
Gartner Security & Risk Management Summit 2012 | June 11 – 14 | National Harbor, MD | gartner.com/us/securityrisk

Visit gartner.com/us/securityrisk or call 1 866 405 2511 to register

FIVE COMPLETE PROGRAMS

CISO Program

IT Security

Business Continuity Management

Risk Management and Compliance

New! The Business of IT Security and Risk

2 Gartner Security & Risk Management Summit 2012 | June 11 – 14 | National Harbor, MD

Strategic road maps to secure the enterprise and reduce risk

Challenges abound for those charged with making sure business is secure and resilient in the face of threat and adversity. Enterprises of every stripe face a dangerous threat landscape that is evolving rapidly, thanks to swift-moving trends such as cloud, mobile and social technologies. New anti-fraud, anti-corruption and other regulatory changes pose more challenges. Complexity is rising, big data keeps getting bigger and lean budgets require you to deliver more with every investment.

At the same time, as growth returns to the business cycle, risk management culture is growing in sophistication and relevance across the organization. Embracing and managing risk while mitigating vulnerabilities and becoming more resilient becomes a critical discipline for business success.

As the premier gathering of enterprise IT security and risk management executives, the Gartner Security & Risk Management Summit 2012 takes a comprehensive look at the entire spectrum of IT security, business continuity management and risk, including: network and infrastructure security, identity and access management, compliance, privacy, fraud, business continuity management and resilience. This year’s summit offers over 140 sessions and five in-depth, role-based programs:

• CISO Program

• IT Security

• Risk Management and Compliance

• Business Continuity Management (BCM)

• New! The Business of IT Security and Risk

HOT TOPICS

• Advanced persistent threats and vulnerabilities

• Secure mobile applications

• Cloud and security

• E-discovery and information governance

• Network and infrastructure security

• Social media and security

• Crisis/incident management

• Supply chain risk management

• Identity and access management

• Enterprise risk management

• Regulatory compliance

• Privacy

EARN CPE CREDITS

Attending the summit helps you advance your continuing professional education (CPE). Registered participants are eligible to earn CPE credits toward ISC2, ISACA, DRII, and IAPP certification programs. Learn more at gartner.com/us/securityrisk.

WHAT’S NEW FOR 2012

• Additional program added to the agenda! The Business of IT Security and Risk

• New keynote format! Mastermind Interview With Michael Dell, CEO, Dell

• Special CISO-only sessions and networking opportunities

• Special workshop! Implementing BCM Standards for BCM Maturity and Organizational Certification

• Enhanced Risk Management and Compliance Program! New research on legal and regulatory risk trade

• Advanced CISO virtual track! Advanced sessions for those with experience in the CISO role

• New Gartner Magic Quadrant technology evaluations

• More opportunities to interact with vendors! More than 90 solution providers on-site

3 Visit gartner.com/us/securityrisk for agenda updates and to register

WHO SHOULD ATTEND?

• CIO, CSO, CISO, CRO, CFO, CCO, CGO, CLO, CPO and CTO titles

• IT vice presidents and directors

• Governance, risk, compliance, and privacy executives, directors and managers

• Senior business executives

• General counsel

• Finance, audit, legal risk and compliance and regulators

• Enterprise and operational risk managers

• Business continuity, disaster recovery managers

TABLE OF CONTENTS

4 Summit Programs

5 Virtual and Vertical Tracks

6 Keynote Sessions

7 CISO Program

9 IT Security Program

12 BCM Program

14 Risk Management Program

16 The Business of IT Security and Risk Program

17 Session Descriptions

27 Solution Showcase

30 Agenda at a Glance

33 Registration

Gain practical insight to improve your IT security and risk management strategy

If you’re tasked with protecting critical infrastructure, you’ll benefit tremendously from four days of intensive, practical learning, including how to:

• Structure and manage each of your individual IT risk programs

• Balance and coordinate those programs

• Make IT risk programs more efficient and effective

• Select approaches and vendor solutions

• Articulate security and risk requirements in business language

• Integrate BCM with overall risk and security programs

EXCLUSIVE! CISO AND CRO INVITATIONAL PROGRAMS

Concurrent with the summit, CISO and CRO Invitational Programs provide a forum for the exploration of top-of-mind leadership, IT security, privacy and risk management issues for CISOs, CSOs and CROs. In these intensive programs, guest executives meet with leading technology providers to exchange ideas and strategies. Participation includes gratis travel, hotel and registration and is by invitation only on a first-come, first-served basis. To learn more and apply, visit gartner.com/us/securityrisk.

BENEFITS OF ATTENDING

“By 2015, enterprises will be forced to implement integrated GRC to support converged IT and corporate governance, as well as improvement of business performance.”

2012 Gartner Predicts


Five complete programs deliver in-depth insight

Chaired by experts in each discipline, five distinct agenda programs facilitate a more targeted learning and networking experience.

CISO Program

You’ve got the job; now what? Being CISO means understanding the big picture and articulating it clearly to the highest levels of the organization. Critical criteria for success include evaluating enterprise risk, dealing with legal issues and understanding security architecture. In recommended and exclusive CISO-only sessions, new CISOs can get up to speed while veterans update their insights. And for those who are more experienced, we have added an Advanced CISO virtual track.

IT Security

Both business and technology issues affect how well organizations protect themselves from threats and vulnerabilities, and how effectively they step up to opportunities. From the cloud to the network, from protecting applications and data to keeping mobile and remote computing safe, security has a direct impact on the bottom line. Here we look at important updates in key trends, big-picture strategy and technical specifics. Plus, we take a deep dive into a variety of security architectures with our Technical Insights virtual track.

Business Continuity Management

How does the enterprise ensure continuing business operations and systems availability when a business interruption occurs anywhere in the organization? In these sessions, we give you the tools to anticipate the unanticipated and work to reinforce a discipline of risk management, response, recovery and resilience in the corporate culture.

Risk Management and Compliance

Measuring and managing risk, and complying with a variety of global rules, regulations and laws about financial transactions and privacy, have become critical components of successful operations in the worldwide environment. This program focuses on technologies and strategies to improve governance, manage risk and conform to the letter and spirit of the law.

NEW! The Business of IT Security and Risk

How big is the security and risk market for software and services, and who are the market leaders? Where are the innovations coming from? What new threats are being addressed by point solutions? This all-new program looks at this extremely dynamic market, presenting the financial and strategic views that CISOs, investors and media need to make informed evaluations.

SUMMIT PROGRAMS

ANALYST ONE-ON-ONES

Meet face to face with a Gartner analyst in up to two personalized 30-minute private appointments to discuss your specific risk management and compliance issues. Walk away with invaluable, tailor-made advice that you can apply to your role and your organization immediately. Preregistration is recommended.

ANALYST-USER ROUNDTABLES

Join us for a hosted peer group discussion with your end-user peers, moderated by a Gartner analyst lending his or her expertise to assist you. Share the latest best practices among your peers. Preregistration is recommended.

TECHNICAL INSIGHTS SESSIONS

This year’s summit features a virtual track on Technical Insights that provides detailed, technically oriented guidance on architecture and planning considerations for protecting information associated with new devices and service hosting models.


VIRTUAL AND VERTICAL INDUSTRY TRACKS

Virtual and vertical industry tracks make it easy to follow a key trend, hot topic or address industry issues in relevant sessions pulled from across all five conference programs. To further customize any track, visit the Agenda Builder at gartner.com/us/securityrisk.

Virtual tracks

Mobility and Security: Business-critical system and data issues emerging from new wireless technologies

Cybersecurity: Cybersecurity issues — such as organized teams of hackers — that impact both the private and public sectors

Cloud Computing: The new imperative — to know your risk profile, understand the risks cloud computing can create, minimize those risks, and move forward appropriately

Privacy: Emerging technologies that have an impact on privacy, but also those that can help to protect personal information — and how to pay for them

Identity and Access Management: How IAM can evolve and mature to help businesses weather today’s volatile and rapid change

Managing Legal and Regulatory Risk: How the IT organization can better support the chief legal officer and corporate compliance officer as they face a proliferation of regulation and litigation

Advanced CISO: Take your professional development to the next level with sessions to address specific business needs

Technical Insights: Explore the architecture and planning considerations for protecting information associated with new devices and service hosting models

Social Media: What can be done about the risks of emerging social media and how do they balance against the opportunities?

Vertical industry tracks

Financial Services: Fighting fraud while keeping online banking seamless and efficient

Government: Developing cohesive national cybersecurity initiatives in partnership with consumers and the public sector

Healthcare: Increasing quality of service delivery, reducing compliance costs and anticipating healthcare reform while maintaining patient privacy and protecting intellectual property

Energy/Utilities: Establishing effective and efficient “smart grid” technology while combating fraud, cyberattacks and the loss of control

Manufacturing: Managing increasingly interconnected and complex control networks while reducing costs, maintaining system integrity and protecting proprietary data

MAXIMIZE YOUR EXPERIENCE WITH OUR UNIQUE CONFERENCE FEATURES

First-class peer networking: Engage in informal and structured networking opportunities such as workshops, networking breakfasts by industry, conference receptions and more.

Hands-on workshops: These small group workshops immerse you in real-world problem solving, with practical take-aways.

Tutorials: Join us for our complimentary preconference sessions to get up to speed and gain an overall perspective on security and risk management terms and definitions.

Solution Provider Showcase: Meet with today’s leading and emerging security and risk management solution providers all under one roof, and get the latest information and demos on new products and services.


KEYNOTE SESSIONS

Guest keynotes

Mastermind Interview With Michael Dell, Chairman and CEO, Dell

It’s been over a year since Dell made its move into information security by acquiring SecureWorks, a managed security services provider. The transition from being a stand-alone, pure-play security provider to a unit within a larger IT vendor often causes organizational integration issues or loss of focus, but Dell has had a positive view. What’s on the road map for Dell, how does it see information security and what are its prospects? Chairman of the Board and CEO Michael Dell answers the analysts’ and your questions about Dell, security and risk.

Information Security and Technology in General — Problem Solved. You’re Welcome

“The Daily Show” correspondent and PC personified in the long-running Mac vs. PC ad campaign, John Hodgman, has done it all — from TV and film to best-selling books. He has been seen on HBO’s “Bored to Death” and “Flight of the Conchords,” and in movies like “Arthur,” “The Invention of Lying” and “Baby Mama.” As an author, his first book was “The Areas of My Expertise,” followed by “More Information Than You Require.” His final book in this trilogy on complete world knowledge is “That Is All.”

Cybersecurity: A View From the White House

Howard Schmidt is Cybersecurity Coordinator and Special Assistant to the President (Accepted), former vice chair of the President’s Critical Infrastructure Protection Board, and former Chief Information Security Officer at Microsoft and eBay. Here he discusses the Obama administration’s effort to reduce cyberthreats. This includes the administration’s legislative proposals and plans to protect critical infrastructure such as the electric grid, transportation systems and Wall Street, as well as protecting U.S. military defenses and businesses from cyberattacks.

Gartner keynotes

Opening Keynote: Strategic Road Maps for IT Security and Risk Management

A security leader’s mission is to road-map a security strategy and drive operations to effectively and efficiently sustain business performance in dynamic and chaotic environments. This session looks at the overall risk management programs within organizations working toward that goal.

Closing Insights and a Review of “Aha” Moments

By the end of the conference, attendees, sponsors and Gartner analysts each gain new insights, so we conclude the event by sharing what we have learned, or our “aha” moments. Through interviews and social media, the session reveals valuable insights gathered during the week. Gartner analysts each have a few minutes to share their new insights. We then turn to the audience for an open discussion. It is a great way to crystallize ideas to take back to your team, coupled with a touch of humor to close the conference.

Speakers

Michael Dell, Chairman and CEO, Dell

Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Andrew Walls, Director, Gartner Research

Ray Wagner, Managing Vice President, Gartner Research


CISO PROGRAM

HOT TOPICS

• Enterprise security intelligence

• Business-IT security alignment

• Governance and policy setting

• Privacy regulations policy

• Corporate risk management

• Business value of information security

• Enterprise security strategy and architecture

• Creating a risk-aware culture

• Legal implications associated with information security

• Advanced analytics and operational metrics best practices

You’ve got the job; now what? Being a CISO means having the big picture and articulating it clearly and compellingly to the highest levels of the organization. Evaluating enterprise risk, dealing with legal issues and comprehending the impact of a security architecture overlay are all critical criteria for success.

From metrics that matter, to enterprise data protection, to articulating the business value of IT security, key topics get in-depth treatment that covers the latest tools, research and insights. The agenda includes a thoughtful mix of practical sessions, such as how to develop key competencies in a new security team, and big-picture insights, including sessions on security as a social science and the importance of trust.

Featuring exclusive networking events for CISO Program attendees and plenty of opportunities to put your questions directly to the analysts, this is a rich learning environment designed to help you evaluate, run and improve your security and risk management programs. This year’s CISO Program includes both foundational and advanced sessions to deliver the information you need to succeed at every stage in your career.

Meet the analysts

Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.

F. Christian Byrnes, Managing Vice President

Rob McMillan, Director

Tom Scholtz, Vice President and Distinguished Analyst

Jay Heiser, Vice President

Paul E. Proctor, Vice President and Distinguished Analyst

Jeffrey Wheatman, Director

“Through 2016, 75% of CISOs who experience publicly disclosed security breaches, and lack documented, tested response plans, will be fired.”

2012 Gartner Predicts


CISO AGENDA

Monday, June 11

10:00 a.m. | K1a. Welcome and Opening Remarks | Vic Wheatman

10:15 a.m. | K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management | Andrew Walls

CISO track: The CISO

11:30 a.m. | A1. Security and Risk Management as a Social Science | Tom Scholtz

2:45 p.m. | K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell | Moderators: Neil MacDonald, Earl Perkins

5:00 p.m. | A2. Security Program Management Overview | F. Christian Byrnes

Tuesday, June 12

8:15 a.m. | A3. When Risk Management Does More Harm Than Good: RM 101 | Jay Heiser

10:45 a.m. | A4. Metrics That Matter | Jeffrey Wheatman

2:00 p.m. | A5. Security and Risk Governance: It’s Much More Than Just Reporting | F. Christian Byrnes, Tom Scholtz

4:30 p.m. | A6a. Net IT Out: Articulating the Business Value of Information Security | Tom Scholtz

4:55 p.m. | A6b. Net IT Out: Developing the Key Competencies of the New Security Team | Tom Scholtz

5:30 p.m. | K3. Guest Keynote: Cybersecurity: A View From the White House | Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13

8:30 a.m. | A7. How to Run, Grow and Transform Your Risk and Security Program | Paul E. Proctor

11:00 a.m. | W1. Workshop: ITScore for Security Management | F. Christian Byrnes

1:30 p.m. | A9. Optimizing the Information Security Organization | Jeffrey Wheatman

4:00 p.m. | A10. Ignore Enterprise Data Protection at Your Peril | Jeffrey Wheatman

5:15 p.m. | K4. Guest Keynote: Information Security and Technology in General — Problem Solved. You’re Welcome | John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14

8:00 a.m. | A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy | Rob McMillan, Tom Scholtz

9:15 a.m. | A12. Intelligent Information Governance 2012 | Debra Logan

10:30 a.m. | A13. Trust: The Elusive Final Ingredient | Jay Heiser

11:45 a.m. | K5. Closing Insights and a Review of “Aha” Moments | Ray Wagner

SPECIAL AGENDA FOR CHIEF RISK OFFICER, CHIEF LEGAL OFFICER, CHIEF COMPLIANCE OFFICER

Critical business uncertainties like reputational risks, regulatory proliferation and increasing litigation costs all require risk intelligence to support critical business decisions. The technology to support risk management and compliance is also advancing. It must be scalable to the entire enterprise and enable collaboration between multiple risk management activities, such as auditing, legal, finance, IT and compliance functions. Reporting and analytics must be on-demand in order to support business decisions and short-notice requests from regulators. Information governance, e-discovery and controls automation technologies must be in place to prevent problems in the first place, and to automate labor-intensive processes.

To provide insight into critical governance, risk and compliance technologies, Gartner is pleased to offer a special agenda for senior business executives who have risk management, legal and compliance responsibilities.

CISO INVITATIONAL PROGRAM FEATURES

• Direct interaction with analysts

• The latest research on top priorities for CISOs

• Boardroom case study presentations with leading solution providers

• Advanced CISO virtual track for more experienced CISOs

• C-level-only roundtable discussions

• Exclusive CISO networking events

• Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell

• Security management workshop

CRO INVITATIONAL PROGRAM FEATURES

• Direct interaction with analysts

• The latest research on top priorities for CROs

• Boardroom case study presentations with leading solution providers

• CRO roundtable discussions

• Exclusive CRO networking events

• Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell


IT SECURITY

HOT TOPICS

• Mobile application and security

• Social media and security

• Consumerization

• Advanced persistent threats

• Cybersecurity

• Cloud computing security

• Securing the virtualized data center

• Critical infrastructure protection

• Fraud detection

• Endpoint security

Given the complexity and seriousness of today’s threat environment, it’s no wonder the IT Security Program includes more than 60 analyst sessions that cover everything from privacy to fraud prevention to emerging technologies, and everything in between. Our team of security analysts will be on-site to meet with attendees, present their latest research, answer questions and lead roundtable discussions focusing on today’s most urgent security topics.

You’ll find multiple sessions that cover such rapidly evolving trends as mobile, cloud and social technologies, as well as privacy concerns, consumerization, network access control, the next generation of threats and more. The program agenda features:

• Eight analyst-user roundtables on such topics as privacy, application security and cloud risks

• Four tutorials on choosing solutions, understanding trends and more

• Six Technical Insights sessions that drill down on best practices in cloud, mobile and virtualization

• New case studies, including The World Trade Center’s Situational Platform, and others on cybersecurity and creating a secure community cloud

• Plus, three workshops, eight “just the facts” Net IT Out sessions, networking events and much more

“Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities.”

2012 Gartner Predicts


MEET THE ANALYSTS

Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.

Earl Perkins, Vice President

Tom Scholtz, Vice President and Distinguished Analyst

Joseph Feiman, Vice President and Gartner Fellow

Andrew Walls, Director

Jay Heiser, Vice President

Tim Zimmerman, Director

Avivah Litan, Vice President and Distinguished Analyst

Mark Nicolett, Managing Vice President

John Pescatore, Vice President and Distinguished Analyst

Doug Simmons, Vice President, Gartner Consulting

Peter Firstbrook, Director

Vic Wheatman, Vice President

Kelly M. Kavanagh, Principal Analyst

Neil MacDonald, Vice President and Gartner Fellow

Lawrence Orans, Vice President

Lawrence Pingree, Director

Carsten Casper, Director

Anton Chuvakin, Director

Mario de Boer, Director

Ray Wagner, Director

John Girard, Vice President and Distinguished Analyst

Greg Young, Vice President

Gregg Kreizman, Director

Eric Maiwald, Vice President

Rob McMillan, Director

Eric Ouellet, Vice President

Steve Hawald, Director

Ant Allan, Vice President

Dan Blum, Vice President and Distinguished Analyst

Perry Carpenter, Director


IT SECURITY AGENDA

Monday, June 11

10:00 a.m. | K1a. Welcome and Opening Remarks | Vic Wheatman

10:15 a.m. | K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management | Andrew Walls

IT Security tracks: Infrastructure Protection; Secure Business Enablement

11:30 a.m.
  B1. The Security State of the Cloud | Jay Heiser
  C1. Road Map: The Next Generation of Firewalls and IPS | Greg Young
  D1. Protecting Your Network in the Era of BYOD | Lawrence Orans
  E1. Higher, Faster, Stronger: The Performant IAM Program | Ant Allan

2:45 p.m. | K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell | Moderators: Neil MacDonald, Earl Perkins

5:00 p.m.
  B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees | Joseph Feiman
  C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence | Neil MacDonald
  D2. Taking Privacy to the Next Level With a Privacy Program | Carsten Casper
  E2. Road Map: IAM Operations — The IAM Data Model | Earl Perkins

Tuesday, June 12

8:15 a.m.
  B3. The Endpoint Protection Platform in the Age of Tablets and Clouds | Peter Firstbrook
  C3. Monitoring Users for Security Intelligence: Threats and Opportunities | Andrew Walls
  D3. Road Map: Operationalizing Encryption | Eric Ouellet
  E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise | Perry Carpenter

10:45 a.m.
  B4. Case Study: The World Trade Center’s Situational Awareness Platform | Lou Barani, Director of Security, World Trade Center; Moderator: Jeff Vining
  C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet? | John Girard, Lawrence Pingree
  D4. Technical Insights: Operationalizing PCI DSS Compliance | Anton Chuvakin
  E4. Layered Fraud Prevention for Land-Based and Mobile Computing | Avivah Litan

2:00 p.m.
  B5. Road Map: Secure Email Communications With Partners and Customers | Peter Firstbrook
  C5. Case Study: DoD’s Approach to Security Testing | Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps
  D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence | Dan Blum
  E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It) | Perry Carpenter, Andrew Walls

4:30 p.m.
  B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely | Jay Heiser
  C6a. Net IT Out: Technical Insights — Securing Browser-Based Applications | Mario de Boer
  D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management | Carsten Casper
  E6a. Net IT Out: One-Time-Password Hardware Tokens — Going, Going … Not Quite Gone | Ant Allan

4:55 p.m.
  B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology | Rob McMillan
  C6b. Net IT Out: Road Map — Gaining Control of Consumerization | Lawrence Orans
  D6b. Net IT Out: Job Security in Cloud Era — Will Jobs Stay or Vaporize? | Joseph Feiman
  E6b. Net IT Out: The Undeath of PKI | Eric Ouellet

5:30 p.m. | K3. Guest Keynote: Cybersecurity: A View From the White House | Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13

8:30 a.m.
  B7. SIEM for Hybrid Technology and Services Deployments | Kelly M. Kavanagh, Mark Nicolett
  C7. Technical Insights: Mobility and Security — Gartner Field Research Project on Mobility and Consumerization | Eric Maiwald
  D7. Operationalize Social Media to Improve Security Performance | Andrew Walls
  E7. Q&A Session: The Identity and Access Management Marketplace | Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner

11:00 a.m.
  B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud | Anton Chuvakin
  C8. Deep Dive Into Internet Infrastructure Attacks | Lawrence Orans, John Pescatore
  W2. Workshop: ITScore for Privacy | Carsten Casper
  W3. Workshop: ITScore for IAM | Perry Carpenter, Ray Wagner

1:30 p.m.
  B9. The New Dangers of Machine to Machine (M2M) in the Enterprise | Tim Zimmerman
  C9. Road Map: Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management | Mark Nicolett
  D9. Case Study: TBA
  E9. Managing Identity and Access in the Hybrid World | Gregg Kreizman

4:00 p.m.
  B10. The Mobile Security Brothers Traveling Roadshow | John Girard, John Pescatore
  C10. NIST’s National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage | Steve Hawald
  D10. Technical Insights: SaaS Email Security — Trust Versus Technology | Dan Blum
  E10. Socrates Was Wrong: A Debate | Rob McMillan, Earl Perkins, Tom Scholtz, Andrew Walls, Vic Wheatman

5:15 p.m. | K4. Guest Keynote: Information Security and Technology in General — Problem Solved. You’re Welcome | John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14

8:00 a.m.
  B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats | Neil MacDonald
  C11. Manage Your Security Vendors or Be Mangled | Greg Young
  W4. (8:00 – 10:00 a.m.) Workshop: Securing the Access Layer — Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees | Lawrence Orans, Tim Zimmerman
  E11. Case Study: Securing the Digital Nation — The New Frontier of Cybersecurity Training and Education | Keith Gordon, Senior Vice President, Security and Fraud and Enrollments, Online and Mobile Channels, Bank of America

9:15 a.m.
  B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector | Doug Simmons, Gartner Consulting
  C12. Network Security Open Q&A | Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
  E12. Technical Insights: Endpoint Virtualization Security Considerations | Mario de Boer

10:30 a.m.
  C13. Technical Insights: Network Security Architecture for Internal Private Clouds | Eric Maiwald
  D13. Developing and Implementing a Superior Mobile Device Policy | John Girard

11:45 a.m. | K5. Closing Insights and a Review of “Aha” Moments | Ray Wagner


BUSINESS CONTINUITY MANAGEMENT

HOT TOPICS

• BCM/IT DRM program management

• BCM standards and organization certification

• Supply chain risk management

• The business case for BCM

• Failing over into the cloud

• Disaster recovery

• Continuous application availability

• Social software and recovery

• Crisis and incident management

• Emergency/mass notification

• Recovery plan exercising

The business case for business continuity management has never been more convincing. Effective enterprise risk management, response, recovery and resilience are increasingly seen not only as requirements, but as potentially critical business advantages. In the BCM program, more than a dozen analyst sessions examine the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies.

Six leading Gartner analysts specializing in BCM will be on hand to present their latest research and answer questions on everything from achieving continuous application availability to recovery in the cloud, teleworking through a disaster, crisis management and much more. The program agenda includes:

• Two Gartner Magic Quadrant Net IT Out sessions that cover the BCM marketplace for tools and solutions

• Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising

• A tutorial on BCM maturity and evolution

• Plus a workshop on BCM standards and certification and BCM-focused networking events

Meet the analysts

Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.

Leif Eriksen, Director

John P. Morency, Vice President

Jeff Vining, Vice President

Donna Scott, Vice President and Distinguished Analyst

Roberta J. Witty, Vice President

John Girard, Vice President and Distinguished Analyst


BCM AGENDA

Monday, June 11

10:00 a.m. | K1a. Welcome and Opening Remarks | Vic Wheatman

10:15 a.m. | K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management | Andrew Walls

BCM track: Business Continuity Management

11:30 a.m. | F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11 | John P. Morency, Roberta J. Witty

2:45 p.m. | Mastermind Interview With Michael Dell, Chairman and CEO, Dell | Moderators: Neil MacDonald, Earl Perkins

5:00 p.m. | F2. Case Study: Intel’s Response to the Fukushima Earthquake/Tsunami | Jeff Selvala, Director, Assembly Test Global Materials, Intel; Roberta J. Witty

Tuesday, June 12

8:15 a.m. | F3. Case Study: Teleworking Through a Disaster | John Girard, Roberta J. Witty

10:45 a.m. | F4. Case Study: Demographics — An Unknown BCM Risk | Steve Hannah, Manager, Disaster Recovery, Waddell & Reed

2:00 p.m. | F5. Crisis/Incident Management Overview | Leif Eriksen, Roberta J. Witty

4:30 p.m. | F6a. (4:30 p.m.) and F6b. (4:55 p.m.) Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants | Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty

5:30 p.m. | K3. Guest Keynote: Cybersecurity: A View From the White House | Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13

8:30 a.m. | F7. Strategies for Achieving Continuous Application Availability | Donna Scott

11:00 a.m. | F8. Can I Recover Through the Cloud? | John P. Morency, Sheila Childs

1:30 p.m. | F9. Best Practices in Recovery Exercising | John P. Morency

4:00 p.m. | F10. Panel: Educating Boards of Directors and Management in the Business Case for BCM | Moderator: Roberta J. Witty

5:15 p.m. | K4. Guest Keynote: Information Security and Technology in General — Problem Solved. You’re Welcome | John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14

8:00 a.m. | W5. (8:00 – 11:30 a.m.) Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification | John P. Morency, Roberta J. Witty

11:45 a.m. | K5. Closing Insights and a Review of “Aha” Moments | Ray Wagner

New Business Continuity Management program features for 2012

Learn the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies in a program dedicated to your BCM needs. Features include:

• 10 BCM-focused analyst sessions

• Two Gartner Magic Quadrant Net IT Out sessions covering the BCM marketplace for tools and solutions

• Six BCM-focused Gartner analysts available for private one-on-one meetings

• Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising

• A tutorial on BCM maturity and evolution

• A workshop on BCM standards and certification and BCM-focused networking events

2012 Gartner Predicts: By 2015, 30% of midsize businesses will adopt recovery-in-the-cloud services to support IT operations recovery.

2012 Gartner Predicts: By 2014, almost half of organizations will have integrated public social media services with their crisis communication strategies.


RISK MANAGEMENT AND COMPLIANCE

HOT TOPICS

• Enterprise and IT risk management effectiveness

• Risk-adjusted value management

• Creating key risk indicators

• Legal and regulatory info governance

• E-discovery

• Supporting the chief legal officer

• Social risk management

• Reporting on risk management initiatives to the board

• Managing risk and compliance issues with big data

• Cloud risks

A major shift is under way, in which senior business leaders and boards of directors begin to recognize enterprise risk management as more than a compliance-driven cost. Today’s risk management executives are using enterprise risk management strategies to minimize business risk, support next-generation business needs and improve business performance.

The Risk Management and Compliance Program focuses on strategic issues in risk management and places additional emphasis on legal and regulatory risks, including:

• How to better communicate the benefits and objectives of the risk management program to the board and senior business leaders

• Key trends such as growing concerns around privacy and data protection

• New anti-fraud and anti-corruption legislation

• Mobility, cloud computing and their impacts on security and risk

• Legal and regulatory governance strategies

Meet the analysts

Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.

2012 Gartner Predicts: By 2016, enterprises that combine BPM and ERM will achieve higher-performance business results than those that employ them separately.

French Caldwell, Vice President and Gartner Fellow

Hiranya Fernando, Senior Analyst

Andrew Frank, Vice President

Khushbu Pratap, Senior Analyst

Sheila Childs, Managing Vice President

Debra Logan, Vice President and Distinguished Analyst

Ian Glazer, Director

Paul E. Proctor, Vice President and Distinguished Analyst

John A. Wheeler, Director

Jeffrey Wheatman, Director


RISK AGENDA (Risk and Compliance: Enterprise and Operational Risk Management, G sessions; Managing Legal and Compliance Risk, H sessions)

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks – Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management – Andrew Walls
11:30 a.m. G1. Road Map: Privacy, Marketing and Behavior Tracking — A Risky Mandate – Andrew Frank
11:30 a.m. H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance – Debra Logan, Jeffrey Wheatman
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell – Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM – John A. Wheeler
5:00 p.m. H2. The Corporate Ethics Game Show: “Let’s Make a Deal” or “Jeopardy!”? – Joseph E. Schmitz, former DoD IG; John Bace, John Marshall Law School

Tuesday, June 12
8:15 a.m. G3. General Session: Untangling the Multimillion-Dollar Madoff Ponzi Scheme – David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner
10:45 a.m. G4. Seven Keys to Successful and Cost-Effective Risk Oversight – John A. Wheeler
10:45 a.m. H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 1. View From the Bench – Debra Logan, Lew Schwartz, Judges Panel
2:00 p.m. G5. Global Supply Chain Risk: Perception and Management – Hiranya Fernando
2:00 p.m. H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 2. View From the Practitioners – Debra Logan, Lew Schwartz, Outside Panel
4:30 p.m. G6a. Net IT Out: The Realities of Cyberinsurance – John A. Wheeler
4:30 p.m. H6a. Net IT Out: Compliance Controls — When Are Yours Too Old? – Khushbu Pratap
4:55 p.m. G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools — A Use Case Approach – Paul E. Proctor
4:55 p.m. H6b. Net IT Out: SAS 70 Is Gone — So What Are the Alternatives? – French Caldwell
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House – Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. G7. General Session: Enterprise and Operational Risk Management: Directors Roundtable — What the Board Wants – French Caldwell, Dale Kutnick, Panelists
11:00 a.m. G8. Risk-Adjusted Value Management – Paul E. Proctor
11:00 a.m. H8. Internal Auditors: Why They Do What They Do – Khushbu Pratap
1:30 p.m. G9. Technical Insights: Road Map — Managing Multinational Privacy Risks in the Cloud – Ian Glazer
1:30 p.m. H9. Improving Your Social Risk IQ – French Caldwell
4:00 p.m. G10. Six CIO Risk Techniques to Please Your Board – French Caldwell
4:00 p.m. H10. Managing Litigation and Regulatory Risks of Big Data – Sheila Childs
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General — Problem Solved. You’re Welcome – John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14
8:00 a.m. W6. Workshop: Policy Critique – Jay Heiser
8:00 a.m. W7. Workshop: Implementing COBIT 5 – Robert Stroud, ISACA’s Strategic Advisory Council
9:15 a.m. W8. (9:15–11:30 a.m.) Workshop: Creating Key Risk Indicators for Your Company – Paul E. Proctor
9:15 a.m. H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence – Benjamin Wright, SANS Institute
10:30 a.m. H12. Road Map: Intelligent Information Governance 2012 – Debra Logan
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments – Ray Wagner

New Risk and Compliance program features for 2012

Divided into two tracks — Enterprise and Operational Risk Management, and Managing Legal and Compliance Risk — the Risk Management and Compliance program offers:

• 25 in-depth sessions and two general sessions

• CRO Invitational Program

• Three workshops, two Road Map sessions, four Net IT Out sessions, and one Technical Insights session

• Two analyst-user roundtables focused on risk management and compliance

• 10 on-site Gartner analysts focused on risk management and compliance, available for private one-on-one meetings

• Special risk-management-and-compliance networking opportunities


NEW! THE BUSINESS OF IT SECURITY AND RISK

HOT TOPICS

• Information security forecasts worldwide

• Market shares in the infosec domain

Mobility, cloud and social technologies have transformed IT, posing a stupefying array of new security threats and engendering an equally overwhelming number of new security and risk management options. In a climate of volatile change, how do you know you are making the right security and risk management investments?

New this year, The Business of IT Security and Risk program examines today’s dynamic marketplace, the current landscape of market leaders and upstart innovators, as well as how the scenery is likely to change. We take an investor’s financial and strategic view of the market, based on the evaluations of our analysts, the financial community and the media.

Will your current partners see you through into the mobile, social, cloud-based future? Where will the leading innovations come from? Where should you put your money? Featuring 10 sessions with leading analysts, investors, journalists and bloggers, this unique program provides extremely important information for CISOs and others investing in security and risk solutions.

Meet the analysts

Ruggero Contu, Principal Analyst

Eric Ahlm, Director

Joseph Feiman, Vice President and Gartner Fellow

Peter Firstbrook, Director

Ramon Krikken, Director

Lawrence Pingree, Director

Greg Young, Vice President

John Rizzuto, Vice President and Invest Analyst

NEW! BUSINESS AGENDA (The Business of IT Security and Risk)

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks – Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management – Andrew Walls
11:30 a.m. J1. Security Markets Worldwide 2012 – Eric Ahlm, Ruggero Contu
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell – Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. J2. IT Security Survey: 2011-2012 Study Results and Trends Analysis – Ruggero Contu, Lawrence Pingree

Tuesday, June 12
8:15 a.m. J3. Technical Insights: The Art of Saying Yes — Selling Application Security to Architects and Developers – Ramon Krikken
10:45 a.m. J4. SWOT Analysis: IBM and HP Application and Data Security – Joseph Feiman
2:00 p.m. J5. Security Investors Perspectives Panel – Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman
4:30 p.m. J6. Security Market Gartner Magic Quadrant Overview – Greg Young
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House – Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. J7. Security Journalists and Bloggers Panel – Moderator: Greg Young
11:00 a.m. J8. SWOT Analysis: McAfee, Symantec, Cisco – Eric Ahlm, Ruggero Contu, Peter Firstbrook
1:30 p.m. J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security – Neil MacDonald, Lawrence Pingree
4:00 p.m. J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps – Joe Fuller, Dominion Enterprises
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General — Problem Solved. You’re Welcome – John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments – Ray Wagner

HOT TOPICS (continued)

• User wants-and-needs survey results

• Strengths, weaknesses, opportunities and threats (SWOT) evaluations on leading IT security and risk vendors

• Gartner Magic Quadrant trends

• Investors perspectives panel


SESSION DESCRIPTIONS

CISO PROGRAM TRACK A: The CISO

A1. Security and Risk Management as a Social Science
As technical security controls are increasingly integrated into the infrastructure fabric, CISOs’ focuses will continue to shift toward the behaviors, attitudes and cultures of stakeholders. This presentation highlights how this will impact security leaders, and which actions they should take. – Tom Scholtz

A2. Security Program Management Overview
Security programs have evolved and continue to mature. This session describes the maturity level characteristics of current information security programs and reviews the Gartner ITScore survey results. – F. Christian Byrnes

A3. When Risk Management Does More Harm Than Good: RM 101
Risk used to be like the weather — everybody talked about it, but few did anything about it. While the weather still remains unpredictable, business demands a more predictable approach to IT-related risks. This session helps the new risk manager understand the basic principles of risk management. – Jay Heiser

A4. Metrics That Matter
Enterprises still continue to create and report on security metrics that have no context and that nobody cares about. The effective metrics program highlights a few key measures with reasonable, achievable targets that drive continuous improvement. – Jeffrey Wheatman

A5. Security and Risk Governance: It’s Much More Than Just Reporting
Effective governance provides accountability, responsibility, authority and assurance. Security and risk governance consists of processes and activities executed and overseen by governance bodies. Their success depends on the effectiveness of the groups tasked with executing them. – F. Christian Byrnes, Tom Scholtz

A6a. Net IT Out: Articulating the Business Value of Information Security
While security budgets held up comparatively well during the recession, organizations are shifting their focuses from survival back to growth mode. This requires investment of (still-limited) financial resources into innovation and growth projects, resulting in increasing pressure on security budgets. – Tom Scholtz

A6b. Net IT Out: Developing the Key Competencies of the New Security Team
As the information security discipline matures, the security-related skills and knowledge of a chief information security officer and his or her teams are taken for granted. However, security professionals who expect to thrive in a dynamic business environment need to continually learn new skills. – Tom Scholtz

A7. How to Run, Grow and Transform Your Risk and Security Program
Creating and formalizing a security and risk program is inexpensive, but developing a mature program requires high-level support, a strategic approach and proper time to execute. Modern enterprises must also align with business needs and address cultural gaps with the non-IT parts of the business. – Paul E. Proctor

A9. Optimizing the Information Security Organization
Stop worrying about where the CISO reports, and think about how security meets your clients’ needs. Governance, accountability and responsibility can’t be fixed by moving head count. Here, we discuss how organizational changes may or may not impact your information security program’s success. – Jeffrey Wheatman

A10. Ignore Enterprise Data Protection at Your Peril
Clients are missing the big picture when they protect data in technology silos without garnering a clear understanding of the value and risk associated with that data. This session analyzes the real drivers for data protection and provides a survey of some of the available tools to address the problem. – Jeffrey Wheatman

A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy
“If you aim at nothing, you will hit it.” A realistic strategy is a key component of any information security program. Developing and maintaining a strategy in dynamic-threat, technology and business environments is indeed challenging. – Rob McMillan, Tom Scholtz

A12. Intelligent Information Governance 2012
We seem to have too much information, but not enough of the right kind. Information governance is technically complex, organizationally challenging and politically sensitive. In this session you gain best practices and lessons learned from early adopters of information governance programs. – Debra Logan

A13. Trust: The Elusive Final Ingredient
Substantive external sharing only happens when everyone is confident that no harm will be caused. Trust conditions must be enabled before partners access information. Architects must understand social trust mechanisms, enabling external collaboration through the use of data protection technology. – Jay Heiser

WORKSHOPS

W1. Workshop: ITScore for Security Management Workshop
Balanced scorecards provide security teams with critical tools to demonstrate value by identifying and leveraging security’s benefits across multiple business domains. This workshop discusses the building blocks for balanced scorecards for information security and how clients can avoid the hurdles. – F. Christian Byrnes

ANALYST-USER ROUNDTABLE

AUR15. Secure Web Gateways
This session is restricted to attendees with a CISO or equivalent title, or other C-level or senior management role related to information security. This is a discussion session. – F. Christian Byrnes


IT SECURITY TRACK B: Infrastructure Protection

B1. The Security State of the Cloud
Where does the world stand on cloud computing risks? This presentation provides an overview of the technical and process mechanisms that can be applied to help reduce the risks of cloud computing. – Jay Heiser

B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees
As attacks become more motivated by money, and as enterprises get better at securing the infrastructure, there’s been a shift to application attacks. Now it is not just hackers but also employees that create serious threats. Addressing new risks, new application and data security market spaces have emerged. – Joseph Feiman

B3. The Endpoint Protection Platform in the Age of Tablets and Clouds
Tests show that current endpoint protection platforms (EPP) do not provide full protection from mass-propagated or targeted attacks. In addition, security teams are grappling with the diversification of the traditional endpoint. Here we compare current and future EPP requirements. – Peter Firstbrook

B4. Case Study: The World Trade Center’s Situational Awareness Platform
The security director of the iconic World Trade Center describes best practices, lessons learned and technologies deployed while implementing a situational awareness platform to monitor events and identities in real time using an integrated command center for correlating data and imagery. – Lou Barani, Director of Security, World Trade Center; Moderator: Jeff Vining

B5. Road Map: Secure Email Communications With Partners and Customers
Regulations and data theft are increasing the focus on protecting intellectual property and sensitive information. The most common data exchange solution for most companies is email. Organizations struggle with securing email communications to partners, customers and contractors. – Peter Firstbrook

B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely
Organizations need to permit employees of other companies to have access to sensitive information. But multienterprise collaboration can’t be secured by traditional means. Learn how flexible and affordable trust technologies and services are being used to securely share data among enterprises. – Jay Heiser

B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology
Data loss prevention continues to be a hot topic, and clients continue to face the challenge of seeing beyond the technology to derive value. The key to this is understanding that you need to implement a DLP process, and not just the tool. What does this mean? What are the pitfalls? – Rob McMillan

B7. SIEM for Hybrid Technology and Services Deployments
We get many client calls about options for using SIEM service providers. Hybrid deployments of technology and services address activities from planning to operations and cover monitoring from corporate data centers to cloud services providers. Here we address use cases supported with SIEM services. – Kelly M. Kavanagh, Mark Nicolett

B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud
This presentation is about security monitoring for cloud environments as well as about using cloud-delivered tools for monitoring traditional on-premises IT environments. Do we have to use the cloud to monitor the cloud? What traditional approaches will work? – Anton Chuvakin

B9. The New Dangers of Machine to Machine (M2M) in the Enterprise
By 2015 there will be more M2M devices than laptops or tablets. This presentation examines how these devices communicate, authenticate and access resources across the infrastructure and introduce new security dangers to the enterprise. – Tim Zimmerman

B10. The Mobile Security Brothers Traveling Roadshow
Repeating and updating this popular and fun session, the brothers explore critical issues in the rapidly changing world of mobile and wireless computing — but within an audience-interactive game show format with valuable prizes! – John Girard, John Pescatore

B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats
Here we explore extending a whitelisting paradigm from servers to all endpoints using best-practice techniques such as trusted change, IT operations integration and systematic workload reprovisioning of servers and desktops to pull the rug out from under advanced persistent threats. – Neil MacDonald

B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector
This case study looks at an industry-specific, secure community cloud environment designed to improve collaboration. We identify the key components and necessary safeguards for tactical and strategic deployment, and project when vendors will support the emerging community cloud concept. – Doug Simmons, Gartner Consulting

IT SECURITY TRACK C: Infrastructure Protection

C1. Road Map: The Next Generation of Firewalls and IPS
Threats continue to advance, and network security defenses must evolve to become effective against advanced targeted threats. Enterprises should require vendors to add next-generation intrusion prevention features to network security products. – Greg Young


C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence
IT infrastructures have become increasingly virtualized and complex, with workload mobility in conjunction with the cloud becoming the norm. This presentation provides a framework for using big data to deliver actionable insight and intelligence for security and operations from a sea of data. – Neil MacDonald

C3. Monitoring Users for Security Intelligence: Threats and Opportunities
Monitoring the communications of employees (and others), on both internal and external systems, is critical to security intelligence and situational awareness. While leveraging this data to improve security, we must also defend against unfriendly monitoring and data discovery that could be damaging. – Andrew Walls

C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet?
Loss and data exposure are the primary risks organizations face with mobile devices. Using off-the-shelf forensic tools to analyze typical mobile devices, we demonstrate how data is exposed and unintentionally propagated. The analysts then recommend best-practice defenses. – John Girard, Lawrence Pingree

C5. Case Study: DoD’s Approach to Security Testing
– Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps

C6a. Net IT Out: Technical Insights — Securing Browser-Based Applications
Applications running in Web browsers may be implemented in HTML4, HTML5 and JavaScript, or they may use Java, Silverlight, Flash or other platforms. This session discusses the client-side risks of running applications in Web browsers, and covers the strengths and weaknesses of the various protections. – Mario de Boer

C6b. Net IT Out: Road Map — Gaining Control of Consumerization
Consumerization is here and IT struggles to keep up. End users have embraced tablets, smartphones, VoIP and Dropbox, giving little thought to security. Reclaim control to create a secure “consumerized” environment by implementing new technologies and developing reasonable policies and controls. – Lawrence Orans

C7. Technical Insights: Mobility and Security — Gartner Field Research on Mobility and Consumerization
Gartner field research identified security issues that arise when introducing consumer devices into the enterprise. We also identified solutions as enterprises deal with the problems. This session presents the results, regarding governance, technical security and management solutions. – Eric Maiwald

C8. Deep Dive Into Internet Infrastructure Attacks
Cracks appear in the Internet’s infrastructure. DDoS attacks have increased in intensity and frequency. Attacks on certificate authorities expose SSL’s fragility. Attacks on the DNS infrastructure can cause large-scale fraud and disrupt trust. We analyze recent attacks and identify solutions. – Lawrence Orans, John Pescatore

C9. Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management
Attackers are improving their ability to find and exploit security weaknesses. The first order of business is to present a hard target. This requires IT security organizations to run operationally effective vulnerability management across multiple cooperating IT operations and application support teams. – Mark Nicolett

C10. NIST’s National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage
NIST’s new cyberframework, the NICE program, defines 31 cybersecurity skill specialty areas in today’s security workforce. This session addresses how CIOs and CISOs can leverage the framework’s best practices to save time and money in future IT cyberworkforce planning and development. – Steve Hawald

C11. Manage Your Security Vendors or Be Mangled
This session presents best practices for deciphering and assessing proposals for security equipment and offerings, as well as the associated discounts you should receive. And what about all your security spending — is there a way to manage it as a portfolio? – Greg Young

C12. Network Security Open Q&A
Have a network security problem or issue? Wondering about the next-generation thingie, appliance or “as a service” service? What is coming in network security? How can organizations provide strong security when the perimeter is essentially porous? Does network security have a future, or do the data, application and infrastructure need hardening? Bring your questions to this open forum with top Gartner network security analysts. – Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young

C13. Technical Insights: Network Security Architecture for Internal Private Clouds
Private clouds change the data center world. It is no longer easy to know which application is running on which server. This leads to concerns about how to efficiently move, monitor and control traffic between virtual machines. Enterprises need to rethink network security architecture options. – Eric Maiwald

IT SECURITY TRACK D: Secure Business Enablement

D1. Protecting Your Network in the Era of BYOD
Network access control (NAC) burst on the scene in 2003 as the answer to Sasser, Blaster and the worm era. It was derided as an overhyped concept. Now that bring your own device (BYOD) has emerged as an unstoppable trend, NAC is back in favor again — this time as a solution for gaining back control of the network. – Lawrence Orans


D2. Taking Privacy to the Next Level With a Privacy Program
Leading enterprises avoid piecemeal, costly and risky approaches to privacy by combining governance, policy, education and incident response aligned with application development, security and risk management for world-class privacy programs. Learn about privacy by design. – Carsten Casper

D3. Road Map: Operationalizing Encryption
Encryption benefits security postures. But without adequately understanding resources, controls and risk mitigation, the ultimate benefit may be no better than before encryption. Here we look at the major categories of data, devices and service considerations when maximizing encryption’s value. – Eric Ouellet

D4. Technical Insights: Operationalizing PCI DSS Compliance
Here we discuss how to make compliance with the Payment Card Industry Data Security Standard (PCI DSS) an ongoing effort that is tied to security management, operations and other units. We present guidance on how to remain compliant despite changes in environments. – Anton Chuvakin

D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence
When it comes to getting infected, cyberattacked, or having vulnerabilities, no organization remains untouched. Thousands of security companies build security tools and services, research malware, probe vulnerabilities and try to help organizations with defense or response, but they struggle to connect the dots. – Dan Blum

D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management
Do you need to share data while preserving privacy? To use public clouds or consolidate global data centers while being compliant with privacy laws? To respond to breaches? To monitor changes in privacy regulations? This session helps you understand the usefulness of various emerging technologies. – Carsten Casper

D6b. Net IT Out: Job Security in the Cloud Era — Will Jobs Stay or Vaporize?
Cloud is a transformational phenomenon that changes our businesses and our IT organizations. Will cloud transform the IT workforce? Will it threaten job security? – Joseph Feiman

D7. Operationalize Social Media to Improve Security Performance
Business is moving past the experimental stage and is actively developing new ways to maximize profits through social media. It is time for security to do the same and use social media to improve security. This presentation explores the opportunities for security improvement through social media. – Andrew Walls

D9. Case Study: TBA

D10. Technical Insights: SaaS Email Security — Trust Versus Technology
Enterprises would love to commoditize email by cutting costs through outsourcing. However, it is a primary channel, carrying sensitive and proprietary content that needs protection. Much intellectual property resides in email databases. Outsourcing email to a SaaS provider raises a number of critical questions. – Dan Blum

D13. Developing and Implementing a Superior Mobile Device Policy
Mobile devices, particularly consumer-level products, have trampled over the well-crafted policies that companies put in place for trusted work systems. Businesses must adapt and do so quickly, and they must learn to prioritize the basic configuration and security policies that they will need to preserve. – John Girard


IT SECURITY TRACK E: Secure Business Enablement

E1. Higher, Faster, Stronger: The Performant IAM Program
Every enterprise has to manage workforce, partner and customer identities and the access they get. Not all enterprises are tackling IAM initiatives to maximize IAM value to the business through enhanced security and risk management, improved operations or better business outcomes. – Ant Allan

E2. Road Map: IAM Operations — The IAM Data Model
Great IAM operations don’t just happen. They’re built on solid infrastructure foundations that include high-fidelity identity data stored and used in a structured manner to deliver access and other identity-based services. This presentation describes this operational infrastructure foundation. – Earl Perkins

E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise
When it comes to good practices, IAM programs generate information about what to do and what not to do — from planning and design, to product/service choices, deployment and operations. This session explores lessons learned when IAM solutions have addressed both business and technical requirements. – Perry Carpenter

E4. Layered Fraud Prevention for Land-Based and Mobile Computing
This presentation proposes five layers for fraud prevention and sets priorities for managing immediate threats, such as malware-based cyberattacks, within a framework of fraud management. What are the five layers for fraud prevention? – Avivah Litan


E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It)
If your awareness program was designed by a guy with pocket protectors, a fresh CISSP and a highlighted NIST 800 series, then you can guarantee that it is obsolete. New approaches draw on advertising, marketing, social engineering and practical magic to build a new context for security awareness. – Perry Carpenter, Andrew Walls

E6a. Net IT Out: One-Time-Password Hardware Tokens — Going, Going … Not Quite Gone
One-time password (OTP) hardware tokens have been a staple user authentication method for more than 25 years, but they are increasingly losing out to alternative methods in new and refreshed implementations. This session explores this trend and whether the demise of hardware tokens is inevitable. Ant Allan

E6b. Net IT Out: The Undeath of PKI
Once at the Peak of Inflated Expectations, then as a technology in search of a problem in the Trough of Disillusionment, PKI has emerged onto the Plateau of Productivity in a variety of styles including Public Key Operations and key management, addressing very real problems. PKI Lives! Is PKI still relevant in 2012? Eric Ouellet

E7. Q&A Session: The Identity and Access Management Marketplace
This open session has no preplanned agenda, no PowerPoint and no pretensions. It’s a venue where audience members can try to “stump the analysts” or more appropriately raise issues and concerns they face while implementing and operating IAM systems. Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner

E9. Managing Identity and Access in the Hybrid World
Unless you have the luxury of starting with a greenfield for IAM, you must manage identity in an increasingly hybrid world in which on-premises legacy infrastructures are extended or replaced to support SaaS and mobile endpoints that create new identity islands, complexity and security vulnerabilities. Gregg Kreizman

E10. Socrates Was Wrong: A Debate
This analyst debate examines human nature in the context of information security and proper behavior. One side says that people will always try to do the right thing. The other side says people aren’t that nice and will always do what they can get away with — especially if no one is looking. Rob McMillan, Earl Perkins, Tom Scholtz, Andrew Walls, Vic Wheatman

E11. Case Study: Securing the Digital Nation — The New Frontier of Cybersecurity Training and Education
In 2011, the U.S. Secret Service Electronic Crimes Task Forces arrested 1,200 cyberthieves, responsible for the loss of almost $500 million. Last year, the Obama administration released a road map for creating a U.S. cybersecurity workforce. As innovation and interconnectivity in the online and mobile space advances, it is essential for businesses to have an active threat intelligence management process and industrywide knowledge that helps to avoid security risks with planning and layered controls. Keith Gordon will discuss the importance of having a long-term cybersecurity strategy and a short-term remediation plan across all industries. Keith Gordon, Senior Vice President, Security, Fraud and Enrollments, Online and Mobile Channels, Bank of America

E12. Technical Insights: Endpoint Virtualization Security Considerations
Increased mobility and endpoint choices have led organizations to desktop strategies that deploy applications to people, not devices. Endpoint virtualization not only prevents information sprawl but also introduces new risks. Here we focus on the security of various endpoint virtualization technologies. Mario de Boer

TUTORIALS

T1. FedRAMP Focus: Government Strategies for Secure Use of Cloud
Governments worldwide are evaluating cloud-based services to improve services while saving. FedRAMP is a U.S. government process for rapidly certifying the security of such services. Will this program be successful, and if so, how will corporations address their concerns when it comes to cloud services? John Pescatore

T2. Best Practices for Owning Your Airwaves to Provide Security, Maximize Performance and Mitigate Interference
Enterprises are looking at a tsunami of wireless devices and technologies, from Bluetooth 3.0 to 802.11n to LTE and cellular. This presentation looks at each, along with usage scenarios to provide a framework for a best practices policy. Tim Zimmerman

T3. Top Security Trends and Take-Aways for 2012 and 2013
With continuing trends in cloud, consumerization, mobility and the next big thing, the way IT is delivered is changing. Each brings new threats and breaks old security processes. Here we review the top 2012-2013 security hot topics to map the trends. Ray Wagner

T4. IAM RFP: Choosing the Best Solutions for Your Business
One of the most frequently asked questions by Gartner clients is whether there are sample requests for proposal (RFPs) for IAM products and services available to use as a starting point in their efforts. This tutorial explores a basic template for different IAM technologies to aid planning. Earl Perkins

WORKSHOPS

W2. Workshop: ITScore for Privacy
Privacy gets ever more complex. How do organizations know they are doing enough? How do they know they are not doing too much? Measuring privacy is an emerging discipline. In this workshop, we introduce the Gartner ITScore assessment for privacy. Bring your laptop to run your own assessment. Carsten Casper


W3. Workshop: ITScore for IAM
IAM leaders use this Gartner assessment to evaluate their IAM efforts against key maturity indicators. This helps determine which aspects of a maturity level are most important and how to advance. Immature programs are likely to be inefficient, ineffective and unable to deliver full business value. Perry Carpenter, Ray Wagner

W4. Workshop: Securing the Access Layer — Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees
Network access requires changes to manage mobility and new devices. Understanding usage, devices and risk profiles is the first step. This workshop helps build a strategy by outlining options associated with authentication to corporate, guest access or limited access networks. Lawrence Orans, Tim Zimmerman

ANALYST-USER ROUNDTABLES

AUR1. Where Did I Leave My Privacy?
With mobile technologies and widespread surveillance, losing your privacy is easier than ever. Share lessons learned on location privacy with other participants. Ian Glazer

AUR2. Application Security Concerns
Packaged and custom-developed applications often have vulnerabilities. Finding and mitigating weaknesses consumes time, effort, energy and money. Here security professionals, application developers and others discuss the risky business of relying on applications with potentially hidden problems. Neil MacDonald

AUR3. Content-Aware DLP for Organizations on the Move
Data loss prevention has received attention as a way of keeping sensitive information from “leaking” from an organization, but implementation has been more difficult than estimated. This is particularly true as mobility is introduced. Peers discuss their experiences in this facilitated roundtable. Eric Ouellet

AUR4. Lessons Learned From Securing My Home Network
Share your war stories with other attendees about how you have secured your home network. Come prepared to whiteboard your design and discuss your favorite products and solutions. Who knows, you may even learn something that you can apply in your corporate network! Lawrence Orans

AUR5. DMZ Design
Dynamic trends such as virtualization, Web services, XML firewalls and access to new mashups can open perimeter holes. The definition of the DMZ has changed. This group of peers discusses design challenges and current thinking on how DMZs will be architected in the future. Greg Young

AUR9. Security in Healthcare
HIPAA has been around for over a decade, yet healthcare providers still wrestle with the need for protecting patient data. Further, there are concerns that medical devices may be vulnerable to attack. Those involved speak to their experiences and concerns. Mark Nicolett, Paul E. Proctor

AUR10. Security in the Public Sector
Federal, state and local governments face resource constraints, unfunded mandates, and pressures from constituents for safe and secure access to sensitive data. What are security and risk professionals doing to cope with this environment? Gregg Kreizman, John Pescatore

AUR11. Application Security Testing
Complex software security testing can be challenging as every SAST, DAST and IAST vendor purports to cover the OWASP Top 10, and claims its products are more accurate and easier to use than others. In this facilitated session, we look at which tools are strong and weak, and how they are best used. Ramon Krikken

AUR12. Security in Utilities and Energy
As part of the critical infrastructure, utilities and energy companies have unique responsibilities. Enterprise security for business systems is as important to these entities as it is to any, but there are special requirements associated with SCADA networks and other parts of operational technologies used that need a specific focus. Here industry peers share their perspectives and findings. Earl Perkins

AUR17. Outsourcing Security
Organizations often outsource security functions to managed security service providers and other outsourcers. How far can they go in handing off critical defensive mechanisms, and which should they maintain in house? Join a group of peers in addressing this ongoing question. Kelly M. Kavanagh

AUR18. Dealing With Cloud Risks
As new audit standards go into effect, it’s harder than ever to know whether cloud vendors have adequate controls. Learn from fellow participants what their best practices are for managing cloud risks. Jay Heiser

BCM TRACK F

Business Continuity Management

F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11
Earthquake in Japan, Australian flooding, tornadoes and other major disasters remind us that closing our eyes and clicking our heels will not bring a return to normalcy. How can lessons learned across the broad range of business delivery services improve your BCM program? John P. Morency, Roberta J. Witty

F2. Case Study: Intel’s Response to the Fukushima Earthquake/Tsunami
Intel discusses the impact of the March 2011 Fukushima earthquake/tsunami on its supply chain operations and the resulting changes to its business and IT systems that will make them more resilient in the future. Jeff Selvala, Director, Assembly Test Global Materials, Intel; Roberta J. Witty


F3. Case Study: Teleworking Through A Disaster
Telework (doing one’s job via remote access) could be your business lifeline when the bridge is out, the storm is blowing or the earth is shaking. Here we offer examples of companies that put telework into practice during major disruptive events and provide tips for success in your organization. John Girard, Roberta J. Witty

F4. Case Study: Demographics — An Unknown BCM Risk
The business world is faced with legal/regulatory, strategic, and financial risks, but demographic risk has largely been ignored. For example, we have an aging workforce. This session helps you understand how demographics affect your company and identifies solution strategies. Steve Hannah, Manager, Disaster Recovery, Waddell & Reed

F5. Crisis/Incident Management Overview
Business interruptions occur at a more rapid pace than ever before. Awareness of these events is taking its toll on company reputations. Here we discuss best practices for crisis/incident management programs that keep management in line and ensure a viable supply chain. Leif Eriksen, Roberta J. Witty

F6a. Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants
The BCM software market is composed of three main categories: emergency/mass notification, BCM planning and crisis/incident management tools. This session and the next both provide the latest market analysis of these tools so that organizations can make the right tool choice for their needs. Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty

F6b. Net IT Out (continued): Business Continuity Management Planning Markets and Magic Quadrants
Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty

F7. Strategies for Achieving Continuous Application Availability
Continuous application availability — eliminating planned and unplanned downtime — is expensive and only justified for the most mission-critical applications. We analyze techniques and architectures to help achieve continuous availability while assessing people- and process-critical success factors. Donna Scott

F8. Can I Recover Through the Cloud?
Given the number of cloud-specific alternatives, organizations can now evaluate how a cloud-centric approach can improve the efficiency, effectiveness and economics of IT resilience. We discuss product and service choices, cloud-based recovery and early adopter implementation lessons. John P. Morency, Sheila Childs

F9. Best Practices in Recovery Exercising
Exercising IT DRM plans is a “must do” activity. Increasing time and resource costs are underscoring the need for more efficient approaches. This session discusses the software and management approaches now used by Gartner clients to improve exercise scope, execution and results. John P. Morency

F10. Panel: Educating Boards of Directors and Management in the Business Case for BCM
Investing in response, recovery, restoration and resilience is in the organization’s best interests but can fall on deaf management ears. How do you make a compelling case for the business to continue in case of disruption without FUD? In this panel, seasoned BCM experts describe their approaches. Moderator: Roberta J. Witty

TUTORIALS

T5. BCM Maturity: Where We Are, Where We Should Be Going
Organizations are maturing BCM programs across all industries as the threat of business interruptions rises. Using results of the BCM ITScore, this session reviews where organizations are across eight dimensions of BCM program management, where we should be in the next five years and how to get there. John P. Morency, Roberta J. Witty

WORKSHOPS

W5. Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification
This three-hour workshop will review and compare the most common BCM standards, provide best practices for using them for organization certification, and then have attendees participate in a standards implementation exercise. John P. Morency, Roberta J. Witty

RISK MANAGEMENT AND COMPLIANCE TRACK G

Enterprise and Operational Risk Management

G1. Road Map: Privacy, Marketing and Behavior Tracking — A Risky Mandate
Based on a Gartner Innovation Insight note on the business of behavior tracking and its IT implications, we explain why marketing will face pressure to increase behavior tracking activities (and social media monitoring and engagement) and what those responsible for privacy should be doing about it. Andrew Frank

G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM
By understanding business objectives and the processes underlying them, risk managers can gain insight into emerging risks across IT and the business. This presentation highlights business process management components that can bolster a company’s risk management program without added investment. John A. Wheeler

G4. Seven Keys to Successful and Cost-Effective Risk Oversight
Given heightened regulatory scrutiny and increased liability, board members are looking to senior business and IT leaders to make major improvements in how companies manage risk. This presentation outlines a practical solution in the form of seven keys to successful and cost-effective risk oversight. John A. Wheeler

G5. Global Supply Chain Risk: Perception and Management
Tomorrow’s profitability is built on today’s risk management capabilities in an uncertain world. Modern supply chains are complex and exposed to many risks, such as commodity shortages, natural disasters, supply disruptions and external pressure from consumers, government, and NGOs. Discuss! Hiranya Fernando

G6a. Net IT Out: The Realities of Cyberinsurance
Risk managers today are searching for ways to minimize exposure to financial losses that result from information security breaches. This presentation explores the use of cyberinsurance as a potential loss mitigation strategy and discusses what companies should consider before purchasing a policy. John A. Wheeler

G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools — A Use Case Approach
Effective IT risk assessment (RA) depends on managing a toolbox of assessment techniques and applying the most appropriate technique on a case-by-case basis. This presentation provides practical advice on selecting RA methods and tools, and on optimizing the utilization of the same. Paul E. Proctor

G8. Risk-Adjusted Value Management
Risk-Adjusted Value Management™ is a Gartner methodology that bridges the risk/business performance knowledge gaps. Using leading indicators of risk and performance, CIOs, CROs and CISOs can improve their relevance, budget justifications, and decision making. Paul E. Proctor

G9. Technical Insights: Road Map — Managing Multinational Privacy Risks in the Cloud
As the use of cloud-based services increases, it is likely that even those organizations that thought they operated entirely within a single jurisdiction will find that their business, transactions and data all cross boundaries. It’s critical to manage the privacy issues that can arise as a result. Ian Glazer

G10. Six CIO Risk Techniques to Please Your Board
Corporate directors are under pressure to improve their risk management oversight. IT leaders can adopt six risk management techniques that will improve the value of their risk management reporting to the board. French Caldwell

RISK MANAGEMENT AND COMPLIANCE TRACK H

Managing Legal and Compliance Risk

H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance
Information governance initiatives are increasing in number and scope, but the involvement of IT security and risk management is nonexistent or minimal. Learn how to work together, set common objectives and achieve security, risk and compliance objectives. Debra Logan, Jeffrey Wheatman

H2. The Corporate Ethics Game Show: “Let’s Make a Deal” or “Jeopardy!”?
Just because it’s legal to do, is it right? What if doing the right thing is bad for the enterprise? Does doing the right thing have an ROI? IT security professionals, risk managers and compliance coordinators face vexing moral dilemmas more than they want. This panel parses several real-life ethical scenarios, suggests appropriate courses of action, and fosters second thoughts for the next time you face a “What do I do?” moment. Joseph E. Schmitz, former DoD IG; John Bace, Guest Lecturer, John Marshall Law School

H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 1. View From the Bench
E-discovery has become ever more burdensome and expensive, with the cost of individual cases sometimes exceeding that of what used to comprise the total annual U.S. e-discovery cost. Have the amended rules of civil procedure failed against the rising tide of data that shows no signs of abating? Debra Logan, Lew Schwartz, Judges Panel

H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 2. View From the Practitioners
E-discovery has become ever more burdensome and expensive, with the cost of individual cases sometimes exceeding that of what used to comprise the total annual U.S. e-discovery cost. Have the amended rules of civil procedure failed against the rising tide of data that shows no signs of abating? Debra Logan, Lew Schwartz, Outside Panel

H6a. Net IT Out: Compliance Controls — When Are Yours Too Old?
Many organizations are in a continuous program of maintaining controls that more or less function only to serve auditors and regulators. There are various control types, and each warrants a periodic re-evaluation based on changes in business requirements, compliance initiatives and risk tolerances. Khushbu Pratap

H6b. Net IT Out: SAS 70 Is Gone — So What Are the Alternatives?
SAS 70, the audit standard once used to report on IT service providers’ and cloud vendors’ compliance-related controls, has now been replaced by SSAE 16. This transition is an opportunity for service providers and their customers to re-evaluate which internal controls assurances are truly needed. French Caldwell

H8. Internal Auditors: Why They Do What They Do
While audits may help correct and improve business functions and practices, they may not always adequately cover the most important risks, obligations and business requirements. A sound audit program can help contribute to ROI from compliance and risk management efforts. Khushbu Pratap

H9. Improving Your Social Risk IQ
Whenever there is a gap between public expectations and management’s attention to an issue there are social risks, and those risks are growing daily. By 2015, any global enterprise, private or public sector, that does not improve its social risk intelligence will fail. French Caldwell

H10. Managing Litigation and Regulatory Risks of Big Data
Regulatory proliferation and e-discovery readiness have led to IT being more frequently involved in supporting data management activities. Challenges run from building the right team, to interpreting regulatory requirements, to policy development, to selecting the solutions for GRC and information governance. Sheila Childs

H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence
The source of evidence for digital investigations is changing. Previously, digital evidence was extracted from hardware in the possession of the investigator. Today, that evidence is increasingly found on the Web or in the cloud. Benjamin Wright of SANS shares how (and how not) to capture and preserve cyberevidence. Benjamin Wright, Attorney, SANS Institute Instructor: Law of Data Security and Investigations

H12. Road Map: Intelligent Information Governance 2012
We seem to have too much information, but not enough of the right kind. Information governance is technically complex, organizationally challenging and politically sensitive. In this session you gain best practices and lessons learned from early adopters of information governance programs. Debra Logan

WORKSHOPS

W6. Workshop: Policy Critique
In this workshop we examine and discuss examples of actual policy text, looking for typical weaknesses and deciding as a group whether the topic is practical to address through policy, and whether the text is likely to be effective. Attendees are encouraged to bring their own examples for group review. Jay Heiser

W7. Workshop: Implementing COBIT 5
COBIT 5 is a major strategic improvement for providing the next generation of ISACA guidance on the governance and management of enterprise information and technology (IT) assets. Learn from ISACA’s experts how to implement COBIT 5 in your enterprise. Robert Stroud, ISACA’s Strategic Advisory Council

W8. Workshop: Creating Key Risk Indicators for Your Company
This 90-minute workshop follows the concepts from the session “Using Key Risk Indicators to Influence Business Decision Making” to help you develop your own set of organization-specific KPIs and KRIs. Paul E. Proctor

GENERAL SESSIONS

G3. Untangling the Multimillion-Dollar Madoff Ponzi Scheme
Since 2008, Baker Hostetler’s David J. Sheehan has overseen the litigation and case management of the liquidation of Bernard L. Madoff Investment Securities LLC as chief counsel to Securities Investor Protection Act Trustee, Irving Picard. With over 1,000 lawsuits filed seeking more than $100 billion, the unraveling of the fraud is a challenging mission that requires thorough investigations of global banking practices, financial instruments and feeder fund machinations, among countless other issues stemming from the largest and most complex financial fraud case in history. David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner

G7. Enterprise and Operational Risk Management: Directors Roundtable — What the Board Wants
Closing the gap between board expectations for risk management, IT organization views, and what is within the possible for GRC technologies is challenging for most enterprises. This is a high impact panel with board members, CIOs and other senior executives and advisors from major corporations. French Caldwell; Dale Kutnick, Gartner Executive Programs; Panelists

ANALYST-USER ROUNDTABLES

AUR8. Supply Chain Risks
With business uncertainty unabated, natural disasters and new regulations, supply chains are under pressure. Share lessons learned with fellow participants. Hiranya Fernando

AUR13. Audit Horror Stories
What’s your most outrageous auditor demand? Sit around the campfire with fellow participants, and share audit horror stories and lessons learned on negotiating with auditors. Khushbu Pratap

AUR14. IT Availability
In this roundtable discussion, Gartner clients share their experiences and learn from each other in the broad arena of IT resiliency. Topics may include best practices and critical success factors in the areas of continuous application availability, measuring availability, service-level agreements, disaster recovery testing, data center resiliency strategy and failover/failback. Donna Scott

NEW PROGRAM!

THE BUSINESS OF IT SECURITY AND RISK TRACK J

J1. Security Markets Worldwide 2012
This session explores security markets, their growth forecasts and pending priorities, and ways the market landscape is changing. Eric Ahlm, Ruggero Contu

J2. IT Security Survey: 2011-2012 Study Results and Trends Analysis
In this session we review the results of our most recent security survey data, collected at Gartner Security & Risk Summit 2011, including the top-of-mind technologies and buying behaviors of the participants. Ruggero Contu, Lawrence Pingree

J3. Technical Insights: The Art of Saying Yes — Selling Application Security to Architects and Developers
Developers feel security too often says “no,” making projects late and over budget. Selling to architects and developers is challenging, but hidden inside application security are tools that make development easier and faster. Knowing how to articulate domain-specific benefits makes the sale easier. Ramon Krikken

J4. SWOT Analysis: IBM and HP Application and Data Security
Large IT providers such as IBM and HP have a variety of security tools, professional services and solutions. Here we examine their application and data security profiles in terms of their strengths, weaknesses, opportunities and threats (SWOT). Joseph Feiman

J5. Security Investors Perspectives Panel
This investment capital panel discussion will bring security investment firms together into a room to discover the “under the hood” details from within the confines of the information security market investment community. Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman

J6. Security Market Gartner Magic Quadrant Overview
In this session, discover the latest Gartner Magic Quadrants and get a rundown of the latest major players in the security market, how they compete and what has changed. Greg Young

J7. Security Journalists and Bloggers Panel
Gartner analysts and new media reporters, bloggers and tweeters compare notes on the direction of security, how traditional and social media roles are interacting with the industry and threat-makers, and what is healthy or unwell about security communications today. Moderator: Greg Young

J8. SWOT Analysis: McAfee, Symantec, Cisco
While many identify Cisco as providing security solutions, it has historically been a network company. McAfee is now part of Intel. Symantec has branched out from security. What are these companies’ prospects going forward, and what will be their impact on investors? Eric Ahlm, Ruggero Contu, Peter Firstbrook

J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security
Today’s information security infrastructure is static, overpriced and ill-suited to protect against ever-advancing threats. We explore technology and threat discontinuities that will force information security vendors to radically rethink how they approach security over the next five years. Neil MacDonald, Lawrence Pingree

J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps
How can CIOs who are not necessarily security experts become comfortable with cloud-based service? This presentation from marketing services company Dominion Enterprises explains how cloud-based email and document sharing works from a security standpoint, and how concerns about storing important documents in the cloud can be addressed securely. Joe Fuller, Vice President and CIO, Dominion Enterprise

By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service. 2012 Gartner Predicts


SOLUTION SHOWCASE

Cisco (NASDAQ: CSCO) is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Cisco security balances protection and power to deliver highly secure collaboration. With Cisco security, customers can connect, communicate, and conduct business securely while protecting users, information, applications, and the network. Cisco pervasive security can help minimize security and compliance IT risk, reduce IT administrative burden, and lower TCO. Information about Cisco security can be found at www.cisco.com/go/security

Dell listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs. Thousands of customers around the world and an expert research team allow Dell SecureWorks to identify and protect against emerging threats faster. Our deep security expertise, flexible delivery options and commitment to service excellence make Dell SecureWorks a premier provider of Managed Security, Threat Intelligence and Security and Risk Consulting services. www.secureworks.com

Google’s cloud computing solutions allow you to dramatically lower IT costs and increase productivity, security and reliability. Google Apps is a 100% web suite of applications that includes Gmail, Google Calendar, Google Docs and Spreadsheets, Google Sites, and more. Google Postini services help make email systems more secure, compliant and reliable by blocking spam and malware before they reach your networks, by providing encryption and archiving to help meet compliance requirements, and by offering email continuity. www.google.com

Founded in 1999, Qualys is the leading provider of cloud-based information security and compliance solutions with 5,500+ customers in 85 countries, including 50 of the Forbes Global 100. The Qualys cloud-based platform and integrated suite of applications helps businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. www.qualys.com

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps organizations solve their most complex and sensitive security challenges by bringing visibility and trust to millions of user identities, the transactions they perform and the data that is generated. RSA delivers identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry-leading eGRC capabilities and robust consulting services. www.RSA.com

Symantec is a global leader in providing security, storage and systems management solutions to help our customers – from consumers and small businesses to the largest global organizations – secure and manage their information-driven world against more risks at more points, more completely and efficiently. Our software and services protect completely, in ways that can be easily managed and with controls that can be enforced automatically – enabling confidence wherever information is used or stored. www.symantec.com

Terremark, a Verizon Company, is a leader in transforming and securing enterprise-class IT on a global scale. Terremark sets the standard for IT deployments with advanced infrastructure and managed service offerings that deliver the scale, security, and reliability necessary to meet the demanding requirements of enterprises worldwide. With a global network of data centers and a comprehensive portfolio of secure solutions, Terremark helps enterprise and government executives realize the power of the cloud today. www.terremark.com

Websense,Inc.(NASDAQ:WBSN),agloballeaderinunifiedWebsecurity,emailsecurity,anddatalossprevention(DLP)solutions,deliversthebest content security for modern threats at the lowest total cost of ownership to tens of thousands of organizations worldwide. Distributed throughpartnersanddeliveredassoftware,applianceandSecurity-as-a-Service(SaaS),WebsensehelpsorganizationsleverageWeb2.0andcloud communication, while protecting from advanced persistent threats, preventing confidential data loss and enforcing security policies. www.websense.com/content/home.aspx

AT&T Inc. is a global leader in communications, with operating subsidiaries providing services under the AT&T brand. AT&T is a recognized leader in Business-relatedvoiceanddataservices,includingglobalIPservices,hosting,applications,andmanagedservices.IntheUnitedStates,Businessesof all sizes, all over the world, deploy these AT&T services to improve productivity, manage overall costs, and position themselves to take advantage of future technology enhancements.

CheckPointSoftwareTechnologies,theworldwideleaderinsecuringtheInternet,istheonlyvendortodeliverTotalSecurityfornetworks,dataandendpoints,unifiedunderasinglemanagementframework.CheckPoint’sdynamicSoftwareBladearchitecturedeliverssecure,flexiblesimplesolutionsthat can be fully customized to meet the exact security needs of any organization or environment. Current customers include tens of thousands of businessesandorganizationsofallsizesincludingallFortune100companies.

CORESecurityistheleadingproviderofpredictivesecurityintelligencesolutions.Wehelpmorethan1,400customersworldwidepreemptcriticalsecuritythreatsandmoreeffectivelycommunicatebusinessrisk.Ouraward-winningenterprisesolutionsarebackedbyover15yearsofexpertisefromthecompany’sCoreLabsresearchcenter.Learnmoreatwww.coresecurity.com

Astheworld’slargestinformationtechnologycompany,IBMhas100yearsofleadershipinhelpingbusinessandgovernmentorganizationsinnovate.IBM’ssecurityportfolioprovidesthesecurityintelligencetohelporganizationsholisticallyprotectitspeople,infrastructure,dataandapplicationswithsolutionsforidentity/accessmanagement,databaseandnetworksecurity,risk/endpointmanagement,andmore.www.ibm.com/security

Today’s leading solution providers and top innovators in the security, risk management

and business continuity management space will be on-site with the most informed

representatives, ready to answer your questions. Get the research, ask your questions,

streamline the vetting process and leave with a shortlist you can act on immediately.

PREMIER SPONSORS

PLATINuM SPONSORS

Sponsors as of April 3, 2012 and subject to change

28 Gartner Security & Risk Management Summit 2012 | June 11 – 14 | National Harbor, MD

SOLuTION SHOWCASE

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and communications that transform the experience and economics of networking. Additional information can be found at Juniper Networks (www.juniper.net).

Kaspersky Lab is the world’s largest privately-held Internet Security company, providing comprehensive protection against all forms of IT threats such as viruses, spyware, hackers and spam. The company’s products provide in-depth computer defense for more than 300 million systems around the globe, including home and mobile users, small and medium sized businesses and large enterprises. Kaspersky technology is also incorporated inside the products and services of nearly 100 of industry leading IT, networking, communications and applications solution vendors.

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), is the world’s largest dedicated security technology company. McAfee provides system, network, and mobile security solutions that allow users to safely connect to the Internet, browse, and shop online. Backed by global threat intelligence, our innovative products empower home users and organizations by enabling them to prove compliance, protect data, prevent disruptions, identify vulnerabilities, and monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.

Recent events prove that networks will be compromised despite state-of-the-art defenses... Introducing NeuSentry™ by Neustar, a service that detects data breaches that other security tools miss, then generates real-time alarms that enable customers to mitigate damages caused by those breaches. NeuSentry™ - The New Layer in Cybersecurity Information Assurance.

Oracle (NASDAQ: ORCL) is the world’s most complete, open, and integrated business software and hardware systems company. For more information about Oracle, visit oracle.com.

Palo Alto Networks is the network security company. Its next-generation firewalls enable unprecedented visibility and granular policy control of applications and content at up to 20Gbps with no performance degradation. Its firewalls accurately identify and control applications regardless of port, protocol, evasive tactic or SSL encryption, and scan content to stop threats and prevent data leakage. Palo Alto Networks extends this same network security to remote users with GlobalProtect and combats targeted malware with WildFire.

Quest One Identity Solutions simplify identity and access management to increase compliance, security and efficiency. Our modular yet integrated approach features a broad portfolio of award-winning solutions that simplify access governance, user activity monitoring, privileged account management and identity administration. Unlike traditional framework solutions, Quest One provides granular enforcement across heterogeneous systems with 360-degree business visibility – and rapid time to value! Learn why Quest One earned SC Magazine’s highest five-star RECOMMENDED rating or visit www.quest.com/identity-management.

Founded in 2002, Secunia is the leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats and risks across their networks and endpoints. Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base.

Solutionary reduces the information security and compliance burden, delivering flexible managed security services that align with client goals, enhancing organizations’ existing security program, infrastructure and personnel. Services are based on experienced security professionals, data-driven and actionable threat intelligence, and the ActiveGuard service platform that provide expert security and compliance management. Solutionary works as an extension of clients’ internal teams, providing industry-leading customer service, thought leadership, years of innovation and proprietary certifications that exceed industry standards.

Guided by its vision of Dynamic Security for the Global Network, SonicWALL develops advanced intelligent network security and data protection solutions that adapt as organizations evolve and as threats evolve. Trusted by enterprises worldwide, SonicWALL solutions are designed to detect and control applications and protect networks from intrusions and malware attacks through award-winning hardware, software and virtual appliance-based solutions. For more information, visit http://www.sonicwall.com/

Sourcefire, Inc. (Nasdaq: FIRE) is a world leader in intelligent cybersecurity solutions. Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s Next-Generation IPS™, Next-Generation Firewall™, virtual, and anti-virus/malware solutions equip customers with an efficient and effective layered security defense - protecting network assets before, during and after an attack. Today, the name Sourcefire has grown synonymous with innovation and cybersecurity intelligence. For more information: http://www.sourcefire.com.

Splunk® Inc. provides the engine for machine data™. Splunk software collects, indexes and harnesses the machine data continuously generated by the websites, applications, servers, networks and mobile devices that power business. Splunk software enables organizations to act on massive streams of real-time and historical machine data. More than 3,300 customers in over 75 countries use Splunk Enterprise to gain operational intelligence that deepens business understanding, improves service and uptime, reduces cost and mitigates cyber-security risk.

Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with Internet content, security and threat management solutions. We deliver top-ranked client, server, and cloud-based security to fit customer and partner needs, stop threats faster, and protect data in physical, virtualized and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our technology, products, and services stop threats where they emerge. For more information, visit www.trendmicro.com.

Tripwire is a leading global provider of IT security and compliance automation solutions. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. Trustwave has helped thousands of organizations - ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers - manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com.

Veracode provides the world’s leading Application Risk Management Platform. Veracode SecurityReview’s patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk. www.veracode.com

Founded in 2001, WhiteHat Security provides end-to-end solutions for Web security. The company’s cloud technology platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, is the website security solution of choice, covering thousands of websites in every industry including ecommerce, finance and healthcare. www.whitehatsec.com

SILVER SPONSORS

21st Century Software, Inc.
Absolute Software Corp.
AccessData Group
ActivIdentity Inc.
Agiliance
AirWatch
Alert Enterprise Inc.
Approva, an Infor affiliate
Aveksa
BeyondTrust Software
Bit9, Inc.
Blue Coat Systems
Booz Allen Hamilton
Bradford Networks
BreakingPoint
Centrify
CloudLock
CloudPassage
ControlPanelGRC
COOP Systems
Courion Corporation
Critical Watch
Cyber-Ark Software
Cyveillance, a QinetiQ Company
Damballa
Digital Defense, Inc.
Fiberlink
FireEye, Inc.
FireMon
Fischer International Identity
ForeScout Technologies, Inc.
Fortinet
FoxT
Hitachi ID Systems, Inc.
HP Enterprise Security
Imperva
Lancope
LogRhythm, Inc.
Lumension®
M86 Security
Mandiant
MetricStream
Mimecast
Modulo LLC
nCircle
NetIQ
NSFOCUS
Okta
PhishMe Incorporated
PhoneFactor
Rapid7
RedSeal Networks, Inc.
Rsam
SailPoint
SecureAuth Corporation
Silverback MDM
Skybox Security, Inc.
Solera Networks
SSH Communications Security
Tenable Network Security, Inc.
Thomson Reuters
TrustSphere
Tufin Technologies
Venafi, Inc.
Verdasys
VMware
Vormetric, Inc.
Xceedium, Inc.
ZixCorp

MEDIA PARTNERS

Technology Evaluation Centers

BECOME A SPONSOR

Stephen Gibertoni, Sales Director, +1 203 316 [email protected]
Silas Mante, Account Manager, +1 203 316 [email protected]
John Forcino, Account Manager, +1 203 316 [email protected]
David Sorkin, Senior Account Manager, +1 203 316 [email protected]
Krista Way, Account Manager, +1 203 316 [email protected]

AGENDA AT A GLANCE

Programs: CISO | IT Security | BCM | Risk and Compliance | Business of Security and Risk
Tracks: The CISO; Infrastructure Protection; Secure Business Enablement; Business Continuity Management; Enterprise and Operational Risk Management; Managing Legal and Compliance Risk; The Business of IT Security and Risk

Sunday, June 10
4:00 p.m. Registration

Monday, June 11
7:00 a.m. Registration
8:30 a.m. T1. FedRAMP Focus: Government Strategies for Secure Use of Cloud John Pescatore
T2. Best Practices for Owning Your Airwaves to Provide Security, Maximize Performance and Mitigate Interference Tim Zimmerman
T3. Top Security Trends and Take-Aways for 2012 and 2013 Ray Wagner
T4. IAM RFP: Choosing the Best Solutions for Your Business Earl Perkins
T5. BCM Maturity: Where We Are, Where We Should Be Going John P. Morency, Roberta J. Witty
10:00 a.m. K1a. Welcome and Opening Remarks Vic Wheatman
10:15 a.m. K1b. Opening Keynote Strategic Road Maps for IT Security and Risk Management Andrew Walls
11:30 a.m. A1. Security and Risk Management as a Social Science Tom Scholtz
B1. The Security State of the Cloud Jay Heiser
C1. Road Map: The Next Generation of Firewalls and IPS Greg Young
D1. Protecting Your Network in the Era of BYOD Lawrence Orans
E1. Higher, Faster, Stronger: The Performant IAM Program Ant Allan
F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11 John P. Morency, Roberta J. Witty
G1. Road Map: Privacy, Marketing and Behavior Tracking — A Risky Mandate Andrew Frank
H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance Debra Logan, Jeffrey Wheatman
J1. Security Markets Worldwide 2012 Eric Ahlm, Ruggero Contu
12:30 p.m. Attendee Lunch and Solution Showcase Dessert Reception
1:00 p.m. Theater Presentations
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell Moderators: Neil MacDonald, Earl Perkins
3:45 p.m. Solution Provider Sessions
5:00 p.m. A2. Security Program Management Overview F. Christian Byrnes
B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees Joseph Feiman
C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence Neil MacDonald
D2. Taking Privacy to the Next Level With a Privacy Program Carsten Casper
E2. Road Map: IAM Operations — The IAM Data Model Earl Perkins
F2. Case Study: Intel’s Response to the Fukushima Earthquake/Tsunami Jeff Selvala, Director, Assembly Test Global Materials, Intel; Roberta J. Witty
G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM John A. Wheeler
H2. The Corporate Ethics Game Show: “Let’s Make a Deal” or “Jeopardy!”? Joseph E. Schmitz, former DoD IG; John Bace, John Marshall Law School
J2. IT Security Survey: 2011-2012 Study Results and Trends Analysis Ruggero Contu, Lawrence Pingree
6:00 p.m. Solution Showcase Evening Reception

Tuesday, June 12
7:00 a.m. Registration; Breakfast by Role and Industry
8:15 a.m. A3. When Risk Management Does More Harm Than Good: RM 101 Jay Heiser
B3. The Endpoint Protection Platform in the Age of Tablets and Clouds Peter Firstbrook
C3. Monitoring Users for Security Intelligence: Threats and Opportunities Andrew Walls
D3. Road Map: Operationalizing Encryption Eric Ouellet
E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise Perry Carpenter
F3. Case Study: Teleworking Through a Disaster John Girard, Roberta J. Witty
G3. General Session Untangling the Multimillion-Dollar Madoff Ponzi Scheme David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner
J3. Technical Insights: The Art of Saying Yes — Selling Application Security to Architects and Developers Ramon Krikken
9:30 a.m. Solution Provider Sessions
10:45 a.m. A4. Metrics That Matter Jeffrey Wheatman
B4. Case Study: The World Trade Center’s Situational Awareness Platform Lou Barani, Director of Security, World Trade Center; Moderator: Jeff Vining
C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet? John Girard, Lawrence Pingree
D4. Technical Insights: Operationalizing PCI DSS Compliance Anton Chuvakin
E4. Layered Fraud Prevention for Land-Based and Mobile Computing Avivah Litan
F4. Case Study: Demographics — An Unknown BCM Risk Steve Hannah, Manager, Disaster Recovery, Waddell & Reed
G4. Seven Keys to Successful and Cost-Effective Risk Oversight John A. Wheeler
H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 1. View From the Bench Debra Logan, Lew Schwartz, Judges Panel
J4. SWOT Analysis: IBM and HP Application and Data Security Joseph Feiman
11:45 a.m. Solution Showcase Lunch; Theater Presentations
2:00 p.m. A5. Security and Risk Governance: It’s Much More Than Just Reporting F. Christian Byrnes, Tom Scholtz
B5. Road Map: Secure Email Communications With Partners and Customers Peter Firstbrook
C5. Case Study: DoD’s Approach to Security Testing Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps
D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence Dan Blum
E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It) Perry Carpenter, Andrew Walls
F5. Crisis/Incident Management Overview Leif Eriksen, Roberta J. Witty
G5. Global Supply Chain Risk: Perception and Management Hiranya Fernando
H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 2. View From the Practitioners Debra Logan, Lew Schwartz, Outside Panel
J5. Security Investors Perspectives Panel Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman
3:15 p.m. Solution Provider Sessions
4:30 p.m. A6a. Net IT Out: Articulating the Business Value of Information Security Tom Scholtz
B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely Jay Heiser
C6a. Net IT Out: Technical Insights — Securing Browser-Based Applications Mario de Boer
D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management Carsten Casper
E6a. Net IT Out: One-Time-Password Hardware Tokens — Going, Going … Not Quite Gone Ant Allan
F6a. (4:30 p.m.) and F6b. (4:55 p.m.) Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty
G6a. Net IT Out: The Realities of Cyberinsurance John A. Wheeler
H6a. Net IT Out: Compliance Controls — When Are Yours Too Old? Khushbu Pratap
J6. Security Market Gartner Magic Quadrant Overview Greg Young
4:55 p.m. A6b. Net IT Out: Developing the Key Competencies of the New Security Team Tom Scholtz
B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology Rob McMillan
C6b. Net IT Out: Road Map — Gaining Control of Consumerization Lawrence Orans
D6b. Net IT Out: Job Security in Cloud Era — Will Jobs Stay or Vaporize? Joseph Feiman
E6b. Net IT Out: The Undeath of PKI Eric Ouellet
G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools — A Use Case Approach Paul E. Proctor
H6b. Net IT Out: SAS 70 Is Gone — So What Are the Alternatives? French Caldwell
5:30 p.m. K3. Guest Keynote Cybersecurity: A View From the White House Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
7:00 a.m. Registration
7:30 a.m. Breakfast With the Analysts
8:30 a.m. A7. How to Run, Grow and Transform Your Risk and Security Program Paul E. Proctor
B7. SIEM for Hybrid Technology and Services Deployments Kelly M. Kavanagh, Mark Nicolett
C7. Technical Insights: Mobility and Security — Gartner Field Research Project on Mobility and Consumerization Eric Maiwald
D7. Operationalize Social Media to Improve Security Performance Andrew Walls
E7. Q&A Session: The Identity and Access Management Marketplace Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner
F7. Strategies for Achieving Continuous Application Availability Donna Scott
G7. General Session Enterprise and Operational Risk Management: Directors Roundtable — What the Board Wants French Caldwell, Dale Kutnick, Panelists
J7. Security Journalists and Bloggers Panel Moderator: Greg Young
9:45 a.m. Solution Provider Sessions
11:00 a.m. W1. Workshop: ITScore For Security Management F. Christian Byrnes
B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud Anton Chuvakin
C8. Deep Dive Into Internet Infrastructure Attacks Lawrence Orans, John Pescatore
W2. Workshop: ITScore for Privacy Carsten Casper
W3. Workshop: ITScore for IAM Perry Carpenter, Ray Wagner
F8. Can I Recover Through the Cloud? John P. Morency, Sheila Childs
G8. Risk-Adjusted Value Management Paul E. Proctor
H8. Internal Auditors: Why They Do What They Do Khushbu Pratap
J8. SWOT Analysis: McAfee, Symantec, Cisco Eric Ahlm, Ruggero Contu, Peter Firstbrook
12:00 p.m. Solution Showcase Lunch; Exhibits and Theater Presentations
1:30 p.m. A9. Optimizing the Information Security Organization Jeffrey Wheatman
B9. The New Dangers of Machine to Machine (M2M) in the Enterprise Tim Zimmerman
C9. Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management Mark Nicolett
D9. Case Study: TBA
E9. Managing Identity and Access in the Hybrid World Gregg Kreizman
F9. Best Practices in Recovery Exercising John P. Morency
G9. Technical Insights: Road Map — Managing Multinational Privacy Risks in the Cloud Ian Glazer
H9. Improving Your Social Risk IQ French Caldwell
J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security Neil MacDonald, Lawrence Pingree
2:45 p.m. Solution Provider Sessions
4:00 p.m. A10. Ignore Enterprise Data Protection at Your Peril Jeffrey Wheatman
B10. The Mobile Security Brothers Traveling Roadshow John Girard, John Pescatore
C10. NIST’s National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage Steve Hawald
D10. Technical Insights: SaaS Email Security — Trust Versus Technology Dan Blum
E10. Socrates Was Wrong: A Debate Rob McMillan, Andrew Walls, Earl Perkins, Tom Scholtz, Vic Wheatman
F10. Panel: Educating Boards of Directors and Management in the Business Case for BCM Moderator: Roberta J. Witty
G10. Six CIO Risk Techniques to Please Your Board French Caldwell
H10. Managing Litigation and Regulatory Risks of Big Data Sheila Childs
J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps Joe Fuller, Dominion Enterprises
5:15 p.m. K4. Guest Keynote Information Security and Technology In General — Problem Solved. You’re Welcome John Hodgman, Actor, Author and Correspondent for “The Daily Show”
6:15 p.m. Summit Party — VIP Boat Cruise

Thursday, June 14
7:30 a.m. Registration; Breakfast by Industry and Role
8:00 a.m. A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy Rob McMillan, Tom Scholtz
B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats Neil MacDonald
C11. Manage Your Security Vendors or Be Mangled Greg Young
W4. (8 – 10 a.m.) Workshop: Securing the Access Layer — Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees Lawrence Orans, Tim Zimmerman
E11. Case Study: Securing the Digital Nation — The New Frontier of Cybersecurity Training and Education Keith Gordon, Senior Vice President, Security and Fraud and Enrollments, Online and Mobile Channels, Bank of America
W5. (8:00 – 11:30 a.m.) Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification John P. Morency, Roberta J. Witty
W6. Workshop: Policy Critique Jay Heiser
W7. (8:00 – 9:00 a.m.) Workshop: Implementing COBIT 5 Robert Stroud, ISACA’s Strategy Advisory Council
9:15 a.m. A12. Road Map: Intelligent Information Governance 2012 Debra Logan
B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector Doug Simmons, Gartner Consulting
C12. Network Security Open Q&A Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
E12. Technical Insights: Endpoint Virtualization Security Considerations Mario de Boer
W8. (9:15 – 11:30 a.m.) Workshop: Creating Key Risk Indicators for Your Company Paul E. Proctor
H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence Benjamin Wright, SANS Institute
10:30 a.m. A13. Trust: The Elusive Final Ingredient Jay Heiser
C13. Technical Insights: Network Security Architecture for Internal Private Clouds Eric Maiwald
D13. Developing and Implementing a Superior Mobile Device Policy John Girard
H12. Road Map: Intelligent Information Governance 2012 Debra Logan
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments Ray Wagner

Agenda as of April 3, 2012, and subject to change

REGISTRATION

EARLY-BIRD DISCOUNT EXTENDED!

Save $300 when you register by April 20.

Early-bird price: $1,995
Standard price: $2,295
Public-sector price: $1,895

3 easy ways to register
Web: gartner.com/us/securityrisk
Email: [email protected]
Phone: 1 866 405 2511

Gartner clients
A Gartner ticket covers all four days of the summit. Contact your account manager or email [email protected] to register using a ticket.

Bring your team and save!
We’ve designed a program that will help teams of four to 25 maximize the summit experience while on-site and long after the event is over.

Team Benefits
• Team meeting with a Gartner analyst (end users only)
• Role-based agendas
• On-site team contact: Work with a single point of contact for on-site team deliverables
• Complimentary registrations

Complimentary Registrations
• 1 complimentary registration reward with 3 paid registrations
• 2 complimentary registration rewards with 5 paid registrations
• 3 complimentary registration rewards with 7 paid registrations

To register a team please email [email protected] or contact your Gartner account manager.

Become a Gartner client
Phone: +1 203 316 1111
Email: [email protected]

SPECIAL GARTNER HOTEL ROOM RATE

$240 per night (plus tax) at the Gaylord National

A limited supply of rooms is available at a special government rate of $229.

Gaylord National Hotel and Convention Center
201 Waterfront Street
National Harbor, MD 20745
Phone: +1 301 965 4000
gaylordhotels.com



Gartner, Inc.
56 Top Gallant Road
Stamford, CT 06902-7700

PO Box 29307
Shawnee, KS 66201


GLOBAL SECURITY & RISK MANAGEMENT EVENTS

Gartner Security & Risk Management Summit 2012 July 16–17 | Sydney, Australia
Gartner Security & Risk Management Summit 2012 September 19–20 | London, U.K.

CONNECT WITH GARTNER

Connect with the Gartner Security & Risk Management Summit 2012 on Twitter and LinkedIn.
#gartnersecurity
Gartner Security & Risk Management (xChange)

© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Risk-Adjusted Value Management is a trademark of Gartner or its affiliates. For more information, [email protected].


Intelligence for today’s business-critical IT security and risk management function
