CSO Awards winners highlight security innovation and transformation

The task of securing an organization’s data and systems has become increasingly complex. It has also become more critical, as organizations increasingly digitize their business operations.

Security leaders have risen to the challenge, implementing innovative programs that strengthen defenses and increase organizational resilience.

To highlight this work, the CSO Awards annually recognizes security projects that demonstrate outstanding security leadership and business value. For this year’s awards, CSO honors 57 projects that go above and beyond. These projects address the full spectrum of security work today, solving for challenges in everything from identity and access management to securing AI.

Here, we profile seven of those award-winning initiatives, chosen as representatives of the transformative work happening in security today.

BMHCC adopts risk-based approach to vulnerability management

Organization: Baptist Memorial Health Care Corp. (BMHCC)

Project: Risk Rated, Ranked, Remediated: A Strategic Security Transformation

Security leader: Seth Fogie, Director of Information Security

Seth Fogie, director of information security at Baptist Memorial Health Care Corp., wanted to make the Memphis, Tenn.-based healthcare system’s vulnerability management program more about strategic risk reduction and remediation.

The initiative built on what BMHCC had in place, which centered on scanning networks and devices for vulnerabilities that IT teams at BMHCC’s numerous entities would then patch as needed.

Reviews of this process, which happened regularly, showed the work wasn’t making as much progress in risk reduction as the security team wanted. So around mid-2024 Fogie and the BMHCC security team implemented a strategic, risk-based remediation model to ensure actual risk reduction.

Fogie started by giving IT teams in each of BMHCC’s entities regular reports that ranked vulnerabilities based on a risk score, directing the teams to focus on the top three vulnerabilities each week.

“We start with the largest risk and work our way down,” Fogie explains, adding that vulnerabilities at the enterprise level were handled the same way by corporate IT.

To ensure success, Fogie worked with the various IT teams to align security needs with IT workflows. “We came to the agreement that I’m only going to put so many things on the list for them to focus on, and the list would [require] a top-level-down remediation effort,” he says.

Fogie’s risk-based remediation model also showed where patching efforts weren’t working as expected, enabling security and IT teams to address those issues. The approach has yielded significant results with a 70% risk reduction within the first year.

The security team is now maturing its vulnerability management approach, adding more automation and artificial intelligence to the program.

FSU tackles third-party risk with tighter vendor management program

Organization: Florida State University

Project: Third-Party Risk Management Program

Security leader: Bill Hunkapiller, CISO

Officials at Florida State University wanted to ensure that data shared with outside entities was well protected. To achieve that, CISO Bill Hunkapiller and his team revamped its third-party risk management program so that the university could more thoroughly identify, assess, and mitigate risks associated with external vendors and partners.

The primary objectives of the project were to ensure the security and compliance of third-party services, protect sensitive university data, and maintain operational continuity. Keith Bennett and Jeremy Anderson, IT security and privacy risk managers at FSU, built this new third-party risk management program in six months by first identifying the data elements most relevant to FSU’s security needs and then creating a unique methodology, assessment tool, and scoring mechanism based on FSU’s third-party vendor management standard.

The risk management program now requires third parties to submit results of an independent security audit, a SOC 2 audit, or a Higher Education Community Vendor Assessment Toolkit (HECVAT) security review. The program also requires an attack surface management scan of third parties, and it includes enhanced vendor compliance through improved contractual language and ongoing monitoring.

Hunkapiller notes that FSU can use the program and its assessment process to negotiate with third parties, asking them to address security deficiencies before doing business with them.

“Now we’re able to reduce that risk with the vendors who are hosting our data,” Hunkapiller says.

Anderson says FSU turned away one vendor after it identified security gaps, and Hunkapiller says FSU turned away another vendor whose assessments revealed the vendor was not addressing a shortcoming that had previously been identified.

FSU is expanding the use of the program, Hunkapiller says, to assess a wider swath of third parties, not just those that handle sensitive data or provide mission-critical services.

Hunkapiller and his team are also improving the program, making it more rigorous and adding automation and artificial intelligence to make it more efficient.

Marvell transforms its multicloud security posture

Organization: Marvell

Project: Transforming Marvell’s Cloud Vulnerability Management

Security leader: Derek Hardy, CSO

Marvell faced a common challenge with multicloud environments: the fragmentation of tools, which introduced gaps in visibility, policy alignment, patch management, and overall process consistency.

“This complexity stretched resources, slowed response, and limited efficiency,” says Marvell CSO Derek Hardy.

To address that visibility issue, Hardy transformed the company’s cloud vulnerability management program by “consolidating into a unified platform — a true single pane of glass — backed by strong executive sponsorship, clearly defined processes, and close cross-team collaboration.”

The work, completed in a few quarters, ensured consistency, improved efficiency, and closed gaps that penetration tests had missed. It also accelerated remediation, reduced critical risks to zero, and elevated the company’s overall security posture.

“This initiative not only safeguarded our data but also reinforced trust with our customers and partners by ensuring scalable, secure operations across the cloud,” Hardy says, adding that it ensures “our cloud infrastructure meets the highest security standards.”

The core security team partnered closely with IT, cloud operations, and business stakeholders to gain alignment with organizational priorities as well as to ensure accountability in addressing vulnerabilities.

“Every function was required to play a role, whether in identifying exposures, implementing remediation measures, or ensuring that business processes reinforced security best practices,” Hardy explains.

The unified vulnerability management system is fully deployed across Marvell’s multicloud environment, and the security team continues to refine processes, automate reporting, and expand integrations to strengthen its impact over time.

“Our focus is on continuous improvement — expanding automation, deepening integration with business units, and scaling the framework as Marvell’s cloud footprint grows,” Hardy says. “This ensures security remains embedded in our digital transformation journey.”

Mastercard launches internal conference to promote secure coding practices

Organization: Mastercard

Project: The Security Conference Initiative

Security leader: Michael Lashlee, CSO

In 2022 Mastercard launched its Security Conference Initiative to emphasize the importance of secure coding practices. The goal was to teach software developers to create more secure, resilient software by embedding security within the software development lifecycle.

Founded by the company’s Security Champions, members of the Secure Software Development Lifecycle team, and the Business Security Enablement Guild, the initiative — a periodic event — engages developers through hands-on experiences such as interactive coding challenges and live attack simulations to enhance their secure coding skills and raise their awareness of secure software development lifecycle principles.

Additionally, it fosters collaboration between the software development community and security teams, promotes shared responsibility for security, builds technical expertise, and drives cultural change.

“The biggest benefit is scaling the culture of security by providing an all-hands-towards-secure-coding interactive learning experience,” says Swarali Kulkarni, lead product owner at Mastercard.

Kulkarni notes that the conference covers a wide range of topics, from executive briefings and industry insights to workshops and competitive tournaments, “creating a well-rounded and impactful experience for everyone involved.”

The initiative leans on Secure Code Warrior and Cyberange training platforms to deliver a gamified experience that is both measurable and requires only a minimal time commitment (two days, with three to four hours each day). The platforms support more than 50 programming languages and provide a range of metrics to assess secure coding accuracy, monitor learning hours, track the number of code flaws resolved, and more.

To date, there have been five conferences, each attended by more than 400 participants from Mastercard’s software development community. Each conference is specifically tailored for programs within Mastercard that express interest in participating, Kulkarni says.

Penn Medicine modernizes its threat detection program

Organization: Penn Medicine

Project: Cyber Threat Detection Overhaul

Security leader: Julian Mihai, CTO

Penn Medicine had installed a top-of-the-line security information and event management (SIEM) solution nearly a decade ago, but the security team recognized a few years ago that the on-premises system could no longer match the speed at which attacks now evolve.

“Now threats can change by the hour, so detection very quickly is paramount today. That was the driver to rethink and retool our detection technology,” says CTO Julian Mihai.

Mihai and his team implemented a new cloud-based SIEM solution in 2024, deploying an innovative constellation of MITRE ATT&CK models to guide strategic and tactical direction of the threat detection program.

“It was a complete redesign, and everything that was legacy was decommissioned,” Mihai says.

Jesse Whyte, director of cybersecurity defense, says the initiative required changes not only in the technology but in people and processes, too. Security staff had to be trained to adopt a “threat intelligence first” approach that focused on evolving threats and how to use new threat intelligence for detection.

The security team also had to implement the right governance to prevent unnecessarily quarantining a critical system. And they had to ensure the egress pipelines could support the volume of data going to the cloud-based SIEM solution.

“The biggest challenge was managing spend, [as a] modern SIEM solutions license is based on the amount of data that is ingested. We needed to create a data-ingestion layer that provided opportunities for us to prune data as it entered the data lake, all while increasing the overall consumption and managing the run-rate of the project,” Whyte explains.

The cloud-native SIEM solution and Penn Medicine’s modernized security operations have delivered impressive results. The team now works seamlessly with its managed security service provider to ensure 24/7 coverage — and it has been freed to “work higher in the stack,” Whyte says, as AI and automation handle routine incidents and tasks.

Critically, the security team’s time to detect and time to contain have been drastically slashed, with PennMed reporting improvements of more than 550% for each.

TIAA builds AI tools to accelerate threat hunting and remediation

Organization: TIAA

Project: HUNT (Hyper-Automated Unified Network Threat Hunting)

Security leader: Sastry Durvasula, Chief Operating, Information, and Digital Officer

Security leaders at TIAA formally review and refresh their priorities every year as part of the company’s 3-year-old Cyber 2.0 initiative. In 2024, they decided to focus on enhancing their use of artificial intelligence to counter cyberthreats that were increasingly fueled by AI.

The result: a new capability called Hyper-Automated Unified Network Threat Hunting.

HUNT reduces the risk of undetected threats using innovative AI and machine learning models with a 60-minute maximum detection time. It is built on existing commercial tools with tailored telemetry collection that consolidates suspicious activity across TIAA’s cloud infrastructure.

HUNT goes after what Sastry Durvasula, TIAA’s chief operating, information, and digital officer, calls “sleeper cells” — those threats that hide in an environment, sending signals back to threat actors and waiting for them to activate an attack.

Durvasula, who oversees security, points out how difficult these threats are to detect and how much manual work has traditionally been needed to identify them in an enterprise environment. Durvasula and his team saw AI as key to reducing that manual work and boosting effectiveness and efficiency.

With no commercial solution that met TIAA’s needs available, TIAA built its own.

TIAA teams designed the tool in 2024, building and training the AI/ML models to look for patterns that indicate threats. HUNT, which sits on top of existing tools and uses industry tools, including the MITRE ATT&CK framework, notifies an analyst when it detects a threat so the analyst can deactivate the threat.

Rolled out in early 2025, HUNT now reduces the time and resources needed to detect and remediate. “It significantly strengthens our cyber posture,” Durvasula says, adding that he and his team plan to add more automation and intelligence, including generative AI, with the goal of using agentic AI to fully automate threat detection and response.

Walmart enlists AI to proactively identify branded phishing sites at scale

Organization: Walmart

Project: Phishface

Security leader: Jerry Geisler, EVP and CISO

Identifying true threats from the large volume of signals is a challenge familiar to most security functions. To address this, Walmart’s Cyber Intelligence (CI) team created Phishface, a proprietary phishing detection machine learning model trained to identify webpages visually similar to Walmart-branded login pages.

“The volume and influx of brand-abuse websites that were manually processed by the CI team is what initiated the project,” says Jason O’Dell, vice president of security operations.

The CI team built a model that would ingest a feed of domains/websites and identify business-branded websites that could be further fed into detective controls. Once the POC was completed, the CI team transferred Phishface to the SecOps Dev team.

“The primary function of the project was to reduce the volume of signals for probable threats, aiding analysts in identifying potentially harmful and brand-abusing websites,” O’Dell explains, adding that it has delivered “a substantial increase in analyst efficiency and effectiveness.”

“In the past, analysts faced an overwhelming volume of information that was nearly impossible to review in a timely manner. This project rendered that flow of data into a manageable volume, allowing a small team of analysts to efficiently provide timely reviews,” he adds.

The project reduced the number of items by approximately 98.5% on average, enabling analysts to redirect their efforts to higher-priority strategic activities. It has also achieved a 98% level of accuracy, directly enhancing analyst productivity and resource allocation, says Gavin Clark, group director of security operations, threat detection.

Phishface is having a significant impact, O’Dell says, “giving the organization the ability to identify malicious sites quickly, at scale, and feeding that data to other detective controls for near real-time actions. Such a model can analyze web pages rapidly, screen thousands of webpages continuously and adapt to new phishing pages without manual updates. In short, it is shifting detection posture from reactive cleanup to proactive prevention.”
