Mon., February 26

1:30pm – 6:00pm Registration Open
3:00pm – 4:30pm CSO50 Winner Presentations
4:30pm – 5:30pm CSO50 Interactive Workshop
5:30pm – 6:30pm Networking Reception

Tues., February 27

7:30am – 5:30pm Registration Open
8:30am – 12:15pm CSO50 Winner Presentations
12:15pm – 1:30pm Lunch with Table Discussions
1:30pm – 5:00pm CSO50 Winner Presentations

Wed., February 28

8:00am – 7:00pm Registration Open
9:00am – 12:30pm CSO50 Winner Presentations
12:30pm – 2:00pm Lunch with Table Discussions
2:00pm – 5:30pm CSO50 Winner Presentations
7:00pm – 7:30pm CSO50 Awards Cocktail Reception
7:30pm – 9:30pm CSO50 Awards Dinner & Ceremony

Conference Sessions

CSO is pleased to announce that the following sessions will be presented by award-winning organizations at our CSO50 Conference + Awards.  We continue to add newly confirmed sessions to this page, so please revisit for updates.

 

Safeguarding Privileged Access with Behavioral Analytics

Kurt Lieber, Executive Director, Security Risk Management, Identity and Access Management, Security Program Office, Aetna

Aetna is one of the nation’s leading diversified health care benefits companies, serving more than 44 million people with information and resources to help them make informed healthcare decisions. With such a large potential attack surface, Aetna was concerned that its on premises and cloud resources were vulnerable to insider threat risks and external account compromise – all of which could lead to privileged access right abuse and data exfiltration. Moreover, the sheer volume of alerts send to security teams were not risk ranked, which forced teams to randomly select which cases to remediate first. Join us for this session to learn how Aetna became the first organization in the healthcare sector to implement behavioral analytics for consumer authentication and access – and how it now enables 80 percent of users to access their information with just their fingerprint.


Leveraging Security Intelligence for Improved Supplier Risk Management

Derek Morford, Business Information Security Officer, Allstate

The Allstate Corporation is the nation’s largest publicly held personal lines insurer, protecting 16 million households from uncertainties through auto, home, life and other insurance. As the threat landscape evolves, Allstate proactively rebuilt its supplier security risk management process to safeguard all customer, agent, and employee information. To improve their existing supplier security risk management function, the team rebuilt their procurement, privacy and information security process to incorporate industry best practices, frameworks and procedures. Join us to hear how this effort reduced their supplier risk while increasing their visibility into their supplier’s security posture.


Assessing and Improving Physical Security for Critical Infrastructure

Sam Rozenberg, Engineering Services Security Manager, American Public Power Association

The American Public Power Association (APPA) is the voice of not-for-profit, community-owned utilities that power 2,000 towns and cities nationwide. While many security guidelines are available from the North American Electric Reliability Corporation (NERC) and other critical infrastructure sectors, public power utilities need a physical security guideline more focused on their needs. That’s why the APPA created a comprehensive guideline designed to help the owners and operators of over 2,000 community-and state-owned electric utilities better ensure the safety and security of their company’s personnel, critical assets, and information. Join us for this session to learn how the APPA’s new guidebook of physical security measures and leading practices can help mitigate threats, vulnerabilities, and potential attacks – and ultimately contributes to a more resilient power grid.


Assessing the Maturity of Cybersecurity Risk and Controls

Brian Fricke, CISO, Bank of the Ozarks

Headquartered in Little Rock, Arkansas, Bank of the Ozarks conducts banking operations through 252 offices across 9 states and, based on asset size, has been recognized as a top performing bank in the United States for seven consecutive years. The bank nonetheless had no appropriate mechanism to assess their cyber risk posture, nor was there any appropriate mechanism to assess the efficacy of its cybersecurity controls. To address this head on, they set out to establish a repeatable method to assess 149 critical security sub-controls and to measure the inherent and residual risk to the organization. Join us for this session to learn how their new assessment procedures improved the maturity ratings of the vast majority of controls – and all within the risk appetite defined by the board of directors.


Adopting Modern Practices for Improved Cloud Security

John Sewall, Director, Information Security, Cox Automotive

Cox Automotive is transforming the way the world buys, sells and owns cars with digital marketing, financial, retail and wholesale solutions across the global automotive ecosystem. As the company continues to move internally developed Internet-facing applications – like Autotrader.com and KBB.com — into cloud environments, it needed a better solution to manage how to implement, monitor, and audit controls across security, architecture, and operations — ultimately to meet its compliance, legal and regulatory requirements. Join us for this session to understand how their new cloud monitoring technologies not only discovered hundreds of sub-optimal configurations, privileged access, and vulnerabilities, but enabled fresh visibility to prioritize and remediate findings.


Fannie Mae’s Journey to DevSecOps

Fannie Mae partners with lenders to create housing opportunities for families across the country — and helps make the 30-year fixed-rate mortgage and affordable rental housing possible for millions of Americans. To support this mission, Fannie Mae must support robust security practices throughout the organization. For years, Fannie Mae has aimed toward: 1) conducting cyber security assessments earlier in the development lifecycle; and 2) engaging business partners in the review and mitigation of cyber security risks. Through DevSecOps, Fannie Mae has now reached that goal — and stakeholders from development, operations, and cyber security now monitor, analyze, test, and proactively determine and fix vulnerabilities earlier in the development lifecycle. Join us for this session to see how DevSecOps has helped to dramatically increase code quality standards and reduce the vulnerabilities at Fannie Mae.


Leveraging Culture to Achieve Rapid Service Organization Control (SOC) Compliance

Jim King, CSO, Finicity

Founded in 1999, Finicity is in the business of providing financial data aggregation and consumer financial wellness solutions. In March 2016, a large consumer financial organization approached Finicity to participate in Series-B funding for expansion, however, Finicity would have to achieve Service Organization Control (SOC) compliance within six months, and successfully adopt security controls to pass scrutiny by multiple financial institutions and security organizations. Join us for this session to learn how the Finicity team secured additional funding by rapidly adopting a culture of mission-critical security and implementing state-of-the-art infrastructure – all of which now withstands the scrutiny of several top ten financial institutions.


Managing Change to Achieve Better Cybersecurity Awareness

Suzie Smibert, Global Director, Enterprise Architecture and CISO, Finning International
Nickolas Hilderman, Senior Security Analyst, Finning International

In business since 1933, and now employing more than 12,000 people around the world, Finning is the world’s largest dealer of Caterpillar heavy-industry equipment. To improve its cybersecurity posture, Finning’s IT security team implemented a global cybersecurity awareness campaign designed to: 1) enable employees to better identify and respond to potential cybersecurity incidents; and 2) elevate a cybersecurity culture so it’s as routine as their already-pervasive health and safety environment. Join us to learn how they’ve rolled this program out in multiple languages and geographies, and why it’s become a valuable lesson in managing change.


Proactively Minimizing Insider Threats with Machine Learning

GE Aviation is a global provider of jet and turboprop engines, components, integrated digital, avionics, electrical power and mechanical systems for commercial, military, business and general aviation aircraft. Since GE Aviation leverages cutting edge designs, light and strong materials, and advanced manufacturing processes, protecting intellectual property is top priority for their business. To improve data loss prevention, the GE Aviation data security team created an insider threat tool leveraging an indicator correlation methodology that locates users who produce critical risk based alerts. Join us for this session to find how GE Aviation successfully implements machine learning algorithms to examine a monthly average of 900 billion raw events across 160 risk indicators.


Creating a Proactive, Risk-Aware Culture Across a Global Organization

Laura Jones, Risk Manager, Cybersecurity & Assurance, Kimberly Clark Corporation
Tom Sullivan, Senior Manager, Cybersecurity Risk and Compliance, Kimberly-Clark Corporation

With 42,000 employees worldwide, Kimberly-Clark sells leading brands in more than 175 countries. To better assess and control threats to Kimberly-Clark’s critical information systems and to reduce its risk profile, the organization implemented a corporate-wide risk management framework. Designed to develop a proactive, risk-aware culture, this new framework includes an automated tool to drive efficiency in managing risk, enhance risk communications and increase agility in risk response. Join us for this session to learn how this global effort aims to standardize risk management practices for consistent, risk-based decision-making at all levels within Kimberly-Clark.


Promoting Security Careers Through Education and Government Collaboration

Joe Adams, VP, Research and Cyber Security, Merit Network

Founded in 1966, and governed by Michigan’s public universities, Merit Network is a non-profit, member-owned organization that operates America’s longest-running regional research and education network. Like countless places around the world, Michigan’s business community faces cyber security threats along with challenges surrounding economic and talent development for the state. To address this, the Governor’s High School Cyber Challenge was created to spark interest among high school students to fill the cyber security talent pipeline and help prepare key industries build a workforce strategy to face the cyber threat landscape. Designed to challenge students’ skills across computer science, information technology and cyber security, a three-round competition culminated at the governor’s annual North American International Cyber Summit. Join us for this session to learn how this grassroots effort to promote security careers challenged 564 Michigan students from across 188 competing teams.


Stonewalling Ransomware Before It Hits Production Assets

Eric Schlesinger, CISO, Polaris Alpha

With research, exploration, and problem solving, Polaris Alpha provides engineering and tools designed to protect the warfighter and allied communities. Like many organizations targeted by ransomware, Polaris Alpha knows it can face significant mitigation and recovery costs across not only data and productivity loss, but fixes and possible regulatory penalties. With that in mind, the organization began to apply the concept of honeypots to delay and detect a ransomware infection. Join us for this session to learn how their STONEWALL project uses deception technology to create a ransomware defendable network that chokes and slows down a threat, thereby allowing security teams to be alerted before the ransomware attacks production assets.


Providing Transparency to Cyber-Threat Readiness and Situational-Response Stakeholders

Alissa Johnson, CISO, Xerox

Xerox is an $11 billion technology company committed to accelerating business whether paper or digital. It’s 39,000 employees are focused on automating, personalizing, packaging, analyzing and securing information for small and mid-size businesses, large enterprises, governments, graphic communications providers, and the partners who serve them. Like most organizations, Xerox experiences increasing demand from concerned customers, executives, partners, and board members, to demonstrate cyber-threat awareness and ability to respond in real-time. To meet this challenge, they created the Xerox Enterprise Cyber Threat Management Portal — a custom-designed solution that provides intelligence-driven, cyber-threat readiness and situational-response task workflow management. Join us for this session to learn how this system responds in real time to disseminate bulletins from the CISO’s organization to a defense-in-depth matrix “playbook” of global IT and security operations teams and business focal points.
Do you have any suggested edits to theses draft?


Reimagining Security to Change Team Culture

Alissa Johnson, CISO, Xerox

Xerox is an $11 billion technology company committed to accelerating business whether paper or digital. It’s 39,000 employees are focused on automating, personalizing, packaging, analyzing and securing information for small and mid-size businesses, large enterprises, governments, graphic communications providers, and the partners who serve them. To adapt to evolving markets and drive innovation for better solutions, it became critical for Xerox’s security services organization to operate in lock step with the company’s vision. Join us for this session to learn how the organization successfully “reimagined” Xerox’s Global Security Services organization and successfully cultivated changes in team culture to improve results.