ISE® Southeast Project Award Nominees 2019

aarons
Project Phalanx: Shifting Left in Application Security
Executive Sponsor: Almir Hadzialjevic, VP, Enterprise Risk and Security
Project Team: Jeremy Brooks (Lead Security Engineer, Application Security), Eric Simmons (Developer, Security Champion), David Nolan (Directory, Information Security), Kevin Leclair (Director, Software Engineering), Edwin Deliz (Manager, QA), Anthony Burk (Automation Engineer, QA), Alex Gonzalez (Automation Engineer, QA), Ashley Lee (Manager, Software Engineering), Cliff Jacobson (Manager, Software Engineering), Will Moore (Manager, Development Operations)
Location: Atlanta, GA

The Application Security team at Aaron’s partnered with QA, Development, and Development Operations to create a platform that enables the seamless integration of application security into Aaron’s S-SDLC and development technologies. This initiative focused on delivering faster feedback to the development teams by providing self-service processes and automation that drastically accelerate the discovery and remediation of application security defects.

aflac
Ducking an Identity Crisis with Real-Time Fraud Alerting
Executive Sponsor: Tim Callahan, Senior Vice President, Global Security Officer
Project Team: Matthew Harper (Director, Cyber Crime Prevention), Adam Miller (Senior Consultant, Cyber Crime Prevention), Nic Clark (Cyber Crime Prevention Engineer), Hailey Armstrong (Cyber Crime Prevention Analyst), Veena Harish (Project Manager), Prabhas Singh (Consultant)
Location: Columbus, GA

Criminals are taking advantage of Aflac’s transition from a legacy serving model to a digital-first environment via Account Takeover (ATO) and other techniques. To protect Aflac policyholder data while enabling the digital transformation, Aflac leveraged in-place security technology (Splunk) and real-time channel/servicing data (call center, online, claims and client master) to create a flexible analytics platform that can flag suspicious activity in real time and alert business partners in fraud, claims operations and security to take corrective action. The project delivered real-time visibility across all aspects of Aflac core individual business units and ID validation infrastructure.

black knight
Digital Executive Risk Committee (“Digital ERC”)
Executive Sponsor: Joshua McDermott, SVP, Enterprise Risk Management
Project Team: John Steele (Senior Manager, Enterprise Risk Management), Sarah Stills (Enterprise Risk Analyst), Ben Davis (Enterprise Risk Analyst), Jonathan Chase (Enterprise Risk Analyst), Matt Cordle (Enterprise Risk Analyst)
Location: Jacksonville, FL

The Digital ERC project improves senior executive risk decision making by providing timely and accurate cyber risk information to members of Black Knight’s Executive Risk Committee (ERC) via interactive risk dashboards. Members of the ERC previously had to rely on static and often out-of-date PowerPoint slides to receive updates on the Company’s information security program to drive risk decision making. With the Digital ERC dashboards, ERC members can review real-time information (including drill-down capability) on the Company’s threat and vulnerability posture, security incidents, status of Identity and Access Management controls and the Security Awareness program.

bcbs florida
IAM Consolidation: Identity Governance Selection | Consolidation & Unified Privileged Access & Management (UPAM)
Executive Sponsor: John Armga, Director, Enterprise Threat Management, Guidewell
Project Team: Nancy Darveau (Sr IT Security Architect), David Lyle (Infosec Admin), Charity Sparato (Infosec PM)
Location: Jacksonville, FL

What started as an enterprise implementation of CA PAM became the means and mechanism for simplifying Administrator access to 10,000 privileged accounts across 29 sensitive applications, 5 user stores and 220 servers. Now, rather than juggling multiple logins, Administrators can use their primary login to access privileged accounts on application, backend and database servers, whether Windows, *Nix or mainframe systems. Password complexity, rotation, vaulting, check-in/check-out, and session recording and 2FA are all automated and enforced based on a central policy. Whereas before there was little accountability or tracking, now privileged access and accounts are strictly controlled and governed.

first data
First Data Application Security Program
Executive Sponsor: Pam Gott, Vice President of Global Cyber Security & Fraud
Project Team: Neil Schloth (Manager, Application Security Team), John Van Houten (Security Engineer II), Saltworks Security Team Members
Location: Atlanta, GA

First Data develops software and systems that are used globally to manage credit card transactions globally. Security of these transactions is critical to the success of First Data’s business. By implementing a world class application security program that is fully integrated into the software development lifecycle, First Data ensured application are being developed in the most secure manner possible while not slowing the delivery of business value by development teams.

suntrust
Cyber Security Operations Program Enhancement
Executive Sponsor: Damon Ross, SVP, Head of Head of Cybersecurity Operations – Enterprise Security & Resiliency
Project Team: Larry Barksdale (GVP, Head of Digital Forensics and Incident Response), Xavier Ashe (VP, Delivery Manager | Cybersecurity Engineering and Delivery), Will Davis III (Enterprise Security Architect), Shanny Venkatarangan (Security Services Delivery Manager)
Location: Atlanta, GA

In January 2018, the SunTrust Cybersecurity division began insourcing its Cybersecurity Operations teams in order to further improve its ability to detect and respond to cybersecurity threats and incidents. This effort consisted of hiring a large group of qualified employees, IT investment, and recalibration of business processes to reflect the new organizational structure. As of December 2018, the Cybersecurity Operations unit is now performing on a 24x7 basis for its threat monitoring teams with plans to grow threat intelligence, counterintelligence, and incident response more fully in 2019. The high performance of this team is an important factor to fulfilling SunTrust’s purpose of improving clients’ financial confidence.

tractor supply
Identity Access Portfolio
Executive Sponsor: Shane Callahan, Director of Information Security – BCP\DR
Project Team: Christine Jones (Senior Specialist, Kyle Yoches (Specialist), Chris Eng (Specialist), Jamie Blake (Analyst), Michael Browning (Manager, IAM)
Location: Brentwood, TN

Tractor Supply Company embarked on a journey to revamp its Identity Management program, incorporating Privileged Access Management (PAM), Single Sign-On (SSO), and credential management. In the latter two use cases the company was replacing solutions already in place, and instituting an additional multi-factor authentication solution to limit risk on critical systems. While vendor consolidation was a secondary consideration, the primary consideration was more advanced features and functionality to elevate its security posture and create a better user experience for TSC’s 28,000 employees.

tractor supply
Security Awareness Program
Executive Sponsor: Shane Callahan, Director of Information Security – BCP\DR
Project Team: Don Marsee (Manager Risk and Compliance), Jamie Blake (Security Analyst), Balaji Mudradi (Sr Security Analyst)
Location: Brentwood, TN

The Risk and Compliance team, using several off-the-shelf and custom tools, found creative and innovative ways to measurably reduce risk in the Tractor Supply environment by elevating awareness and understanding. This includes professional level custom videos, phishing exercises, print and digital awareness campaigns, mandatory training and several other avenues of communication and testing. This program has shown results in reduced malicious email clicks, reduced malware and increased users reporting malicious activity. Due to the light hearted nature of the programs, the topics are often discussed at the “water cooler” and easily relatable.