Each year, the CSO50 awards honor organizations for a security project or initiative that demonstrates innovation and outstanding business value in security. Winners will be recognized in a ceremony that will take place at the CSO50 Conference + Awards, on May 1-3, 2017 at The Scottsdale Resort at McCormick Ranch in Scottsdale, Ariz. Below is the list of our 2017 winners.

Voya Financial: Proof of information security

The financial services industry’s information security practices are under tight scrutiny by auditors, regulators, clients and vendors. Voya Financial faced increasing challenges to provide security information and evidence to these groups in an efficient manner while maintaining quality and consistency.

Voya implemented a tool called GEAR (Guidance for Evidence, Artifacts and Responses), a highly searchable database for internal auditors that provides accurate and current information, and gives Voya an end-to-end view of its control posture and compliance with policy.

Prior efforts to create the database focused primarily on the questions that auditors might ask. Different auditors could word the question differently, resulting in individualized responses. The new approach focuses on the answers – taking the position that controls are what they are. If Voya understands the control being asked about, it can supply the answer quickly and easily.

Project leaders say the tool has sparked a significant culture change within the audit response team as it moves away from “reacting to audits” to proactively reporting on the effectiveness of controls.

Viewpost: Cagey – Financial Crime Insight Mapping

Knowing good customers from cybercriminals is key for any financial institution. The security, fraud and financial crimes teams at B2B payment platform Viewpost developed software called Cagey that analyzes all customers based on their risk, financial crime status and relationships with other companies.
The software then displays who may be someone they want to watch, take off the platform, or allow to continue transacting business.

The Viewpost team created a unified financial crime platform that graphically displays all customers and their risk score on the platform, their relationship with other vendors and buyers, their association with bad customers tied with improper transactions, their association with fraudsters, and those who have been taken off the platform. All cyber, fraud, anti-money laundering, and other company risk data is pulled together, analyzed and displayed in color format so that the company can predict who is at risk of committing a financial crime or who is already a fraudster.

As a result, the graphical display map has cut down fraud and is beating banks in reporting this information by two to three days.

USAA: Identity and Access Management Lifecycle Management

At insurance company USAA, many events over a worker’s career can affect the type and level of access they have to company information – a promotion, termination or a move to another department.
These manual changes often took five days to implement, not to mention the time needed to ensure that these changes wouldn’t impact customer service.

The Identity and Access Management (IAM) Lifecycle Management program established automated processes to create new worker accounts and provide basic accesses immediately, monitor and react to transfers that occur within the organization, and ensure that terminated worker accounts are quickly.

USAA workers are now productive within minutes of on-boarding, and workers do not retain privileged accesses when they transfer from one position to another.

When a worker is terminated, the system automatically removes privileged accesses in near real-time, as well as when an employee is transferred from one role to another.

Today the five-day, manual IAM process has been reduced to less than 15 minutes.

United Nations International Computing Centre: UNICC Continuous Security Improvement Suite

In 2013, the United Nations acknowledged that information technology has helped advance its ability to bring peace, prosperity and dignity to the world. The next challenge was to explore how the United Nations family could protect those gains and create a more secure cyber environment.

The UNICC Continuous Security Improvement Suite project began in late 2014 to deliver on those goals. The project has four components. One ICTbox is a rapidly deployable modular infrastructure for UN field offices with built-in security controls. Common Secure is a cyber security information-sharing/threat analysis community network. Common Connect allows UN agencies to collaborate and share information assets.
Information Security Governance and Operations offers IS advisory support and operational solutions for smaller UN agencies to implement and manage ISMS standards and processes.

UNICC’s information security solutions have enabled partner agencies to share information security resources and have reduced the cost of building solutions from scratch for all UN agencies.

United Airlines: Bug Bounty Program

United Airlines manages over 93 million Mileage Plus accounts containing hundreds of millions of miles. Customers’ miles are valuable not only to them, but also to malicious outsiders intent on stealing and converting the miles to other products, such as travel or consumer electronic equipment.

To stop the cyber thieves, United invited the world’s most creative and skilled white hat hackers to its Bug Bounty program, which offers compensation in the form of miles to those who find and report security bugs on United.com and other web properties before the bad guys do. The program has proven to be a rapid method to identify highly difficult-to-discover code defects, and for a modest cost to United.

The program’s success is measured more by cost avoidance as opposed to ROI, according to United.
With the average cost of a data breach at about $154 per record lost, United says that creative approaches such as the Bug Bounty program are required to manage risk and reduce potential costs, while providing enhanced protections for United customers.

TransUnion: TransUnion Enterprise Security Ratings Platform

As a service provider to many financial institutions, insurance companies, health care organizations and government agencies, TransUnion's information security program is constantly being evaluated.

To meet customers’ stringent requirements, TransUnion launched its Enterprise Security Ratings Platform, which gathers terabytes of data from security sensors around the world and provides insight to indicators of compromise, infected machines, improper configuration, poor security hygiene and harmful user behavior. The data is analyzed to determine the severity, frequency and duration of incidents and then mapped to known networks, resulting in an overall security rating for each selected organization.

The ratings provide continuous insight into each organization's security posture and are used in TransUnion's third-party security program, self-assessment exercises, security benchmarking, and mergers and acquisition activities.

The platform has resulted in improved security, transparency and efficiency. SRP enables TransUnion to monitor as many as 10 times more service providers on a continuous basis. SRP generates benchmarking reports that compare TransUnion's security posture to its competitors, and it improves efficiency without increasing headcount.

The Nature Conservancy: Security Analysis Architecture Project

Timely knowledge of cyber attacks on The Nature Conservancy is the cornerstone of risk operations. Without accurate knowledge of attack profiles, many tasks become impossible, such as managing risk, determining what to secure and identifying layered controls.

Rather than relying on instinct, TNC opted for data-driven decisions.
Its Technology and Information Services team developed a comprehensive security analysis architecture. The solution contains two components: a sensor infrastructure that is embedded at field offices, and a centrally managed log/visualization infrastructure, which serves as the focusing system for aggregation, parsing, visualization and analysis.

Developing such a sophisticated system is financially challenging for most non-profits. TNC used white box servers, repurposed consumer gaming devices as sensors, and leveraged open source or free tools to accomplish this task.

Sensors have been deployed to field offices across the U.S. These sensors captured approximately 65,000 unique indicators that will be used to create concise executive level reports for the first time, which will help TNC measure risk exposure and drive its cybersecurity direction.

The Mitre Corporation: ATT&CK

The key to a successful cyber defense is understanding an attacker’s tactics and techniques. MITRE has developed an adversary playbook called ATT&CK, which stands for Adversarial Tactics, Techniques and Common Knowledge. It’s a way for defenders to fight cyber invaders after they gain access to a network’s perimeter. ATT&CK is Mitre’s first detailed battle plan for understanding how cyber adversaries get into a network, and what they do after they’re in – identifying and categorizing an intruder’s every move inside the network. In addition, ATT&CK addresses how an organization’s technologies and information can confront the attack.

Project leaders say organizations benefit from the ATT&CK tool by having a reference point model to align with their current defenses.
Organizations can use ATT&CK to create a blueprint for monitoring and assessment, to build a metrics platform, to determine cyber investments, and for continuous improvement of their cyber battle plan.

State of Missouri Office of Administration: Using Public Data to Alert Organizations of Vulnerabilities

Borrowing a page from a hacker who infiltrated a university’s vulnerable Web-connected devices to disseminate hate speech, the Missouri Office of Cyber Security (OCS) started formulating how it could use the same technique to identify vulnerable systems on the Internet for good purposes.

OCS launched a program to identify vulnerable, Internet-connected systems belonging not just to state and local governments, but also to businesses, utilities, and academic institutions across Missouri.

Using Censys.io, a publicly available research platform that scours the entire Internet and indexes devices, open ports and the services exposed, OCS has been identifying vulnerable systems statewide.

OCS finds vulnerable systems based on banner feedback and running services. Data is reviewed and cross-referenced against the American Registry for Internet Numbers (ARIN) to obtain contact information for every system identified. OCS then sends a notification to all impacted organizations. To date the program has identified thousands of software programs with expired support, and antiquated protocols that invite intruders at 161 entities and on 10,300 devices.

State of Michigan: Michigan Cyber Disruption Response Plan

The State of Michigan detects tens of thousands of attempts to infiltrate its government network every day. As a global hub for automotive design and manufacturing, and the home of three major research universities, it’s easy to see why cybersecurity and disruption planning are top priorities.
To keep pace with evolving cyber threats, Michigan developed the Cyber Disruption Response Plan – the first state to develop such a blueprint, which allows Michigan to establish a common framework through which all private sector and local government partners can easily and effectively protect their IT systems.

The CDRP provides Michigan’s emergency management and information technology personnel, as well as stakeholders, with a plan to coordinate preparedness, response and recovery activities related to large-scale or long-duration cyber disruption. In the past, communication between the state and organizations during a cyber incident was minimal and disjointed – sometimes taking weeks for organizations to share that an incident had occurred. CDRP closes those gaps and facilitates a more open dialogue on cyber-related concerns and emerging threats.

Sallie Mae: Reducing Insider Threats with Risk Analytics

Some 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months, according to Accenture.

At student loan company Sallie Mae, insider threats have been amplified by increasing employee turnover and more contract-based positions. To combat the problem, Sallie Mae adopted a new approach that applies machine learning, analytics and predictive anomaly detection to user behavior and access privileges to detect and protect against insider threats, as well as external attacks that use compromised insider credentials.

Sallie Mae deployed a user behavior and entity analytics platform from Gurucul. The technology first identified outlier access, orphan and dormant accounts. Next, it was used to monitor user activity to identify anomalous behavior in both on-premises IT resources and in cloud environments.
If a user downloads a confidential document under abnormal circumstances, for instance, investigators can search all other users who also accessed it to uncover events which might involve multiple actors. Excess and misaligned access to data has been reduced by up to 40%.

Rapid7: Access Management Automation

Managing employees’ access to company systems gets more complicated every day as the number of user devices and entry points grows.

Data analytics solutions firm Rapid7 was struggling with two aspects of identity and access management. Both manual access reviews and manual access provisioning/deprovisioning were extremely time consuming. They didn’t scale and left room for error. Rapid7’s IT and IS teams developed Access Hero and ReTAP (Remote Temporal Access Protocol) – two homegrown tools that leverage automation to save the organization over 160 hours a year. Both tools were built in Ruby, back-ended by a PostgreSQL database in the cloud. The tools also reduce the company’s risk exposure by ensuring access to critical business applications is limited only to users who need it.

As Rapid7 continues to add more applications and users to its organization, the number of hours saved will scale along with them.

Quest Diagnostics: Capture the Flag to Improve Secure Coding Techniques

Quest Diagnostics used to spend days training its developers on secure coding techniques only to reap modest improvements. Some developers didn’t use what was taught to them and others quickly slipped back into old habits. The company needed a creative approach to engage its developers and get them to retain and continually use those techniques. The solution was a Capture the Flag event that made training less tedious and more fun, while achieving optimal results.

Contestants try to break into a simulated web site, under an added Super Bowl-like atmosphere.
Each day, 885 IT staff received a sports update of scores and humorous “expert” analysis cheering on the 63 developers competing. The competition has spurred contestants to push even harder for that extra edge, organizers say. Some nine out of 10 contestants performed additional outside research to better their performance.

The event, along with monthly lunch-and-learn programs, has resulted in a 60% drop in new vulnerabilities reaching production applications.

ProQuest: SIFT Fraud Detection

ProQuest provides content, such as periodicals, newspapers and dissertations, to researchers and academics who are searching for information.

The company has seen a significant rise in fraudulent access of its content across the information industry. Libraries and other customers often rely on IP-based authentication to an entire university or public library network as the means to gain access to the content they license, but authentication was a wildcard. Most fraud engines are built to deal with financial fraud. For content search engines, a more complex set of rules, permutations and approaches was required.

ProQuest created SIFT, a fraud-detection and prevention engine focused on content-specific use cases that looks at historically "normal" user usage, and learns and evolves its definition of normal usage as customers continue to use the system. It then provides a credit score-like report to subscribing applications giving them an indication of the validity of any requests for content.

After one year with SIFT, ProQuest has reduced fraudulent content loss and related security incidents.

Nexteer Automotive: NEXTINTRUST Identity Lifecycle Management

Like many companies, Nexteer Automotive wanted to minimize the risk of intellectual property loss and strengthen its enterprise security.
A risk assessment conducted in late 2015 showed that the most critical risks involved employee onboarding and off-boarding, cloud computing governance and intellectual property protection. The company embarked on an identity lifecycle management project, called NEXTINTRUST.

Nexteer first restructured and optimized its Active Directory, and then the company acquired and deployed Okta as its identity lifecycle management tool.

Today Nexteer is working to integrate its Human Resource Information Systems and Active Directory to automatically create HRIS-mastered accounts in the Active Directory and provision into Okta-connected applications.

The project gives employees secure access via multi-factor authentication, and increases user productivity and security. It eliminates the need to remember multiple passwords and minimizes bad practices, such as writing passwords on sticky notes. Project leaders say the company realized ROI in less than a year.

Monsanto: Creating a Cybersecurity Culture that Protects Digital Assets

Nearly half of all security breaches are the result of human error, according to a 2014 study. Monsanto was looking to deter those internal errors through education and awareness, so it created a "Human Sensor Network" that proactively identifies and reports potential threats.

Seven awareness campaigns were developed to address awareness gaps, and training content was translated into 18 languages to reach its global audience.

Among the program’s components, Monsanto implemented a global phishing simulation campaign to provide training on how to recognize and report malicious email. It developed a new, simplified information security portal to better engage users globally. To expand the program’s reach further, the company built a global network of volunteer champions to assist in delivering key awareness messages in areas where language may vary.
It also established a corporate ISO mailbox and an internal social media page for employees to interact directly with ISO.

Phishing simulations resulted in a 350% improvement in click rates and a 255% improvement in report rate. General reporting of suspicious email increased by 2,500%.

Mastercard: Mastercard Phishing Tournament

The Mastercard Phishing Tournament was designed to engage employees to actively look for spam and social engineering messages in their mailboxes and report them for further investigation. Each email reported is scored based on a variety of factors, and monetary awards are given each quarter to the highest-scoring participant.

Flagged messages receive special attention. Many systems merely block the sender and flag the messages to the email provider. Through the Mastercard Phishing Tournament, flagged messages are sent to Mastercard’s security operations center, allowing the team to look for new versions of malware, examine senders and identify trends.

The tournament gives Mastercard additional soldiers in the security fight. By using a positive approach instead of the traditional testing and re-training programs, Mastercard is turning employees into active members of the information security team.

Since the beginning of the Phishing Tournament, Mastercard has seen a 313% increase in the number of emails reported.

Los Angeles World Airport: Business Continuity Information Security

As one of the busiest airports in the U.S., LAX is a key part of critical infrastructure in the City of Los Angeles. To expand its protections, LAWA implemented a formal Business Continuity Process in 2013 to ensure that it could respond to emergencies and crises in a timely manner, as well as manage financial and operational risks, and avoid business and operational disruptions.

The project involved implementing and integrating LAWA’s Cyber Incident Response capability and Business Continuity/Disaster Recovery capability.
The RSA Archer platform was deployed to enhance collaboration between these two disparate functions. Data collected during the business-impact analysis process was used to determine critical business processes and the technology that supports them. This information was used to calculate the priority of incidents and help provide awareness of the impacted systems, including their priority and dependencies. From the incident response side, the crisis response process was activated directly from the Incident Response team, allowing for faster recovery.

Kimberly-Clark Corporation: Protect K-C & Me

At Kimberly-Clark, information security is the responsibility of all workers. To strengthen its human firewall and increase workers’ understanding of security principles, the company developed Protect K-C & Me, a global, corporate-wide information security awareness program.

In 2016, the program launched more than 30 global campaigns, including five separate Cybersecurity Awareness Month activities and events, social engineering campaigns, promotional swag distribution, training and the website launch. The program touched every employee worldwide with relevant messaging, gamification of awareness training, and a live keynote presentation by Frank Abagnale, author and subject of the movie, “Catch Me If You Can,” which was viewed at regional watch parties at locations globally.

Among the results, the awareness program has distributed 320,000 phishing emails globally in 17 languages to determine the susceptibility to cybercriminals looking to infiltrate the K-C network through phishing attacks.
Test results showed the company has reduced risk by 12%.

John Muir Health: Information Security Network Visibility

During a risk and threat assessment of its networks in 2015, John Muir Health, a 1,000-bed health system in San Francisco, determined that it couldn’t identify who was connecting to its network and whether suspicious activity was occurring on it. New CISO Tom August worked with the organization’s leadership, industry peers and federal law enforcement to identify solutions that would provide visibility over the entire network.

August first had to gain a clear understanding of the enterprise’s risk appetite for information security issues, which he gained through a series of discussions with board committees and executive leaders across the organization. August also created a broad platform that allows transparency into suspicious activity throughout the entire network. The health system leveraged the size and newness of each vendor to drive them to work with each other to ensure tight integration – and also integrate through the Cisco PxGrid.

Today John Muir Health is able to see across nearly all segments of its network. It’s now working to establish a self-aware, self-healing network that can immediately identify, validate and react to imminent technology-based threats.

Jackson Health System: Cybersecurity via Intra-network Visibility

Jackson Health System declined to include a summary of their award-winning project due to privacy concerns.

Indian Health Service: Indian Health Service’s Cybersecurity Program

Indian Health Service wanted to establish a world-class cybersecurity program in support of a vast health care network serving about 2.2 million American Indians and Alaska Natives that spans over 679 hospitals, clinics and health stations across 38 states and 567 sovereign nations.

Under a new CISO, IHS first restructured its functional capabilities and reporting structures.
Next, IHS transferred the Division of Information Security employees from Albuquerque, NM to Rockville, Md., allowing the program to recruit cybersecurity experts from a broader talent pool. The transformation led to the creation of seven cybersecurity functional areas to address the breadth of cybersecurity needs.

As a result, the IHS has made huge strides towards innovation and substantial support for field offices and Tribal Nations by developing new and revamped functions while collaborating with health care providers. These include improved secure methods of transferring patient care data, automated logging and pharmacy dispensers, threat management, engagement and awareness training, program standardization and alignment, 24/7 incident response and vulnerability management.

INC Research: Security Training Improves Flexibility and Reduces Costs

In the learning-intensive and highly regulated environment of pharmaceutical clinical trials, training programs are a way of life. But at INC Research, there is great sensitivity to each additional minute of training – even for cybersecurity – that was required of its 7,000+ global employees.

Corporate executive management asked that the all-hands security training program be reduced by 50% from its full hour of training annually delivered in one solid block of uninterrupted time. The information security team tightened up the existing program to focus on compliance imperatives and validation of understanding and content mastery within a new delivery model of two 15-minute sessions delivered six months apart. This model eliminated awareness topics and other helpful-but-informal guidance.

Classes now focus only on key statutory, regulatory and policy-based requirements and imperatives that must be covered annually with validity checks for all employees. It includes mastery checks for understanding, saving over 3,500 resource hours annually.
The program is augmented with two-minute monthly hot-topic security awareness messages delivered via email, and continuous security messaging on the intranet home page.

Horizon Blue Cross Blue Shield of New Jersey: Domain Security Platform

Staying one step ahead of cyber criminals poses challenges for most health care organizations. Horizon Blue Cross Blue Shield of New Jersey implemented the Domain Security Platform, which automatically identifies, monitors and blocks potentially malicious, newly registered external domains and websites likely to pose an elevated risk.

A homegrown solution identifies within two seconds newly registered domains being accessed from within its internal network and then monitors and blocks them as needed. All Domain Name System query information from endpoints is collected through the Horizon BCBSNJ network with the help of the ExtraHop analytics platform and Blue Coat cybersecurity and network management. Using Splunk, the organization can track via dashboard the total number of domains analyzed over time, the number of newly registered domains identified and the number blocked during a measured period.

In the first three months of operation, the platform was able to analyze 50,000+ unique domains. Of these, 412 were classified as newly created domains that warranted further investigation.

HITRUST Business Associate Council: HITRUST Business Associate Awareness Program

Health care organizations rely on legions of third-party vendors to handle everything from logistics to human resources, software development and financial recordkeeping. They drive efficiencies and lower costs, but they also pose potential risk to security, privacy and compliance.

The HITRUST Business Associate Council was already established to drive innovation throughout the third-party vendor supply chain while advancing practices for mitigating cybersecurity risk.
So when new legislation extended the responsibilities of security and compliance to these third-party providers, the Council invited BAs to help develop an approach that would meet their needs.

Among their challenges, half of the BAs surveyed completed 100 to more than 1,000 third-party assessments annually, spending more than 10,000 hours a year. HITRUST studied the privacy and security requirements of organizations including ISO, NIST and PCI, and distilled them into a single, evolving assessment process, providing a standardized framework and tools for organizations to administer assessments. Next, the Council came up with a three-part program to overcome adoption issues and improve industry-wide understanding of the new regulations. The program is expected to not only improve cybersecurity, but also drive down costs, improve client satisfaction and inspire customer confidence.

Hershey Company: Global Identity Governance Initiative

As the Hershey Company expands globally, so too does its need to keep critical applications safe via a global identity governance infrastructure. Hershey recognized that a more integrated, automated and policy-driven approach to identity and access management would improve governance, eliminate unnecessary costs and give the company more agility in operations as it pursues new markets and partnerships around the world. The identity governance roll-out would need to scale and support a very diverse mix of legacy, mobile, cloud-based, IoT and other IT assets.

In just one year, Hershey completed its global identity governance project.
Project leaders attribute part of the project’s success to their ability to quickly gain buy-in from executives and board members by identifying how the project could alleviate constraints on Hershey’s worldwide operations caused by existing, siloed ID processes.

Today Hershey can quickly on-board new employees and applications from acquired companies – a process that used to take weeks and sometimes months. SOX compliance is also easier with reporting tools that automatically generate monthly reports on who has access to what across all Hershey systems.

Health Management Systems: Asset Management on Steroids (AMOS)

One of the fundamentals of asset management is first knowing exactly what assets you have to secure. In 2014, members of the Health Management Systems security organization recognized an information gap between security incidents on physical assets and understanding precisely how business processes were being affected.

Disparate processes and technologies for gathering asset information resulted in confusion over where to find accurate information, uncertainty about where processes integrated, and a lack of clarity about the relationships between systems that increased downtime and the number of outages.

The Asset Management on Steroids project was born. AMOS ensures the consistency of information used for risk management, business operations reporting and procurement services. It requires groups to document their processes, eliminate information silos and establish standards.

Today information gaps have been closed.
The operations center uses the asset information in its ServiceNow platform to facilitate monthly maintenance processes, and the security organization can accurately identify owners of assets to ensure they’re quickly notified or responded to when system outages occur.

Grand Canyon University: A New Take on an Old Problem – GCU’s Cybersecurity Awareness Program

Grand Canyon University’s IT Security department has developed a cybersecurity awareness program that improved employees’ ability to treat suspicious emails, phone calls and websites with an appropriate level of skepticism. Knowing that positive reinforcement is more effective than negative “gotcha” moments, GCU employed positive steps to replace inaction with action.

In-person training has been reduced to 15 minutes in total and is augmented with brief, regular communications designed to engage and entertain while encouraging employees to take the desired action of submitting questionable items to the IT Security department. The GCU Phishing Derby caps off the awareness campaign. Timed to coincide with National Cybersecurity Awareness Month, the Derby starts with three weeks of phishing awareness tips and ends with a week-long event that offers employees a chance to win prizes for catching phishing scams.

Employee awareness has improved while decreasing instances of successful phishing and malware attacks, resulting in cost savings and increased employee productivity. What’s more, employees now regularly reach out to the IT security department for guidance and clarification on all things cyber.

GoDaddy: Protect API

Domain name company GoDaddy has created a way to give owners of an application the control to mitigate traffic they have detected as bad, and then either drop or mitigate that traffic as needed.
Protect API protects applications and services through automatic calls of an API service.

Protect API also makes it possible to automate the creation of mitigations and blackholes by exposing the mitigation appliances as a service through a REST API. This allows the owners of services, infrastructure and applications who know their traffic patterns best to identify malicious traffic and mitigate it before an outage occurs.

Protect API can also be used by other departments because it eliminates the traditional model of having to call a security operations center or CSIRT to handle an attack.

Since Protect API has been implemented, about 2,000 DDoS attacks have been automatically mitigated per month, or an average of 120-150 attacks per day. Protect API's blackhole feature has allowed internal departments to automatically mitigate brute force attacks against their applications, reducing application latency and resource usage by blocking the attack upstream automatically.

Genpact

DLP 2.0

Data leakage prevention (DLP) is a technology aimed at stemming the loss of sensitive information. Genpact’s old DLP processes were creating a lot of false positives, causing inefficiencies in the process. It also felt that reporting to senior management could be improved, so the former unit of General Electric implemented DLP 2.0.

First, it leveraged its expertise in Lean Six Sigma methodologies to reduce the number of false alerts, fine-tune its detection policies and enhance the overall coverage.

Beyond DLP’s technical capabilities, the company also wanted to use it to drive culture transformation and change employee behavior.
Using the software’s alerting feature, whenever a user tries to send confidential information on a personal account, he/she will get a pop-up notification asking him or her to be sure the transmission is for business purposes.

Detailed reporting tools allow Genpact to dig deeper into each employee’s online behavior, and allow IT managers to send targeted communication to high risk user groups, view metrics on response times, and improve the total time from response to resolution.

This project achieved a 63% reduction in the total alerts generated by the DLP system and a 25% reduction in the actual incidents.

Food and Drug Administration

Systems Management Center: Integrating the FDA’s Cybersecurity and Network Operations Centers

The FDA’s IT infrastructure faces persistent security threats, especially with the growth of cloud technologies and mobile devices that give new opportunities for malicious actors, trusted insiders, foreign governments and transnational criminal organizations to exploit sensitive information.

To increase its cyber defenses, the FDA Office of Information Management and Technology integrated its cybersecurity and network operations centers to form the Systems Management Center – a non-traditional approach for the public sector.

Under the SMC construct, three teams were developed. A Tools and Alerts team handles incident management notifications and includes network, system and application monitoring tools. The Network and Infrastructure team coordinates triage and responses to incidents. The Cybersecurity Operations team monitors incident response, conducts cybersecurity analysis and proactively addresses imminent threats to prevent risk exposure and disruption.

Today the SMC provides near real-time cybersecurity capabilities and risk management methodologies to protect sensitive data and information systems.
Project leaders say it has also become a model for collaboration and transparency across the entire FDA enterprise.

Flowserve Corp.

Modernizing Infrastructure Security Through Micro-Segmentation

Flowserve, producer of engineered seals, pumps and valves, provides services to some of the most essential organizations in the nation, including nuclear and military facilities. As threats to critical infrastructure increased, Flowserve decided to take a different approach to modernizing its security posture to protect heavily regulated production facilities that provide services to nuclear and military facilities, as well as services to other mission-critical commercial environments such as oil and gas production.

Flowserve leveraged micro-segmentation software to isolate its most important and regulated environments. Micro-segmentation works across a heterogeneous environment, rather than using traditional physical segmentation which relies on firewalls, VLANs and physical infrastructure. The approach allowed the security team to load software onto network devices, with a single management console coupled with bits of code that run on IP devices. This allowed system managers to layer on controls that decide who gets to do what, and easily enforce those rules at the network packet level.

Workers now have access to data on a need-to-know basis, and endpoints are protected from unauthorized users.

FICO

Build Security In and Measure Success

Credit score company FICO has come to know that getting security right requires more than just the technical pieces of reporting issues that are found and fixing them.
It believes security also encompasses business, social and organizational aspects.

To fully embrace these synergies, FICO implemented the Build Security in Maturity Model (BSIMM) framework that allows the company to measure its program against peers, make improvements across the software lifecycle and monitor its risk posture.

The BSIMM framework captures and makes available an overall understanding of the diverse software initiatives and methodologies in the organization. It provides a yardstick for describing the most important elements of a software security initiative and allows FICO to measure different methodologies or those that operate at different scales.

Project leaders say the framework has created a common vocabulary that allows all development teams to reach across silos and disrupt the reliance on “tribal knowledge.” What’s more, the average time to correct critical and high-priority issues has been reduced from 32 days to 5 days.

Esri

SOC Reinvigoration – Increase Efficiency of SOC Operations

Esri, the geospatial technology organization, has implemented a portfolio of security products to protect the many diverse digital assets of both the company and its customers. The portfolio identifies more than 10,000 incidents/alerts per week. This presents the company with significant challenges when trying to analyze and respond to these alerts with limited resources and time.

Esri set out to increase its efficiency in responding to alerts and to reduce costs in its security operations center. The organization accomplished its goal by harmonizing multiple automation capabilities. For instance, the automation added with the Demisto platform, which automates security operations and incident management processes, complements Esri’s existing SIEM and network monitoring solutions, improving efficiency for the SOC team.

Project leaders say that automating the mundane tasks allows human analysts to focus on decision-making vs.
collecting evidence. This reduces a major portion of the time that Esri teams would spend running separate tools and performing repetitive tasks.

With automation and collaboration, the volume of alerts that require active human review has been reduced from 10,000 per week to about 500.

Educational Testing Service

Securing the Software Development Lifecycle

ETS develops, administers and scores more than 50 million tests annually in over 180 countries across 9,000 locations worldwide.

Results of ETS educational tests affect eligibility for scholarships and acceptance to universities. For professionals, obtaining critical professional certifications hinges on test results. To keep systems safe, ETS set out to identify and eliminate security flaws. This critical step was the start of a new approach to a comprehensive enterprise security program.

ETS developed a systematic and repeatable process that helps the company detect and correct vulnerabilities and security flaws in the software it develops. The process was created with the input of many software developers, and it treats security vulnerabilities the same way that developers routinely treat software defects. Rather than leading developers to consider security as something separate from software development, this approach integrated security into the standard, daily tasks of developers -- finding and fixing bugs.
This made removing security vulnerabilities seem less foreign to them.

The project significantly reduced ETS’ security risks by integrating new services and tools into the ETS software development process.

Department of Homeland Security

Automated Indicator Sharing

In January 2015, the White House directed the Department of Homeland Security to develop automated indicator sharing as a way for private sector entities and government departments and agencies to share cyber threat indicators, such as malicious IP addresses or the sender address of a phishing email.

DHS moved quickly to develop Automated Indicator Sharing and rolled out its initial offering in November 2015. AIS receives, sanitizes and redistributes indicators and defensive measures, allowing participants to identify and mitigate cyber threats in real-time.

DHS leaders say the project’s goal is to commoditize cyber threat indicators and enable everyone to be better protected against cyber attacks. That would mean adversaries can only use an attack once, which increases their costs and ultimately reduces the prevalence of cyber attacks.

When Congress passed the Cybersecurity Act of 2015 in December 2015 with some new and more specific requirements, the system was modified again.
While AIS won’t eliminate sophisticated cyber threats, leaders say, it will allow companies and federal agencies to concentrate more on them by clearing away less sophisticated attacks.

Creative Artists Agency

Leveraging Operational Intelligence and User Behavior Analytics to Migrate to the Cloud

Creative Artists Agency declined to include a summary of their award-winning project due to privacy concerns.

Celgene Corp.

Data Loss Prevention

Global biopharmaceutical company Celgene was looking to reduce its cybersecurity risk, protect sensitive information, classify vast amounts of data and determine who has access to it.

Project leader Michael Stanley and his team launched the data loss prevention project, which included a governance model, a new strategy and new technology to address defined requirements for identifying sensitive data at rest, data in use and data in motion.

The project required an unprecedented amount of collaboration among core business groups in identifying their data and defining its appropriate use – a difficult task considering the biopharmaceutical environment is highly collaborative and is constantly sharing new data. The team leveraged technology to help identify and track the movement of sensitive information, and distinguish who has access to the information to ensure its security.

So far, DLP has been embraced by business units. As the number of identified sensitive documents has increased, the incidence of inappropriate use, such as confidential information sent to a personal email account, has decreased.

Cancer Treatment Centers of America

We ARE Safe – Information Security Awareness and Training

The leaders at Cancer Treatment Centers of America believe that information security is an extension of patient safety. Security technologies protect its assets, but the key defense is educating employees about cyber attacks and creating a culture of safety.
CTCA’s enterprise-wide initiative, “We ARE Safe -- Accountable, Reliable, Empowered,” is the framework for addressing incident response through security awareness training. The program develops essential competencies and establishes a process to stay ahead of potential breaches.

It also fosters an employee culture that’s “highly reliable” for safety – meaning achieving and sustaining a high performing organization with an internally driven safety focus -- paying more attention, communicating more clearly and thinking more cautiously.

Project leaders say the program has enabled CTCA to treat information security with the same degree of seriousness as preventing infection. Over a 10-month period, the number of messages flagged by users and added to anti-SPAM tools increased from one or two per month to five to 10 per week.

BNY Mellon

Smart Docs Cyber Custodian

The US home loan system is underpinned by hundreds of millions of collateral documents. BNY Mellon is required to control and manage these documents throughout the term of a loan. The previous process for managing documents had weak tracking capabilities and a manual audit procedure.

Smart Docs Cyber Custodian automates the identification and management of collateralized loan documents -- combining the internet of things technology with digitization for compliance and risk management. The adoption of Smart Docs ensures that collateral files are transferred in a timely manner and all impacted parties are able to quickly obtain the documents when needed.

The new approach involves scanning the documents into a designated electronic cabinet location. The physical document is affixed with an RFID tag so it can be tracked as it moves throughout BNY Mellon.
The project reduces the manual handling of documents for verification and certification by 70%, reducing labor expense and preventing document loss.

Blue Cross and Blue Shield of North Carolina

Managed File Transfer Realignment

Blue Cross and Blue Shield of North Carolina is part of a highly regulated industry with many business and trading partners with whom it shares data. Like most companies, BCBSNC developed governance processes on the intake side of new file transfers, but lacked the same level of controls to ensure the transfers were decommissioned when no longer needed.

Its Managed File Transfers Recertification project was initiated to recertify all existing transfers and develop a sustainable, automated model for the future that leverages existing processes and technology used for certifying user access.

The challenge was to automate a tedious and ineffective process and align it with existing effective business processes. By improving how the file transfer information was cataloged, BCBSNC developed a master file capable of integrating with its existing IAM tool.

Once the master file repository was complete, a feed was established between the repository and its IAM tool. This provided business owners a simpler means of attesting to their file transfers. The result is a sustainable workflow to prevent manual recertification that provides increased visibility into BCBSNC’s file transfers.

The Blackstone Group

Automating Malware Investigations

As a global investment firm with more than 21 offices around the world, Blackstone and its security team see 30 to 40 malware alerts in a single day. Blackstone’s incident response team investigates each malware alert as if a compromise has already occurred, a process that requires 30 to 45 minutes to fully address each alert if done manually.
Automation was the answer, but despite Blackstone’s own expertise in scripting and automation, developing this capability across a large set of security vendors became difficult to maintain. As each vendor changed the API for their product, the automation scripts also had to change.

Blackstone selected Phantom as its security automation and orchestration platform. The platform integrates existing security technologies and provides a layer of connective tissue between otherwise disparate systems. The project has reduced the time required for Blackstone’s response team to investigate malware alerts. The automated malware investigations now take about 45 seconds, freeing the team to focus on analysis and resolution.

Beebe Healthcare

Organizational Security Management

Beebe Healthcare, a nonprofit healthcare system in Lewes, Del., established a dedicated security team in March 2015 to focus on all areas of cybersecurity threats, compliance, risk assessment and mitigation, effectively going from 0-100 mph in a very short time. The team has improved security awareness, threat reduction, and proactive incident response efforts for the health care system.

Among its successes, the team established a security awareness and training program that included a phishing assessment in addition to personal, departmental and community outreach. The goal was to identify employees’ risk profile for phishing susceptibility. The initial assessment showed that more than 29% of the employees would fall for a well-crafted phishing email and were unaware of reporting or handling procedures.
In one year, with the IT security department's active training, new employee orientation and continued resilience testing, employees’ "phish risk" percentage dropped to 8%.

Banesco Banco Universal, Venezuela

Securing Internet Banking Transactions

Banesco Banco Universal, Venezuela’s largest bank, needed a centralized system to prevent, monitor and ensure the security of its online banking service in real time.

The security team at Banesco Banco designed, developed and implemented an application, called the Predictive Console, that integrates the online banking system with databases, legacy systems and other monitoring systems. Team leaders say the project was based on the concept of a security model applied in layers, allowing a simple solution to integrate and improve coverage in the prevention and control of fraud events. This tool does not require modifications to the business logic, and it reuses existing security mechanisms to strengthen the effectiveness and functionality of the solution. It uses a risk engine based on the behavior of customers, using connections and financial profiles.

With the solution in place, Banesco Banco saw fraud reduced by 75% from 2015 to 2016, and the number of fraud events decreased by 84%.

AT&T

Storm 2.0 Threat Analytics Platform

Telecom giant AT&T has come up with a next-generation threat analytics platform that transitions to big data technology, collects a broader dataset, increases performance and adds analytical capabilities. The platform's mission is to utilize this data to collect events, detect security threats, initiate remediation and, ultimately, protect AT&T and its network from compromise and malicious activity.

The Storm 2.0 Threat Analytics Platform project involved a custom big data implementation. The project team designed a Hadoop-based cluster, creating a unique big data stack.
The team then implemented this stack in a 110 data-node cluster and successfully migrated more than 5 billion records per day to the new platform.

The team integrated existing threat management tools, including HP’s ArcSight SIEM, the proprietary AT&T Malicious Entity Database, Anomali's ThreatStream and the internal AT&T RCloud analytical library. This created a platform that acts as an ecosystem of security threat analytics.

AstraZeneca

Cloud Control Point

AstraZeneca, a global pharmaceutical company operating in over 100 countries, put collaboration at the center of its IT security strategy with a secure, global cloud collaboration platform. The challenge then became how to keep track of what data is in the cloud, where it is going, and who can access it.

The security team enlisted Skyhigh Networks’ cloud access security broker as a central control point for all cloud traffic, sanctioned and unsanctioned. AstraZeneca uses Zscaler as its inline proxy to monitor web traffic across users, devices and locations and to protect employees from malicious or compromised sites. Skyhigh integrates with Zscaler to process proxy logs and provide visibility into AstraZeneca’s cloud usage, as well as the individual risk ratings of each service.

Today the IT department has granular visibility into every kilobyte of data sent to the cloud and control with data loss and collaboration policies. At the same time, they removed the need for VPN access. Employees, patients and medical professionals worldwide can securely share data in the cloud.

Amkor Technology

Ransomware Inoculation

Amkor Technology, a semiconductor services provider, needed a way to prevent ransomware from becoming a weekly fire-fighting event.

The Amkor InfoSec group embarked on a project to mitigate damage from future ransomware campaigns and allow for quicker recovery.
Amkor first analyzed the way ransomware, a highly scripted attack virus, performed after detonation, then it tailored a solution that both retarded the effects of ransomware and allowed for easier and faster recovery. Similar to an inoculation, the solution doesn’t prevent the infection, but rather blunts the virus’s capabilities and allows for faster recovery.

Among the project’s features, the group created a GPO that will block common ransomware command execution after detonation within Windows OS. It also created a new policy on the centralized storage device blocking encryption commands utilizing the most common encryption extensions used by ransomware. On the recovery side, Amkor ensured that all critical data is on shared directories, which are snapshotted every four hours to allow for a worst-case, four-hour data loss.

Project leaders say this is a program most companies can implement with little money and one that makes them immune from 99% of the known ransomware.

Aflac

Ducking Threats – Aflac’s Automated Threat Intelligence Control System

Aflac witnessed a significant increase in the volume and velocity of new security threats. So the insurance provider embarked on a mission to create a custom-built threat intelligence system capable of consuming large amounts of threat data and, in turn, using that data to protect the environment and inform security decisions.

Part of the solution involved maximizing the use of API integration. The threat intelligence platform uses APIs to communicate and share information between platforms. Numerous APIs push data between systems that otherwise would have had to be manually loaded in batch.
With this approach, the system has been able to automatically consume threat data, assign confidence ratings and deploy it to security infrastructure block lists.

Partnering closely with Splunk, Aflac was also able to integrate its threat intelligence data with its user behavioral analytics solution to enrich its advanced analytics.

Within a six-month period in 2016, the threat intelligence system blocked more than two million connections, with fewer than one dozen false positives.

AECOM

Improving Employees’ Ability to Spot Phishing Emails by 300% in 18 Months

When engineering firm AECOM first measured the phishing awareness aptitude of its 100,000 employees, almost 30% of them failed to identify the scams. In response, the firm designed a phishing awareness program that focused on raising awareness, reducing the fail rate, and helping employees understand how to get help and feel no shame about coming clean when inadvertently clicking on phishing emails.

For the next 18 months, its education and awareness campaigns would focus wholeheartedly on phishing, with a few other topics sprinkled in to help keep content fresh. Project leaders say the entire campaign came at very little cost but required a huge amount of dedication, creativity and influence across the company. All channels were coordinated by leveraging the influence of the CISO, executive support in business lines and regions, collaboration with internal communications and marketing, befriending the graphics team and soliciting help from every corner of the organization.

As a result, AECOM reduced its phishing fail rate from 29.9% to 6.7%.

International Association of Certified ISAOs

Find out more about IACI's award-winning project in our story "IACI's neighborhood watch is a new approach to information sharing."