Mon., February 26

1:30pm – 6:00pm Registration Open
3:00pm – 4:30pm CSO50 Winner Presentations
4:30pm – 5:30pm CSO50 Interactive Workshop
5:30pm – 6:30pm Networking Reception

Tues., February 27

7:30am – 5:30pm Registration Open
8:30am – 12:15pm CSO50 Winner Presentations
12:15pm – 1:30pm Lunch with Table Discussions
1:30pm – 5:00pm CSO50 Winner Presentations

Wed., February 28

8:00am – 7:00pm Registration Open
9:00am – 12:30pm CSO50 Winner Presentations
12:30pm – 2:00pm Lunch with Table Discussions
2:00pm – 5:30pm CSO50 Winner Presentations
7:00pm – 7:30pm CSO50 Awards Cocktail Reception
7:30pm – 9:30pm CSO50 Awards Dinner & Ceremony

Conference Sessions

CSO is pleased to announce that the following sessions will be presented by award-winning organizations at our CSO50 Conference + Awards.  We continue to add newly confirmed sessions to this page, so please revisit for updates.


Safeguarding Privileged Access with Behavioral Analytics

Kurt Lieber, Executive Director, Security Risk Management, Identity and Access Management, Security Program Office, Aetna

Aetna is one of the nation’s leading diversified health care benefits companies, serving more than 44 million people with information and resources to help them make informed healthcare decisions. With such a large potential attack surface, Aetna was concerned that its on premises and cloud resources were vulnerable to insider threat risks and external account compromise – all of which could lead to privileged access right abuse and data exfiltration. Moreover, the sheer volume of alerts send to security teams were not risk ranked, which forced teams to randomly select which cases to remediate first. Join us for this session to learn how Aetna became the first organization in the healthcare sector to implement behavioral analytics for consumer authentication and access – and how it now enables 80 percent of users to access their information with just their fingerprint.

Leveraging Security Intelligence for Improved Supplier Risk Management

Derek Morford, Business Information Security Officer, Allstate

The Allstate Corporation is the nation’s largest publicly held personal lines insurer, protecting 16 million households from uncertainties through auto, home, life and other insurance. As the threat landscape evolves, Allstate proactively rebuilt its supplier security risk management process to safeguard all customer, agent, and employee information. To improve their existing supplier security risk management function, the team rebuilt their procurement, privacy and information security process to incorporate industry best practices, frameworks and procedures. Join us to hear how this effort reduced their supplier risk while increasing their visibility into their supplier’s security posture.

Assessing and Improving Physical Security for Critical Infrastructure

Sam Rozenberg, Engineering Services Security Manager, American Public Power Association

The American Public Power Association (APPA) is the voice of not-for-profit, community-owned utilities that power 2,000 towns and cities nationwide. While many security guidelines are available from the North American Electric Reliability Corporation (NERC) and other critical infrastructure sectors, public power utilities need a physical security guideline more focused on their needs. That’s why the APPA created a comprehensive guideline designed to help the owners and operators of over 2,000 community-and state-owned electric utilities better ensure the safety and security of their company’s personnel, critical assets, and information. Join us for this session to learn how the APPA’s new guidebook of physical security measures and leading practices can help mitigate threats, vulnerabilities, and potential attacks – and ultimately contributes to a more resilient power grid.

Assessing the Maturity of Cybersecurity Risk and Controls

Brian Fricke, CISO, Bank of the Ozarks

Headquartered in Little Rock, Arkansas, Bank of the Ozarks conducts banking operations through 252 offices across 9 states and, based on asset size, has been recognized as a top performing bank in the United States for seven consecutive years. The bank nonetheless had no appropriate mechanism to assess their cyber risk posture, nor was there any appropriate mechanism to assess the efficacy of its cybersecurity controls. To address this head on, they set out to establish a repeatable method to assess 149 critical security sub-controls and to measure the inherent and residual risk to the organization. Join us for this session to learn how their new assessment procedures improved the maturity ratings of the vast majority of controls – and all within the risk appetite defined by the board of directors.

Fannie Mae’s Journey to DevSecOps

Fannie Mae partners with lenders to create housing opportunities for families across the country — and helps make the 30-year fixed-rate mortgage and affordable rental housing possible for millions of Americans. To support this mission, Fannie Mae must support robust security practices throughout the organization. For years, Fannie Mae has aimed toward: 1) conducting cyber security assessments earlier in the development lifecycle; and 2) engaging business partners in the review and mitigation of cyber security risks. Through DevSecOps, Fannie Mae has now reached that goal — and stakeholders from development, operations, and cyber security now monitor, analyze, test, and proactively determine and fix vulnerabilities earlier in the development lifecycle. Join us for this session to see how DevSecOps has helped to dramatically increase code quality standards and reduce the vulnerabilities at Fannie Mae.

Managing Change to Achieve Better Cybersecurity Awareness

Suzie Smibert, Global Director, Enterprise Architecture and CISO, Finning International
Nickolas Hilderman, Senior Security Analyst, Finning International

In business since 1933, and now employing more than 12,000 people around the world, Finning is the world’s largest dealer of Caterpillar heavy-industry equipment. To improve its cybersecurity posture, Finning’s IT security team implemented a global cybersecurity awareness campaign designed to: 1) enable employees to better identify and respond to potential cybersecurity incidents; and 2) elevate a cybersecurity culture so it’s as routine as their already-pervasive health and safety environment. Join us to learn how they’ve rolled this program out in multiple languages and geographies, and why it’s become a valuable lesson in managing change.

Creating a Proactive, Risk-Aware Culture Across a Global Organization

Laura Jones, Risk Manager, Cybersecurity & Assurance, Kimberly Clark Corporation
Tom Sullivan, Senior Manager, Cybersecurity Risk and Compliance, Kimberly-Clark Corporation

With 42,000 employees worldwide, Kimberly-Clark sells leading brands in more than 175 countries. To better assess and control threats to Kimberly-Clark’s critical information systems and to reduce its risk profile, the organization implemented a corporate-wide risk management framework. Designed to develop a proactive, risk-aware culture, this new framework includes an automated tool to drive efficiency in managing risk, enhance risk communications and increase agility in risk response. Join us for this session to learn how this global effort aims to standardize risk management practices for consistent, risk-based decision-making at all levels within Kimberly-Clark.

Stonewalling Ransomware Before It Hits Production Assets

Eric Schlesinger, CISO, Polaris Alpha

With research, exploration, and problem solving, Polaris Alpha provides governments around the world with engineering and tools designed to protect the warfighter and allied communities. Like many organizations targeted by ransomware, Polaris Alpha knows it can face significant mitigation and recovery costs across not only data and productivity loss, but fixes and possible regulatory penalties. With that in mind, the organization began to apply the concept of honeypots to delay and detect a ransomware infection. Join us for this session to learn how their STONEWALL project uses deception technology to create a ransomware defendable network that chokes and slows down a threat, thereby allowing security teams to be alerted before the ransomware attacks production assets.

Providing Transparency to Cyber-Threat Readiness and Situational-Response Stakeholders

Alissa Johnson, CISO, Xerox

Xerox is an $11 billion technology company committed to accelerating business whether paper or digital. It’s 39,000 employees are focused on automating, personalizing, packaging, analyzing and securing information for small and mid-size businesses, large enterprises, governments, graphic communications providers, and the partners who serve them. Like most organizations, Xerox experiences increasing demand from concerned customers, executives, partners, and board members, to demonstrate cyber-threat awareness and ability to respond in real-time. To meet this challenge, they created the Xerox Enterprise Cyber Threat Management Portal — a custom-designed solution that provides intelligence-driven, cyber-threat readiness and situational-response task workflow management. Join us for this session to learn how this system responds in real time to disseminate bulletins from the CISO’s organization to a defense-in-depth matrix “playbook” of global IT and security operations teams and business focal points.
Do you have any suggested edits to theses draft?

Reimagining Security to Change Team Culture

Alissa Johnson, CISO, Xerox

Xerox is an $11 billion technology company committed to accelerating business whether paper or digital. It’s 39,000 employees are focused on automating, personalizing, packaging, analyzing and securing information for small and mid-size businesses, large enterprises, governments, graphic communications providers, and the partners who serve them. To adapt to evolving markets and drive innovation for better solutions, it became critical for Xerox’s security services organization to operate in lock step with the company’s vision. Join us for this session to learn how the organization successfully “reimagined” Xerox’s Global Security Services organization and successfully cultivated changes in team culture to improve results.