For session abstracts, please scroll down.

Mon., April 8

1:30pm – 6:00pm Registration Open
3:00pm – 4:30pm CSO50 Winner Presentations
4:30pm – 5:30pm CSO50 Interactive Workshop
5:30pm – 6:30pm Networking Reception

Tues., April 9

7:30am – 5:30pm Registration Open
8:30am – 12:15pm CSO50 Winner Presentations
12:15pm – 1:30pm Lunch with Table Discussions
1:30pm – 5:00pm CSO50 Winner Presentations

Wed., April 10

8:00am – 7:00pm Registration Open
9:00am – 12:30pm CSO50 Winner Presentations
12:30pm – 2:00pm Lunch with Table Discussions
2:00pm – 5:30pm CSO50 Winner Presentations
7:00pm – 7:30pm CSO50 Awards Cocktail Reception
7:30pm – 9:30pm CSO50 Awards Dinner & Ceremony

Conference Sessions

CSO is pleased to announce that the following sessions will be presented by award-winning organizations at our CSO50 Conference + Awards.  We continue to add newly confirmed sessions to this page, so please revisit for updates.


Synthesizing the Top Security Compliance Standards for Efficiency

Prasant Vadlamudi, Director, Technology GRC, Adobe

Founded in 1982 and now employing more than 19,000 worldwide, Adobe provides tools to design and deliver digital experiences to a spectrum of producers ranging from emerging artists to global brands. In the process of analyzing the top industry security compliance standards, certifications and regulations like SOC2, ISO27001, PCI DSS, HIPAA – all of which represent more than a thousand different controls – Adobe synthesized and boiled them down to about 200 controls Adobe calls the Common Controls Framework (CCF). Join us for this session to learn how CCF’s comprehensive set of security activities and compliance controls enables Adobe’s engineering, product operations, infrastructure and applications teams to achieve improved compliance with security certifications, standards and regulations.


Creating Compliance Visibility Across Varied Teams and Infrastructures

Christer Edwards, Computer Scientist, Software Development, Adobe

Founded in 1982 and now employing more than 19,000 worldwide, Adobe provides tools to design and deliver digital experiences to a spectrum of producers ranging from emerging artists to global brands. To help facilitate faster adoption with security controls across Adobe, which become a challenge with the company’s many acquisitions in recent years, the team needed a tool to handle security auditing and compliance that scaled across many teams with varying infrastructures. After trying a few third-party vendors, the Adobe security team was struggling to get the data they needed with the performance they required. Join us for this session to hear why and how they built HubbleStack — named after the Hubble telescope – to give the security team a window to the complexities of cloud-based infrastructure.


Creating a Comprehensive and Global Third-Party Risk Program

Phani Dasari, VP, Global Third Party Risk Management, ADP

Founded nearly 70 years ago, ADP is a comprehensive global provider of cloud-based human capital management (HCM) solutions that unite HR, payroll, talent, time, tax and benefits administration, as well as business outsourcing services, analytics and compliance expertise. ADP’s enterprise risk organization identified third-party risk as a critical potential risk requiring all relevant organizations across ADP to focus on identifying and reducing third-party risk. To meet this objective, ADP has advanced its third-party assurance efforts from localized in the organization to a connected global program with end-to-end automation, allowing enhanced tracking of all vendor engagements and proactive identification of risks related to third-party engagements. Join us for this session to learn how ADP now leverages a combination of business engagement, synergies between the global security organization and procurement and contract management organizations to implement standards, governance, processes and tools.


Reducing the Risk of Known Vulnerabilities

Jason Cathey, CISO, Bank OZK

Founded in 1903 as a small community bank, Bank OZK has grown to more than 250 offices in ten states. Shortly after implementing a newly established vulnerability management standard that includes time to remediation and vulnerability scan schedules, the bank realized its patch program, standard configurations and software life cycle management wasn’t as effective as they believed. Join us for this session to learn how they reduced the risk of known vulnerabilities by targeting remediation efforts based on asset criticality and severity of vulnerability.


Streamlining Third-Party Risk Management with Automation

Siobhan Hunter, Director, IT Governance, Risk and Compliance, Blue Cross NC

Since 1933, Blue Cross and Blue Shield of North Carolina (Blue Cross NC) has offered its customers high quality health insurance at a competitive price – and today is a fully taxed, not-for-profit North Carolina company employing more than 4,700 North Carolinians and serving more than 3.89 million customers. Like many companies operating in a highly regulated industry and relying upon multiple third party relationships, Blue Cross NC’s third-party risk management process was highly manual, inefficient, carried a substantial administrative overhead, and often failed to deliver timely results for our internal business stakeholders. To modernize, Blue Cross NC redesigned the program by integrating their managed service provider’s offerings with Blue Cross NC’s governance, risk and compliance platform. Join us for this session to learn how their innovative approach automates much of their third-party risk management process, enabling the organization to succeed in managing security due diligence and governance comprehensively and efficiently.


Protecting Devices in Remote Parts of the World

Joel Urbanowicz, Director, Information Security and ICT Operations, Catholic Relief Services

Catholic Relief Services (CRS) was founded in 1943 by the Catholic Bishops of the United States to serve World War II survivors in Europe, and today reaches more than 130 million people in more than 100 countries on five continents. Due to environmental circumstances – like internet connectivity, volatile political situations, and diversity in patch management styles of ICT professionals located around the world – unmet patch management was creating security exposure. Moreover, many of these countries — Ethiopia, DR Congo, Central African Republic and Sudan among others – don’t have adequate terrestrial network infrastructure, necessitating the use of very expensive and heavily constrained satellite network services. All of this introduced significant challenges for end user device management since visibility into what was happening in field offices was often difficult, and bandwidth so constrained as to make Windows patching nearly impossible. Join us for this session to learn how the CRS environment is now better protected, patch management is properly organized and users have streamlined experience regardless of their remote location in the world.