Monday, March 31, 2014
2:00 pm - 5:00 pm | Registration
3:00 pm - 3:05 pm | Welcome and Opening Remarks Bob Bragdon, Publisher, CSO magazine
3:05 pm - 3:23 pm | Establishing an Enterprise-wide Authentication and Authorization Service Tom Baltis, Deputy Chief Information Security Officer, Blue Cross and Blue Shield of IL, TX, NM, OK, MT Ray Biondo, Senior Vice President and CISO, Blue Cross and Blue Shield of IL, TX, NM, OK, MT Pavel Slavin, Senior Director, Risk Management, Blue Cross and Blue Shield of IL, TX, NM, OK, MT Kapil Assudani, Senior Manager, Technical Security Service Program, Blue Cross and Blue Shield of IL, TX, NM, OK, MT With 14 million members, Blue Cross and Blue Shield of Illinois, Texas, New Mexico, Oklahoma and Montana (BCBS) is the 4th largest health insurer in the United States. The company’s daily operations are enabled by a vast and highly diverse IT environment. Among other complexities and nuances, BCBS maintains over 200 web and mobile applications and supports more than 24,000 employees. To better meet its rapidly evolving business needs, the company envisioned and launched the Enterprise Authentication and Authorization Service Development Project, focused on establishing a standard, centralized and scalable solution for access management. Faced with growing authentication complexity, chronic control weaknesses, mounting end-user frustration and inadequate authorization capabilities, the project aimed to boost employee productivity, reduce operational costs and enhance application security and reliability. Join us to learn how BCBS accomplished this substantial feat.
3:23 pm - 3:41 pm | Delivering Huge Savings Through a Contemporary Password Reset Program Bobby Stokes, AVP, IT&S Enterprise Systems, Hospital Corporation of America Performing 600,000 password resets annually was consuming a considerable amount of resources in the Information Technology and Services (IT&S) organization at HCA, the nation’s leading provider of healthcare services. To decrease the number of resets and improve user experience, a volunteer team of IT, security, product development, field operations and customer support staff rallied together to implement a self-service password reset program. The team set a goal of decreasing the number of password resets by 300,000 within twelve months, and while the net cost of the program was minimal, the results were significant. Among the range of strategies, many applications were moved to Active Directory, multiple entry points were created internally and externally to make access readily available, kiosks were provided for resets, fast access was made available on all desktops, and shortcuts were burned into operating system images. Join us to hear more about how it all came together.
3:41 pm - 3:59 pm | CSO40 Honoree Session Q&A Panel Pavel Slavin, Senior Director, Risk Management, Blue Cross and Blue Shield of IL, TX, NM, OK, MT Bobby Stokes, AVP, IT&S Enterprise Systems, Hospital Corporation of America Moderator: Bob Bragdon, Publisher, CSO magazine
3:59 pm - 5:15 pm | Best Practices in Data Breach Prevention, Detection and Response: A Moderated Workshop Bob Bragdon, Publisher, CSO magazine Jamil Farshchi, VP, Global Information Security, Visa Far beyond just financial risk and liability, data breaches can threaten the hard-earned reputation of your organization and negatively influence customers' willingness to engage in the future. In this interactive workshop, you’ll have an opportunity to network and learn from your expert peers as we discover best practices for data breach preparedness/prevention/detection, incident response, and cleanup. With real-world scenarios, we'll explore effective approaches you can take home and start using right away. Sneak Peek: CSO40 workshop moderator and advisory board member Jamil Farshchi gives his take on how to defend many attack vectors from the 'problem of one.'
Tuesday, April 1, 2014
8:00 am - 6:45 pm | Registration
8:00 am - 9:00 am | Networking Breakfast Presented by ForeScout Technologies
9:00 am - 9:05 am | Opening Remarks Bob Bragdon, Publisher, CSO magazine
9:05 am - 9:35 am | Uncovering Insider Threats to National Security Doug Thomas, Director, Counterintelligence Operations and Investigations, Lockheed Martin Robert E. Trono, Vice President and Chief Security Officer, Lockheed Martin As a global security, aerospace, and information technology company focused on national security, Lockheed Martin takes an aggressive and proactive stance to ensure the safety of its 120,000 employees and the integrity of its information and products. Physical and information security have long been major contributors to Lockheed Martin’s ability to accomplish its broad mission. To ensure a security posture fully responsive to evolving threats, Lockheed Martin and its Chief Security Officer established the Office of Counterintelligence Operations (OCIO) in 2011 to proactively and comprehensively identify and mitigate risks associated with theft of Lockheed Martin’s intellectual property and trade secrets. In 2013, OCIO launched an Insider Threat Detection Program (ITDP) that looks for indicators identifying employees at a higher risk of being targeted by foreign intelligence services. Join us to learn about this program and the significant upside it’s creating.
9:35 am - 9:53 am | Analytics, Big Data and Threat Intelligence: Taking an Intelligence-Driven Security Approach Eric Thompson, IT Threat Strategist, RSA Within the next two years, big data analytics will impact most of the information security world, including network monitoring, user authentication and authorization, identity management, fraud detection and GRC. In a few more years, analytic tools will evolve to enable advanced predictive capabilities and automated real-time controls. While these advancements will bring significant opportunity, integrating them into existing security programs will require organizations to rethink how they develop and execute their information security programs. Join us for this presentation from Eric Thompson, RSA IT Threat Strategist, to learn how you and your peers can prepare for this coming transformation.
9:53 am - 10:11 am | Keeping 170,000 Employees Safe Around the Clock and Around the World Gary Gordon, Senior Manager, Business and Emergency Preparedness Program, Security and Fire Protection, The Boeing Company With 170,000 employees and 1,000 locations operating across 50 states and 70 countries, The Boeing Company is exposed to countless disruptions that could threaten its people, property assets or supply chain. To increase targeted awareness of these threats, Boeing developed an incident management system – called ThreatNavigator – to protect Boeing’s most valuable asset: its people. This geo-intelligence application overlays real-time risk and threat data with Boeing asset data – like buildings, people, IT assets and suppliers -- to help emergency responders provide a holistic response to an incident or disaster. During an incident, process owners can be contacted, their business preparedness plans activated, and Boeing suppliers identified to warn of potential impacts to the supply chain. Integrating risk and threat data from internal and external sources, this web-based system displays the information in Google Maps’ geospatial format, with icons showing types of incidents and color coding to indicate the time elapsed since the incident occurred – ultimately providing at-a-glance information from many sources. Join us to learn not only how they’ve put it together, but the benefits they’ve realized.
10:11 am - 10:29 am | “See Something, Say Something” Michele Freadman, Deputy Director, Aviation Security Operations, Massachusetts Port Authority That’s the mantra of Boston Logan International Airport’s Security Awareness For Everyone (SAFE) Program. Rather than a limited, top-down program developed from airport management’s perspective, SAFE began as a novel approach to mobilize the entire community of airport companies and workers to protect the airport from the dynamic and evolving security threat to aviation. By instilling individual ownership of security, they leverage their proactive workforce as a force multiplier to detect threats at Logan. Uniquely, SAFE involves the front-line employees who help to keep the airport safe every day, including gate agents, ticket counter personnel, cleaners, ramp agents, baggage handlers, mechanics, maintenance facilities workers, as well as security, operations, concessions, and contract security personnel. Numerous employees have been recognized by SAFE, among them those who: noticed a passenger’s suspicious behavior, leading to the discovery of narcotics secreted in a custom-made leg cast and wheelchair; volunteered to move an aircraft to a remote location on the airfield during a bomb threat onboard the aircraft; assisted the Massachusetts State Police in apprehending a violent subject; and stopped an unauthorized individual who accessed a highly sensitive security portal. Join us to see how SAFE has become an integral part of the fabric of the Logan community and is now a part of its culture.
10:29 am - 10:54 am | CSO40 Honoree Session Q&A Panel Michele Freadman, Deputy Director, Aviation Security Operations, Massachusetts Port Authority Gary Gordon, Senior Manager, Business and Emergency Preparedness Program, Security and Fire Protection, The Boeing Company Doug Thomas, Director, Counterintelligence Operations and Investigations, Lockheed Martin Moderator: Joan Goodchild, Editor, CSO magazine and CSOonline.com
10:54 am - 11:24 am | Networking Break
11:24 am - 11:42 am | Minimizing Workplace Violence with Information and Physical Security Errol Brudner, Manager, Protection and Security Services / Emergency Management, Atlantic Health System Alan Robinson, Director, Protection and Security Services / Emergency Management, Atlantic Health System Those who manage large health care facilities are often some of the most seasoned at reducing workplace violence. Through their emergency room facilities alone, they have become well-practiced at not only recognizing, but anticipating threats. Atlantic Health System’s Workplace Violence Prevention program employs a wide range of integrated tools and strategies to maintain a safe environment for its employees and constituents -- including education, real-time vetting of visitors, facial recognition, and analytics on real-time crime data in local neighborhoods. Not only has the program reduced violence in its 9 million square feet of facilities, it creates an environment where employees feel safe. Join us to understand how they do it, and how their experience can be applied to any industry.
11:42 am - 12:00 pm | Providing Mobile Security Across More than 50 Healthcare Locations Monique Hart, Manager, Information Security, Children's Healthcare of Atlanta Stoddard Manikin, Director, Information Systems Security, Children’s Healthcare of Atlanta Moderator: Bob Bragdon, Publisher, CSO magazine New mobile capabilities have created greater avenues for physicians and clinical centers to streamline patient care. All of this is enticing hospital employees to use mobile devices to improve the provider/patient care experience, yet it also increases the risk of information security breaches. To address this, Children's Healthcare of Atlanta (Children's) embarked on its "Mobile Device Policy Implementation Project" to allow physicians and clinical centers to leverage mobile technology while minimizing risks to the organization. This project also provides employees with flexibility in choosing their mobile device, while ensuring appropriate security protocols remain in place to protect Children’s resources and patient data. Join us to learn how they made it all happen.
12:00 pm - 12:18 pm | How to Protect Intellectual Property Across the Enterprise Tim Upton, President and CEO, TITUS Data security is not just an IT issue, but a business imperative. As we see continued media coverage of data breaches and security incidents, the inevitable question is: "What are we doing to make sure that doesn't happen to us?" One of the biggest challenges today's organizations face is how to identify and protect sensitive and confidential information — therefore understanding, knowing and identifying your information is the foundation for data security. Join us for this session as we discuss how organizations worldwide are involving their end users in data classification at the time of content creation as the first step to protecting their most valuable assets — their information. With data classification as the foundation, today's organizations are not only able to reinforce established security policies but also transform end-user behavior and create a sustainable corporate culture for data protection.
12:18 pm - 12:38 pm | CSO40 Honoree Session Q&A Panel Stoddard Manikin, Director, Information Systems Security, Children’s Healthcare of Atlanta Alan Robinson, Director, Protection and Security Services / Emergency Management, Atlantic Health System Moderator: Joan Goodchild, Editor, CSO magazine and CSOonline.com
12:38 pm - 1:53 pm | Networking Lunch with Table Topic Discussions Hosted by Selected CSO40 Honorees Presented by TITUS
1:53 pm - 2:11 pm | I said "Know" Mark Felber, CPA, CISA, CISSP, Manager, Information Security Program, Florida Blue Chris Gay, Director, Information Security Technology and Operations, Florida Blue Doug Robison, Program Manager, Security Education Program, Florida Blue The "I said 'Know'" campaign at Florida Blue has two strategic objectives: first, engage and educate Florida Blue employees on how to protect their own personal information assets; second, increase awareness of the appropriate security behaviors that protect the confidentiality, integrity, and availability of Florida Blue's information assets. Vital to the program are the Security Ambassadors -- a direct outreach by the security education program for face-to-face sessions on securing your personal information. Ultimately, the program's common-sense approach to educating employees about concepts applicable to their personal lives is designed to create more secure workplace behaviors. Join us to learn more about this program and its measurable results. Sneak Peek: CSO40 speaker Douglas B. Robison shares his personal story behind Florida Blue’s “I said ‘Know’” campaign.
2:11 pm - 2:29 pm | Transforming Your Weakest Security Link Into Your Strongest Asset Arthur Wang, Supervisor, Information Security and Helpdesk, ReSource Pro Christopher Watkins, Director, IT Infrastructure and Risk Management, ReSource Pro Security experts know the weakest link in information security is often the human element. But it can also become the strongest asset. ReSource Pro knew that achieving ISO 27001 certification required the organization to quickly implement new measures to ensure compliance by its more than 1,500 employees -- and that this was an opportunity to create a culture of continuous security improvement. In addition, an internal ReSource Pro study discovered that focusing on employee involvement and engagement would have a higher ROI than simply making investments in technology. With this in mind, the organization created a contest to drive unprecedented employee engagement, a heightened awareness of security policies, and a culture of community justice – where team members watched out for each other and were empowered to speak out when noticing any breach of policy. Attend this session to understand how it all came together.
2:29 pm - 2:47 pm | Security Ratings: Measuring Risk Through Security Outcomes Stephen Boyer, CTO and Co-Founder, BitSight Technologies Businesses often rely on assessments, questionnaires and audits to understand risk in their own networks and those of third parties. These methods, while insightful, are not evidence-based and are prone to bias. So, how can companies extend visibility into dynamic security postures and truly measure security risk? Join us for this session to learn how security ratings can be used to continuously measure performance, and how they can be derived from externally observable information. We’ll also share how organizations can use ratings to arrive at actionable insight and proactively identify, quantify and mitigate risk.
2:47 pm - 3:05 pm | Reducing Significant Security Hazards with “Hotel in a Cloud” Michael Patrick, Director, End User Services Global Operations Center, Hyatt Hotels Corporation With more than 500 properties in its portfolio, Hyatt Hotels Corporation found that its property general managers and staff were consuming as many as 40 different systems and applications across reservations, catering, payroll, event management and the like. Not only did this create an incredibly complex technical environment for non-technical employees, staff needed many passwords across these systems, thereby creating a significant security hazard for the organization. Today, new and existing properties consume an integrated, cloud-based system that can be accessed from virtually any small-footprint device. Applications are hosted remotely with single sign-on. Join us for this session to learn how it all came together.
3:05 pm - 3:23 pm | An Innovative Trusted Cloud Services Model Jack Baker, Executive Director, Global IT Security, Quintiles Transnational Jerry Fink, Director, IT Security, Quintiles Transnational As Quintiles makes increasing use of cloud service providers to host applications and infrastructure, it has found a need to provide security assurance on par with systems hosted on the internal private network. As a result, Quintiles’ Trusted Cloud Services Model was developed to build on Quintiles’ global security framework and application security assessment program — and to extend security controls to cloud service providers within an integrated global security design. Moreover, it gives Quintiles a means of leveraging providers’ security services and of augmenting those services by extending internal systems and processes. Join us to learn about the model and the benefits Quintiles has realized.
3:23 pm - 3:41 pm | Identity and Access Management for the Real World Eric Robinson, Regional Sales Director, Identity and Security Management, Dell Software Group While security, governance and compliance are hot topics today, have we looked closely enough at what it takes to achieve real success with them? The real world has limited budgets, tight deadlines, ever-increasing environmental complexity, and a constantly changing security landscape. In this session, Eric Robinson will discuss how to develop an identity and access management approach that works with these realities. The discussion will focus on identity governance, privileged management and access management that doesn't require heavy investments, rigid infrastructure and inflexible technologies — and that can be built on a company’s existing foundation.
3:41 pm - 4:11 pm | Networking Break
4:11 pm - 4:29 pm | Managing ERP Security and Data Risks Kris Kraus, Senior Manager, SAP Security Operations, Astellas US LLC Kevin O'Toole, Vice President of IT, Astellas US LLC Anand Pattabiraman, Director, IT, SAP Solution Delivery, Astellas US LLC Bill Stamos, Associate Director, IT PMO, Astellas US LLC Scott Zulpo, Senior Director, IT Operations, Astellas US LLC Moderator: Bob Bragdon, Publisher, CSO magazine Global pharmaceutical organizations operate in a highly complex environment of regulatory, legal and reputational risks. Compliance challenges involve the Health Insurance Portability and Accountability Act (HIPAA), Foreign Corrupt Practices Act (FCPA) and Food and Drug Administration (FDA) regulations. To achieve the highest level of operational and regulatory compliance, Astellas has made managing security and master data risks in its ERP environment a strategic business goal. This involves several key components, including: reducing user access risks by redesigning ERP security roles to closely align each user’s access with their specific job responsibilities; enabling leading-practice processes to prevent provisioning of inappropriate access to users; and optimizing the ERP control environment by increasing reliance on preventive security controls to maintain a clean ERP control environment. Join us to understand how they’ve done it.
4:29 pm - 4:47 pm | Developing Highly-Secure Enterprise Software Matthias Ems, Global Director IT Security Architecture, Validation + Governance, SAP AG Fabian Vetter, Project Manager IT Solution Design & Quality Assurance, SAP AG Today's business relies heavily on software, so identifying and cleansing security issues -- like discovering missing authority checks and potential backdoors, and detecting and remediating compliance violations introduced by insecure coding practices -- is mission-critical. To address this comprehensively across its custom-developed Advanced Business Application Programming (ABAP) code, SAP created the ABAP Source Code Project to identify critical security gaps. The project has two key objectives: establish a baseline security level for the existing ABAP-based business applications; and create effective measures to keep the productive systems secure. Join us to learn how SAP leveraged this project to create a more secure development environment for its workforce.
4:47 pm - 5:05 pm | How to Detect a Threat Actor Jon Ramsey, Chief Technology Officer, Executive Director Dell SecureWorks Counter Threat Unit, Dell SecureWorks How do you detect the presence of a threat actor and their tradecraft without any knowledge of the actor or their attacks? This question is what led to the development of Foresee. Foresee enables Dell SecureWorks to cost-effectively scale security operations -- equal to or better than what could be achieved by security experts -- to meet the rapidly growing number and variety of threats. It also provides predictive ability to "foresee" attacks before they occur. Join us to find out how.
5:05 pm - 5:30 pm | CSO40 Honoree Session Q&A Panel Jack Baker, Executive Director, Global IT Security, Quintiles Transnational Matthias Ems, Global Director IT Security Architecture, Validation + Governance, SAP AG Chris Gay, Director, Information Security Technology and Operations, Florida Blue Michael Patrick, Director, End User Services Global Operations Center, Hyatt Hotels Corporation Christopher Watkins, Director, IT Infrastructure and Risk Management, ReSource Pro Moderator: Joan Goodchild, Editor, CSO magazine and CSOonline.com
6:00 pm - 6:30 pm | CSO40 Awards Cocktail Networking Reception (open to all qualified attendees)
6:30 pm - 9:00 pm | CSO40 Awards Dinner and Ceremony (open to all qualified attendees)
Wednesday, April 2, 2014
8:00 am - 4:00 pm | Registration
8:00 am - 9:00 am | Networking Breakfast
9:00 am - 9:05 am | Opening Remarks Bob Bragdon, Publisher, CSO magazine
9:05 am - 9:35 am | Understanding the National Cybersecurity Protection System Brendan Goode, Director, Network Security Deployment, U.S. Department of Homeland Security Over the last decade, the federal government has become increasingly focused on the use of information technology and the Internet to efficiently and effectively deliver services and carry out its missions. While all of this has improved services, the federal government has also become increasingly reliant on this IT infrastructure for mission-essential functions. Consequently, the federal IT infrastructure has become a high-priority target for sophisticated adversaries. To address these growing threats, the U.S. Department of Homeland Security established the National Cybersecurity Protection System (NCPS) as part of its efforts to upgrade its cybersecurity capabilities and respond to an expanding cybersecurity mission. NCPS – also known as EINSTEIN -- is an integrated system of intrusion detection, analytics, information sharing, and intrusion prevention capabilities. These combined capabilities provide a technological foundation for defending the .gov information technology infrastructure – including federal Civilian Executive Branch departments, agency networks and the .gov domain -- against advanced cyber threats. Join us to get an understanding of how this major security initiative works.
9:35 am - 9:53 am | How to Accelerate Your Response To Cyber Attacks Paul Nguyen, President of Global Cyber Solutions, CSG International For many organizations, knowledge of an attack comes within just hours of it happening, yet it still takes much longer — sometimes weeks — to respond. Complicating matters further, the average response time is often lengthened by the manual processes required to change security devices. At the same time, smart attackers are using botnets, enabling them to attack networks simultaneously from multiple angles. To defend against these attacks, today's security professional must be empowered to take action quickly to minimize risk exposure and costs. Join us to understand how you can design automated courses of action to replace manual tasks, thereby delivering faster response times and shifting the dynamics of your defense strategies. We'll explore various cybersecurity viewpoints, discuss the security actions you can automate, and evaluate how automation can transform reactive decisions into proactive defensive strategies.
9:53 am - 10:11 am | Automating Compliance for PCI/SOX Bob Irwin, Director, Governance and Compliance, Comcast Cable Achieving and maintaining PCI/SOX compliance in today’s complex regulatory and technology environment has become an increasingly tall order. To address this squarely, Comcast created the Comcast Compliance Automation project to drive efficiencies and process improvements for compliance across the company. This program reduces costs by automating controls that were previously manual, and reduces time spent through the use of centralized evidence-gathering workflows and notifications. Join us for this session to hear how careful planning, transparent communication and collaboration – combined with senior management’s vision, support and focus – resulted in a quality project delivered on time and within budget.
10:11 am - 10:29 am | Compliance Across One of the World’s Largest Networks Andrew Kotynski, Manager, Information Systems Security CIRT, United States Postal Service, Infrastructure Security Services The United States Postal Service (USPS) must meet PCI, SOX and federal cybersecurity regulations for one of the world’s largest networks. Part of the nation’s critical infrastructure, this network supports over 35,000 retail locations, 4,000 business partners, and over 500,000 endpoints. In an environment with over 1,000 network assets -- containing in excess of 300,000 rules and an average of 292 network changes per month — compliance goals might seem insurmountable. Nonetheless, the USPS found a way to continuously analyze the configurations of its layered network devices, maintain the results of vulnerability scans, identify patching priorities, validate the enforcement of corporate network security policies, and ensure compliance with the PCI DSS standard and federal regulations. Join us to understand how.
10:29 am - 10:59 am | CSO40 Honoree Session Q&A Panel Brendan Goode, Director, Network Security Deployment, U.S. Department of Homeland Security Bob Irwin, Director, Governance and Compliance, Comcast Cable Andrew Kotynski, Manager, Information Systems Security CIRT, United States Postal Service, Infrastructure Security Services Moderator: Bob Bragdon, Publisher, CSO magazine
10:59 am - 11:29 am | Networking Break
11:29 am - 11:59 am | Cybercrime: Can We Possibly Hope to Keep Up? Bob Bragdon, Publisher, CSO magazine This year’s U.S. State of Cybercrime Survey, conducted by CSO, found that the cyber security programs of most U.S.-based organizations can't match the persistence, tactical skills, and technological expertise of today’s sophisticated cyber criminals. While the costs and impacts can be severe, most businesses aren’t even doing a good job of measuring the true impact. In this session, CSO Publisher Bob Bragdon — this survey’s principal analyst for more than a decade — will review key findings from this year’s survey and discuss what’s been learned to help better protect your enterprise.
11:59 am - 12:17 pm | Leveraging Security and Quality Management Standards to Secure Highly Sensitive Assets Paul Raines, CISO, UN Development Programme With sensitive information to protect, the vision of the information security unit of UNDP is to be the premier ICT security organization among non-profit international organizations. While it’s a tall order, achieving this objective provides assurance to UNDP executive management, donors and member nations that it is exercising due diligence in securing UNDP's sensitive assets. To do this, UNDP set forth to follow industry best practices in both the management of security (ISO 27001) and the implementation of a quality management system (ISO 9001). While one million organizations worldwide follow ISO 9001, only 8,000 follow ISO 27001, and fewer than 1,000 implement both. Achieving certification under these two standards allows UNDP to ensure continuous improvement, customer satisfaction and unit effectiveness in executing its mission, and that security is based on the needs of the organization. Join us to see how they’ve achieved this lofty goal -- and the results. Sneak Peek: ISO 9001 and security: What’s quality got to do, got to do with it? Read CSO40 speaker, and 2014 CSO40 award recipient, Paul Raines' response now.
12:17 pm - 12:35 pm | Improving Software Security Now and Into the Future Ajoy Kumar, Executive Director and Head of Application Security, UBS UBS knows that building a software security program across a broad, global development team requires coordination among disparate stakeholders, support of business groups around the globe, process changes that don’t stifle innovation, and alignment of security as an enabler rather than a detractor to business lines. As a result, the software security program at UBS addresses -- in a holistic approach -- information security for internally developed and externally developed code, as well as embedding security into the procurement process for third-party software products. Composed of four tiers -- governance, policy/process, automation/education, and metrics -- the program’s goal is to improve the security of all software across the company -- starting with high-risk applications and expanding into applications of all types. Join us to learn how this approach is heading off security risks now and into the future.
12:35 pm - 12:53 pm | CSO40 Honoree Session Q&A Panel Ajoy Kumar, Executive Director and Head of Application Security, UBS Paul Raines, CISO, UN Development Programme Moderator: Bob Bragdon, Publisher, CSO magazine
12:53 pm - 2:10 pm | Networking Lunch with Table Topic Discussions Hosted by Selected CSO40 Honorees
2:10 pm - 2:28 pm | How to Achieve Continuous Monitoring and Mitigation Scott Gordon, CMO, ForeScout Technologies While you may have invested in systems and security management to address a burgeoning threat landscape, network complexity, device diversity, means of access and state changes still challenge your IT capacity. Join us for this session as we examine a reference architecture for dynamic monitoring and mitigation. We’ll share how network access control can ensure endpoint integrity and defenses, enhance control context and optimize resources — all of which can improve IT responsiveness and help you achieve continuous compliance.
2:28 pm - 2:46 pm | Engaging Trusted Advisors for Global Security Expertise Devon Bryan, Senior Director, Client and Vendor Security Management, Automatic Data Processing, Inc. Countless organizations create and engage client advisory boards to gather candid and valuable input from highly motivated experts. ADP realized that within its large and diverse customer base, it has unique access to a global set of security experts and wisdom that could dramatically improve its own security posture – not just for its clients, but for the greater ADP organization and business lines. With this in mind, ADP formalized the ADP Client Security and Privacy Advisory Board to aid in continuous innovation and to sync ADP's security strategy with emerging threats and global privacy and risk trends across a spectrum of industries. Among the many benefits are an accelerated effort to implement a federated, single sign-on engine across ADP products, thereby reducing the number of passwords at risk in the marketplace, and a formalized effort to make ADP's security operations center more transparent to key client advisors. Join us to understand how the project came together along with its many benefits.
2:46 pm - 3:04 pm | Development and Maturation of the Vendor Risk Management Program Tonya Byers, Director, Information Security, Blue Cross Blue Shield of Michigan Damon Stokes, Manager, Governance, Risk, Performance, Blue Cross Blue Shield of Michigan With changes set forth under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Blue Cross Blue Shield of Michigan (BCBSM) needed to strengthen its security controls for transmitting, storing, and handling protected health information (PHI) and/or other sensitive BCBSM member information. A key part of assessing and implementing these controls involves engaging the many vendors of BCBSM that handle this type of information. BCBSM's requirement is that vendors protect its data, at a minimum, with the same level of security as its internal controls. To ensure this is being done, BCBSM developed a vendor risk management function with the assistance of procurement and other key areas. Today, vendors are required to complete an assessment that is evaluated by key BCBSM stakeholders. Additionally, an on-site assessment is performed to vet any specific details related to BCBSM's security requirements. If risks are identified, the vendor must remediate them before a contract is signed. Join us to learn how this highly effective program came together, and the upside the organization has realized.
3:04 pm - 3:22 pm | Securing the Next Generation Credit Union with Innovative Redundancy Stephen Bohlig, Chair, Board of Directors, TruStone Financial Bob Thompson, SVP, Information Technology, TruStone Financial While TruStone Financial Federal Credit Union has roots as a 75-year-old financial services organization, it has a contemporary focus on the future, and that's vividly apparent in the way it secures its data center operations. What started as an evaluation of all aspects of the business resulted in reengineering that created an innovative and cost-effective way to tackle disaster recovery and business continuance. Join us to learn the strategy and innovation that resulted in real-time, cost-effective redundancy at a remote location 500 miles away.
3:22 pm - 3:52 pm | CSO40 Honoree Session Q&A Panel Devon Bryan, Senior Director, Client and Vendor Security Management, Automatic Data Processing, Inc. Tonya Byers, Director, Information Security, Blue Cross Blue Shield of Michigan Bob Thompson, SVP, Information Technology, TruStone Financial Moderator: Bob Bragdon, Publisher, CSO magazine
3:52 pm - 4:00 pm | Recap, Takeaways and Closing Remarks Bob Bragdon, Publisher, CSO magazine
4:00 pm | Program Concludes