2019 Agenda


The CSO50 Conference agenda reveals a wide variety of security executives presenting the projects that won their organizations CSO50 Awards for 2019. They’ll present how their projects came to fruition, how they’ve delivered business value, and key takeaways you can leverage for your organization. (Please note that exact session times on the agenda are subject to slight adjustment.)


Synthesizing the Top Security Compliance Standards For Efficiency

Prasant Vadlamudi, Director, Technology GRC, Adobe

Founded in 1982 and now employing more than 19,000 worldwide, Adobe provides tools to design and deliver digital experiences to a spectrum of producers ranging from emerging artists to global brands. In the process of analyzing the top industry security compliance standards, certifications and regulations like SOC2, ISO27001, PCI DSS, HIPAA – all of which represent more than a thousand different controls – Adobe synthesized and boiled them down to about 200 controls Adobe calls the Common Controls Framework (CCF). Join us for this session to learn how CCF’s comprehensive set of security activities and compliance controls enables Adobe’s engineering, product operations, infrastructure and applications teams to achieve improved compliance with security certifications, standards and regulations.

View Presentation

Creating a Comprehensive and Global Third-Party Risk Program

Phani Dasari, VP, Global Third Party Risk Management, ADP

Founded nearly 70 years ago, ADP is a comprehensive global provider of cloud-based human capital management (HCM) solutions that unite HR, payroll, talent, time, tax and benefits administration, as well as business outsourcing services, analytics and compliance expertise. ADP’s enterprise risk organization identified third-party risk as a critical potential risk requiring all relevant organizations across ADP to focus on identifying and reducing third-party risk. To meet this objective, ADP has advanced its third-party assurance efforts from localized in the organization to a connected global program with end-to-end automation, allowing enhanced tracking of all vendor engagements and proactive identification of risks related to third-party engagements. Join us for this session to learn how ADP now leverages a combination of business engagement, synergies between the global security organization and procurement and contract management organizations to implement standards, governance, processes and tools.

View Presentation

Stopping Critical Infrastructure Cyber Attacks Before They Start

David Badanes, Director, Digital Group, The AES Corporation

The AES Corporation is a Fortune 500 global power company that provides affordable, sustainable energy in 15 countries through a diverse portfolio of distribution businesses, thermal and renewable generation facilities. As a part of the world’s critical infrastructure – and one that is highly targeted for attacks by numerous adversaries – AES believes the best way to protect the world’s electricity consumers is to empower the personnel of AES to stop attacks before they start. Growing cyber threat awareness among the global employee base of AES required a fundamental shift away from cybersecurity as simply a compliance function. Paired with our cybersecurity operations center, we work to educate, train and inform our global workforce of the importance of cybersecurity hygiene and the impact of a successful attack. Join us for this session to learn how AES has focuses on building a strong program of cybersecurity awareness — benchmarked against the Security Awareness Maturity Model designed by the SANS Institute — and put into place an employee awareness program that achieves, and exceeds, that goal.

View Presentation

Predicting and Preventing Fraudulent Activity

Matthew Harper, Director, Cyber Crime Prevention, Aflac

Founded in 1955, today’s Aflac is a Fortune 500 company providing financial protection to more than 50 million people worldwide.  Using Account Take Over (ATO) and other techniques, criminals are taking advantage of Aflac’s transition from a legacy serving model to a digital-first environment.  To protect Aflac policyholder data while enabling digital transformation, Aflac has chosen to leverage in-place security technology and real-time channel/servicing data – including from call centers, online, claims, and client master data — to create a flexible analytics platform that can flag suspect activity in real-time — and alert business partners in fraud, claims operations, and security to take corrective action.  Join us for this session to learn how Aflac now investigates fraudulent claims more efficiently, and can predict and prevent fraudulent activity before a loss incurs.

View Presentation

Balancing Security and Privacy with AI

Dhananjay (DJ) SampathCEO & Co-founder, Armorblox

While technological innovations bring new options for better security, organizations must continuously evaluate how they impact privacy.  For example, cheaper and better cameras can provide better surveillance, but at the risk of invading privacy.  When securing IT, the same balance of security and privacy is at work.  While today’s top threat vector is email security, and while organizations need better ways to monitor communications for security, no individual wants the organization reading their emails, documents and social tools.  That said, AI now enables machines to automatically analyze communications and flag issues for security, without violating privacy.  Join us for this session where we’ll describe how new techniques that leverage deep learning and natural language understanding (NLU) can deliver better security without sacrificing privacy.

Deception Technology: A Look Under the Hood

Carolyn Crandall, Chief Deception Officer & CMO, Attivo Networks

Deception technology is experiencing rapid adoption for in-network threat detection, but its value in identifying, investigating, and responding to attacks isn’t well known.  What’s deception’s role as a best practice?  How can it help collect forensics for faster investigation and actionable, automated information sharing and response?  Join us for this session for answers to these questions and more.  We’ll explore how deception technology reduces risk by fitting within standard security frameworks — 32 subcategories within NIST 800-61 rev 2, ISO 27000 family — to reduce dwell time, accelerate response, and build an active defense.

Securing Sensitive and Encrypted Data and Transactions

Bobby Julka, SVP, Access and Identity Engineering, Bank of America

With more than 36 million active digital banking users, Bank of America is one of the world’s leading financial institutions, serving individual consumers, small and middle-market businesses and large corporations with a full range of banking, investing, asset management and other financial and risk management products and services.  At Bank of America, data encryption is a vital part of securing sensitive information, and in their large-scale encryption systems, one of the biggest engineering challenges is generating and managing encryption keys.  Hardware Security Modules (HSMs) are used by financial services and other firms seeking high assurance to secure sensitive, encrypted data and transactions, but typically require custom setup, hardware, and integration.  Join us for this session to understand how Bank of America leverages HSMs for a six-figure cost saving per application, and can reduce a six-month or more project coding effort to just a few weeks.

Reducing the Risk of Known Vulnerabilities

Jason Cathey, CISO, Bank OZK

Founded in 1903 as a small community bank, Bank OZK has grown to more than 250 offices in ten states. Shortly after implementing a newly established vulnerability management standard that includes time to remediation and vulnerability scan schedules, the bank realized its patch program, standard configurations and software life cycle management wasn’t as effective as they believed. Join us for this session to learn how they reduced the risk of known vulnerabilities by targeting remediation efforts based on asset criticality and severity of vulnerability.

View Presentation

The Importance of Ratings in the Broader Cybersecurity Dilemma

David HawkinsPrincipal Engineer, BitSight Technologies

Starting in the middle of the last century, the U.S. Air Force experienced a sudden and embarrassing realization of where their fighter aircraft ranked in ability.  This observation led to changes in the U.S. Airforce’s approach to fighter design and engineering — a transformation with interesting correlations to today’s broader cybersecurity dilemma.  Join us for this session to understand how today’s cybersecurity reality is suffering similar challenges as the U.S. Air Force during the 1950s through the 1980s, how ratings have evolved and been used in a variety of markets, and the evolutionary realities related to today’s risk, ratings, and procurement process in the United States.

Optimizing Third-Party Risk Management with Automation

Siobhan Hunter, Director, IT Governance, Risk and Compliance, Blue Cross NC

Since 1933, Blue Cross and Blue Shield of North Carolina (Blue Cross NC) has offered its customers high quality health insurance at a competitive price – and today is a fully taxed, not-for-profit North Carolina company employing more than 4,700 North Carolinians and serving more than 3.89 million customers. Like many companies operating in a highly regulated industry and relying upon multiple third party relationships, Blue Cross NC’s third-party risk management process was highly manual, inefficient, carried a substantial administrative overhead, and often failed to deliver timely results for our internal business stakeholders. To modernize, Blue Cross NC redesigned the program by integrating their managed service provider’s offerings with Blue Cross NC’s governance, risk and compliance platform. Join us for this session to learn how their innovative approach automates much of their third-party risk management process, enabling the organization to succeed in managing security due diligence and governance comprehensively and efficiently.

View Presentation

Mitigating Risk with Ongoing Cybersecurity Risk Assessment

Scott Moser, CISO, Caesars Entertainment

Since its beginning in Reno, Nevada, in 1937, Caesars Entertainment has grown through development of new resorts, expansions and acquisitions, and today is the world’s most diversified casino-entertainment provider and the most geographically diverse U.S. casino-entertainment company.  To better manage cybersecurity risk, Caesars Entertainment conducted an enterprise cybersecurity risk assessment to identify, analyze, prioritize, and recommend actions to mitigate risk below business tolerance levels.  Innovative areas of the project included the risk scoring system used to measure risk, the pairing of risks against an assessment of National Institute of Standards and Technology (NIST) Cybersecurity Framework security controls, and the engagement of business leaders.  Join us for this session to learn the benefits of this program and how the CISO and CIO use it to provide cybersecurity reports to the board of directors’ audit committee and address risk mitigation.

View Presentation

Protecting Devices in Remote Parts of the World

Joel Urbanowicz, Director, Information Security and ICT Operations, Catholic Relief Services

Catholic Relief Services (CRS) was founded in 1943 by the Catholic Bishops of the United States to serve World War II survivors in Europe, and today reaches more than 130 million people in more than 100 countries on five continents. Due to environmental circumstances – like internet connectivity, volatile political situations, and diversity in patch management styles of ICT professionals located around the world – unmet patch management was creating security exposure. Moreover, many of these countries — Ethiopia, DR Congo, Central African Republic and Sudan among others – don’t have adequate terrestrial network infrastructure, necessitating the use of very expensive and heavily constrained satellite network services. All of this introduced significant challenges for end user device management since visibility into what was happening in field offices was often difficult, and bandwidth so constrained as to make Windows patching nearly impossible. Join us for this session to learn how the CRS environment is now better protected, patch management is properly organized and users have streamlined experience regardless of their remote location in the world.

View Presentation

How to Put the Sec in DevOps

Matt Rose, Global Director Application Security Strategy, Checkmarx Inc.

Many organizations are adopting security in their DevOps processes, but what do they need to consider when introducing application security to their DevOps?  What obstacles can be expected and how are organizations successfully overcoming them?  And what functionality is critical to enabling real automation of an AppSec program?  Join us for this session as we explore the benefits of adding security to DevOps automation.

Improving Vulnerability Management for the Fifth Largest City in the United States

Todd Therrien, Interim CISO, City of Phoenix

The City of Phoenix is a municipality that serves the 5th largest city in the U.S. with a population of more than 1.4 million. As the city experienced rapid growth in the last decade, it was determined that the vulnerability management of the municipality’s security and networks was too disjointed, decentralized and ad hoc at best – and management had very little insight into issues, workloads or bottlenecks preventing vulnerabilities from being remediated. With effective management in mind, the city of Phoenix’s Information Technology Services team focused on consolidating and centralizing its network vulnerability management by incorporating cloud-based technology, utilizing specialized software and workflow to help eliminate detected risks, adopt, new standards and change existing business and legal contract practices. Join us for this session to learn how the team can now better monitor current vulnerabilities, remediated items, response time and persistent items.

Why It’s Time to Rethink DLP

Vijay Ramanathan, Product Management SVP, Code42

Legacy Data Loss Prevention has failed the security field, and it’s promised has turned into an endless cycle of policy management, user blocking and blind spots, all while missing the top priority: protecting the user’s data. Join us for this session to understand why legacy DLP has pitfalls, hear interesting data about insider threats and leakage, and learn how and why organizations should be thinking about protecting their users over preventing users from doing their work.

Improving Threat Intelligence, Detection, and Response for Cloud Workloads

Dan Constantino, Director, Security Operations, Cox Automotive

With 40,000 auto dealer clients across five continents, Cox Automotive’s most notable family of brands within its 25 businesses includes Autotrader, Dealer.com, Dealertrack, KBB (Kelley Blue Book), Manheim, NextGear Capital, VinSolutions, vAuto, Xtime and Clutch Technologies. To better defend against cybersecurity threats impacting Cox Automotive, the organization set out to improve security capabilities with threat intelligence, detection, and response for cloud workloads. Join us for this session to hear how to elevate your Cloud Security Program and learn how automation has improved the efficiency, effectiveness, and speed of phishing incident remediation from 60 minutes to just 10. Dan will also cover how cloud alerting capabilities enables them to identify misuse of cloud resources (like cryptocurrency mining) before they incur a large cost from their cloud provider.

View Presentation

Adaptive Third Party Risk Assurance

Kay NaiduDirector Cyber Risk Assurance, Delta Dental of California

An estimated 60% of cyber data breaches originate at third parties according to a recent Ponemon report. As more risk-aware organizations have strengthened their cyber risk management, adversaries have shifted focus to business partner ecosystems that historically have weaker defenses. To better manage these challenges, Delta Dental of California has recently built an adaptable data-driven third party risk assurance capability.

Previously, the organization lacked visibility into business relationships with over 1000 third parties, many with access to personal information of 33 million consumers. This new capability provides a comprehensive understanding of our third party cyber security risk, which enables informed decision making, enhances customer trust, and protects the Delta Dental brand. It uses an innovative approach that tailors rigor and frequency of testing based on the impact and nature of each business relationship. Join us to learn how we identified needed third party capabilities triggered by the evolving cyber threat landscape and developed a self-modifying testing process that relies on threat intelligence to more efficiently use valuable talent.

View Presentation

Leveraging Machine Learning to Mitigate Phishing and Malware

Roberto Sponchioni, Manager, Threat Engineering and Detection, DocuSign

More than 450,000 customers and hundreds of millions of users in over 180 countries use DocuSign’s eSignature to automate how they prepare, sign, act on, and manage agreements.  Offering a SaaS application that relies on email transmission, the organization understands that phishing is its biggest security threat and that automating URL classification is an effective weapon against cyber criminals as it provides a quick response that reduces the impact on the global cybersecurity ecosystem.  To stay ahead of this threat, DocuSign’s detection and prevention technology, Pescatore, was created to be a real-time URL classifier that helps DocuSign’s Cybersecurity Center of Excellence leverage automation to mitigate phishing and malware attacks in a matter of minutes.  Join us for this session to learn how Pescatore analyzes URLs within seconds using machine learning algorithms, static detections, and reputation systems with a high degree of reliability, to classify and immediately execute protection commands.

View Presentations

Modernizing the Workplace with Stress-Free Approaches

Alex Rountree, Principal Enterprise Architect, Dropbox

The fast-paced digital era promises greater workplace productivity and flexibility, yet many IT organizations can’t keep up with the demands to enable the benefits.  But there are ways.  Join us for this session as we focus on best practices for managing user demands, modern tools that employees are quick to adopt with greater satisfaction, and ways to make it all happen with less stress on the IT team.

Securing Endpoints with Analytics and a Proven Framework

Michael Howard, Head of Worldwide Security Practice, HP, Inc.

As the number of connected devices continues to increase, so does the number of potential vulnerabilities. By 2020, there will be 2.8 billion connected devices, all of which could create security blind spots for organizations. How can security professionals expand their security measures to protect this ever-expanding attack surface?  Join us for this session where we’ll draw on real-world examples to explain how to understand and defend against the next wave of hackers, use data analytics and a proven framework to secure endpoint devices, and identify existing gaps in endpoint security.

View Presentation

Stealing Rembrandts: The True Story of International Art Theft

Anthony Amore, Director of Security and Chief Investigator, Isabella Stewart Gardner Museum

Art theft is a multi-billion dollar per year illicit industry, and the world’s most significant heists share one thing in common: the priceless works of Rembrandt. The great Dutch Master’s paintings are known for their value by everyone, from high school dropouts to museum curators. While Hollywood has portrayed the theft of high-value paintings as the work of dashing, likeable thieves working to steal art for evil, reclusive geniuses, in fact that’s nothing like the reality of art theft. Instead, it’s much more interesting. Join us for this special keynote session as Anthony Amore takes us behind the scenes of the most notorious of these heists, telling the true story of art crime from the conception of the crime to the recovery of the art.

Something Worth Fighting For: Crowdsourcing Security Awareness

Brian Roberts, Global Communications and Information Security Awareness Lead, Lear Corporation

Ranked 148 on the Fortune 500, Lear Corporation is a leading supplier of automotive seating and electrical, and employs 169,000 people in 39 countries. Faced with the substantial challenges of engaging a global population with critical education, Lear realized that success required more than bland, company policies. By shifting their messaging to that of an empowering, moral imperative (using multiple channels, innovative content and creative incentives to sustain interest), Lear achieved a remarkable response. When Lear marketed InfoSec as a unifying and bridge-building mission to protect people, they spurred a worldwide movement of volunteers. Join us for an informative session, where the unique approach of the Lear Security Awareness and Training (LSAT) program will be explored.

Creating a Best-In-Class Privacy Program

Gregory Anderson, Data Protection Officer, Lexmark International

Founded in 1991 and serving organizations in more than 170 countries, Lexmark is a global leader in imaging and output technology solutions and managed print services.  Mandated by the CIO and managed by the CISO, Lexmark set out to create a best-in-class privacy program to bring structure to existing ad hoc processes — and affect culture change and raise awareness across 10,000 employees in more than 50 countries.  Under a newly appointed Data Protection Officer, the Privacy@Lexmark project launched an innovative awareness and training campaign embraced across the enterprise.  Join us for this session to learn how it created meaningful results without requiring significant investment or impacting to day-to-day operations.

Securing Critical Infrastructure Across the Maritime and Port Community

Christy Coffey, VP, Member Services, The Maritime & Port Security ISAO, Inc.

Led by maritime and port stakeholders, the Maritime & Port Security ISAO (MPS-ISAO), working in collaboration with the U.S. Department of Homeland Security and the United States Coast Guard, is recognized nationally and internationally as the Information Sharing and Analysis Organization (ISAO) for maritime and port critical infrastructure. In 2016, the MPS-ISAO operationalized, establishing headquarters at the International Association of Certified ISAOs, IACI-CERT, Global Situational Awareness Center, NASA/Kennedy Space Center to support the Maritime and Port critical infrastructure nationally and internationally, and to establish a national ISAO model of sector and cross-sector cooperation and coordination in collaboration with government. The MPS-ISAO, led by the private-sector immediately began to bring together the maritime and port community to advance sector cybersecurity leadership through critical insight and thought exchange in support of the MPS-ISAO’s mission – all of which led to the establishment of the MPS-ISAO Advisory Board. Join this session to learn about how the MPS-ISAO has implemented a collaborative, community-based approach to bring cybersecurity resilience to the Maritime Industry.  Case studies will be discussed.

View Presentation

Transforming Cybersecurity and Enabling Digital Transformation

Bernd Huber, VP, Enterprise Cybersecurity, Northwestern Mutual

When a long-established, legacy company takes on a significant transformation, innovation must permeate everything it does—including cybersecurity. As Northwestern Mutual, a leader in the financial services industry for more than 160 years, has moved on the path to transformation, its digital platform has required an innovative approach to security to match the digital innovation taking place elsewhere in the organization. To create a seamless digital experience for its clients and financial representatives, the company had to step away from piecemeal security practices and implement a new security platform designed to integrate smoothly with the rest of their digital platform. In this session, you will see how their solution, an Enterprise Cyberfusion Platform, allowed them to move beyond past siloed efforts and embrace a more holistic approach to cybersecurity. This has streamlined the number and variety of tools they use to protect vital data, systems, and applications as they provide financial security for their 4.5 million clients.

Reducing Risk with Just In Time Awareness Training

Seth Fogie, Director, Information Security, Penn Medicine

Penn Medicine is one of the world’s leading academic medical centers, dedicated to the related missions of medical education, biomedical research, and excellence in patient care – and consists of the Raymond and Ruth Perelman School of Medicine at the University of Pennsylvania (founded in 1765 as the nation’s first medical school) and the University of Pennsylvania Health System.  As a leading academic medical center in the United States, Penn Medicine must maintain a secure technology environment ensuring the privacy and secure data of patients and colleagues.  To further their vigilance, they created a platform to deliver just in time awareness (JITA) security education to reduce internal employee Internet technology security risk.  Join us for this session to learn how they’ve reduced security risk with awareness training by targeting the dangers of an employee’s potential behavior before using web technology.

Evolving the Security Strategy for Growth

Eric Schlesinger, Global Director and CISO, Polaris Alpha

With research, exploration and problem solving, Polaris Alpha provides engineering and tools designed to protect the warfighter and allied communities.  Continued escalation of cyber-attacks against the organization — along with fevered adoption of new technologies, heightened regulatory scrutiny, and a hyper-connected business environment — meant they needed to change their existing security strategy from just simply implementing tools to incorporating a much broader set of activities.  At the same time, the organization was growing quickly and dramatically.  Join us for this session to learn how they evolved their culture, frameworks and processes to deliver a robust set of services through governance, risk management, compliance and user education, to now have an improved focus on attack and exposure prevention, breach detection and incident response with continuous monitoring and data analytics.

View Presentation

Securing Your Last Line of Defense: A People-Centric Approach to Security Awareness Training

Dale Zabriskie, Evangelist, Security Awareness Training, Proofpoint

The roadmap of your IT environment is full of twists, turns, roadblocks, and potholes. Those with access are navigating a perilous journey — often without explicit security awareness training to help identify warning signs along the way. With the vast majority of breaches targeting people rather than systems, it’s a sobering fact that — according to Proofpoint’s research — close to 40% of users can’t even define what “phishing” is. If not properly trained to spot phishing attempts, users become your greatest risk, clicking on malicious links that enable malware or expose confidential information. Join us for this session as we discuss best practices for adopting a people-centered, risk reduction approach to security awareness training that can transform your users from risky into ready navigators.

View Presentation

Creating Cybersecurity Visibility Across Business Areas and IT

Greg Murray, CISO, Rogers Communications

Founded in 1960 and recognized as one of Canada’s Top 100 Employers, Rogers is a leading diversified Canadian communications and media company. Rogers is Canada’s largest provider of wireless voice and data communications services and one of Canada’s leading providers of cable television, high-speed Internet and telephony services to consumers and businesses. Rogers recognized an opportunity to promote a cultural transformation of Cyber Security that fostered collaboration across Rogers and embedded security safeguards into Rogers products and services. This project encompassed cross-functional alignment, process efficiencies and simplified security requirements to enhance the security risk management framework. Join us for this session to learn how this holistic approach to cyber security is designed to protect information assets.

Cyber Resiliency: How to Focus Holistically, and Well Beyond Data Protection

Sean Curran, Senior Director, Security and Infrastructure, West Monroe Partners

Key trends are conspiring to create unprecedented threat exposure for today’s businesses across: the interdependence of actors in the digital ecosystem; growth to an estimated 8.4 billion IoT devices; and siloed, understaffed, and under-budgeted IT and security departments.  All of this helps explain why a recent survey ranks cybersecurity as today’s top business concern — even ahead of recession worries. Despite heightened security awareness in the C-suite, many executives remain unprepared to protect their businesses by focusing narrowly on just data protection.  Join us for this session where we’ll show the benefits of focusing holistically on overall resiliency, how that enables more awareness of potential threats and risks, and how to create a more resilient business model going forward.

View Presentation