To see the full 2017 agenda with session abstracts, please scroll down.

Monday, May 1

1:30pm – 6:00pm Registration Open
3:00pm – 4:35pm CSO50 Winner Presentations
4:35pm – 5:35pm CSO50 Interactive Workshop
5:35pm – 6:35pm Networking Reception

Tuesday, May 2

7:30am – 5:30pm Registration Open
8:30am – 12:15pm CSO50 Winner Presentations
12:15pm – 1:30pm Lunch with Table Discussions
1:30pm – 5:10pm CSO50 Winner Presentations

Wednesday, May 3

8:00am – 7:00pm Registration Open
9:00am – 12:41pm CSO50 Winner Presentations
12:41pm – 2:00pm Lunch with Table Discussions
2:00pm – 5:38pm CSO50 Winner Presentations
7:00pm – 7:30pm CSO50 Awards Cocktail Reception
7:30pm – 9:30pm CSO50 Awards Dinner & Ceremony

Conference Sessions

CSO is pleased to announce that the following sessions will be presented by award-winning organizations at our CSO50 Conference + Awards.  We continue to add newly confirmed sessions to this page, so please revisit for updates.

 

IMPROVING SITUATIONAL AWARENESS TO ADDRESS RAPIDLY EVOLVING CYBER THREATS

DJ Goldsworthy, Director, Security Operations and Threat Management, Aflac

A Fortune 500 company serving 50 million customers worldwide, Aflac encountered a significant increase in the volume, velocity and spectrum of significant new security threats, now including ransomware. To address this, the company created a custom threat intelligence system capable of consuming large amounts of threat data, and leveraging the data to protect the business environment and inform security decisions. Join us to learn how they developed a system to: rapidly incorporate threat intelligence from industry sources, partners, government and private sector; observe patterns and behaviors from existing infrastructure; and self-calibrate and adapt to evolving threats.


IMPROVING AND AUTOMATING FILE TRANSFER GOVERNANCE WITH BUSINESS PARTNERS

Jerry Fink, Director, Information Security, Blue Cross and Blue Shield of North Carolina

Operating in a highly regulated industry, Blue Cross and Blue Shield of North Carolina (BCBSNC) needs to share data with many business and trading partners.  Like most companies, BCBSNC developed governance processes on the intake side of new file transfers, but lacked the same level of controls to ensure the transfers were decommissioned when no longer needed.  Join us to learn how their Managed File Transfers (MFT) Recertification project resulted in solution to recertify existing transfers in a sustainable, automated model that leveraged existing processes and technology used for certifying user access.


LEVERAGING RFID AND THE INTERNET OF THINGS FOR SECURE DOCUMENT MANAGEMENT

Michael Hoffman, Analyst, BNY Mellon

On behalf of several financial institutions, BNY Mellon is the designated custodian for about 100 million physical home loan documents.  Documents under custody require management throughout the term of the loan, and BNY Mellon’s previous process had weak tracking capabilities and a manual audit procedure for the documents.  Join us to learn how their Smart Docs Cyber Custodian – using RFID tags that enable document tracking throughout BNY Mellon and electronic access by clients — ensures files are transferred quickly and accessible when needed.


IMPROVING SAFETY AND SECURITY THROUGH IMPROVED AWARENESS

Bob Eichler, Director of Information Security, Cancer Treatment Centers of America

Cancer Treatment Centers of America® (CTCA) is a national network of five hospitals dedicated to serving cancer patients in an environment where safety, security and privacy are high priorities. In response to the rising number of catastrophic events caused by ransomware at various healthcare organizations across the country, CTCA launched a new education framework to create a highly reliable culture that protects the safety of all patients and employees. Join us to learn about the initiation and execution of this campaign and how it is positively enhancing safety and security throughout the organization.


PROTECTING INTELLECTUAL PROPERTY IN A HIGHLY COLLABORATIVE ENVIRONMENT

Carolyn Smith, Senior Security Analyst, Celgene Corporation
Michael R. Stanley, Director, Global Information Security, Celgene Corporation

Seeking to deliver truly innovative and life-changing drugs, Celgene has created compounds for more than 300 clinical trials at major medical centers. To Celgene, the next most precious thing beyond their employees is the organization’s intellectual property and the information used by employees. Unlike Financial Services or other highly regulated companies, Celgene’s data protection needs are unique since their environment is highly collaborative with new types of information being created continuously. Join us for this session to learn how Celgene has embarked on a long-term data loss prevention journey that methodically addresses the needs of each business unit across the organization.


SHARE ALL THE INDICATORS

Preston Werntz, Chief of Technology Services, National Cybersecurity and Communications Integration Center (NCCIC), Department of Homeland Security

The Cybersecurity Information Sharing Act of 2015 instructed DHS to develop Automated Indicator Sharing (AIS) as the way for private sector entities and government departments and agencies to share cyber threat indicators in near-real-time.  Join us for this session to learn how the AIS initiative allows bidirectional sharing of cyber threat indicators and defensive measures between the public and private sectors at machine speed – making one organization’s protection another’s prevention.


MODERNIZING INFRASTRUCTURE SECURITY THROUGH MICRO SEGMENTATION

Mike Makowka, Security Principal, Information Systems, Flowserve Corporation

Flowserve manufactures and services fluid motion control systems for some of the world’s most critical applications.  Since physical or cyber attacks on their client organizations could be catastrophic, Flowserve found itself needing to modernize its security posture to address future threats and protect heavily regulated client production facilities.  Join us to understand how they increased their ability to identify threats, reduced the time required to identify them, simplified management and reduced administration costs.


FINDING OPERATIONAL EFFICIENCIES WITH DATA LOSS PREVENTION

Swatantr Pal, Senior Manager, Global Information Security, Genpact

With 75,000 employees serving one-fifth of the Fortune Global 500, Genpact is a leader in business process management and services.  After experiencing rapid company growth, the organization realized its data loss prevention efforts were experiencing too many false positives and not enough good reporting to senior management.  Join us to learn how they targeted and tuned their policies and procedures — including a preventative pop-up box that greets users before sending sensitive information — to improve their overall security posture.


IMPROVING SECURITY AWARENESS WITH NOVEL APPROACHES

Andrew Roberts, Former Director, IT Compliance and Risk Management, Grand Canyon University

Like many other organizations, Grand Canyon University found the results of their security awareness program to be lacking.  Rather than putting additional resources into more of the same, they redesigned the objectives of their program and then took a fresh approach to achieving their new set of goals.  Join us to learn how their new approach reduced in-person training to only 15 minutes in total enhanced with brief, regular communications designed to engage, entertain, and encourage employees to take the desired actions.  The results: engaged employees, fewer help desk calls, and reduced costs.


SAFEGUARDING INFRASTRUCTURE WITH GLOBAL IDENTITY GOVERNANCE

Stephanie Miller, Lead Security Analyst – Governance, Risk and Compliance, IT, The Hershey Company

Operating in more than 70 countries, and growing through technological modernization, strategic acquisitions and new product development, The Hershey Company is a leading manufacturer of chocolate and non-chocolate confectionaries. With their growth, the organization understands that it’s critical to secure their infrastructure from unwanted access to critical applications and breaches that encompass both on-premise and cloud entities. Join us for this session to learn how Hershey created a centralized process enabling a global identity governance infrastructure with automated provisioning.


IMPROVING SECURITY IN THE THIRD-PARTY VENDOR SUPPLY CHAIN

Brenda Callaway, Divisional VP, Information Security & IT GRC, Health Care Service Corporation
Craig Eidelman, Modern Workplace Security Specialist, Microsoft

Healthcare organizations rely on numerous third-party vendors to handle everything from logistics to human resources, software development, financial recordkeeping, physical security and cybersecurity. Those third parties — especially those who have access to the organization’s network and sensitive data — represent an opportunity to improve services and lower costs, as well as a potential risk to the healthcare organization’s ability to ensure security, privacy and compliance. This is why five healthcare organizations and 22 vendors serving the healthcare industry, representing thousands of Business Associates, have collaborated to launch the HITRUST Business Associate (BA) Council. Their mission is to instill confidence, manage risk, gain efficiencies and inspire excellence in healthcare IT by driving innovation and adoption throughout the third-party vendor supply chain, leveraging the HITRUST CSF Assurance Program. Join us for this session to learn how the HITRUST Business Associate Awareness Program is improving IT security in healthcare.


CREATING HIGHLY-EFFICIENT SECURITY AWARENESS TRAINING

George J. Doliker, CISO, INC Research

With 6,600 employees operating in more than 110 countries across six continents, INC Research works with pharmaceutical and biotech companies to assist with their clinical trials. Since the clinical research field is heavily regulated, there can be seemingly endless training required for field associates, and it can be particularly rigorous since providers like INC Research can experience more that 100 audits per year by various client companies making sure they are doing their work correctly. All of this explains why there is intense pressure to produce highly-efficient security awareness training at INC Research. Join us to learn how they’re using various innovative techniques to allow their higly mobile workforce to consume equal-or-greater amounts of less-intrusive security training – all resulting in a net reduction of 3,500 hours of disruptive training per year.


STRENGTHENING THE CYBER SECURITY POSTURE OF A LARGE HEALTHCARE NETWORK

Rob Collins, CISO, Indian Health Service

Indian Health Service (IHS) is an agency within the United States Department of Health and Human Services responsible for providing federal health services to approximately 2.2 million American Indians and Alaska Natives.  IHS discovered that its information security program had become stagnant and unable to perform at the operational level needed to effectively secure a large healthcare network spanning over 679 hospitals, clinics, and health stations across 38 states and 567 sovereign nations.  Join us to learn how they’ve turned all of this around by establishing a world-class cybersecurity program to support a vast healthcare network.


BUILDING TRUST, COOPERATION, COORDINATION AND COLLABORATION ACROSS VERTICAL SECURITY SECTORS

Michael Echols, CEO, International Association of Certified ISAOs (IACI)

The International Association of Certified ISAOs (IACI) is a global association of cyber threat analysis and intelligence organizations created to promote information sharing through guidance, threat awareness, and management services to reduce reduction cyber risks in government and industry. The IACI is a 501(c)6 non-profit organization founded by the Defense Industrial Base Information Sharing and Analysis Center, Webster University, and the Global Institute for Cyber Security Research. The IACI is creating a model of inclusion allowing all entities — even small and medium sized businesses – to take part in cyber intelligence activities designed to expand cyber resilience. In a short time, five ISAOs have launched across vertical sectors including air and space, credit unions, critical manufacturing, maritime and port security, and national rural health. Join us to hear how this information sharing initiative came together, and where it’s headed.


IMPROVING CYBERSECURITY THROUGH BETTER VISIBILITY

Connie Barrera, Director, Information Assurance and CISO, Jackson Health System

Jackson Health System is a nonprofit academic medical system offering world-class care to any person who walks through its doors. Like so many healthcare organizations, Jackson Health realized its systems are greatly impacted by hacking, data exfiltration and ransomware. Ultimately, they reached an “innovate or die moment” when they realized that IoT will flood their networks, hackers will get inside, and there will be ever more crevices in which to hide. Since they can’t afford — or even find — enough skilled staff to keep up, the security team proposed re-designing key processes and made targeted technology investments to super-charge existing security products and staff. The result: better security control across the entire environment without breaking the budget. Join us for this session to learn how they built a first-class security infrastructure that relies on a clear line of visibility into attacker activity inside the network, including unmanaged and IoT devices.


HYPERVIGILANT: STRENGTHENING THE HUMAN FIREWALL WITH ADVANCED INFORMATION SECURITY AWARENESS

Victoria L. Thomas, Information Security Awareness Leader, Kimberly-Clark Corporation

Kimberly-Clark Corporation and its well-known household brands are an indispensable part of life for countless global consumers. With 50,000 workers spread across 150 countries, the company faced the daunting task of educating staff at all levels about emerging information security principles, and how to respond appropriately to cunning cyber threats. Learn how Kimberly-Clark transformed its information security awareness program by empowering employees to become cybersecurity heroes, sparking worldwide behavioral change at work, at home and on the go.


SUCCESSFULLY INCENTING EMPLOYEES TO JOIN THE INFORMATION SECURITY BATTLE

Ron Green, EVP & CSO, Mastercard

Mastercard operates the world’s fastest payments processing network and connects consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories.  Despite their good security awareness efforts among employees, Mastercard realized that more must be done to educate employees about phishing attempts. So they took a new approach with the Mastercard Phishing Tournament designed to engage – and incent – employees to actively look for spam and social engineering messages in their inboxes.  Join us for this session to learn how a $2,000 quarterly employee winner – and a $10,000 annual prize for one lucky employee – is not only turning employees into active members of the information security team, but adding many additional soldiers in the ongoing security fight.


DEVELOPING A MODERN AND COMPREHENSIVE CYBER SECURITY AWARENESS PROGRAM

Mike Stewart, Director, Information Security Awareness and Education, Monsanto Company

As a Fortune 500 company, Monsanto’s goal is to empower farmers to produce more from their land while conserving natural resources like water and energy.  With an eye on protecting their digital assets, Monsanto recognized that, as technical security controls improve, human vulnerabilities are becoming the fastest growing method of threat for corporations across the globe.  Join us to understand how Monsanto’s Information Security Office (ISO) set out on an aggressive plan to develop a comprehensive cyber security awareness program — while simultaneously revamping all security policies to address specific risks related to today’s rapidly changing security landscape.


BUILDING AN EFFECTIVE IDENTITY LIFE-CYCLE MANAGEMENT SYSTEM

Arun DeSouza, Chief Information Security and Privacy Officer, Nexteer Automotive Corporation

With manufacturing and engineering facilities around the world, Nexteer Automotive is a leader in advanced steering and driveline systems for the automotive industry.  Formed by a divestiture, the company faced a carved out Active Directory structure ill-suited to meet Nexteer’s identity management needs.  With this in mind, the organization sought to build an effective federated identity life-cycle management system to strengthen enterprise security and privacy. The key business drivers included minimizing risk of intellectual property loss, securing access to cloud applications, lowering the risk of a data breach and automating talent on-boarding and off-boarding processes.  Join us to learn how they put it all together.


USING INNOVATIVE COMPETITION TO IMPROVE APPLICATION SECURITY

Richard Menta, Lead IT Security Specialist, Quest Diagnostics

Quest Diagnostics annually serves one in three adult Americans and half the physicians and hospitals in the United States, and with 43,000 employees, their insights reveal new avenues to identify and treat disease, inspire healthy behaviors and improve health care management. The organization discovered that when they gathered developers in a room for two days and trained them on secure coding techniques, improvement was modest. Not all developers used what was taught, and those that did slipped back into old habits. To reduce the risk to their applications, they needed a creative approach to engage developers and get them to retain and continually use those techniques. Join us to learn how their innovative Capture the Flag event made training less tedious, more fun – and achieved better results.


MINIMIZING INSIDER THREATS THROUGH BEHAVIOR ANALYTICS AND MACHINE LEARNING

Jennifer Darwin, Director, Identity and Access Management, Sallie Mae

Offering a variety of solutions that help students pay for their college education, Sallie Mae strives to ensure their customers and workforce members’ sensitive data is not at risk. Since traditional approaches to security can’t detect attacks by malicious insiders (or outsiders impersonating insiders), Sallie Mae took a new approach combining user behavior, data analytics and predictive anomaly detection to increase awareness of potential threats. Join us to understand how they now use user behavior and asset analytics to gain better visibility and security breach prevention.


PROTECTING CRITICAL INFRASTRUCTURE STATEWIDE

Michael Roling, CISO, State of Missouri, Office of Administration

The State of Missouri’s Office of Cyber Security (OCS) launched a program to identify vulnerable, Internet connected systems belonging not to just state and local governments, but also to businesses, utilities, and academic institutions across the State of Missouri. The overall goal of the program is to identify the most vulnerable, high risk systems that if left insecure, could lead to disruptions within its critical infrastructure or significant data loss of citizen, student, and customer data.  Join us to learn how this new program allows them to identify vulnerable systems, contact the owners of impacted systems, and shows risk reduction over time.


PROTECTING CONSUMER INFORMATION WITH SENSORS LOCATED AROUND THE WORLD

Jasper Ossentjuk, CISO, TransUnion

TransUnion is one the world’s leading business intelligence providers, maintaining one of the largest collections of consumer information.  To protect their data, the organization created the TransUnion Enterprise Security Ratings Platform (SRP) that gathers terabytes of data from security sensors around the world and provides insight to indicators of compromise, infected machines, improper configuration, poor security hygiene and harmful user behavior.  The data is analyzed to determine the severity, frequency and duration of incidents and then mapped to known networks, resulting in an overall security rating for each selected organization.  Join us to see how the ratings provide intelligence and insight into each organization’s security posture on an ongoing basis and are used in TransUnion’s third party security program, self-assessment exercises, security benchmarking (competitive and internal) and mergers and acquisition activities.


ENGAGING WHITE HATS TO PROTECT CORE FINANCIAL ASSETS

Ben Holley, Principal Analyst – Bug Bounty Program, United Airlines

Managing the hundreds of millions of frequent flier miles across more than 93 million Mileage Plus member accounts is no small task, and United Airlines has to protect this critical data and assets from ambitious criminals intent upon stealing miles that have cash value.  With a commitment to ensuring the reliability of their critical infrastructure and confidentiality of customer data, United Airlines built a multilayered cyber security program in which their unique “Bug Bounty” program is the most visible.  Join us to learn how United has successfully engaged the global security researcher community of creative white hat hackers to validate the secure configuration of their primary web properties.


PROVIDING COMPREHENSIVE IDENTITY MANAGEMENT ACROSS MULTIPLE BUSINESS UNITS

Patrick Landry, IT Technical Director, USAA

The USAA family of companies provides insurance, banking, investments, retirement products and advice to 12 million current and former members of the U.S. military and their families. Not long ago, USAA’s CEO announced that all business units would be merged into a single member services area. USAA didn’t have the identity management infrastructure to handle that volume, so they began a journey on a new approach to access management with identity being the new perimeter. Join us to learn about their comprehensive Identity and Access Management Lifecycle Management (IAM-LCM) program, and how it came together.


CREATING VISIBILITY TO REDUCE FRAUD AND DENY CYBERCRIMINALS

Dr. Chris Pierson, EVP, Chief Security Officer and General Counsel, Viewpost

Viewpost helps companies invoice and make payments to their trading partners by enabling them to send electronic invoices and payments on Viewpost’s secure business network — so knowing who their good customers are versus those who are cybercriminals is critical to Viewpost’s fraud prevention.  To reduce fraud, Viewpost’s security, fraud, and financial crimes teams worked together to uniquely code and develop software that analyzes all customers based on their risk, financial crime status, and relationships with other companies.  Ultimately, this new tool displays the individuals they want to watch, take off the platform, or allow to continue transacting business.  Join us to learn how this has reduced the risk of fraud, met the compliance expectations of their banking partners, and denied the platform to companies and individuals who might use the platform for other purposes.


CREATING AN END-TO-END VIEW OF CONTROL POSTURE AND COMPLIANCE

Jeffrey Zirbel, Manager, IT Security and Risk Management, Voya Financial

Voya Financial® helps Americans plan, invest and protect their savings so they can get ready to retire better. Like many companies, Voya faces increasing challenges in efficiently providing information and evidence to a growing number of auditors, regulators, clients, and vendors — all while maintaining quality and consistency. To address this, Voya has implemented an innovative approach which provides accurate and current information, and uses a clear line-of-sight from policies through control to evidence to create a holistic view of its control posture and policy compliance. Voya is now able to respond to inquiries based on a variety of frameworks, while providing faster and more accurate responses. In turn, this has freed up a significant number of hours to dedicate to higher value work. Join us for this session to understand how they put it all together.