For session abstracts, please scroll down.

Mon., April 8

1:30pm – 6:00pm Registration Open
3:00pm – 4:30pm CSO50 Winner Presentations
4:30pm – 5:30pm CSO50 Interactive Workshop
5:30pm – 6:30pm Networking Reception

Tues., April 9

7:30am – 5:30pm Registration Open
8:30am – 12:15pm CSO50 Winner Presentations
12:15pm – 1:30pm Lunch with Table Discussions
1:30pm – 5:00pm CSO50 Winner Presentations

Wed., April 10

8:00am – 7:00pm Registration Open
9:00am – 12:30pm CSO50 Winner Presentations
12:30pm – 2:00pm Lunch with Table Discussions
2:00pm – 5:30pm CSO50 Winner Presentations
7:00pm – 7:30pm CSO50 Awards Cocktail Reception
7:30pm – 9:30pm CSO50 Awards Dinner & Ceremony

Conference Sessions

CSO is pleased to announce that the following sessions will be presented by award-winning organizations at our CSO50 Conference + Awards.  We continue to add newly confirmed sessions to this page, so please revisit for updates.


Synthesizing the Top Security Compliance Standards for Efficiency

Prasant Vadlamudi, Director, Technology GRC, Adobe

Founded in 1982 and now employing more than 19,000 worldwide, Adobe provides tools to design and deliver digital experiences to a spectrum of producers ranging from emerging artists to global brands. In the process of analyzing the top industry security compliance standards, certifications and regulations like SOC2, ISO27001, PCI DSS, HIPAA – all of which represent more than a thousand different controls – Adobe synthesized and boiled them down to about 200 controls Adobe calls the Common Controls Framework (CCF). Join us for this session to learn how CCF’s comprehensive set of security activities and compliance controls enables Adobe’s engineering, product operations, infrastructure and applications teams to achieve improved compliance with security certifications, standards and regulations.


Creating Compliance Visibility Across Varied Teams and Infrastructures

Christer Edwards, Computer Scientist, Software Development, Adobe

Founded in 1982 and now employing more than 19,000 worldwide, Adobe provides tools to design and deliver digital experiences to a spectrum of producers ranging from emerging artists to global brands. To help facilitate faster adoption with security controls across Adobe, which become a challenge with the company’s many acquisitions in recent years, the team needed a tool to handle security auditing and compliance that scaled across many teams with varying infrastructures. After trying a few third-party vendors, the Adobe security team was struggling to get the data they needed with the performance they required. Join us for this session to hear why and how they built HubbleStack — named after the Hubble telescope – to give the security team a window to the complexities of cloud-based infrastructure.


Creating a Comprehensive and Global Third-Party Risk Program

Phani Dasari, VP, Global Third Party Risk Management, ADP

Founded nearly 70 years ago, ADP is a comprehensive global provider of cloud-based human capital management (HCM) solutions that unite HR, payroll, talent, time, tax and benefits administration, as well as business outsourcing services, analytics and compliance expertise. ADP’s enterprise risk organization identified third-party risk as a critical potential risk requiring all relevant organizations across ADP to focus on identifying and reducing third-party risk. To meet this objective, ADP has advanced its third-party assurance efforts from localized in the organization to a connected global program with end-to-end automation, allowing enhanced tracking of all vendor engagements and proactive identification of risks related to third-party engagements. Join us for this session to learn how ADP now leverages a combination of business engagement, synergies between the global security organization and procurement and contract management organizations to implement standards, governance, processes and tools.


Predicting and Preventing Fraudulent Activity

Matthew Harper, Director, Cyber Crime Prevention, Aflac

Founded in 1955, today’s Aflac is a Fortune 500 company providing financial protection to more than 50 million people worldwide.  Using Account Take Over (ATO) and other techniques, criminals are taking advantage of Aflac’s transition from a legacy serving model to a digital-first environment.  To protect Aflac policyholder data while enabling digital transformation, Aflac has chosen to leverage in-place security technology and real-time channel/servicing data – including from call centers, online, claims, and client master data — to create a flexible analytics platform that can flag suspect activity in real-time — and alert business partners in fraud, claims operations, and security to take corrective action.  Join us for this session to learn how Aflac now investigates fraudulent claims more efficiently, and can predict and prevent fraudulent activity before a loss incurs.


Securing Sensitive and Encrypted Data and Transactions

Bobby Julka, SVP, Access and Identity Engineering, Bank of America

With more than 36 million active digital banking users, Bank of America is one of the world’s leading financial institutions, serving individual consumers, small and middle-market businesses and large corporations with a full range of banking, investing, asset management and other financial and risk management products and services.  At Bank of America, data encryption is a vital part of securing sensitive information, and in their large-scale encryption systems, one of the biggest engineering challenges is generating and managing encryption keys.  Hardware Security Modules (HSMs) are used by financial services and other firms seeking high assurance to secure sensitive, encrypted data and transactions, but typically require custom setup, hardware, and integration.  Join us for this session to understand how Bank of America leverages HSMs for a six-figure cost saving per application, and can reduce a six-month or more project coding effort to just a few weeks.


Reducing the Risk of Known Vulnerabilities

Jason Cathey, CISO, Bank OZK

Founded in 1903 as a small community bank, Bank OZK has grown to more than 250 offices in ten states. Shortly after implementing a newly established vulnerability management standard that includes time to remediation and vulnerability scan schedules, the bank realized its patch program, standard configurations and software life cycle management wasn’t as effective as they believed. Join us for this session to learn how they reduced the risk of known vulnerabilities by targeting remediation efforts based on asset criticality and severity of vulnerability.


Optimizing Third-Party Risk Management with Automation

Siobhan Hunter, Director, IT Governance, Risk and Compliance, Blue Cross NC

Since 1933, Blue Cross and Blue Shield of North Carolina (Blue Cross NC) has offered its customers high quality health insurance at a competitive price – and today is a fully taxed, not-for-profit North Carolina company employing more than 4,700 North Carolinians and serving more than 3.89 million customers. Like many companies operating in a highly regulated industry and relying upon multiple third party relationships, Blue Cross NC’s third-party risk management process was highly manual, inefficient, carried a substantial administrative overhead, and often failed to deliver timely results for our internal business stakeholders. To modernize, Blue Cross NC redesigned the program by integrating their managed service provider’s offerings with Blue Cross NC’s governance, risk and compliance platform. Join us for this session to learn how their innovative approach automates much of their third-party risk management process, enabling the organization to succeed in managing security due diligence and governance comprehensively and efficiently.


Mitigating Risk with Ongoing Cybersecurity Risk Assessment

Scott Moser, CISO, Caesars Entertainment

Since its beginning in Reno, Nevada, in 1937, Caesars Entertainment has grown through development of new resorts, expansions and acquisitions, and today is the world’s most diversified casino-entertainment provider and the most geographically diverse U.S. casino-entertainment company.  To better manage cybersecurity risk, Caesars Entertainment conducted an enterprise cybersecurity risk assessment to identify, analyze, prioritize, and recommend actions to mitigate risk below business tolerance levels.  Innovative areas of the project included the risk scoring system used to measure risk, the pairing of risks against an assessment of National Institute of Standards and Technology (NIST) Cybersecurity Framework security controls, and the engagement of business leaders.  Join us for this session to learn the benefits of this program and how the CISO and CIO use it to provide cybersecurity reports to the board of directors’ audit committee and address risk mitigation.


Protecting Devices in Remote Parts of the World

Joel Urbanowicz, Director, Information Security and ICT Operations, Catholic Relief Services

Catholic Relief Services (CRS) was founded in 1943 by the Catholic Bishops of the United States to serve World War II survivors in Europe, and today reaches more than 130 million people in more than 100 countries on five continents. Due to environmental circumstances – like internet connectivity, volatile political situations, and diversity in patch management styles of ICT professionals located around the world – unmet patch management was creating security exposure. Moreover, many of these countries — Ethiopia, DR Congo, Central African Republic and Sudan among others – don’t have adequate terrestrial network infrastructure, necessitating the use of very expensive and heavily constrained satellite network services. All of this introduced significant challenges for end user device management since visibility into what was happening in field offices was often difficult, and bandwidth so constrained as to make Windows patching nearly impossible. Join us for this session to learn how the CRS environment is now better protected, patch management is properly organized and users have streamlined experience regardless of their remote location in the world.


Improving Vulnerability Management for the Fifth Largest City in the United States

Todd Therrien, Interim CISO, City of Phoenix

The City of Phoenix is a municipality that serves the 5th largest city in the U.S. with a population of more than 1.4 million. As the city experienced rapid growth in the last decade, it was determined that the vulnerability management of the municipality’s security and networks was too disjointed, decentralized and ad hoc at best – and management had very little insight into issues, workloads or bottlenecks preventing vulnerabilities from being remediated. With effective management in mind, the city of Phoenix’s Information Technology Services team focused on consolidating and centralizing its network vulnerability management by incorporating cloud-based technology, utilizing specialized software and workflow to help eliminate detected risks, adopt, new standards and change existing business and legal contract practices. Join us for this session to learn how the team can now better monitor current vulnerabilities, remediated items, response time and persistent items.


Building Safe, Secure and Resilient Critical Infrastructure

Steve Worley, SCADA Security Manager, City of Raleigh

The City of Raleigh, North Carolina, is the state capital and the second largest city in the state after Charlotte.  The City of Raleigh Public Utilities Department is committed to building a safer, more secure and more resilient critical infrastructure for its constituency. With existing threats to destroy, incapacitate, or exploit control systems, the city’s security team needed the ability to immediately detect any changes made to their industrial control network – and to identify all assets within the network, gather configuration information from all assets and generate logical topographies for them.  Join us for this session to learn how they accomplished this and realized more visibility and control, along with scale, speed and cost effectiveness.


Improving Threat Intelligence, Detection, and Response for Cloud Workloads

Dan Constantino, Director, Security Operations, Cox Automotive

With 40,000 auto dealer clients across five continents, Cox Automotive’s most notable family of brands within its 25 businesses includes Autotrader,, Dealertrack, KBB (Kelley Blue Book), Manheim, NextGear Capital, VinSolutions, vAuto, Xtime and Clutch Technologies. To better defend against cybersecurity threats impacting Cox Automotive, the organization set out to improve security capabilities with threat intelligence, detection, and response for cloud workloads. Join us for this session to hear how to elevate your Cloud Security Program and learn how automation has improved the efficiency, effectiveness, and speed of phishing incident remediation from 60 minutes to just 10. Dan will also cover how cloud alerting capabilities enables them to identify misuse of cloud resources (like cryptocurrency mining) before they incur a large cost from their cloud provider.


Adaptive Third Party Risk Assurance

Kay Naidu, Director, Cyber Risk Assurance, Delta Dental of California

An estimated 60% of cyber data breaches originate at third parties according to a recent Ponemon report. As more risk-aware organizations have strengthened their cyber risk management, adversaries have shifted focus to business partner ecosystems that historically have weaker defenses. To better manage these challenges, Delta Dental of California has recently built an adaptable data-driven third party risk assurance capability.

Previously, the organization lacked visibility into business relationships with over 1000 third parties, many with access to personal information of 33 million consumers. This new capability provides a comprehensive understanding of our third party cyber security risk, which enables informed decision making, enhances customer trust, and protects the Delta Dental brand. It uses an innovative approach that tailors rigor and frequency of testing based on the impact and nature of each business relationship. Join us to learn how we identified needed third party capabilities triggered by the evolving cyber threat landscape and developed a self-modifying testing process that relies on threat intelligence to more efficiently use valuable talent.


Creating a Best-in-Class Privacy Program

Gregory Anderson, Data Protection Officer, Lexmark International

Founded in 1991 and serving organizations in more than 170 countries, Lexmark is a global leader in imaging and output technology solutions and managed print services.  Mandated by the CIO and managed by the CISO, Lexmark set out to create a best-in-class privacy program to bring structure to existing ad hoc processes — and affect culture change and raise awareness across 10,000 employees in more than 50 countries.  Under a newly appointed Data Protection Officer, the Privacy@Lexmark project launched an innovative awareness and training campaign embraced across the enterprise.  Join us for this session to learn how it created meaningful results without requiring significant investment or impacting to day-to-day operations.


Reducing Risk with Just in Time Awareness Training

Seth Fogie, Director, Information Security, Penn Medicine

Penn Medicine is one of the world’s leading academic medical centers, dedicated to the related missions of medical education, biomedical research, and excellence in patient care – and consists of the Raymond and Ruth Perelman School of Medicine at the University of Pennsylvania (founded in 1765 as the nation’s first medical school) and the University of Pennsylvania Health System.  As a leading academic medical center in the United States, Penn Medicine must maintain a secure technology environment ensuring the privacy and secure data of patients and colleagues.  To further their vigilance, they created a platform to deliver just in time awareness (JITA) security education to reduce internal employee Internet technology security risk.  Join us for this session to learn how they’ve reduced security risk with awareness training by targeting the dangers of an employee’s potential behavior before using web technology.