2018 Agenda

 

The CSO50 Conference agenda reveals a wide variety of security executives presenting the projects that won their organizations CSO50 Awards for 2018. They’ll present how their projects came to fruition, how they’ve delivered business value, and key takeaways you can leverage for your organization. (Please note that exact session times on the agenda are subject to slight adjustment.)

1:30pm - 6:00pm REGISTRATION OPEN
3:00pm - 3:10pm WELCOME AND OPENING REMARKS

Bob Bragdon, SVP & Publisher, CSO

3:10pm - 3:28pm REIMAGINING SECURITY TO CHANGE TEAM CULTURE

With 39,000 employees, Xerox is an $11 billion technology company providing leading-edge document technology, services, software and supplies for graphic communication and office printing environments. To adapt to evolving markets and drive innovation for better solutions, it became critical for Xerox’s security services organization to operate in lockstep with the company’s vision. Join us for this session to learn how the organization successfully “reimagined” Xerox’s Global Security Services organization and successfully cultivated changes in team culture to improve results.

Alissa Johnson, CISO, Xerox
Cynthia Ricci, Organizational Effectiveness Manager, Xerox

3:28pm - 3:46pm TRANSFORMING THE SECURITY ORGANIZATION FOR A MODERNIZED CORPORATE STRATEGY

Serving 23 million customers with 40,000 employees across 16 European countries, innogy SE is addressing the new requirements of a decarbonized, decentralized and digital energy world. As conventional power plants are being shut down due to economic performance, profits are shrinking and cost saving measures become critical. For innogy SE, this meant reinventing the organization’s approach to energy — and for the innogy SE security team, it meant reducing costs by 25% while maintaining the highest security standards for the organization moving forward. Join us for this session to learn how the security organization transformed itself and leverages a matrix structure across security governance and a center of expertise for operational security management.

Florian Haacke, CSO, innogy SE

3:46pm - 4:04pm CREATING RISK STANDARDS ACROSS MEMBER COMPANIES TO PROTECT THE BRAND

Providing dental insurance coverage in all 50 states, Puerto Rico and other United States territories, Delta Dental Plans Association is a not-for-profit network of 39 companies providing groups and individuals with cost-effective dental insurance and customer service.  The organization sees security as an increasing threat to the Delta Dental brand, yet across member companies, there was no set of standards or comprehensive and uniform security message.  Working with key strategic leaders across the member companies, the organization finalized a set of security standards and security roadmap for all member companies.  Join us to learn how this reduces risk and provides member companies with economies of purchasing scale for security products and services.

4:04pm - 4:22pm Container and Cloud-Native Architectures: The Modern-Day Labyrinth

IT and security teams are embracing microservices, container and serverless projects at a breakneck speed. Along the way, they’re uncovering new considerations, including whether security products understand orchestrators like Kubernetes or OpenShift, how to maintain visibility and control of container sprawl, and key security capabilities needing deployment at each phase of the dev-to-runtime lifecycle. Join us for this session as we discuss how container security requires a different approach, and share challenges and best practices from real-world deployments.

Ali Golshan, Co-founder and CTO, StackRox

4:22pm - 4:45pm THE SECURITY ORGANIZATION AND LEADERSHIP: A Q&A PANEL DISCUSSION

Florian Haacke, CSO, innogy SE
Fred Kwong, CISO, Delta Dental Plans Association
Cynthia Ricci, Organizational Effectiveness Manager, Xerox
Moderator: Derek Hulitzky, VP, Content Development and Strategy, IDG Communications

4:45pm - 5:45pm MANAGING THE CONTROLS YOU CAN’T INFLUENCE: A MODERATED WORKSHOP

Those who manage security are faced with a constant challenge:  How do you effectively manage critically important security controls when so many of them aren’t within your control — or even your influence?  Take application development as an example; development initiatives and teams can be some of the largest sources of vulnerabilities to the organization, but CISOs and their security teams have little or no control over vast software development efforts and infrastructure.  And with the Equifax breach, the vulnerabilities originated with the web team – an area where the security group had no oversight and limited influence.  Given these kinds of paradoxes — which seem to be expanding rather than contracting — what strategies can CISOs and IT executives leverage to exert the controls they need?  Who’s successfully mastering control of this burning challenge?  And what can you learn from your peers about how to not only survive — but thrive — in these circumstances?  Join us for this moderated and interactive workshop for answers to these questions and more.

Chester Lui, Head of Americas Chrome Customer Engineers, Google
Bob Bragdon, SVP & Publisher, CSO (moderator)

5:45pm - 6:45pm WELCOME RECEPTION
7:30am - 5:30pm REGISTRATION OPEN
8:30am - 8:35am OPENING REMARKS

Bob Bragdon, SVP & Publisher, CSO

8:35am - 8:53am LEVERAGING TECHNOLOGY TO CONNECT ASSOCIATES TO SECURITY

Prudential Financial, Inc. (NYSE:PRU), a financial services leader with more than $1 trillion of assets under management as of September 30, 2017, has operations in the United States, Asia, Europe, and Latin America. Prudential’s diverse and talented employees are committed to helping individual and institutional customers grow and protect their wealth through a variety of products and services, including life insurance, annuities, retirement-related services, mutual funds and investment management. Prudential is committed to providing uninterrupted service to our customers, protecting the assets they have entrusted with us and safeguarding our associates & resources. To support those commitments, Prudential Global Security launched a mobile application to provide employees with relevant safety & security information, and reinforce a strong security culture. The mobile app, called Prudential Global Security Connect, allows associates to receive relevant security alerts and to familiarize themselves with the best practices on the go, which goes a long way towards creating a safe and secure workplace. Bringing safety and security information to an employee’s mobile device delivered a new communication tool that helps employees plan, report and respond to emergency situations.

Lori Hennon-Bell, Vice President and Chief Security Officer, Prudential Financial

8:53am - 9:11am MANAGING CHANGE TO ACHIEVE BETTER CYBERSECURITY AWARENESS

In business since 1933, and now employing more than 12,000 people around the world, Finning is the world’s largest dealer of Caterpillar heavy-industry equipment. To improve its cybersecurity posture, Finning’s IT security team implemented a global cybersecurity awareness campaign designed to: 1) enable employees to better identify and respond to potential cybersecurity incidents; and 2) elevate a cybersecurity culture so it’s as routine as their already-pervasive health and safety environment. Join us to learn how they’ve rolled this program out in multiple languages and geographies, and why it’s become a valuable lesson in managing change.

Nickolas Hilderman, Senior Security Analyst, Finning International
Bart Ludwig, Manager, Identity & Access Management, Finning International

9:11am - 9:29am UNDERSTANDING AND PREPARING FOR NEW CYBERSECURITY REGULATIONS: ARE YOU READY?

With increased connectivity and cloud services use comes an increased risk of data and privacy breaches. All of this has stirred an influx of regulations introduced by federal and state regulators, including the European Union’s General Data Protection Regulation (GDPR), which will affect most US-based organizations. While the New York State Department of Financial Services regulation is the most stringent state regulation to pass so far, it’s most likely just the beginning. How are you ensuring your organization is equipped to meet these increasing regulations, while preparing for those still to come? Join us for this session to learn how.

Uzi Yair, Co-founder, GTB Technologies

9:29am - 9:47am CREATING MEASURABLE RESULTS BY DELIVERING NEARLY ONE MILLION TARGETED SECURITY LESSONS

Covering more than 70,000 square miles, the state of Missouri is home for nearly six million people and is ranked 18th in population among the 50 United States. To elevate among the Office of Administration, Office of Cyber Security’s (OCS) 40,000 employees an ability to address security threats beyond simply consuming passive, annual training, OCS began deploying targeted, focused, and interactive lessons each month. Since inception of this new program, nearly one million individual lessons have been delivered, tracked and gamified to the individual — and participation and results have been graded and shared throughout state government. Join us to learn how they’ve demonstrated excellence and innovation by enabling a powerful security control: the human intrusion detection system.

Mike Roling, CISO, State of Missouri, Office of Administration

9:47am - 10:05am LEVERAGING WIDESPREAD AWARENESS TO REDUCE THE COST OF PHISHING ATTACKS

The Cleveland Metropolitan School District is the second largest school district in the State of Ohio, serving students across 82 square miles with a rigorous curriculum that considers the individual learning styles, program preferences and academic capabilities of each student. After 74 employees in the district received a phishing email and provided their payroll user names and passwords – all of which resulted in a substantial financial cost — the district realized that 7,500 staff and 40,000 students needed to be more knowledgeable cyber-citizens. Join us to learn how the district implemented a district-wide security awareness program that dramatically reduces their costs related to phishing attacks.

Robert Zellers, Director of IT Security, Cleveland Metropolitan School District

10:05am - 10:30am SECURITY AWARENESS AND TRAINING: A Q&A PANEL DISCUSSION

Lori Hennon-Bell, Vice President and Chief Security Officer, Prudential Financial
Nickolas Hilderman, Senior Security Analyst, Finning International
Mike Roling, CISO, State of Missouri, Office of Administration
Robert Zellers, Director of IT Security, Cleveland Metropolitan School District
Moderator: Bob Bragdon, SVP & Publisher, CSO

10:30am - 10:55am NETWORKING BREAK
10:55am - 11:25am THINK YOUR NETWORK IS SAFE? CHECK ALL OF YOUR ENDPOINTS

While you invest time, resources and millions of dollars in protecting endpoints and network perimeter, are you addressing one of the largest footprints on your network? While printers and other endpoints may not be front-of-mind as primary security threats, this infrastructure may be allowing hackers and malware to take the easy route to your network and data. Join us for this session where we’ll share examples of breaches and how some of the most secure organizations are still lagging in overall security for critical endpoints like printers. We’ll also share best practices on how to most-effectively secure these critical endpoints.

Michael Howard, Chief Security Advisor and Practice Manager, HP

11:25am - 11:43am LEVERAGING SECURITY INTELLIGENCE FOR IMPROVED INCIDENT RESPONSE

With 78,000 employees in 20 countries, Genpact is a global professional services firm that manages digitally-enabled intelligent operations for Global Fortune 500 companies. Recognizing that sophisticated threat actors pose significant risks to Genpact, the organization developed a plan to enhance their situational awareness and incident response capabilities. Join us for this session to learn how their modernized security intelligence and incident response capabilities have enhanced their investigation and forensics capabilities, and improved their detection and response times with automation.

Vivek Attri, Senior Manager & Cyber Defense Center Leader, Genpact

11:43am - 12:01pm REDUCING CYBERSECURITY RISKS THROUGH AUTOMATION

Founded by Benjamin Franklin in 1751, the University of Pennsylvania (Penn) is a private Ivy League research university located in Philadelphia, Pennsylvania.  Penn’s mission — teaching, research and service — requires Information Security solutions that foster openness, collaboration and freedom of expression.  Due to its unique mission and user base of 45,000, Penn experiences as many as 10,000 Tier 1 information security events each year.  Join us for this session to learn how Penn reduced cybersecurity risks by automating its security operations center (SOC) while creating new efficiencies and saving money.

Joshua Beeman, CISO, University of Pennsylvania

12:01pm - 12:19pm WORK SMART AND STAY SAFE WITH CHROME ENTERPRISE

Work smart and stay safe with proactive protections, granular policy controls and continuous vulnerability management from Google Chrome Enterprise. Protect users and data at every cloud entry point with Chrome OS Verified Boot, Browser and OS controls, Google Play managed apps, and security modules built into every device. Each layer of Chrome OS’s vertically integrated stack reinforces security, while system-wide auto-updates future-proof your business.

Chester Lui, Head of Americas Chrome Customer Engineers, Google

12:19pm - 1:30pm NETWORKING LUNCH WITH TABLE TOPIC DISCUSSIONS
  • Transforming Security Data Operations into Enterprise Business Intelligence
    Hosted by Arizona State University
  • Incident Response: Do You Have Your Play Books and Communications Ready?
    Hosted by Finicity
  • Deploying an Automated Threat Hunting Platform
    Hosted by HBO Latin America
  • Big Data Security
    Hosted by Micron Technology, Inc.
  • The Security Awareness Training Program
    Hosted by Rainforest Alliance
  • The Deception Project
    Hosted by The Home Depot
  • Cyber-Incident Detection and Response
    Hosted by United Nations Development Programme
1:30pm - 1:48pm DETECTING AND REACTING TO 750 MILLION SPAM AND PHISHING MESSAGES A YEAR

As the single largest university in the United States, Arizona State University (ASU) serves more than 100,000 active students across its campuses and the world — with about 70,000 of those located on the five main campuses in the greater Phoenix area. Along with students, the university also hosts 20,000 additional staff, faculty and administration. With a campus IT infrastructure spanning networks, data centers, cloud environments, endpoints, applications, websites, security technologies and more, ASU sought a platform to manage the enormous and constantly growing number of security- and IT operations-related log files vital to finding both security vulnerabilities and threats, as well as remediating common business operations problems like connectivity. Join us for this session to learn how ASU uses Splunk and other security tools to rapidly detect and react to more than 750 million spam and phishing messages annually in addition to many other security related events that occur at ASU.

Marty Idaszak, Lead Architect, Arizona State University

1:48pm - 2:06pm PROACTIVELY MINIMIZING INSIDER THREATS WITH MACHINE LEARNING

GE Aviation is a global provider of jet and turboprop engines, components, integrated digital, avionics, electrical power and mechanical systems for commercial, military, business and general aviation aircraft. Since GE Aviation leverages cutting-edge designs, light and strong materials, and advanced manufacturing processes, protecting intellectual property is a top priority for their business. To improve data loss prevention, the GE Aviation data security team created an insider threat tool leveraging an indicator correlation methodology that locates users who produce critical risk-based alerts. Join us for this session to find out how GE Aviation successfully implements machine learning algorithms to examine a monthly average of 1.5 billion raw events across 160 risk indicators.

Eric Ridder, Director of Cyber Security, GE Aviation
Gordon Meyers, Sr. Staff Cyber Security Researcher, GE Aviation

2:06pm - 2:24pm SAFEGUARDING PRIVILEGED ACCESS WITH BEHAVIORAL ANALYTICS

Aetna is one of the nation’s leading diversified health care benefits companies, serving more than 44 million people with information and resources to help them make informed healthcare decisions. With such a large potential attack surface, Aetna was concerned that its on-premises and cloud resources were vulnerable to insider threat risks and external account compromise – all of which could lead to privileged access right abuse and data exfiltration. Moreover, the sheer volume of alerts sent to security teams was not risk ranked, which forced teams to randomly select which cases to remediate first. Join us for this session to learn how Aetna became the first organization in the healthcare sector to implement behavioral analytics for consumer authentication and access – and how it now enables 80 percent of users to access their information with just their fingerprint.

Kurt Lieber, Vice President & CISO, Global Security, Aetna

2:24pm - 2:52pm SECURITY INTELLIGENCE, AUTOMATION AND MACHINE LEARNING: A Q&A PANEL DISCUSSION

Vivek Attri, Senior Manager, Information Security, Genpact
Joshua Beeman, CISO, University of Pennsylvania
Marty Idaszak, Lead Architect, Arizona State University
Kurt Lieber, Executive Director, Security Risk Management, Identity and Access Management, Security Program Office, Aetna
Moderator: Derek Hulitzky, VP, Content Development and Strategy, IDG Communications

2:52pm - 3:10pm FINDING THE HIDDEN WEAKNESSES IN YOUR SUPPLY CHAIN

What do cybercriminals do when large financial institutions have well resourced cybersecurity? They target lesser protected software vendors that supply them. With more attacks expected to exploit financial institutions in the coming year, Kaspersky Lab’s Kurt Baumgartner discusses the value of Advanced Persistent Threat (APT) reporting and the new trends in banking backdoors, ransomware, cryptominers, and supply chain attacks.

Kurt Baumgartner, Principal Security Researcher, Global Research & Analysis Team, Kaspersky Lab

3:10pm - 3:40pm NETWORKING BREAK
3:40pm - 3:58pm LEVERAGING CULTURE TO ACHIEVE RAPID SERVICE ORGANIZATION CONTROL (SOC) COMPLIANCE

Founded in 1999, Finicity is in the business of providing financial data aggregation and consumer financial wellness solutions. In March 2016, a large consumer financial organization approached Finicity to participate in Series-B funding for expansion, however, Finicity would have to achieve Service Organization Control (SOC) compliance within six months, and successfully adopt security controls to pass scrutiny by multiple financial institutions and security organizations. Join us for this session to learn how the Finicity team secured additional funding by rapidly adopting a culture of mission-critical security and implementing state-of-the-art infrastructure – all of which now withstands the scrutiny of several top ten financial institutions.

James King, SVP & CSO, Finicity

3:58pm - 4:16pm PROMOTING SECURITY CAREERS THROUGH EDUCATION AND GOVERNMENT COLLABORATION

Founded in 1966, and governed by Michigan’s public universities, Merit Network is a non-profit, member-owned organization that operates America’s longest-running regional research and education network. Like countless places around the world, Michigan’s business community faces cyber security threats along with challenges surrounding economic and talent development for the state. To address this, the Governor’s High School Cyber Challenge was created to spark interest among high school students to fill the cyber security talent pipeline and help prepare key industries to build a workforce strategy to face the cyber threat landscape. Designed to challenge students’ skills across computer science, information technology and cyber security, a three-round competition culminated at the governor’s annual North American International Cyber Summit. Join us for this session to learn how this grassroots effort to promote security careers challenged 564 Michigan students from across 188 competing teams.

Joe Adams, VP, Research and Cyber Security, Merit Network

4:16pm - 4:34pm BUILDING A SECURITY ORGANIZATION FROM THE GROUND UP

Lennar has built a reputation as one of America’s smartest and most innovative companies in real estate, financial services, property development, and capital management – and is supported by seven lines of business, more than 8,000 associates, and 900 locations across 17 U.S. states.  With growth across all business units, stakeholders and the Board of Directors recognized that ignoring security could be detrimental to the growth of the company.  With this in mind, Lennar appointed a CISO and built a security program around three pillars: security awareness, risk reduction, and reduction of friction.  Join us for this session to learn how Lennar’s security program has made the entire organization more agile and prepared for the future.

Juan Gomez-Sanchez, CSO, Lennar

4:34pm - 4:52pm SECURITY AWARENESS TRAINING: A CISO’S JOURNEY FROM DOUBTER TO BELIEVER

Whether budgets are robust or restrictive, infosec teams are often skeptical about diverting dollars away from technical tools so they can better fund awareness training.  Fortune 500 CISO Alan Levine felt the same — until a nation-state attack on his organization led him to reexamine employees’ roles in cybersecurity and the value of defense-in-depth strategies at users’ desktops.  Join us to hear how Alan’s journey with awareness training went from skeptic to advocate.

Alan Levine, Cyber Security Advisor, Wombat Security Technologies

4:52pm - 5:17pm BUILDING THE SECURITY ORGANIZATION TO MEET BUSINESS NEEDS: A Q&A PANEL DISCUSSION

Joe Adams, VP, Research and Cyber Security, Merit Network
James King, SVP & CSO, Finicity
Juan Gomez-Sanchez, CSO, Lennar
Moderator: Bob Bragdon, SVP & Publisher, CSO

5:17pm - 5:35pm JD.COM SECURITY INTELLIGENCE AND ANALYTICS: FROM BIG DATA TO BIG IMPACT

Tony Lee, CISO, JD.com

5:35pm - 5:40pm CLOSING REMARKS

Bob Bragdon, SVP & Publisher, CSO

8:00am - 7:00pm REGISTRATION OPEN
9:00am - 9:05am OPENING REMARKS

Bob Bragdon, SVP & Publisher, CSO

9:05am - 9:23am STONEWALLING RANSOMWARE BEFORE IT HITS PRODUCTION ASSETS

With research, exploration, and problem solving, Polaris Alpha provides engineering and tools designed to protect the warfighter and allied communities. Like many organizations targeted by ransomware, Polaris Alpha knows it can face significant mitigation and recovery costs across not only data and productivity loss, but fixes and possible regulatory penalties. With that in mind, the organization began to apply the concept of honeypots to delay and detect a ransomware infection. Join us for this session to learn how their STONEWALL project uses deception technology to create a ransomware defendable network that chokes and slows down a threat, thereby allowing security teams to be alerted before the ransomware attacks production assets.

Eric Schlesinger, CISO, Polaris Alpha

9:23am - 9:41am FANNIE MAE’S JOURNEY TO DEVSECOPS

Fannie Mae partners with lenders to create housing opportunities for families across the country — and helps make the 30-year fixed-rate mortgage and affordable rental housing possible for millions of Americans. To support this mission, Fannie Mae must support robust security practices throughout the organization. For years, Fannie Mae has aimed toward: 1) conducting cyber security assessments earlier in the development lifecycle; and 2) engaging business partners in the review and mitigation of cyber security risks. Through DevSecOps, Fannie Mae has now reached that goal — and stakeholders from development, operations, and cyber security now monitor, analyze, test, and proactively determine and fix vulnerabilities earlier in the development lifecycle. Join us for this session to see how DevSecOps has helped to dramatically increase code quality standards and reduce the vulnerabilities at Fannie Mae.

Stephanie Derdouri, Director Vulnerability Management, Information Security, Fannie Mae
Carlos Rojas, Director Operations and Technology, Fannie Mae

9:41am - 9:59am FISSION AND FUSION WITH IDENTITY AND SECURITY: NEW OPPORTUNITIES FOR ADVANCED INCIDENT RESPONSE

Infosec challenges continue to mount, yet most enterprises would admit they are overwhelmed.  Big data, analytics and automation technologies are here, but progress is hampered by immature technology, staffing challenges and elusive confidence with operational patterns.  Join us for this session where we’ll review data forking and combination strategies that — when applied to mature identity management and security technologies — address these challenges and provide a pathway to progress.  We’ll cover how to exchange identity and security context to maximize situational awareness, leverage the precision of serialized identity, and tap the organizational hierarchy to verify business context and accelerate automation confidence.

Joe Gottlieb, Senior Vice President, Corporate Development, SailPoint

9:59am - 10:17am ASSESSING AND IMPROVING PHYSICAL SECURITY FOR CRITICAL INFRASTRUCTURE

The American Public Power Association (APPA) is the voice of not-for-profit, community-owned utilities that power 2,000 towns and cities nationwide. While many security guidelines are available from the North American Electric Reliability Corporation (NERC) and other critical infrastructure sectors, public power utilities need a physical security guideline more focused on their needs. That’s why the APPA created a comprehensive guideline designed to help the owners and operators of over 2,000 community-and state-owned electric utilities better ensure the safety and security of their company’s personnel, critical assets, and information. Join us for this session to learn how the APPA’s new guidebook of physical security measures and leading practices can help mitigate threats, vulnerabilities, and potential attacks – and ultimately contributes to a more resilient power grid.

Sam Rozenberg, Engineering Services Security Manager, American Public Power Association

10:17am - 10:45am NETWORKING BREAK
10:45am - 11:15am RETHINKING CYBERSECURITY FOR THE DIGITAL TRANSFORMATION ERA

The pace of technology change is challenging traditional cybersecurity strategies. Not long ago, clouds and mobility forced organizations to rethink their security and network architectures. And when most network traffic was destined for the data center, it made sense to backhaul all traffic over a hub-and-spoke network protected by a ‘castle-and-moat’ security model. But with today’s massive investments in SaaS applications, moving internal applications to private clouds for unfettered access requires a new approach. As the Internet becomes the corporate network, how do you adapt your security? And how can your moves to the cloud be made more secure? Join us for answers to these questions and more.

Jay Chaudhry, Chief Executive Officer and Founder, Zscaler

Alex Philips, CIO, National Oilwell Varco (NOV)

11:15am - 11:33am THE ART OF CYBER DECEPTION

Founded in 1978, The Home Depot is the world’s largest home improvement retailer operating more than 2,200 stores across North America. With the intent of “expecting the unexpected,” The Home Depot’s security strategy leveraged cyber deception as an early breach and behavioral anomaly detection system. The advanced deception and early detection systems not only helped establish visibility into an entity’s networks to understand vulnerabilities but also became an integral part of The Home Depot’s M&A due diligence to ensure security and integrity of systems and networks interconnecting with the company network. Join us for this session to learn how their deception initiative reduced false alarms and solved the “needle in a haystack problem,” thereby allowing them to focus on what they need to know — including comprehensive forensics to remediate the threat.

Sarath Geethakumar, Sr. Director, Information Security, The Home Depot

11:33am - 11:51am PROVIDING TRANSPARENCY TO CYBER-THREAT READINESS AND SITUATIONAL-RESPONSE STAKEHOLDERS

With 39,000 employees, Xerox is an $11 billion technology company providing leading-edge document technology, services, software and supplies for graphic communication and office printing environments. Like most organizations, Xerox experiences increasing demand from concerned customers, executives, partners, and board members, to demonstrate cyber-threat awareness and ability to respond in real-time. To meet this challenge, they created the Xerox Enterprise Cyber Threat Management Portal — a custom-designed solution that provides intelligence-driven, cyber-threat readiness and situational-response task workflow management. Join us for this session to learn how this system responds in real time to disseminate bulletins from the CISO’s organization to a defense-in-depth matrix “playbook” of global IT and security operations teams and business focal points.

Alissa Johnson, CISO, Xerox
Del Russ, Director, Security Intelligence Center, Xerox

11:51am - 12:16pm MODERNIZING CYBERSECURITY: A Q&A PANEL DISCUSSION

Stephanie Derdouri, Director Vulnerability Management, Information Security, Fannie Mae
Sarath Geethakumar, Sr. Director, Information Security, The Home Depot
Sam Rozenberg, Engineering Services Security Manager, American Public Power Association
Del Russ, Director, Security Intelligence Center, Xerox
Eric Schlesinger, CISO, Polaris Alpha
Moderator: Derek Hulitzky, VP, Content Development and Strategy, IDG Communications

12:16pm - 12:34pm THE WORLD OF MOBILE APPS: WHY MOBILE SECURITY IS NOW MISSION CRITICAL

Not long ago, most information was stored on PCs or servers behind protected firewalls.  Today, data has moved to the cloud and is accessed by mobile apps, therefore security in this new world must adapt to trusted access and mobile devices.  Join us for this session as we dive into the state of mobile security and how organizations can enable cross-platform security protection without compromising productivity.

Aaron Cockerill, Chief Strategy Officer, Lookout

12:34pm - 1:45pm NETWORKING LUNCH WITH TABLE TOPIC DISCUSSIONS
  • Rationalizing Core Security Services and Tools
    Hosted by Albertsons Companies  
  • Maturity Assessment of Cybersecurity Risk and Controls
    Hosted by Bank of the Ozarks    
  • The Cyber Security Skills Shortage with Operational Technology (OT)
    Hosted by CLP Holdings Limited
  • Cyber Threat Intelligence
    Hosted by Ellie Mae
  • Managing Risk
    Hosted by Kimberly-Clark Corporation  
  • Creating Security for the Speed of Business
    Hosted by Lennar
  • Missouri’s Cybersecurity Awareness Program
    Hosted by State of Missouri, Office of Administration 
1:45pm - 2:03pm ADOPTING MODERN PRACTICES FOR IMPROVED CLOUD SECURITY

Cox Automotive is transforming the way the world buys, sells and owns cars with digital marketing, financial, retail and wholesale solutions across the global automotive ecosystem. As the company continues to move internally developed Internet-facing applications – like Autotrader.com and KBB.com — into cloud environments, it needed a better solution to manage how to implement, monitor, and audit controls across security, architecture, and operations — ultimately to meet its compliance, legal and regulatory requirements. Join us for this session to understand how their new cloud monitoring technologies not only discovered hundreds of sub-optimal configurations, privileged access, and vulnerabilities, but enabled fresh visibility to prioritize and remediate findings.

John Sewall, Director, Security Engineering, Cox Automotive

2:03pm - 2:21pm THREE STRATEGIES TO PROTECT INTELLECTUAL PROPERTY

Your business is built on intellectual property (IP). In fact, IP can constitute more than 80 percent of a particular company’s value. Losing this data – all created by users and stored on the endpoint – can result in lost productivity, threatened competitive position, and ultimately, potential business collapse. Join us for this session as we discuss why the conventional approach to data security can fall short — and the steps you can take to identify and mitigate threats without impeding user productivity and business growth.

Rob Juncker, SVP, Product Development, Code42

2:21pm - 2:39pm LEVERAGING SECURITY INTELLIGENCE FOR IMPROVED SUPPLIER RISK MANAGEMENT

The Allstate Corporation is the nation’s largest publicly held personal lines insurer, protecting 16 million households from uncertainties through auto, home, life and other insurance. As the threat landscape evolves, Allstate proactively rebuilt its supplier security risk management process to safeguard all customer, agent, and employee information. To improve their existing supplier security risk management function, the team rebuilt their procurement, privacy and information security process to incorporate industry best practices, frameworks and procedures. Join us to hear how this effort reduced their supplier risk while increasing their visibility into their suppliers’ security posture.

Derek Morford, Business Information Security Officer, Allstate

2:39pm - 2:57pm NEW RULES, BETTER TOOLS AND STRATEGIC PARTNERS: TECHNOLOGIES AND TOYS FOR THE INFOSEC BAT CAVE

Albertsons Companies is the third largest food and drug retailer in the United States operating 20 store brands across 37 states and the District of Columbia. To maximize investments in security, the organization embarked on a journey to review the tools, technologies and strategic partners required to support existing and future requirements. This project became unique because it covered not only information security, but the need to protect regulatory and legal information in a highly complex environment. Join us for this session to learn how the project created cost savings while adjusting the organization’s predominately compliance-oriented framework to one that covers controls, capabilities and services mapped to tools and technologies across legacy, cloud and IoT.

Stanley “Stash” Jarocki, Director, Information Risk, Compliance and Federated Identity Access Management, Albertsons Companies

2:57pm - 3:15pm AI FOR CYBER DEFENSE: THE SHIFT TO SELF-LEARNING, SELF-DEFENDING NETWORKS

The fight is no longer at the perimeter. In the new era of cyber-threats, machines fight machines on the battleground of corporate networks and no human security team can keep pace. From high-speed global ransomware attacks to sophisticated threats that disguise themselves on a network for months before taking action, these attacks call for a change in the way we protect our most critical assets. Self-learning, self-defending systems are now being deployed to secure complex enterprise networks across all environment types – ranging from physical, virtual, and cloud, all the way through to IoT and industrial control systems. Known as ‘immune system’ defense, this approach uncovers threats that have already penetrated the network border and then automatically fights back. Unlike legacy approaches that rely on rules or signatures, immune system security learns and responds autonomously, enables the security team to focus on high-value tasks, and can counter even fast-moving, automated attackers. Join us for this session as we explore: why legacy approaches, like rules and signatures, are proving inadequate in the face of the current threat landscape; how AI and machine learning can automate threat detection and response and, in the process, buy back time for security teams; and real-world examples of detected threats, from fast moving ransomware to hacked fish tanks.

Jesse Hood, Regional Director, Darktrace

3:15pm - 3:40pm MINIMIZING CLOUD AND THIRD-PARTY RISKS: A Q&A PANEL DISCUSSION

Stash Jarocki, Director, Information Risk and Identity Access Management, Albertsons Companies
Derek Morford, Business Information Security Officer, Allstate
John Sewall, Director, Information Security, Cox Automotive
Moderator: Bob Bragdon, SVP & Publisher, CSO

3:40pm - 4:05pm NETWORKING BREAK
4:05pm - 4:23pm DECEPTION-BASED THREAT DETECTION: MYTHS AND REALITIES

In today’s world where advanced threats and insiders demonstrate that they can evade security prevention systems, in-network threat visibility and detection are considered critical security infrastructure. That said, there are myths and realities about the effectiveness of deception for detecting advanced threats – and there are specific strategies for operational management efficiency and key use cases that are driving adoption. Join us for this session where you’ll hear about real-world deployment experiences, the value customers are realizing, and what pen test Red Teams are saying about deception-based threat detection.

Carolyn Crandall, Chief Deception Officer, Attivo Networks

4:23pm - 4:41pm ASSESSING THE MATURITY OF CYBERSECURITY RISK AND CONTROLS

Headquartered in Little Rock, Arkansas, Bank of the Ozarks conducts banking operations through 252 offices across 9 states and, based on asset size, has been recognized as a top performing bank in the United States for seven consecutive years. The bank nonetheless had no appropriate mechanism to assess its cyber risk posture, nor was there any appropriate mechanism to assess the efficacy of its cybersecurity controls. To address this head on, they set out to establish a repeatable method to assess 149 critical security sub-controls and to measure the inherent and residual risk to the organization. Join us for this session to learn how their new assessment procedures improved the maturity ratings of the vast majority of controls – and all within the risk appetite defined by the board of directors.

Brian Fricke, CISO, Bank of the Ozarks

4:41pm - 4:59pm CREATING A PROACTIVE, RISK-AWARE CULTURE ACROSS A GLOBAL ORGANIZATION

With 42,000 employees worldwide, Kimberly-Clark sells leading brands in more than 175 countries. To better assess and control threats to Kimberly-Clark’s critical information systems and to reduce its risk profile, the organization implemented a corporate-wide risk management framework. Designed to develop a proactive, risk-aware culture, this new framework includes an automated tool to drive efficiency in managing risk, enhance risk communications and increase agility in risk response. Join us for this session to learn how this global effort aims to standardize risk management practices for consistent, risk-based decision-making at all levels within Kimberly-Clark.

Laura Jones, Risk Manager, Cybersecurity & Assurance, Kimberly-Clark Corporation
Tom Sullivan, Senior Manager, Cybersecurity Risk and Compliance, Kimberly-Clark Corporation

4:59pm - 5:17pm BUILDING A RISK DASHBOARD FOR A HIGHLY-DECENTRALIZED ORGANIZATION

Bridgewater Associates manages about $160 billion for approximately 350 of the largest and most sophisticated global institutional clients including public and corporate pension funds, university endowments, charitable foundations, supranational agencies, sovereign wealth funds, and central banks. Their entrepreneurial model means all business units, each facing unique challenges and risks as they pursue their mission, are fully empowered to manage their departments in a decentralized way. While this operating approach optimizes many aspects of their business, it also makes it uniquely difficult to know and understand their aggregate risks across the enterprise, and then make informed executive decisions based on those risks. Join us for this session to learn about the risk dashboard they developed that provides an interactive, single pane of glass showing real-time, multi-domain views into more than 500 different risk scenarios.

Rick Patterson, Head of Security Operations, Bridgewater Associates

5:17pm - 5:40pm RISK AND COMPLIANCE STRATEGIES: A Q&A PANEL DISCUSSION

Brian Fricke, CISO, Bank of the Ozarks
Rick Patterson, Head of Security Operations, Bridgewater Associates
Tom Sullivan, Senior Manager, Cybersecurity Risk and Compliance, Kimberly-Clark Corporation
Moderator: Bob Bragdon, SVP & Publisher, CSO

5:40pm - 5:45pm CLOSING REMARKS

Bob Bragdon, SVP & Publisher, CSO

7:00pm - 7:30pm CSO50 AWARDS COCKTAIL RECEPTION
7:30pm - 9:30pm CSO50 AWARDS DINNER & CEREMONY