2014 CSO40 Security Confab + Awards
 
Sessions at the CSO40 Security Confab + Awards are unlike anything you’ve seen before. Our program of fast-moving, rapid-fire presentations delivered by leading security thought leaders demonstrates how forward-thinking organizations are embracing today’s challenges and preparing for the future.

Monday, March 31, 2014
2:00 pm - 5:00 pm: Registration
3:00 pm - 3:05 pm: Welcome and Opening Remarks
Bob Bragdon, Publisher, CSO magazine
3:05 pm - 3:23 pm: Establishing an Enterprise-wide Authentication and Authorization Service
Tom Baltis, Deputy Chief Information Security Officer, Blue Cross and Blue Shield of IL, TX, NM, OK, MT
Ray Biondo, Senior Vice President and CISO, Blue Cross and Blue Shield of IL, TX, NM, OK, MT
Pavel Slavin, Senior Director, Risk Management, Blue Cross and Blue Shield of IL, TX, NM, OK, MT
Kapil Assudani, Senior Manager, Technical Security Service Program, Blue Cross and Blue Shield of IL, TX, NM, OK, MT

With 14 million members, Blue Cross and Blue Shield of Illinois, Texas, New Mexico, Oklahoma and Montana (BCBS) is the 4th largest health insurer in the United States. The company’s daily operations are enabled by a vast and highly-diverse IT environment. Among other complexities and nuances, BCBS maintains over 200 web and mobile applications and supports more than 24,000 employees. To better meet its rapidly evolving business needs, the company envisioned and launched the Enterprise Authentication and Authorization Service Development Project focused on establishing a standard, centralized and scalable solution for access management. Faced with growing authentication complexity, chronic control weaknesses, mounting end user frustration and inadequate authorization capabilities, the project aimed to boost employee productivity, reduce operational costs and enhance application security and reliability. Join us to learn how BCBS handily accomplished this substantial feat.

3:23 pm - 3:41 pm: Delivering Huge Savings Through a Contemporary Password Reset Program
Bobby Stokes, AVP, IT&S Enterprise Systems, Hospital Corporation of America

Performing 600,000 password resets annually was consuming a considerable amount of resources in the Information Technology and Services (IT&S) organization at HCA, the nation’s leading provider of healthcare services. To decrease the number of resets and improve user experience, a volunteer team of IT, security, product development, field operations and customer support staff rallied together to implement a self-service password reset program. The team set a goal to decrease the number of password resets by 300,000 within twelve months, and while the net cost of the program was minimal, the results were significant. Among the range of strategies, many applications were moved to Active Directory, multiple entry points were created internally and externally to make access readily available, kiosks were provided for resets, fast access was made available on all desktops, and shortcuts were burned into operating system images. Join us to hear more about how it all came together.

3:41 pm - 3:59 pm: CSO40 Honoree Session Q&A Panel
Pavel Slavin, Senior Director, Risk Management, Blue Cross and Blue Shield of IL, TX, NM, OK, MT
Bobby Stokes, AVP, IT&S Enterprise Systems, Hospital Corporation of America
Moderator: Bob Bragdon, Publisher, CSO magazine
3:59 pm - 5:15 pm: Best Practices in Data Breach Prevention, Detection and Response: A Moderated Workshop
Bob Bragdon, Publisher, CSO magazine
Jamil Farshchi, VP, Global Information Security, Visa

Far beyond just financial risk and liability, data breaches can threaten the hard-earned reputation of your organization and negatively influence customers' willingness to engage in the future. In this interactive workshop, you’ll have an opportunity to network and learn from your expert peers as we discover best practices for data breach preparedness, prevention, detection, incident response, and cleanup. Using real-world scenarios, we'll explore effective approaches you can take home and start using right away.

Sneak Peek: CSO40 workshop moderator and advisory board member, Jamil Farshchi, gives his take on how to defend many attack vectors from the 'problem of one.'


Tuesday, April 1, 2014
8:00 am - 6:45 pm: Registration
8:00 am - 9:00 am: Networking Breakfast

Presented by ForeScout Technologies

9:00 am - 9:05 am: Opening Remarks
Bob Bragdon, Publisher, CSO magazine
9:05 am - 9:35 am: Uncovering Insider Threats to National Security
Doug Thomas, Director, Counterintelligence Operations and Investigations, Lockheed Martin
Robert E. Trono, Vice President and Chief Security Officer, Lockheed Martin

As a global security, aerospace, and information technology company focused on national security, Lockheed Martin takes an aggressive and proactive stance to ensure the safety of its 120,000 employees and integrity of its information and products. Physical and information security have long been major contributors in Lockheed Martin’s ability to accomplish its broad mission. To ensure a security posture fully responsive to evolving threats, Lockheed Martin and its Chief Security Officer established the Office of Counterintelligence Operations (OCIO) in 2011 to proactively and comprehensively identify and mitigate risks associated with theft of Lockheed Martin’s intellectual property and trade secrets. In 2013, OCIO launched an Insider Threat Detection Program (ITDP) that looks for indicators identifying employees at a higher risk of being targeted by foreign intelligence services. Join us to learn about this program and the significant upside it’s creating.

9:35 am - 9:53 am: Analytics, Big Data and Threat Intelligence: Taking an Intelligence-Driven Security Approach
Eric Thompson, IT Threat Strategist, RSA

Within the next two years, big data analytics will impact most of the information security world including network monitoring, user authentication and authorization, identity management, fraud detection and GRC. In a few more years, analytic tools will evolve to enable advanced predictive capabilities and automated real-time controls. While these advancements will bring significant opportunity, integrating them to existing security programs will require organizations to rethink how they develop and execute their information security programs. Join us for this presentation from Eric Thompson, RSA IT Threat Strategist, to learn how you and your peers can prepare for this coming transformation.

9:53 am - 10:11 am: Keeping 170,000 Employees Safe Around the Clock and Around the World
Gary Gordon, Senior Manager, Business and Emergency Preparedness Program, Security and Fire Protection, The Boeing Company

With 170,000 employees and 1,000 locations operating across 50 states and 70 countries, The Boeing Company is exposed to countless disruptions that could threaten its people, property assets or supply chain. To increase targeted awareness of these threats, Boeing developed an incident management system – called ThreatNavigator – to protect Boeing’s most valuable asset: its people. This geo-intelligence application overlays real-time risk and threat data with Boeing asset data – like buildings, people, IT assets and suppliers -- to help emergency responders provide a holistic response to an incident or disaster. During an immediate or current incident, process owners can be contacted, their business preparedness plans activated, and Boeing suppliers identified to warn of potential impacts to the supply chain. Integrating risk and threat data from internal and external sources, this web-based system displays the information in Google Maps’ geospatial format with icons showing types of incidents and color coding to indicate the time elapsed since the incident occurred – ultimately providing at-a-glance information from many sources. Join us to learn not only how they’ve put it together, but the benefits they’ve realized.

10:11 am - 10:29 am: “See Something, Say Something”
Michele Freadman, Deputy Director, Aviation Security Operations, Massachusetts Port Authority

That’s the mantra of Boston Logan International Airport’s Security Awareness For Everyone (SAFE) Program. Rather than a limited, top-down program developed from airport management’s perspective, SAFE began as a novel approach to mobilize the entire community of airport companies and workers to protect the airport from the dynamic and evolving security threat to aviation. By instilling individual ownership of security, they leverage their proactive workforce as a force multiplier to detect threats at Logan. Uniquely, SAFE involves the front-line employees who help to keep the airport safe every day including gate agents, ticket counter personnel, cleaners, ramp agents, baggage handlers, mechanics, maintenance facilities workers, as well as security, operations, concessions, and contract security personnel. Numerous employees have been recognized by SAFE, among them those who: noticed a passenger’s suspicious behavior leading to the discovery of narcotics secreted in a custom made leg cast and wheel chair; volunteered to move an aircraft to a remote location on the airfield during a bomb threat onboard the aircraft; assisted the Massachusetts State Police in apprehending a violent subject; and stopped an unauthorized individual who accessed a highly sensitive security portal. Join us to see how SAFE has become an integral part of the fabric of the Logan community and is now a part of its culture.

10:29 am - 10:54 am: CSO40 Honoree Session Q&A Panel
Michele Freadman, Deputy Director, Aviation Security Operations, Massachusetts Port Authority
Gary Gordon, Senior Manager, Business and Emergency Preparedness Program, Security and Fire Protection, The Boeing Company
Doug Thomas, Director, Counterintelligence Operations and Investigations, Lockheed Martin
Moderator: Joan Goodchild, Editor, CSO magazine and CSOonline.com
10:54 am - 11:24 am: Networking Break
11:24 am - 11:42 am: Minimizing Workplace Violence with Information and Physical Security
Errol Brudner, Manager, Protection and Security Services / Emergency Management, Atlantic Health System
Alan Robinson, Director, Protection and Security Services / Emergency Management, Atlantic Health System

Those who manage large health care facilities are often some of the most seasoned at reducing workplace violence. Through their emergency room facilities alone, they have become well-practiced at not only recognizing, but anticipating threats. Atlantic Health System’s Workplace Violence Prevention program employs a wide range of integrated tools and strategies to maintain a safe environment for its employees and constituents -- including education, real-time vetting of visitors, facial recognition, and analytics on real-time crime data in local neighborhoods. Not only has the program reduced violence in its 9 million square feet of facilities, it creates an environment where employees feel safe. Join us to understand how they do it, and how their experience can be applied to any industry.

11:42 am - 12:00 pm: Providing Mobile Security Across More than 50 Healthcare Locations
Monique Hart, Manager, Information Security, Children's Healthcare of Atlanta
Stoddard Manikin, Director, Information Systems Security, Children’s Healthcare of Atlanta
Moderator: Bob Bragdon, Publisher, CSO magazine

New mobile capabilities have created greater avenues for physicians and clinical centers to streamline patient care. All of this is enticing hospital employees to use mobile devices to improve the provider/patient care experience, yet all of this increases the risk of information security breaches. To address this, Children's Healthcare of Atlanta (Children's) embarked on their "Mobile Device Policy Implementation Project" to allow physicians and clinical centers to leverage mobile technology while minimizing risks to the organization. This project also provides employees with flexibility in choosing their mobile device, while ensuring appropriate security protocols remain in place to protect Children’s resources and patient data. Join us to learn how they made it all happen.

12:00 pm - 12:18 pm: How to Protect Intellectual Property Across the Enterprise
Tim Upton, President and CEO, TITUS

Data security is not just an IT issue, but a business imperative. As we see continued media coverage of data breaches and security incidents, the inevitable question is: "What are we doing to make sure that doesn't happen to us?" One of the biggest challenges today's organizations face is how to identify and protect sensitive and confidential information — therefore understanding, knowing and identifying your information is the foundation for data security. Join us for this session as we discuss how organizations worldwide are involving their end-users in data classification at the time of content creation as the first step to protecting their most valuable assets — their information. With data classification as the foundation, today's organizations are not only able to reinforce established security policies but also transform end-user behavior and create a sustainable corporate culture for data protection.

12:18 pm - 12:38 pm: CSO40 Honoree Session Q&A Panel
Stoddard Manikin, Director, Information Systems Security, Children’s Healthcare of Atlanta
Alan Robinson, Director, Protection and Security Services / Emergency Management, Atlantic Health System
Moderator: Joan Goodchild, Editor, CSO magazine and CSOonline.com
12:38 pm - 1:53 pm: Networking Lunch with Table Topic Discussions Hosted by Selected CSO40 Honorees

Presented by TITUS

1:53 pm - 2:11 pm: I said "Know"
Mark Felber CPA, CISA, CISSP, Manager, Information Security Program, Florida Blue
Chris Gay, Director, Information Security Technology and Operations, Florida Blue
Doug Robison, Program Manager, Security Education Program, Florida Blue

The "I said 'Know'" campaign at Florida Blue has two strategic objectives: first, engage and educate Florida Blue employees on how to protect their own personal information assets; second, increase awareness of the appropriate security behaviors that protect the confidentiality, integrity, and availability of Florida Blue's information assets. Vital to the program are the Security Ambassadors -- a direct outreach by the security education program for face-to-face sessions on securing your personal information. Ultimately, the program's common sense approach to educating employees about concepts applicable to their personal lives is designed to create more secure workplace behaviors. Join us to learn more about this program and its measurable results.


Sneak Peek: CSO40 speaker Douglas B. Robison shares his personal story behind Florida Blue’s “I said ‘Know’” campaign.

2:11 pm - 2:29 pm: Transforming Your Weakest Security Link Into Your Strongest Asset
Arthur Wang, Supervisor, Information Security and Helpdesk, ReSource Pro
Christopher Watkins, Director, IT Infrastructure and Risk Management, ReSource Pro

Security experts know the weakest link in information security is often the human element. But it can also become the strongest asset. ReSource Pro knew that achieving ISO27001 certification required the organization to quickly implement new measures to ensure compliance by its more than 1,500 employees -- and that this was an opportunity to create a culture of continuous security improvement. In addition, an internal ReSource Pro study discovered that focusing on employee involvement and engagement would have a higher ROI than simply making investments in technology. With this in mind, the organization created a contest to create unprecedented employee engagement, a heightened awareness of security policies, and a culture of community justice – where team members watched out for each other and were empowered to speak out when noticing any breach of policy. Attend this session to understand how it all came together.

2:29 pm - 2:47 pm: Security Ratings: Measuring Risk Through Security Outcomes
Stephen Boyer, CTO and Co-Founder, BitSight Technologies

Businesses often rely on assessments, questionnaires and audits to understand risk in their own networks and those of third parties. These methods, while insightful, are not evidence based and are prone to bias. So, how can companies extend visibility into dynamic security postures and truly measure security risk? Join us for this session to learn how security ratings can be used to continuously measure performance, and how they can be derived using externally observable information. We’ll also share how organizations can use ratings to arrive at actionable insight and proactively identify, quantify and mitigate risk.

2:47 pm - 3:05 pm: Reducing Significant Security Hazards with “Hotel in a Cloud”
Michael Patrick, Director End User Services Global Operations Center, Hyatt Hotels Corporation

With more than 500 properties in its portfolio, Hyatt Hotels Corporation found that its property general managers and staff were using as many as 40 different systems and applications across reservations, catering, payroll, event management and the like. Not only did this create an incredibly complex technical environment for non-technical employees; staff also needed many passwords across these systems, creating a significant security hazard for the organization. Today, new and existing properties use an integrated, cloud-based system that can be accessed by virtually any small-footprint device. Applications are hosted remotely with single sign-on. Join us for this session to learn how it all came together.

3:05 pm - 3:23 pm: An Innovative Trusted Cloud Services Model
Jack Baker, Executive Director, Global IT Security, Quintiles Transnational
Jerry Fink, Director, IT Security, Quintiles Transnational

As Quintiles makes increasing use of cloud service providers to host applications and infrastructure, it's found a need to provide security assurance on par with systems hosted on the internal private network. As a result, Quintiles’ Trusted Cloud Services Model was developed to build on Quintiles’ global security framework and application security assessment program — and to extend security controls to cloud service providers within an integrated global security design. Moreover, it gives Quintiles a means of leveraging providers’ security services and to augment those services by extending internal systems and processes. Join us to learn about the model and the benefits Quintiles has realized.

3:23 pm - 3:41 pm: Identity and Access Management for the Real World
Eric Robinson, Regional Sales Director- Identity and Security Management, Dell Software Group

While security, governance and compliance are hot topics today, have we looked closely enough at what it takes to achieve real success with them? The real world has limited budgets, tight deadlines, ever increasing environmental complexity, and a constantly changing security landscape. In this session, Eric Robinson will discuss how to develop an identity and access management approach that works with these realities. The discussion will focus on identity governance, privileged management and access management that doesn't require heavy investments, rigid infrastructure and inflexible technologies — and that can be built on a company’s existing foundation.

3:41 pm - 4:11 pm: Networking Break
4:11 pm - 4:29 pm: Managing ERP Security and Data Risks
Kris Kraus, Senior Manager, SAP Security Operations, Astellas US LLC
Kevin O'Toole, Vice President of IT, Astellas US LLC
Anand Pattabiraman, Director, IT, SAP Solution Delivery, Astellas US LLC
Bill Stamos, Associate Director, IT PMO, Astellas US LLC
Scott Zulpo, Senior Director, IT Operations, Astellas US LLC
Moderator: Bob Bragdon, Publisher, CSO magazine

Global pharmaceutical organizations operate in a highly complex environment of regulatory, legal and reputational risks. Compliance challenges involve the Health Insurance Portability and Accountability Act (HIPAA), Foreign Corrupt Practices Act (FCPA) and Food and Drug Administration (FDA) regulations. To achieve the highest level of operational and regulatory compliance, Astellas has made managing security and master data risks in their ERP environment a strategic business goal. This involves several key components including: reducing user access risks by redesigning ERP security roles to closely align each user’s access with their specific job responsibilities; enabling leading practice processes to prevent provisioning of inappropriate access to users; and optimizing the ERP control environment by increasing reliance on preventive security controls to maintain a clean ERP control environment. Join us to understand how they’ve done it.

4:29 pm - 4:47 pm: Developing Highly-Secure Enterprise Software
Matthias Ems, Global Director IT Security Architecture, Validation + Governance, SAP AG
Fabian Vetter, Project Manager IT Solution Design & Quality Assurance, SAP AG

Today's business relies heavily on software, so identifying and cleansing security issues -- like discovering missing authority checks and potential backdoors, and detecting and remediating compliance violations introduced by insecure coding practices -- are mission-critical. To address this comprehensively across its custom developed Advanced Business Application Programming (ABAP) code, SAP created the ABAP Source Code Project to identify critical security gaps. The project has two key objectives: establish a baseline security level for the existing ABAP-based business applications; and create effective measures to keep the productive systems secure. Join us to learn how SAP leveraged this project to create a more secure development environment for its workforce.

4:47 pm - 5:05 pm: How to Detect a Threat Actor
Jon Ramsey, Chief Technology Officer, Executive Director Dell SecureWorks Counter Threat Unit, Dell SecureWorks

How do you detect the presence of a threat actor and their tradecraft without any knowledge of the actor or their attacks? This question is what led to the development of Foresee. Foresee enables Dell SecureWorks to cost-effectively scale security operations -- equal to or better than what could be achieved by security experts -- to meet the rapidly-growing number and variety of threats. It also provides predictive ability to "foresee" attacks before they occur. Join us to find out how.

5:05 pm - 5:30 pm: CSO40 Honoree Session Q&A Panel
Jack Baker, Executive Director, Global IT Security, Quintiles Transnational
Matthias Ems, Global Director IT Security Architecture, Validation + Governance, SAP AG
Chris Gay, Director, Information Security Technology and Operations, Florida Blue
Michael Patrick, Director End User Services Global Operations Center, Hyatt Hotels Corporation
Christopher Watkins, Director, IT Infrastructure and Risk Management, ReSource Pro
Moderator: Joan Goodchild, Editor, CSO magazine and CSOonline.com
6:00 pm - 6:30 pm: CSO40 Awards Cocktail Networking Reception (open to all qualified attendees)
6:30 pm - 9:00 pm: CSO40 Awards Dinner and Ceremony (open to all qualified attendees)

Wednesday, April 2, 2014
8:00 am - 4:00 pm: Registration
8:00 am - 9:00 am: Networking Breakfast
9:00 am - 9:05 am: Opening Remarks
Bob Bragdon, Publisher, CSO magazine
9:05 am - 9:35 am: Understanding the National Cybersecurity Protection System
Brendan Goode, Director, Network Security Deployment, U.S. Department of Homeland Security

Over the last decade, the federal government has become increasingly focused on the use of information technology and the Internet to efficiently and effectively deliver services to carry out its missions. While all of this has improved services, the federal government has also become increasingly reliant on this IT infrastructure for mission essential functions. Consequently, the federal IT infrastructure has become a high-priority target for sophisticated adversaries. To address these growing threats, the U.S. Department of Homeland Security established the National Cybersecurity Protection System (NCPS) as part of its efforts to upgrade its cybersecurity capabilities and respond to an expanding cybersecurity mission. NCPS – also known as EINSTEIN -- is an integrated system of intrusion detection, analytics, information sharing, and intrusion prevention capabilities. These combined capabilities provide a technological foundation for defending the .gov information technology infrastructure – including federal Civilian Executive Branch departments, agency networks and .gov domain -- against advanced cyber threats. Join us to get an understanding of how this major security initiative works.

9:35 am - 9:53 am: How to Accelerate Your Response To Cyber Attacks
Paul Nguyen, President of Global Cyber Solutions, CSG International

For many organizations, knowledge of an attack comes within just hours of it happening, yet it still takes much longer — sometimes weeks — to respond. Complicating matters further, the average response time is often lengthened because of manual processes required to change security devices. At the same time, smart attackers are using a system of botnets, enabling them to simultaneously attack networks from multiple angles. To defend against these attacks, today's security professional must be empowered to take action quickly to minimize risk exposure and costs. Join us to understand how you can design automated courses of action to replace manual tasks, thereby delivering faster response times and shifting the dynamics of your defense strategies. We'll explore various cybersecurity viewpoints, discuss the security actions you can automate, and evaluate how automation can transform reactive decisions into proactive defensive strategies.

9:53 am - 10:11 am: Automating Compliance for PCI/SOX
Bob Irwin, Director, Governance and Compliance, Comcast Cable

Achieving and maintaining PCI/SOX compliance in today’s complex regulatory and technology environment has become an increasingly tall order. To address this squarely, Comcast created the Comcast Compliance Automation project to drive efficiencies and process improvements for compliance across the company. This program reduces costs by automating controls that were previously manual, and simplifies time spent through use of centralized evidence gathering workflows and notifications. Join us for this session to hear how careful planning, transparent communication and collaboration – combined with senior management’s vision, support and focus – resulted in a quality project delivered on time and within budget.

10:11 am - 10:29 am: Compliance Across One of the World’s Largest Networks
Andrew Kotynski, Manager, Information Systems Security CIRT, United States Postal Service, Infrastructure Security Services

The United States Postal Service (USPS) must meet PCI, SOX and Federal Cybersecurity regulations for one of the world’s largest networks. Part of the nation’s critical infrastructure, this network supports over 35,000 retail locations, 4,000 business partners, and over 500,000 endpoints. In an environment with over 1,000 network assets -- containing in excess of 300,000 rules and an average of 292 network changes per month -- compliance goals might seem insurmountable. Nonetheless, the USPS found a way to continuously analyze the configurations of its layered network devices, maintain the results of vulnerability scans, identify patching priorities, validate the enforcement of the corporate network security policies, and ensure compliance with PCI DSS standards and Federal regulations. Join us to understand how.

10:29 am - 10:59 am: CSO40 Honoree Session Q&A Panel
Brendan Goode, Director, Network Security Deployment, U.S. Department of Homeland Security
Bob Irwin, Director, Governance and Compliance, Comcast Cable
Andrew Kotynski, Manager, Information Systems Security CIRT, United States Postal Service, Infrastructure Security Services
Moderator: Bob Bragdon, Publisher, CSO magazine
10:59 am - 11:29 am: Networking Break
11:29 am - 11:59 am: Cybercrime: Can We Possibly Hope to Keep Up?
Bob Bragdon, Publisher, CSO magazine

This year’s U.S. State of Cybercrime Survey conducted by CSO found that the cyber security programs of most U.S.-based organizations can't match the persistence, tactical skills, and technological expertise of today’s sophisticated cyber criminals. While the costs and impacts can be severe, most businesses aren’t even doing a good job at measuring the true impact. In this session, CSO Publisher Bob Bragdon — this survey’s principal analyst for more than a decade — will review key findings from this year’s survey and discuss what’s been learned to help better protect your enterprise.

11:59 am - 12:17 pm: Leveraging Security and Quality Management Standards to Secure Highly Sensitive Assets
Paul Raines, CISO, UN Development Programme

With sensitive information to protect, the vision of the information security unit of UNDP is to be the premier ICT security organization among non-profit international organizations. While it’s a tall order, achieving this objective provides assurance to UNDP executive management, donors and member nations that it is exercising due diligence in securing UNDP's sensitive assets. To do this, UNDP set forth to follow industry best practices in both the management of security (ISO 27001) and implementing a quality management system (ISO 9001). While one million organizations worldwide follow ISO 9001, only 8,000 follow ISO 27001, and less than 1,000 implement both. Achieving certification under these two standards allows UNDP to ensure continuous improvement, customer satisfaction and unit effectiveness in executing its mission and that security is based on the needs of the organization. Join us to see how they’ve achieved this lofty goal -- and the results.


Sneak Peek: ISO 9001 and security: What’s quality got to do, got to do with it? Read CSO40 speaker, and 2014 CSO40 award recipient, Paul Raines' response now.

12:17 pm - 12:35 pm: Improving Software Security Now and Into the Future
Ajoy Kumar, Executive Director and Head of Application Security, UBS

UBS knows that building a software security program across a broad, global development team requires coordination among disparate stakeholders, support of business groups around the globe, process changes that don’t stifle innovation, and alignment of security as an enabler rather than detractor to business lines. As a result, the software security program at UBS addresses -- in a holistic approach -- information security for internally developed and externally developed code, as well as embedding security into the procurement process for third party software products. Composed of four tiers -- governance, policy/process, automation/education, and metrics -- the program’s goal is to improve the security of all software across the company -- starting with high risk applications and expanding into applications of all types. Join us to learn how this approach is heading off security risks now and into the future.

12:35 pm - 12:53 pm: CSO40 Honoree Session Q&A Panel
Ajoy Kumar, Executive Director and Head of Application Security, UBS
Paul Raines, CISO, UN Development Programme
Moderator: Bob Bragdon, Publisher, CSO magazine
12:53 pm - 2:10 pm: Networking Lunch with Table Topic Discussions Hosted by Selected CSO40 Honorees
2:10 pm - 2:28 pm: How to Achieve Continuous Monitoring and Mitigation
Scott Gordon, CMO, ForeScout Technologies

While you may have invested in systems and security management to address a burgeoning threat landscape, network complexity, devices, means of access and state changes challenge your IT capacity. Join us for this session as we examine a reference architecture for dynamic monitoring and mitigation. We’ll share how network access control can ensure endpoint integrity and defenses, enhance control context and optimize resources — all of which can improve IT responsiveness and help you achieve continuous compliance.

2:28 pm - 2:46 pm: Engaging Trusted Advisors for Global Security Expertise
Devon Bryan, Senior Director, Client and Vendor Security Management, Automatic Data Processing, Inc.

Countless organizations create and engage client advisory boards to gather candid and valuable input from highly motivated experts. ADP realized that within its large and diverse customer base, it has unique access to a global set of security experts and wisdom that could dramatically improve its own security posture – not just for its clients, but for the greater ADP organization and business lines. With this in mind, ADP formalized the ADP Client Security and Privacy Advisory Board to aid in continuous innovation and to sync ADP's security strategy with emerging threats and global privacy and risk trends across a spectrum of industries. Among the many benefits are an accelerated effort to implement a federated, single sign-on engine across ADP products, thereby reducing the number of passwords at risk in the marketplace, and a formalized effort to make ADP's security operations center more transparent to key client advisors. Join us to understand how the project came together along with its many benefits.

2:46 pm - 3:04 pm: Development and Maturation of the Vendor Risk Management Program
Tonya Byers, Director, Information Security, Blue Cross Blue Shield of Michigan
Damon Stokes, Manager, Governance, Risk, Performance, Blue Cross Blue Shield of Michigan

With changes set forth under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Blue Cross Blue Shield of Michigan (BCBSM) needed to strengthen its security controls for transmitting, storing, and handling protected health information (PHI) and/or other sensitive BCBSM member information. A key part of assessing and implementing these controls involves engaging the many vendors of BCBSM that handle this type of information. BCBSM's requirement is that vendors protect our data, at a minimum, with the same level of security as our internal controls. To ensure this is being done, BCBSM developed a vendor risk management function with the assistance of procurement and other key areas. Today, vendors are required to complete an assessment that is evaluated by key BCBSM stakeholders. Additionally, an on-site assessment is performed to vet any specific details related to our security requirements. If risks are identified, the vendor must remediate them before a contract is signed. Join us to learn how this highly effective program came together, and the upside the organization has realized.

3:04 pm - 3:22 pm: Securing the Next Generation Credit Union with Innovative Redundancy
Stephen Bohlig, Chair, Board of Directors, TruStone Financial
Bob Thompson, SVP, Information Technology, TruStone Financial

While TruStone Financial Federal Credit Union has roots as a 75-year old financial services organization, it has a contemporary focus on the future, and that's vividly apparent in the way it secures its data center operations. What started as an evaluation of all aspects of their business resulted in reengineering that created an innovative and cost-effective way to tackle disaster recovery and business continuance. Join us to learn the strategy and innovation that resulted in real-time, cost-effective redundancy at a remote location 500 miles away.

3:22 pm - 3:52 pm: CSO40 Honoree Session Q&A Panel
Devon Bryan, Senior Director, Client and Vendor Security Management, Automatic Data Processing, Inc.
Tonya Byers, Director, Information Security, Blue Cross Blue Shield of Michigan
Bob Thompson, SVP, Information Technology, TruStone Financial
Moderator: Bob Bragdon, Publisher, CSO magazine
3:52 pm - 4:00 pm: Recap, Takeaways and Closing Remarks
Bob Bragdon, Publisher, CSO magazine
4:00 pm: Program Concludes