
Speaker(s)

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a Belgium-based independent security consultant at Cyber Enterprise Modelling (CEM) and has been a regular presenter at COSAC since 2018 on the topic of security by design through automation and modelling. He is the principal author of the SABSA Institute / Open Group paper “Modelling SABSA with ArchiMate” and chairs the associated SABSA Working Group. He holds several security, architecture and privacy certifications including SABSA Chartered Practitioner and ArchiMate.

Ben Stephen Woods

Head of Cyber Risk Assurance, The LEGO Group (Denmark)

Ben leads the Cyber Risk and Assurance team at the LEGO Group:, a global function that includes Human Risk, Risk Management, Technical Risk, and Assurance. Ben is also the Deputy CISO.
Wednesday 2nd
10:25-11:15
Towards Secure AI

Session 11A

The hype cycle continues to thrive as illustrated by recent press coverage and political attention regarding the “existential threat” posed by AI, particularly LLMs and generative AI. Inevitably some people are asking how do we secure AI? This session considers AI-related risks and their potential evolution. To address these risks, we need to consider what governance and security mean in an AI context.

Responding to the political attention AI has received, national and international standards organisations are embarking on development of new standards. This session will explore these initiatives, discussing the challenges facing us standardising a rapidly evolving technology. In framing these standards, further discussion is needed about whether AI really is a new problem, or simply highlights inadequacies in our current IT and security standards.

Drawing to a close, the session will explore the role that the supply chain, security professionals, and SABSA could play in addressing challenges arising from use of AI and the consequences and/or liabilities arising from AI embedded in solutions.

Key learning outcomes

• An understanding of AI security risks and vulnerabilities

• An appreciation of the limitations of security standards

• An outline of key issues to address in deployment of AI solutions
Speaker(s)

Hugh Boyes

Honorary Fellow, Loughborough University (UK)

Hugh Boyes is a security adviser and an Honorary Fellow at Loughborough University. He is a Chartered Engineer, Chartered Cyber Security Professional and a Principal member of the UK NPSA-sponsored Register of Security Engineers and Specialists (RSES). Hugh has been the technical author for several standards issued by BSI and is a regular standards reviewer and contributor.

As a security adviser Hugh works across a range of information intensive public sector initiatives, particularly those involving infrastructure and complex geospatial data. His research interests relate to the security of cyber-physical systems, industrial IoT and digital twins, particularly those in the built environment and the critical national infrastructure.
If Socrates Was A CISO or Worse..Your Business Stakeholder

Session 11B

The nature of the cyber security risk is both complex and broad, and present in almost any part of digital operations making it a top non-financial risk. On a daily basis stakeholders are being faced with decisions on how to proceed with the implementation of the business strategy whilst providing a commensurate level of protection against ever evolving cyber threats and ensuring critical products and services operate within the desired risk thresholds.

The accuracy, completeness and timely accessibility of the information required to determine the optimum way forward is more important than ever.

The session draws in from philosophy to illustrate how ancient wisdom can be applied to cyber security and risk management. Will illustrate how Socratic method, an interactive technique for establishing knowledge, allows us to test assumptions through honest dialogue, think differently and ultimately guide us towards better understanding the implications of decisions that needs to be made. The audience will experience how to draw strength from contrarian thought, and utilise it as a tool for both establishing ignorance and knowledge.
Speaker(s)

Dimitrios Delivasilis

CEO, Qiomos (UK)

For over twenty five years, Dimitrios has been a technology executive with a proven success record of delivering future proof information security strategies and helping organisations implement their digital transformation plans with a commensurate level of assurance. Mastering specialisation in business-driven security strategy, architecture and operational resilience, Dimitrios draws strength from the diverse experience in leadership roles, predominantly within financial services, i.e., Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC.

Driven by his vision to shift the resilience risk paradigm by challenging core beliefs and driving better decision making, in 2020, Dimitrios founded Qiomos and started providing value-driven services to guide organisations into building resilient services and products. In 2024, this extensive experience led to the launch of the innovative QnousTM solution – a single source of truth to strengthen operational resilience by modelling the organisation’s security posture and centralising security-related information into a single data model. Dimitrios is now working with organisations, across the globe, streamlining their security risk management and truly simplifying their security decision-making.

Mz Omarjee

Head: IT Client Security and Moonshots, Standard Bank Group (South Africa)

Muhammed Zubair (MZ) Omarjee, is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as it relates to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative business driven and risk-oriented discipline.

Having a proportionate balance of real-world practical experience and technical competence, Muhammed Zubair excels in changing the mind-set required for Digital Transformation. He has a unique ability to operate end to end working interchangeably from strategy development, product design, solution engineering, and full stack software development. His current scope of responsibility covers 18 countries across the African subcontinent.
Embedding Architecture to Keep Up With the Pace of Change

Session 11S

The IT organisation around our team is making key structural and governance changes, including re-aligning to business value stream structures, migrating from waterfall processes to Agile change delivery, and introducing a new control framework. And these are just some examples.

To keep up with these changes, and this pace of change, we need to update our security architecture practices. We are aligning Security Architects with their Solution and Enterprise counterparts to maximise security “shift left”. We are embedding architects in value stream verticals and service horizontals to maximise our coverage with limited resources. We’re helping to share the definition and roll out of the new control framework, to ensure Architecture and Risk processes and artefacts are aligned from the outset. And to keep up with the pace of Agile, we’re taking first steps from point in time design docs towards living architecture artefacts, and re-learning what re-usable architecture means as a result.

In this talk I will explain how we’re tackling all of these changes, lessons learned to date and where we’re going next.
Speaker(s)

Gordon Jenkins

Head of Security Architecture, Admiral (UK)

Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 25+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 14 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.
Wednesday 2nd
11:15-11:35

Morning Coffee
Wednesday 2nd
11:35–12:25
It Is Not A Duck: How OT Differs from IT

Session 12A

The idea for this came to me today (March 21st) after having visited a dutch conference. It has been lingering in the back of my mind for some time but having seen the call for speakers in my Linkedin-feed this morning I decided to put it forward. On my way home I even came up with a title.

The core of my presentation is that there is a difference between IT and OT and that it should be treated differently, from a security perspective. In the past I have seen that large companies treat the OT they have (HVAC of camera surveillance systems) as if it were a regular IT system. Leading to frustation of both security professionals – trying to secure these systems – and facility departments – trying to operate them.

So I’d like to argue that the IT Security guy (with his ISO2700x of equivalent framework) is not the one to turn to when it comes to securing OT. It the OT Security guy with the IEC62443 certificate. And perhaps explain the basics of IEC62433..

I’d really like to start a discussion on why companies have their OT connected to the internet…
Speaker(s)

Jan Van Kemenade

Information Security Officer, Durmazon (Netherlands)

I’m a 61 year old dutchman with 35+ years experience in various roles in IT and 10+ years insecurity. Currently working, self-employed, as an Information Security Officer assigned to a (relatively) small company – a pension administration service that works for 40+ pension providers in the Netherlands. In the past I have worked for a number of companies, mostly in the financial sector. Once I start talking I’m hard to stop but I’m not that great at writing, so I’ll leave it at this.
Recovering Personal Privacy Through Web Decentralisation

Session 12B

Outside China, Apple and Google control more than 95 percent of app store market share with the Apple App Store holding nearly 2 million and Google’s Play store holding nearly 3.5 million. The impact of this proliferation of apps and their everyday routine use, together with other web interactions, means that users’ personal data is spread widely on suppliers’ servers throughout the Internet.

This arrangement provides an enormous attack surface for malevolent actors. This array of personal digital data points is taking on a much more important role in personal identification than previously, with their compromise potentially leading to individuals losing control of their (digital) identity used by a large number of service providers.

In 1989 Tim Berners-Lee conceived the Solid (Social LInked Data) project as a way to give individual users full control over their personal data and the freedom to combine it or share it between applications.

Users keep their personal data in “pods” (personal online data stores) hosted wherever they choose. Applications that are authenticated by Solid are allowed to request data if the user has given the application permission.

2024 has seen the first substantial rollouts of this technology in Europe in the recruitment and healthcare sectors. In this talk we discuss the architecture and technical operation of Solid and whether it has the potential to disrupt existing business models where an individual data subject can become the data controller.
Speaker(s)

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.
The Grammar of Attributes, Requirements & ESA

Session 12S

‘Words mean things’, as Drill Sergeant once enthusiastically bellowed at me after failing to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for.

When undertaking any work as a risk professional, it is sensible to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain language expressions while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.
Speaker(s)

Kirk Nicholls

Security Advisor, Sportsbet (Australia)

Kirk is a security architect who loves that the job is an endless source of puzzles and learning.He is an SES volunteer, SABSA Institute Board member and instigator of SABSA World Australia.

Someday the novelty will wear off, but not today.
Wednesday 2nd
12:30– 3:20
Contextual Trust: Trust In the Untrustable World of Connected and Autonomous Vehicles

Session 13A

The Connected and Autonomous Vehicle (CAV) sector is rapidly evolving, presenting unparalleled opportunities for integration and third-party data utilisation. This evolution, however, introduces significant challenges, particularly regarding the integrity and reliability of vehicle-generated data. The stakes are high: compromised data could lead to accidents, traffic disruptions, hinder emergency services, and more. This session delves into the technologies underpinning CAVs, upcoming enhancements, potential threats, and necessary controls. It will explore the intricate web of supply chain relationships, the data exchanged between stakeholders, and how these factors contribute to the sector's security posture.

A central theme of this presentation is the concept of “contextual trust” – a framework for assessing and ensuring the integrity of data in environments which could be considered untrustable. By leveraging contextual data points and blockchain technology, we can construct a more robust, trust-based model that safeguards against data spoofing, unreliability, and unavailability. This approach not only enhances the security of CAV operations but also underpins the development of safer, more reliable autonomous transportation systems.

Attendees will gain insights into:

The current and future landscape of CAV technologies and the pivotal role of data integrity.

The multifaceted security threats facing the CAV sector and the controls to mitigate these risks.

The mechanics of contextual trust and blockchain technology in establishing a dependable data ecosystem.

Strategies for implementing these technologies to foster trust and security within the untrustable facets of CAV operations.

This session builds on the Gordon Jenkins work presented at COSAC a couple of years ago but refocuses on CAV. It aims to equip attendees with the knowledge and tools to navigate the complexities of CAV security, focusing on the importance of trust and integrity in advancing the sector’s safety and reliability.
Speaker(s)

Rob Campbell

Enterprise Security Architect, PA Consulting (UK)

Rob Campbell is a seasoned Enterprise Security Architect with nearly 30 years of experience in cyber and information security. Passionate about advancing the profession, he focuses on innovating security architecture approaches and enabling knowledge-sharing among practitioners.

Rob has developed practical tools, methodologies, and frameworks to help architects navigate complex enterprise environments. His expertise spans security architecture, risk management, compliance, and incident response, with a strong focus on aligning security strategies with business objectives.

At COSAC, Rob shares his deep technical knowledge and pragmatic insights, providing actionable takeaways for building resilient and future-proof security models.
Telegram & Discord, A Wretched Hive of Scum and Villainy

session 13B

In the sprawling digital landscape, platforms like Telegram and Discord have become pivotal arenas for threat actor communications, offering a blend of anonymity and accessibility that is highly attractive to the cybercriminal underworld. This session, entitled "Telegram and Discord - A Wretched Hive of Scum and Villainy," will peel back the layers of these digital ecosystems to reveal the dynamics of threat actor communities.

The focus will be on understanding where these actors converge, the nature of their interactions, and the illicit activities they orchestrate within these seemingly benign platforms.

The presentation will navigate the complexities of infiltrating these communities, detailing strategies for gaining trust and gathering intelligence within networks that are notoriously wary of outsiders. Attendees will gain insights into the sophisticated methods employed by threat actors to safeguard their forums from prying eyes, including the weaponization of tools against security researchers, law enforcement officials, and others who venture too close.

A special emphasis will be placed on the gaming community, a vibrant and often-targeted sector where threat actors blend seamlessly with legitimate users, exploiting platforms and tools for malicious purposes. This segment will explore the unique challenges and opportunities that the gaming ecosystem presents for cybersecurity efforts, highlighting recent incidents that underscore the urgency of addressing these threats.

Moreover, the session will discuss recent U.S. criminal prosecutions that have brought to light the activities of cybercriminals operating within Telegram and Discord. These cases serve as a critical reminder of the legal and ethical considerations involved in tracking and engaging with threat actors, offering lessons for cybersecurity professionals navigating this treacherous terrain.

This presentation promises to offer a comprehensive overview of the digital underbelly that thrives on platforms like Telegram and Discord. Participants will leave with a deeper understanding of the methods and motives of cybercriminal communities, equipped with the knowledge to more effectively combat the threats they pose. Through a blend of technical insight, real-world examples, and strategic guidance, this session aims to empower attendees to confront the challenges of cybersecurity in the era of social messaging platforms.
Speaker(s)

Mark Rasch

Attorney, Law Office of Mark Rasch (USA)

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland and is the General Counsel of Threat Intelligence firm Unit 221B, and of-counsel to KJK law.

Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high- technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. He was also the Chief Privacy Officer of Fortune 100 company, SAIC and Chief Security Evangelist for Verizon

Mark has taught white collar crime, computer law, and legal ethics courses, at various institutions including GW, AU and Catholic University Law Schools. He is a frequent media contributor on issues related to technology and the law.
Seamlessly Traversing Shifting Boundaries

Session 13S

The ability to cross boundaries is one of the most natural human behaviours, in fact, it is so natural and normal that we don’t even give it a second thought.

Whether we walk out of our houses into public or walk into a bank or store from the street, we don’t even consciously think of the fact that we are crossing a boundary or that each boundary that we cross is beholden to a set of rules that we learn to follow from a young age. One can even go so far as to say that each of these boundaries defines and protects a zone. The Oxford dictionary defines a zone as “an area or stretch of land having a particular characteristic, purpose, or use, or subject to particular restrictions”. Why is it then that we make it so incredibly difficult for ourselves to define and traverse zones in modern business environments? In this session we will explore how we can use an adapted version of SABSA domain modelling to define and manage zones within a modern enterprise and use these zones to create and communicate security information flows and controls to stakeholders concisely and consistently.
Speaker(s)

Jaco Jacobs

Security Architecture Lead, Accenture (Netherlands)

Jaco has been a “security guy” for more than 25 years during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most of his career developing security IP, training and services for the largest global security providers as well as co-authoring several security publications.
Wednesday 2nd
13:20-14:00

Lunch
Wednesday 2nd
14:00–14:50
Computer Crime Prosecutions As A tool To Stifle Dissent

Session 14A

In an era where digital information flows freely, the boundary between public interest journalism and computer hacking has become increasingly blurred. This session will delve into the controversial prosecution of Timothy Burke, a journalist from Tampa, Florida, who faced legal repercussions for his investigative work exposing hypocrisy in Fox News' broadcasts, including interviews between Tucker Carlson and Kanye West. His case serves as a stark example of how governments and corporations are leveraging computer crime laws to suppress dissent and penalize whistleblowers and journalists.

At the core of modern computer hacking statutes are vague and ambiguous terms such as “without authorization” and “in excess of authorization.” These phrases, initially designed to protect against unauthorized access to computer systems, have evolved into tools that facilitate the transformation of hacking laws into generalized secrecy laws. This presentation will explore the implications of such legal frameworks, highlighting how they are used to prosecute individuals for exposing government or corporate secrets, thereby stifacing critical journalistic endeavors and public discourse.

Furthermore, we will examine the historical underpinnings of these statutes, tracing back to common law trespass laws. The session will argue that concepts of property and trespass, formulated in the 14th century, are ill-suited to govern the complex, interconnected landscape of the 21st-century internet infrastructure. The presentation will critically assess the adequacy of these outdated legal foundations in addressing contemporary cyber challenges, arguing for a reevaluation and modernization of legal principles to reflect the realities of digital age.

This session aims to shed light on the precarious balance between safeguarding digital assets and ensuring the freedom of information and expression. By dissecting the case of Timothy Burke and the broader context of computer crime prosecutions, we aim to foster a nuanced understanding of the legal, ethical, and societal implications of using hacking laws as instruments to stifle dissent. Attendees will leave with a deeper appreciation of the need for legal reforms that both protect against genuine cyber threats and uphold the principles of democracy and free speech.
Speaker(s)

Mark Rasch

Attorney, Law Office of Mark Rasch (USA)

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland and is the General Counsel of Threat Intelligence firm Unit 221B, and of-counsel to KJK law.

Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high- technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. He was also the Chief Privacy Officer of Fortune 100 company, SAIC and Chief Security Evangelist for Verizon

Mark has taught white collar crime, computer law, and legal ethics courses, at various institutions including GW, AU and Catholic University Law Schools. He is a frequent media contributor on issues related to technology and the law.
What Are You Doing, Dave?

Session 14B

As organizations increasingly rely on technology to conduct their operations, the intersection of artificial intelligence (AI) and cybersecurity emerges as both a promising avenue for defense and a looming threat.

This presentation delves into three critical areas where AI intersects with cybersecurity, examining its applications for defense, the risks posed by malicious actors, and the emerging challenges in combating disinformation.

AI for Enhanced Detection: The first area of focus revolves around leveraging AI and machine learning principles to fortify cybersecurity measures within organizations. By employing sophisticated algorithms, organizations can enhance their ability to detect rogue or anomalous activities occurring within their IT systems. This proactive approach enables early identification of potential threats, allowing for timely intervention and mitigation efforts.

AI-Powered Cyber Attacks: However, the same AI technologies that bolster defense mechanisms can be wielded by adversaries with malicious intent. Hackers are increasingly leveraging AI to develop, weaponize, and execute sophisticated attack campaigns against targeted organizations. By harnessing AI’s capabilities, adversaries can automate tasks, evade traditional security measures, and launch highly targeted and coordinated attacks with unprecedented precision and speed.

Deep Fakes and Social Engineering: The third area explores the darker side of AI, focusing on its role in the proliferation of deep fakes and disinformation campaigns for the purpose of social engineering. AI-driven tools enable the creation of hyper-realistic fake audio, images, and videos, posing significant challenges in verifying the authenticity of digital content. Malicious actors exploit these capabilities to spread misinformation, manipulate public opinion, and deceive individuals and organizations for nefarious purposes.

In this presentation, we will delve into each of these areas, examining the opportunities, challenges, and implications of AI’s intersection with cybersecurity. By understanding both the potential benefits and risks associated with AI in cybersecurity, organizations can better navigate the evolving threat landscape and implement robust defense strategies to safeguard their digital assets and operations.
Speaker(s)

Rob Hale

Fellow, Information Operations, Lockheed Martin (USA)

I have been teaching Governance and Compliance at Boise State since 2022 and have been working in the Cyber Security and Information Operations career field for over 35 years. I have been a Fellow at Lockheed Martin since 2008, where I lead cyber security architecture and integration efforts for the 5G.MIL(TM) program. I have also led a number of certification and accreditation efforts for customers in the law enforcement and intelligence communities.
Previewing Security in ArchiMate 4.0

Session 14S

Since its first publication as a standard in 2009, ArchiMate® has become the most widely adopted notation for describing enterprise architecture but, through to the current version 3.2, support for the security perspective has been informal and under-developed.

The idea of a Security Overlay for ArchiMate was first introduced at COSAC 2018, a great deal of progress has been made – principally via the SABSA Institute Working Group dedicated to the modelling of SABSA in ArchiMate (MSA). This culminated in a revised White Paper, a schema definition of the Overlay and the introduction of a 2-day training course to the SABSA Institute catalogue. However, support for security perspective has only had the status of a ‘community contributed’ proposal.

This is about to change. The next major release of ArchiMate 4.0 will for the first time include security concepts, relationships and patterns in the core language, based largely on the SABSA proposal.

This presentation, given by a contributor to this work, will preview what is expected to be included in the ArchiMate 4.0 release and how it will advance the ‘state of the art’ beyond what we have at present.
Speaker(s)

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is a Belgium-based independent security consultant at Cyber Enterprise Modelling (CEM) and has been a regular presenter at COSAC since 2018 on the topic of security by design through automation and modelling. He is the principal author of the SABSA Institute / Open Group paper “Modelling SABSA with ArchiMate” and chairs the associated SABSA Working Group. He holds several security, architecture and privacy certifications including SABSA Chartered Practitioner and ArchiMate.
Wednesday 2nd
14:55–15:45
Cybercrime – Does it Pay?

Session 15A

Our goal as security practitioners is to stop bad things from happening to the organization we have chosen to protect. When this happens and law enforcement is able to finally catch the bad actors, what actually happens?

Do they get what they deserve or does cyber crime actually pay? In this session we’ll look at this issue globally – is the punishment fitting the crime? What can we do to make this a crime that doesn’t actually pay, or at the very least, comes with some significant risk? As with all COSAC presentations, this should spark a lively debate and hopefully can serve as a call to action to our governments to make a change.
Speaker(s)

John Ceraolo

Head of Information Security, Verifiable Inc. (USA)

John Ceraolo, an internationally recognized author, and speaker on multiple security topics including social engineering, security services and awareness, brings more than 30 years of experience in the information security industry. Ceraolo is currently the Head of Information Security at Skilljar, a Seattle-based customer education SaaS platform provider.
Security Awareness Training for Generative AI

Session 15B

Generative AI is remarkable for its ability to utilize extensive data to answer complex questions. However, in a business context, not all data should be accessible to everyone.

Human customer service representatives are adept at utilizing their comprehensive knowledge of previous cases and processes to respond to customer inquiries while safeguarding sensitive company and customer information.

In contrast, generative AI, in its default setting, strives to provide detailed answers and can inadvertently overshare information. This becomes a significant concern when handling customer interactions. The pivotal question then arises: how can one enhance the security of an AI model, ensuring both operational efficiency and data confidentiality? For seasoned security professionals like us, this entails adopting innovative approaches.

Join two COSAC regulars who will unveil their journey of deconstructing this challenge and reconstructing a solution. Participants will gain insights into current best practices for designing and implementing the following control objectives in AI:

Data Sanitization and Filtering

Privacy by Design

Audits and Monitoring

User Consent and Transparency

Anti-Phishing Measures

Let’s enrich our biological intelligence with a skillset needed to secure the artificial one.
Speaker(s)

Karel Koster

Manager Cyber Security, FedEx Express Corporation (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information roles. He currently manages a global information security team for FedEx.

Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies. Karel is a People, Process and Technology person, in that order.

John O’Leary

President, O'Leary Management Education (USA)

John G. O’Leary, CISSP, is President of O’Leary Management Education. A computer security practitioner since 1977, he has designed, implemented, maintained, administered, broken, troubleshot, fixed, re-fixed, managed, consulted on and taught security for networks ranging from single-site to multi-national. Winner of the 2004 COSAC award, the EuroSec 2006 Prix de Fidelite and the 2011 ISC2 Lifetime Achievement Award and the first ever ISS Guardian Award in 2015, his background spans programming, systems analysis, auditing, project management, operations and quality assurance. John taught graduate school at the University of Texas at Dallas for 10 years (yes, there are universities in Texas, some of them even accredited). A few years ago he received breach notification letters from TJX and the VA in the same week. He is still waiting for OPM to reveal that the Chinese now have all his security clearance information. The Target “situation” got him new credit cards. He does not admit to knowing any Russians or CCP members. Although he completely missed out on early bitcoin gathering, the March 2023 Silicon Valley Bank failure cost him nothing. He is firmly convinced that COSAC is the absolute best information security conference on earth.
Using the SABSA Enhanced NIST Cybersecurity Framework

Session 15S

What is the best way to leverage the NIST Cybersecurity Framework (CSF) 2.0 when implementing or updating a SABSA developed security architecture? The NIST CSF 2.0 is a significant upgrade to the de-facto global framework for managing cybersecurity threats but it still lacks several of the essential elements for a robust cybersecurity program.

The NIST CSF 2.0 is a significant upgrade to the de-facto global framework for managing cybersecurity threats but it still lacks several of the essential elements for a robust cybersecurity program. The SABSA Institute (TSI) sponsored SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project is developing various tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work.

This session is a high-level view of what the updated NIST CSF 2.0 provides, and a first look at what the SENC project is delivering to enhance implementation of the CSF. The SENC project is defining SABSA-specific guidance for leveraging the NIST CSF 2.0 including: developing the contextual architecture to front end use of the CSF with the SABSA attributes profiling process including a few example Attribute Profiles for selected industry sectors; a SABSA NIST CSF 2.0 Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method; SABSA NIST CSF 2.0 Informative References that map the SABSA NIST CSF 2.0 Profile to the SABSA matrix; and a collection of SABSA-specific Examples for the CSF subcategories aligned to the SABSA NIST CSF 2.0 Profile.

Too often, the application of the NIST CSF focusses on the processes, technologies and controls while losing sight of managing the business value and risks involved. We will outline example content from the SENC project deliverables and what will be available to the SABSA community when the project is completed. The SENC project will provide specific recommendations for leveraging SABSA to apply and enhance the NIST Cybersecurity Framework 2.0 to help manage your organization’s business risk requirements.
Speaker(s)

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

In his 50+ years of in-depth experience in IT and security consulting, systems management and technical implementations, Glen Bruce has focused on Security Frameworks, Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information and cybersecurity risk. He has led many information/cyber security engagements, where he has helped clients establish effective strategies, governance, architectures, frameworks, policies, PKIs and infrastructure implementations in support of a wide range of business and technical requirements. Glen is the leader of the SENC workgroup project.
Wednesday 2nd
15:45-16:05

Afternoon Tea
Wednesday 2nd
16:05 – 16:55
10 years, 10 cases, 10 Lessons Learned

Session 16A

In this highly graphical session, I will present a mostly anonymised journey across the threat landscape that businesses have had to endure over the last decade.

Like a casebook of notes from the field I will cover the weaponization of the legal system, the malicious commercial director, the IT team who were a little too smart, the overly curious manager, one of the largest regulatory investigations ever undertaken, investigations, accidents, misconfigurations and consequences, a dalliance with state sponsored actors and finally and for the first time the Anglo Irish Bank story from the insider in the room. Covering retail, services, legal, manufacturing, financial services, regulatory bodies, and local government my intention is to inform, entertain and enable attendees to take home some food for thought and potentially incorporation into their organisations irrespective of vertical or technology stack.
Speaker(s)

Stephen Bowes

Practice Director, BSI Group (Ireland)

Stephen cut his teeth in the financial services industry working his way up the technology stack from mainframe programmer (he wrote the code for the left-handed cheque book for AIB) through to Head of Technical Delivery with companies such as AIB, ACCBank, Anglo Irish Bank, IBRC and Bank of Ireland. Following the fallout of the banking inspired financial crash Stephen has spent the last 10 years on the other side of the fence with BSI Group Consulting Services engaging with dozens of clients across UK, Ireland, and Europe to assist them meet their digital, regulatory and security objectives.
The Key Challenges of Adapting AI Governance Into Europe’s Data Protection Framework

Session 16B

In the digital age, the proliferation of Artificial Intelligence (AI) technologies has transformed the way we interact, work, and conduct business. From personalized recommendations to autonomous decision-making systems, AI has permeated various facets of society, promising efficiency, innovation, and convenience. However, with these advancements come concerns regarding privacy, data protection, and ethical use of AI.

In response to these challenges, regulatory frameworks such as the General Data Protection Regulation (GDPR) have been established to safeguard individuals’ rights and regulate the processing of personal data. Yet, the evolving landscape of AI necessitates continual adaptation and augmentation of these regulations. Addressing this gap, the EU has recently formalised the introduction of the AI Act. This act aims to 1) establish a comprehensive framework for the regulation of AI systems, addressing issues of transparency, accountability, and fundamental rights and 2) provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. However, the act’s alignment with the GDPR presents a myriad of challenges. This presentation delves into the intricate interplay between the AI Act and GDPR, examining ten key challenges that compliance with the EU data protection framework presents for the use and development of AI tools and will cover topics such as:

• Overlapping Regulations: Analyzing the areas of convergence and disparity between the AI Act and GDPR, and identifying potential conflicts in compliance requirements.
• Data Protection and Privacy: Evaluating the implications of AI algorithms on data privacy and the extent to which they adhere to GDPR principles such as purpose limitation, data minimization, and data subject rights.
• Ethical Considerations: Discussing the ethical dilemmas arising from AI technologies and their impact on fundamental rights, including the right to privacy, non-discrimination, and autonomy.
• Regulatory Enforcement and Accountability: Examining the enforcement mechanisms under both the AI Act and GDPR, and the responsibilities of stakeholders in ensuring compliance and accountability.
By shedding light on the intersection and challenges posed by the AI Act and GDPR, this presentation aims to provide a comprehensive understanding of the regulatory landscape surrounding AI technologies, empowering organizations to navigate regulatory compliance while fostering innovation and ethical use of AI.

Key Learning Outcomes:

• An understanding of the key requirements of the AI Act that relate to GDPR.
• An overview of the opposing approaches to data protection in the AI Act and GDPR.
• An understanding of data subject rights, and data protection principles
• An understanding of organisations’ obligations under both the AI Act and the GDPR
Speaker(s)

Valerie Lyons

COO, BH Consulting (Ireland)

Included in the ‘Top 100 Women in Cybersecurity in Europe’, Dr. Valerie Lyons is executive director and COO at BH Consulting, where she leads data protection, cybersecurity, and AI governance consulting initiatives. Prior to BH Consulting, Valerie spent 13 years leading the cybersecurity risk management team in KBC Bank. She is a recognised expert in building cybersecurity and data protection governance into corporate strategies, and in 2024 published The Privacy Leader Compass: A Comprehensive Business-Oriented Roadmap for Building and Leading Practical Privacy Programs. This book has been adapted into a sold-out workshop at several IAPP conferences. Valerie holds an award-winning PhD researching the influence of Privacy as a CSR on consumer trust and privacy concerns and is currently undertaking a Post Grad in Corporate Governance. She is a Certified Data Protection Systems Engineer (CDPSE), a Certified Information Privacy Professional (CIPP/E), and a Certified Information Systems Security Professional (CISSP). She is a member of the Institute of Directors, honorary fellow of the Irish Information Security Forum, a member of the EDPB pool of experts, a member of the Privacy as a CSR Stakeholder Group (Maastricht University), and a committee member of the Irish Internet Governance Forum.
Dynamic Business Security Architecture

Session 16S

In the evolving landscape of business security, the integration of MITRE ATT&CK® framework plays a pivotal role in enhancing organizational resilience against cyber threats. Our approach leverages the MITRE ATT&CK® from understanding adversary motives to the implementation of mitigation strategies and ensuring robust protection mechanisms.

We introduce the Critical Information Protection Strategy Dependency Map, a novel tool designed to navigate the complex interplay between business impact, adversary techniques, and mitigation procedures. This dynamic map begins with identifying business impacts and systematically links them to potential adversarial techniques. Subsequently, it aligns appropriate mitigation techniques and procedures, culminating in targeted assurance questions. This methodology ensures that mitigations are contextually relevant, activated based on the specific business context at the point of impact and adversarial interaction.

Key insights from our strategy include the importance of deep business knowledge through the identification and analysis of critical information assets in collaboration with technology users. Utilizing the MITRE ATT&CK® framework as a foundation, we optimize it to fortify business resilience. Our strategy emphasizes outcome-focused strategic planning to protect the business context against adverse activities, thereby safeguarding the company’s financial health. Moreover, our approach eliminates redundancy and bias by employing an effective mapping process. This not only manages the intricate business context but also ensures the dynamic and consistent application of mitigation techniques across different layers of the business, adhering to the principles of Engineering Trustworthy Secure Systems. Our methodology stands as a testament to building secure systems that are both dynamic and aligned with business objectives, offering a comprehensive blueprint for organizations aiming to enhance their security architecture.
Speaker(s)

Mikko Larikka

Senior Principal Consultant, Nixu, a DNV Company (Finland)

Mikko has over 20 years of experience in building and assessing security for continuously digitalizing business. Latest assignments relate to a world-class automated recovery requirements management for businesses in fields of energy, media, government, national security, health, and finance business. Mikko has a solid background: he started as in intern at Nixu in the early 00’s and worked with Active Directory, Symantec Enterprise Security Architecture, Digital Services Development and Security Operations Center related assignments as Solution Specialist and Project Manager.
Wednesday 2nd
16:55-17:15

Refreshments
Wednesday 2nd
17:15–18:05
Anthony Sale Memorial Session - The Spy in the Coffee Machine

Plenary 17P

Overtly Tony Sale was known for his outstanding engineering talents which he used to rebuild the WW2 code breaking Colossus and create the National Museum of Computing at Bletchley Park. However, during the Cold War Tony toiled secretly supporting MI5’s efforts to identify covert radio transmissions in the UK, signals which were used by hostile intelligence services working to undermine the UK Government and its allies.

This work was the precursor to modern technical surveillance counter measures (TSCM), an increasingly important field, and one that is practiced today both by Governments and commercial entities who are trying to protect their most sensitive information from competitors and hostile nations.

This paper draws upon TSCM principles to identify the threats from the Internet of Things (IoT) and how our dependence on 21st Century Personal Communication Devices and applications can expose our ‘signals’ to hostile state and organized crime actors.

We will explore the TSCM techniques in use today and how we can help protect from, or at least confuse, a modern attacker.

The question really is …. is there a spy in my coffee machine?
Speaker(s)

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptology, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with more than twenty years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book and was the first recipient of the COSAC award.
Wednesday 2nd
18:10–19:00
The COSAC Rump Session

Plenary 18P

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 2nd October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.
Speaker(s)

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
Wednesday 2nd
19:15–19:45

Drinks Reception (sponsored by David Lynas Consulting)
Wednesday 2nd
19:45

Dinner (sponsored by David Lynas Consulting) & COSAC Prize Night

Thursday 3rd October

Thursday 3rd
09:00-09:30

Registration & Coffee
Thursday 3rd
09:30-1230

COSAC Workshops are half-day, 09:30 - 12:30 & 13:30 - 16:30
Thursday 3rd
09:30-1230
The COSAC Risk Workshop Series: Risk Aggregation & Compound Risk

Workshop W1

The purpose of the risk workshop is to explore the hard parts of understanding risk. We have previously conducted workshops in Ireland and Australia on how to understand and model risk, how to explain and display risk to stakeholders, and how to think like our adversaries to identify threats that we would otherwise miss.

In this workshop we will begin to explore the challenge of how to aggregate risk in a complex environment to help determine which mission objectives are most at risk. We understand single weaknesses and single risks well, but once things get complex it becomes complicated to understand how the risk compounds. Averages don’t do the trick; neither does plotting all the risk on a graph. Actuarial science has solutions, but these solutions require years of data we don’t have. This collaborative workshop will dive into this risk problem to discuss the specific challenges and collectively try to uncover a path forward.
Speaker(s)

Jason Kobes

Sr. Staff Cyber Architect & Research Scientist, Northrop Grumman Corporation (USA)

Jason Kobes works as a Sr. Staff Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in security digital transformation, systems engineering, information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and using AI for automation. Jason has a Master’s of Science in Information Assurance (MSIA) and a Bachelor’s of Science in Computer Science from Iowa State University. Jason holds a SABSA Practitioner of Risk and Governance as well as Architecture. Jason’s areas of research include enterprise risk architecture, accountable anonymity systems and applying actionable enterprise security architecture. Jason is also an adjunct professor at Marymount University for the Criminal Justice department Cyber Crime and Digital Terrorism class.

William Schultz

Senior Director, Enterprise Cybersecurity, Vanderbilt University Medical Center (USA)

Bill Schultz is a practicing lead security architect who has worked in the Information Technology field for over 20 years, with the majority focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill holds the SABSA Master certification. Bill has implemented security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives at Vanderbilt University Medical Center and has been leading the development of the security architecture for 15 years.
The 2nd COSAC Lab

Workshop W2

This year, I propose the second edition of the COSAC LAB.

For the year 2024, the lab will use a new approach based on the lessons learned from the first edition performed in 2023.

1. What is the COSAC LAB?

The intent is to create an environment where people can come together and explore ideas and solutions that were generated during COSAC and develop them in a way which will give the ideas greater potential for further development by the creator or a team they create during the lab.

COSAC LAB speakers: « Hello, the first condition to get in the COSAC LAB workshop is to accept the rules without knowing them”.

Participant: Atchoo !

COSAC LAB speakers : « Bless you »

Participant: Psssst, come here, COSAC reviewers, I will tell you what’s happens here but for now, it’s a secret so keep it for you. Ok we enter in the workshop. Oh, the speakers bring some materials: games, computer, paper, paints, music and so one. I’m not so good at DIY and common, it’s not my age anymore!

Participant: Now, the speakers explain that the first rule is to put away watches and phones. They are the time masters and timekeeper. Interesting, isn’t it? They said that we will work during a time breach. I am curious and interested. Let’s continue, they ask us to propose an idea and I have one: be vulnerable to increase awareness: paradox or reality? They ask other participants if they would like to join my idea to work together on that, and maybe create a new learning model based on paradoxical behaviour.

Participant: Oh wait! Someone else proposes something very new.

Participant: You know what, it is interesting too! A lot of people have ideas. Like I said before they bring some materials to unleash our creativity. I see that I can use AI Art platform. I will try it. People join my idea about paradoxical behaviour. Let’s begin…

COSAC LAB speakers: We give you some steps to follow to achieve your objectives in a COSAC style. Of course, you are free to follow steps or not. Here the aim is to break the figure. We are here to participate too and help if we can.

Participant: Ok the conclusion is … SURPRISE!

2. Characteristics of the COSAC LAB

Value: These design workshops not only build teams from people who may have never worked together before. This workshop will bring a list of ideas which can be developed. It will provide potential ideas for sponsorship by the SABSA foundation and provide interesting future COSAC presentation. This is new and the goal is to “break the figure”. The opportunities for evolution and modification are limitless. The more feedback is given, the more people play the game, the more creative possibilities the COSAC Lab will offer.

Uniqueness: The COSAC Lab comes from its essence the COSAC which is a completely different conference as we know them. This conference is intended for people who build, create, and innovates. A laboratory’s main objective is to provide reliable results.

A laboratory whose results are too often unsafe could not be approved by the competent authorities. The COSAC Lab is the only laboratory that demands to be in danger. Everything is possible. It wants to be opportunist, nutcracker, refractory and innovative.

The first condition to be “accepted” in the COSAC Lab is to accept the conditions and the rules of COSAC Lab without knowing them. Bring the ideas together instead of losing them in discussion.

Timeliness: It is important to develop to get ideas on paper at COSAC instead of losing them.

Approach: The COSAC Lab is the place where the theoretical exchanges will take place in a practical way. Steps to follow are proposed, they remain flexible, only value creation counts.

We will create a time breach when you evolve. We will be the master of the time.

Rule 1 : No phones and no watches

Rule 2 : A commitment to attribute to all authors

Rule 3 : You must agree not to steal ideas and use competitively in a negative way

Rule 4 : You agree to build on good ideas collaboratively, the COSAC-way

A group of people trust each other, will exchange ideas, work together on an issue, an idea, a problem or other. This laboratory aims to export its creations in the real world. Its ultimate goal is to enable the creation of innovations in real life.
Speaker(s)

Ghariba Bourhidane

CyberSecurity Consultant, TreeBridgeMosaic srl (Belgium)

Ghariba Bourhidane is a dreamer, sensitive and unconditional coffee lover. She is currently working as Cybersecurity Consultant providing services security risk management, cybersecurity culture and giving deeper experiences advice in security awareness, topics which drive her passion for the cybersecurity field.

Recently volunteering as TSI Community Manager, she previously worked as Deputy CISO of an insurance group by managing the Third-Party Security Risk concept, dealing with IT project security aspects, being responsible for IT-Security communication and becoming a security awareness specialist.

She has completed two university degrees in Business Sciences and in Business Financial Engineering.
Incident Response Exercise Design Workshop

Workshop W3

Do you want to learn to build a functional incident response exercise?

Perhaps you’d like to have clear and measurable exercise goals and performance reporting. The kind that will endear you to your training team and produce clear and actionable reporting. Good news, we can do that together. After all it’s dangerous to go alone.

The workshop will provide attendees with both support and guidance in developing a plan for a simple incident response exercise. Attendees will be walked through the process of making key decisions and creating usable exercise documents. The workshop will include an introduction to exercise concept development, scenario planning, exercise logistics, communication plans, effective evaluation and post-exercise reporting.

Attendees will leave with a usable exercise plan that will be relevant and usable within their organisation. A selection of video and print resources will be made available for attendees to explore and utilise post-workshop.
Speaker(s)

Kirk Nicholls

Security Advisor, Sportsbet (Australia)

Kirk is a security architect who loves that the job is an endless source of puzzles and learning.He is an SES volunteer, SABSA Institute Board member and instigator of SABSA World Australia.

Someday the novelty will wear off, but not today.
So You Want to Be a CISO

Workshop W4

Building on a workshop at COSAC APAC – a workshop from the viewpoint of two CISO’s from different continents.

Leveraging and sharing their experiences, their thoughts on the direction that the role of CISO’s is taking, and what someone considering the role should be aware of before taking the leap. In addition, both CISO’s share how they have leveraged SABSA in their roles and why it is critical to the success of the CISO, Information Security, and Business.

This material is relevant and timely addressing the changing CISO role in light of SolarWinds CISO’s SEC charges, the CISO from Uber being sentenced to prison by a US Federal jury, the CEO from Drizly being held accountable for security failures and similar to how the American Sarbanes Oxley Act changed the face of Financial Governance across the world the U.S. Securities and Exchange Commission finalized cybersecurity Rule has the potential to have seismic impacts to the Cybersecurity profession.

The value of this session is assisting those considering becoming a CISO, new or seasoned CISO’s, or those who work with CISO’s understand considerations for success with an approach that is both presentation and a discussion between the CISO’s and audience.

Speaker(s)

Harley Aw
Kathleen Mullin
Thursday 3rd
11:15-11:35

Morning Coffee
Thursday 3rd
12:30-13:30

Lunch
Thursday 3rd
13:30-16:30
Security for the Gobsmacked Human

Workshop W5

They’ve had enough. They just get used to one environment and some SOB changes it. And we security geeks want to add change to the change. No wonder they growl at us. Complex, ever-evolving work environments turn communities of competent, veteran users into fumbling rookies who make new-guy mistakes, some of which impact security.

Organizational restructuring is almost a constant. People still resist change, make mistakes, painstakingly follow bad security practices and get socially engineered. And bad guys find creative ways to defeat our newest, most sophisticated security measures.

We’ll give guidance for coping with human foibles, complexity and change in securing our vital assets.

Part 1 – Securing the semi-predictable humans – Phishing, really automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Part 2 – Securing the ever-changing organization – Change agents that can seriously affect security are gaining traction everywhere. Massive organizations are making their own rules and privacy decisions, at least until governments levy gargantuan fines. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.
Speaker(s)

John O’Leary

President, O'Leary Management Education (USA)

John G. O’Leary, CISSP, is President of O’Leary Management Education. A computer security practitioner since 1977, he has designed, implemented, maintained, administered, broken, troubleshot, fixed, re-fixed, managed, consulted on and taught security for networks ranging from single-site to multi-national. Winner of the 2004 COSAC award, the EuroSec 2006 Prix de Fidelite and the 2011 ISC2 Lifetime Achievement Award and the first ever ISS Guardian Award in 2015, his background spans programming, systems analysis, auditing, project management, operations and quality assurance. John taught graduate school at the University of Texas at Dallas for 10 years (yes, there are universities in Texas, some of them even accredited). A few years ago he received breach notification letters from TJX and the VA in the same week. He is still waiting for OPM to reveal that the Chinese now have all his security clearance information. The Target “situation” got him new credit cards. He does not admit to knowing any Russians or CCP members. Although he completely missed out on early bitcoin gathering, the March 2023 Silicon Valley Bank failure cost him nothing. He is firmly convinced that COSAC is the absolute best information security conference on earth.
Digital Transformation Masterclass

Workshop W6

An intriguing session that will attempt to re-orient the mindset required to undergo a Digital Transformation. In an unusual manner (not about just technology or apps) session will provide real world insight and experiences

as it relates to the following:

• The drivers of why we have to undergo Digital Transformation.
• The thinking required for a Digital Transformation.
• The Organizational Shift to a Digital Transformation.
• New ways of marketing.
• New ways of Hiring.
• Technologies at play in that enable Digital Transformation.
• Interactive practical activity on how to digitize something that’s highly physical and manual in nature.
Speaker(s)

Mz Omarjee

Head: IT Client Security and Moonshots, Standard Bank Group (South Africa)

Muhammed Zubair (MZ) Omarjee, is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as it relates to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative business driven and risk-oriented discipline.

Having a proportionate balance of real-world practical experience and technical competence, Muhammed Zubair excels in changing the mind-set required for Digital Transformation. He has a unique ability to operate end to end working interchangeably from strategy development, product design, solution engineering, and full stack software development. His current scope of responsibility covers 18 countries across the African subcontinent.
Beyond the Script: Using Improv to Enhance Tabletop Exercises

Workshop W7

Cybersecurity is known as the department of “NO” while SABSA uses business opportunity risk to transform it to “YES”. This session leverages improvisational skills to increase the engagement, imagination, and impact of tabletop exercises.

We will show how to strategically leverage a tabletop exercise scenario and expand upon it with methods from improv comedy for continuing the scene. Using the techniques of “Yes, And” and “No, But”, we will overcome scenario objections, get participant buy-in to expand upon the premise, address unrealistic recovery options, and keep creativity in the solutions proposed. The optimal outcome is making tabletop exercises fun while producing more relevant and actionable results.

This material is relevant and timely as cyber-risk insurers ask if tabletop exercises are conducted, external audit firms look at scope and reports from tabletop exercises, and the business looks for tangible results from exercises that use many hours of valuable human resources.

This session, redesigned from the bottom up based on our experience at COSAC APAC, will be interactive with the attendees being called upon to participate in games and exercises leveraging improv to show the value of using this novel approach and adding fun to what might otherwise be a compliance ritual.
Speaker(s)

Ashling Lupiani

Cognitive Solutions Developer, City of Hope (USA)

Ashling Lupiani, SABSA SCF is a Cognitive Solutions Developer at City of Hope. She is a neuroscientist and biomedical engineer with experience in speech and gait research. She spent 5 years running neurorehabilitation engineering studies with human participants and conducting data analysis to investigate sensorimotor systems. She co- authored 5 papers and presented at conferences in Toronto and Boston, USA, COSAC APAC 2023 & 2024, and COSAC 28, 29 & 30.

Kathleen Mullin

CIO | CISO, My Virtual CISO, LLC (USA)

Kathleen Mullin is an influential information security practitioner and international speaker with over twenty-five years of experience. She started her career in Accounting and Internal Audit before moving into Information Technology and Cybersecurity. She has been CISO at various organizations, focusing primarily on healthcare. Most recently, she is CIO|CISO for MyCareGorithm a SaaS startup focused on transforming the Doctor/Patient experience.

Throughout her career, Kate has volunteered and contributed to information security as a profession, including serving on multiple board and advisory positions. Currently she is a Board member of the SABSA Institute (TSI) and Chair of the TSI EMEA-NA Liaison Group.
This is the Way! Using SABSA to Transform a Global Managed Security Services Provider

Workshop W8

In late 2022 I was assigned to lead a team mandated with creating and implementing a strategy to transform the Managed Security Services business of a global organization that provides end-to-end security services. This organization operates more than twenty delivery centres globally and has grown, organically and through acquisition, to more than 3000 delivery centre employees.

Due to the rapid growth, many of the delivery centres were operating in their own bubbles and using their own operating models, service definitions, delivery processes, playbooks, runbooks, people management processes, SLAs, metrics and technology stacks. This caused a high degree of inconsistency in the quality, delivery methods and collaboration between the centres, especially when providing services to clients with global footprints.

In this session we will look at how SABSA was used in this transformation journey and the value and impact that it has had on the organization.

Part 1: Context – Setting the context of the requirements and putting the necessary governance in place (Program Governance Model)

Part 2: Setting the baseline – Creating a way to consistently communicate priority and value through language and terminology (Business Attributes & Glossary)

Part 3: Organization – Creating a repeatable organization model based on priorities, requirements, skills and technology (Domain Model & Talent Program)

Part 4: Performance Targets – Creating internal and external facing KPIs and SLAs to measure performance

Part 5: Processes – Creating repeatable operational processes

Part 6: Delivery Method – Updating existing mandated delivery methods to reflect and implement changes
Speaker(s)

Jaco Jacobs

Security Architecture Lead, Accenture (Netherlands)

Jaco has been a “security guy” for more than 25 years during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most of his career developing security IP, training and services for the largest global security providers as well as co-authoring several security publications.
Thursday 3rd
16:30-16:45

Afternoon Tea
Thursday 3rd
16:45

Conference Close - COSAC Chairman's Closing Remarks

COSAC
Patrons

A completely new COSAC experience pushing the boundaries of cybersecurity further than ever before. Smart people, inspiring guest speakers and a ton of passion. Become a COSAC Patron and gain access like no other.

Become a patron

COSAC APAC
2026.

24th - 26th Feb: Melbourne, Australia

More Info Register

Contact

Get in contact with us by email, phone or just stay social and connect with us on LinkedIn

COSAC 2024

Sunday 29th September

Sunday 29th 15:00-16:00

Sunday 29th 16:30-18:30

The SABSA Institute Forum

Speaker(s)

Sunday 29th 19:30-20:00

Sunday 29th 20:00 onwards

Monday 30th September

Monday 30th 09:30-17:30

Monday 30th 09:00-9:30

Monday 30th 09:30-17:30

The 23rd COSAC International Roundtable Security Forum

Masterclass M1

Speaker(s)

The 8th COSAC Security Architecture Design-Off

Masterclass M2

Speaker(s)

Futures Thinking and Cyber: Modelling Emerging Risks

Masterclass M3

Speaker(s)

Resilience: From Hardware to Humans and Everything in Between V2

Masterclass M4

Speaker(s)

Monday 30th 11:05-11:30

Monday 30th 13:00-14:00

Monday 30th 15:35-16:00

Monday 30th 18:30-19:00

Monday 30th 19:00

Tuesday 1st October

Tuesday 1st 09:00-09:30

Tuesday 1st 09:30-10:20

Where Do We Test From Here? Building An Evergreen Protected Security Ecosystem

Session 1A

Speaker(s)

Today’s CISO: Behind Closed Doors or Behind Bars

Session 1B

Speaker(s)

Help! Business Requirements During the Energy Transition

Session 1S

Speaker(s)

Tuesday 1st 10:25-11:15

Turtles All The Way Down

Session 2A

Speaker(s)

A Clockwork CISO

Session 2B

Speaker(s)

Building Cloud Architectures Top-Down: Aligning with Business Motivations

Session 2S

Speaker(s)

Tuesday 1st 11:15-11:35

Tuesday 1st 11:35-12:25

Laying The Groundwork for Quantum Resilience

Session 3A

Speaker(s)

The New KPI On the Block: Outcome-Driven Metrics

Session 3B

Speaker(s)

The Information Security Program Framework – What You Didn’t Know You Needed

Seesion 3S

Speaker(s)

Tuesday 1st 12:30-13:20

The Path from Offsite Backups to Real Resilience (via COSAC)

Session 4A

Speaker(s)

Annual Reports: Security by Obscurity on Steroids

Seesion 4B

Speaker(s)

The Impact of Cyber Trends on Security Architecture into 2025

Session 4S

Speaker(s)

Tuesday 1st 13:20-1400

Tuesday 1st 14:00-14:50

From Compliance Management Towards Risk Management

Session 5A

Speaker(s)

Cyber Misfits and the SABSA Founders Bursary

Session 5B

Speaker(s)

Sunday 29th
15:00-16:00

Sunday 29th
16:30-18:30

Sunday 29th
19:30-20:00

Sunday 29th
20:00 onwards

Monday 30th
09:30-17:30

Monday 30th
09:00-9:30

Monday 30th
09:30-17:30

Monday 30th
11:05-11:30

Monday 30th
13:00-14:00

Monday 30th
15:35-16:00

Monday 30th
18:30-19:00

Monday 30th
19:00

Tuesday 1st
09:00-09:30

Tuesday 1st
09:30-10:20

Tuesday 1st
10:25-11:15

Tuesday 1st
11:15-11:35

Tuesday 1st
11:35-12:25

Tuesday 1st
12:30-13:20

Tuesday 1st
13:20-1400

Tuesday 1st
14:00-14:50

Tuesday 1st
14:55–15:45

Tuesday 1st
15:45-16:05

Tuesday 1st
16:05–16:55

Tuesday 1st
17:00–17:50