Gartner Security & Risk Management Summit 2012
June 11 – 14 | National Harbor, MD
gartner.com/us/securityrisk
Visit gartner.com/us/securityrisk or call 1 866 405 2511 to register
FIVE COMPLETE PROGRAMS
CISO Program
IT Security
Business Continuity Management
Risk Management and Compliance
New! The Business of IT Security and Risk
Strategic road maps to secure the enterprise and reduce risk
Challenges abound for those charged with making sure business is secure and resilient in the face of threat and adversity. Enterprises of every stripe face a dangerous threat landscape that is evolving rapidly, thanks to swift-moving trends such as cloud, mobile and social technologies. New anti-fraud, anti-corruption and other regulatory changes pose more challenges. Complexity is rising, big data keeps getting bigger and lean budgets require you to deliver more with every investment.
At the same time, as growth returns to the business cycle, risk management culture is growing in sophistication and relevance across the organization. Embracing and managing risk while mitigating vulnerabilities and becoming more resilient becomes a critical discipline for business success.
As the premier gathering of enterprise IT security and risk management executives, the Gartner Security & Risk Management Summit 2012 takes a comprehensive look at the entire spectrum of IT security, business continuity management and risk, including: network and infrastructure security, identity and access management, compliance, privacy, fraud, business continuity management and resilience. This year’s summit offers over 140 sessions and five in-depth, role-based programs:
• CISO Program
• IT Security
• Risk Management and Compliance
• Business Continuity Management (BCM)
• New! The Business of IT Security and Risk
HOT TOPICS
• Advanced persistent threats and vulnerabilities
• Secure mobile applications
• Cloud and security
• E-discovery and information governance
• Network and infrastructure security
• Social media and security
• Crisis/incident management
• Supply chain risk management
• Identity and access management
• Enterprise risk management
• Regulatory compliance
• Privacy
EARN CPE CREDITS
Attending the summit helps you advance your continuing professional education (CPE). Registered participants are eligible to earn CPE credits toward ISC2, ISACA, DRII, and IAPP certification programs. Learn more at gartner.com/us/securityrisk.
WHAT’S NEW FOR 2012
• Additional program added to the agenda! The Business of IT Security and Risk
• New keynote format! Mastermind Interview With Michael Dell, CEO, Dell
• Special CISO-only sessions and networking opportunities
• Special workshop! Implementing BCM Standards for BCM Maturity and Organizational Certification
• Enhanced Risk Management and Compliance Program! New research on legal and regulatory risk trade
• Advanced CISO virtual track! Advanced sessions for those with experience in the CISO role
• New Gartner Magic Quadrant technology evaluations
• More opportunities to interact with vendors! More than 90 solution providers on-site
WHO SHOULD ATTEND?
• CIO, CSO, CISO, CRO, CFO, CCO, CGO, CLO, CPO and CTO titles
• IT vice presidents and directors
• Governance, risk, compliance, and privacy executives, directors and managers
• Senior business executives
• General counsel
• Finance, audit, legal risk and compliance and regulators
• Enterprise and operational risk managers
• Business continuity, disaster recovery managers
TABLE OF CONTENTS
4 Summit Programs
5 Virtual and Vertical Tracks
6 Keynote Sessions
7 CISO Program
9 IT Security Program
12 BCM Program
14 Risk Management Program
16 The Business of IT Security and Risk Program
17 Session Descriptions
27 Solution Showcase
30 Agenda at a Glance
33 Registration
Gain practical insight to improve your IT security and risk management strategy
If you’re tasked with protecting critical infrastructure, you’ll benefit tremendously from four days of intensive, practical learning, including how to:
• Structure and manage each of your individual IT risk programs
• Balance and coordinate those programs
• Make IT risk programs more efficient and effective
• Select approaches and vendor solutions
• Articulate security and risk requirements in business language
• Integrate BCM with overall risk and security programs
EXCLUSIVE! CISO AND CRO INVITATIONAL PROGRAMS
Concurrent with the summit, CISO and CRO Invitational Programs provide a forum for the exploration of top-of-mind leadership, IT security, privacy and risk management issues for CISOs, CSOs and CROs. In these intensive programs, guest executives meet with leading technology providers to exchange ideas and strategies. Participation includes gratis travel, hotel and registration and is by invitation only on a first-come, first-served basis. To learn more and apply, visit gartner.com/us/securityrisk.
BENEFITS OF ATTENDING
“By 2015, enterprises will be forced to implement integrated GRC to support converged IT and corporate governance, as well as improvement of business performance.” (2012 Gartner Predicts)
Five complete programs deliver in-depth insight
Chaired by experts in each discipline, five distinct agenda programs facilitate a more targeted learning and networking experience.
CISO Program
You’ve got the job; now what? Being CISO means understanding the big picture and articulating it clearly to the highest levels of the organization. Critical criteria for success include evaluating enterprise risk, dealing with legal issues and understanding security architecture. In recommended and exclusive CISO-only sessions, new CISOs can get up to speed while veterans update their insights. And for those who are more experienced, we have added an Advanced CISO virtual track.
IT Security
Both business and technology issues affect how well organizations protect themselves from threats and vulnerabilities, and how effectively they step up to opportunities. From the cloud to the network, from protecting applications and data to keeping mobile and remote computing safe, security has a direct impact on the bottom line. Here we look at important updates in key trends, big-picture strategy and technical specifics. Plus, we take a deep dive into a variety of security architectures with our Technical Insights virtual track.
Business Continuity Management
How does the enterprise ensure continuing business operations and systems availability when a business interruption occurs anywhere in the organization? In these sessions, we give you the tools to anticipate the unanticipated and work to reinforce a discipline of risk management, response, recovery and resilience in the corporate culture.
Risk Management and Compliance
Measuring and managing risk, and complying with a variety of global rules, regulations and laws about financial transactions and privacy, have become critical components of successful operations in the worldwide environment. This program focuses on technologies and strategies to improve governance, manage risk and conform to the letter and spirit of the law.
NEW! The Business of IT Security and Risk
How big is the security and risk market for software and services, and who are the market leaders? Where are the innovations coming from? What new threats are being addressed by point solutions? This all-new program looks at this extremely dynamic market, presenting the financial and strategic views that CISOs, investors and media need to make informed evaluations.
SUMMIT PROGRAMS
ANALYST ONE-ON-ONES
Meet face to face with a Gartner analyst in up to two personalized 30-minute private appointments to discuss your specific risk management and compliance issues. Walk away with invaluable, tailor-made advice that you can apply to your role and your organization immediately. Preregistration is recommended.
ANALYST-USER ROUNDTABLES
Join us for a hosted peer group discussion with your end-user peers, moderated by a Gartner analyst lending his or her expertise to assist you. Share the latest best practices among your peers. Preregistration is recommended.
TECHNICAL INSIGHTS SESSIONS
This year’s summit features a virtual track on Technical Insights that provides detailed, technically oriented guidance on architecture and planning considerations for protecting information associated with new devices and service hosting models.
VIRTUAL AND VERTICAL INDUSTRY TRACKS
Virtual and vertical industry tracks make it easy to follow a key trend, hot topic or address industry issues in relevant sessions pulled from across all five conference programs. To further customize any track, visit the Agenda Builder at gartner.com/us/securityrisk.
Virtual tracks
Mobility and Security: Business-critical system and data issues emerging from new wireless technologies
Cybersecurity: Cybersecurity issues, such as organized teams of hackers, that impact both the private and public sectors
Cloud Computing: The new imperative to know your risk profile, understand the risks cloud computing can create, minimize those risks, and move forward appropriately
Privacy: Emerging technologies that have an impact on privacy, but also those that can help to protect personal information, and how to pay for them
Identity and Access Management: How IAM can evolve and mature to help businesses weather today’s volatile and rapid change
Managing Legal and Regulatory Risk: How the IT organization can better support the chief legal officer and corporate compliance officer as they face a proliferation of regulation and litigation
Advanced CISO: Take your professional development to the next level with sessions to address specific business needs
Technical Insights: Explore the architecture and planning considerations for protecting information associated with new devices and service hosting models
Social Media: What can be done about the risks of emerging social media and how do they balance against the opportunities?
Vertical industry tracks
Financial Services: Fighting fraud while keeping online banking seamless and efficient
Government: Developing cohesive national cybersecurity initiatives in partnership with consumers and the public sector
Healthcare: Increasing quality of service delivery, reducing compliance costs and anticipating healthcare reform while maintaining patient privacy and protecting intellectual property
Energy/Utilities: Establishing effective and efficient “smart grid” technology while combating fraud, cyberattacks and the loss of control
Manufacturing: Managing increasingly interconnected and complex control networks while reducing costs, maintaining system integrity and protecting proprietary data
MAXIMIZE YOUR EXPERIENCE WITH OUR UNIQUE CONFERENCE FEATURES
First-class peer networking
Engage in informal and structured networking opportunities such as workshops, networking breakfasts by industry, conference receptions and more.
Hands-on workshops
These small group workshops immerse you in real-world problem solving, with practical take-aways.
Tutorials
Join us for our complimentary preconference sessions to get up to speed and gain an overall perspective on security and risk management terms and definitions.
Solution Provider Showcase
Meet with today’s leading and emerging security and risk management solution providers all under one roof, and get the latest information and demos on new products and services.
KEYNOTE SESSIONS
Guest keynotes
Mastermind Interview With Michael Dell, Chairman and CEO, Dell
It’s been over a year since Dell made its move into information security by acquiring SecureWorks, a managed security services provider. The transition from being a stand-alone, pure-play security provider to a unit within a larger IT vendor often causes organizational integration issues or loss of focus, but Dell has had a positive view. What’s on the road map for Dell, how does it see information security and what are its prospects? Chairman of the Board and CEO Michael Dell answers the analysts’ and your questions about Dell, security and risk.
Information Security and Technology in General — Problem Solved. You’re Welcome
“The Daily Show” correspondent and PC personified in the long-running Mac vs. PC ad campaign, John Hodgman, has done it all, from TV and film to best-selling books. He has been seen on HBO’s “Bored to Death” and “Flight of the Conchords,” and in movies like “Arthur,” “The Invention of Lying” and “Baby Mama.” As an author, his first book was “The Areas of My Expertise,” followed by “More Information Than You Require.” His final book in this trilogy on complete world knowledge is “That Is All.”
Cybersecurity: A View From the White House
Howard Schmidt is Cybersecurity Coordinator and Special Assistant to the President (Accepted), former vice chair of the President’s Critical Infrastructure Protection Board, and former Chief Information Security Officer at Microsoft and eBay. Here he discusses the Obama administration’s effort to reduce cyberthreats. This includes the administration’s legislative proposals and plans to protect critical infrastructure such as the electric grid, transportation systems and Wall Street, as well as protecting U.S. military defenses and businesses from cyberattacks.
Gartner keynotes
Opening Keynote: Strategic Road Maps for IT Security and Risk Management
A security leader’s mission is to road-map a security strategy and drive operations to effectively and efficiently sustain business performance in dynamic and chaotic environments. This session looks at the overall risk management programs within organizations working toward that goal.
Closing Insights and a Review of “Aha” Moments
By the end of the conference, attendees, sponsors and Gartner analysts each gain new insights, so we conclude the event by sharing what we have learned, or our “aha” moments. Through interviews and social media, the session reveals valuable insights gathered during the week. Gartner analysts each have a few minutes to share their new insights. We then turn to the audience for an open discussion. It is a great way to crystallize ideas to take back to your team, coupled with a touch of humor to close the conference.
Keynote speakers
Michael Dell, Chairman and CEO, Dell
Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)
John Hodgman, Actor, Author and Correspondent for “The Daily Show”
Andrew Walls, Director, Gartner Research
Ray Wagner, Managing Vice President, Gartner Research
CISO PROGRAM
HOT TOPICS
• Enterprise security intelligence
• Business-IT security alignment
• Governance and policy setting
• Privacy regulations policy
• Corporate risk management
• Business value of information security
• Enterprise security strategy and architecture
• Creating a risk-aware culture
• Legal implications associated with information security
• Advanced analytics and operational metrics best practices
You’ve got the job; now what? Being a CISO means having the big picture and articulating it clearly and compellingly to the highest levels of the organization. Evaluating enterprise risk, dealing with legal issues and comprehending the impact of a security architecture overlay are all critical criteria for success.
From metrics that matter, to enterprise data protection, to articulating the business value of IT security, key topics get in-depth treatment that cover the latest tools, research and insights. The agenda includes a thoughtful mix of practical sessions, such as how to develop key competencies in a new security team, and big-picture insights, including sessions on security as a social science and the importance of trust.
Featuring exclusive networking events for CISO Program attendees and plenty of opportunities to put your questions directly to the analysts, this is a rich learning environment designed to help you evaluate, run and improve your security and risk management programs. This year’s CISO Program includes both foundational and advanced sessions to deliver the information you need to succeed at every stage in your career.
Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
F. Christian Byrnes, Managing Vice President
Rob McMillan, Director
Tom Scholtz, Vice President and Distinguished Analyst
Jay Heiser, Vice President
Paul E. Proctor, Vice President and Distinguished Analyst
Jeffrey Wheatman, Director
“Through 2016, 75% of CISOs who experience publicly disclosed security breaches, and lack documented, tested response plans, will be fired.” (2012 Gartner Predicts)
CISO AGENDA
Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks. Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management. Andrew Walls
11:30 a.m. A1. Security and Risk Management as a Social Science. Tom Scholtz
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell. Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. A2. Security Program Management Overview. F. Christian Byrnes
Tuesday, June 12
8:15 a.m. A3. When Risk Management Does More Harm Than Good: RM 101. Jay Heiser
10:45 a.m. A4. Metrics That Matter. Jeffrey Wheatman
2:00 p.m. A5. Security and Risk Governance: It’s Much More Than Just Reporting. F. Christian Byrnes, Tom Scholtz
4:30 p.m. A6a. Net IT Out: Articulating the Business Value of Information Security. Tom Scholtz
4:55 p.m. A6b. Net IT Out: Developing the Key Competencies of the New Security Team. Tom Scholtz
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)
Wednesday, June 13
8:30 a.m. A7. How to Run, Grow and Transform Your Risk and Security Program. Paul E. Proctor
11:00 a.m. W1. Workshop: ITScore for Security Management. F. Christian Byrnes
1:30 p.m. A9. Optimizing the Information Security Organization. Jeffrey Wheatman
4:00 p.m. A10. Ignore Enterprise Data Protection at Your Peril. Jeffrey Wheatman
5:15 p.m. K4. Guest Keynote: Information Security and Technology in General — Problem Solved. You’re Welcome. John Hodgman, Actor, Author and Correspondent for “The Daily Show”
Thursday, June 14
8:00 a.m. A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy. Rob McMillan, Tom Scholtz
9:15 a.m. A12. Intelligent Information Governance 2012. Debra Logan
10:30 a.m. A13. Trust: The Elusive Final Ingredient. Jay Heiser
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments. Ray Wagner
SPECIAL AGENDA FOR CHIEF RISK OFFICER, CHIEF LEGAL OFFICER, CHIEF COMPLIANCE OFFICER
Critical business uncertainties like reputational risks, regulatory proliferation and increasing litigation costs all require risk intelligence to support critical business decisions. The technology to support risk management and compliance is also advancing. It must be scalable to the entire enterprise and enable collaboration between multiple risk management activities, such as auditing, legal, finance, IT and compliance functions. Reporting and analytics must be on-demand in order to support business decisions and short-notice requests from regulators. Information governance, e-discovery and controls automation technologies must be in place to prevent problems in the first place, and to automate labor-intensive processes.
To provide insight into critical governance, risk and compliance technologies, Gartner is pleased to offer a special agenda for senior business executives who have risk management, legal and compliance responsibilities.
CISO INVITATIONAL PROGRAM FEATURES
• Direct interaction with analysts
• The latest research on top priorities for CISOs
• Boardroom case study presentations with leading solution providers
• Advanced CISO virtual track for more experienced CISOs
• C-level-only roundtable discussions
• Exclusive CISO networking events
• Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell
• Security management workshop
CRO INVITATIONAL PROGRAM FEATURES
• Direct interaction with analysts
• The latest research on top priorities for CROs
• Boardroom case study presentations with leading solution providers
• CRO roundtable discussions
• Exclusive CRO networking events
• Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell
IT SECURITY
HOT TOPICS
• Mobile application and security
• Social media and security
• Consumerization
• Advanced persistent threats
• Cybersecurity
• Cloud computing security
• Securing the virtualized data center
• Critical infrastructure protection
• Fraud detection
• Endpoint security
Given the complexity and seriousness of today’s threat environment, it’s no wonder the IT Security Program includes more than 60 analyst sessions that cover everything from privacy to fraud prevention to emerging technologies, and everything in between. Our team of security analysts will be on-site to meet with attendees, present their latest research, answer questions and lead roundtable discussions focusing on today’s most urgent security topics.
You’ll find multiple sessions that cover such rapidly evolving trends as mobile, cloud and social technologies, as well as privacy concerns, consumerization, network access control, the next generation of threats and more. The program agenda features:
• Eight analyst-user roundtables on such topics as privacy, application security and cloud risks
• Four tutorials on choosing solutions, understanding trends and more
• Six Technical Insights sessions that drill down on best practices in cloud, mobile and virtualization
• New case studies, including The World Trade Center’s Situational Platform, and others on cybersecurity and creating a secure community cloud
• Plus, three workshops, eight “just the facts” Net IT Out sessions, networking events and much more
“Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities.” (2012 Gartner Predicts)
MEET THE ANALYSTS
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
Earl Perkins, Vice President
Tom Scholtz, Vice President and Distinguished Analyst
Joseph Feiman, Vice President and Gartner Fellow
Andrew Walls, Director
Jay Heiser, Vice President
Tim Zimmerman, Director
Avivah Litan, Vice President and Distinguished Analyst
Mark Nicolett, Managing Vice President
John Pescatore, Vice President and Distinguished Analyst
Doug Simmons, Vice President, Gartner Consulting
Peter Firstbrook, Director
Vic Wheatman, Vice President
Kelly M. Kavanagh, Principal Analyst
Neil MacDonald, Vice President and Gartner Fellow
Lawrence Orans, Vice President
Lawrence Pingree, Director
Carsten Casper, Director
Anton Chuvakin, Director
Mario de Boer, Director
Ray Wagner, Director
John Girard, Vice President and Distinguished Analyst
Greg Young, Vice President
Gregg Kreizman, Director
Eric Maiwald, Vice President
Rob McMillan, Director
Eric Ouellet, Vice President
Steve Hawald, Director
Ant Allan, Vice President
Dan Blum, Vice President and Distinguished Analyst
Perry Carpenter, Director
IT SECURITY AGENDA
Tracks: Infrastructure Protection; Secure Business Enablement
Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks. Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management. Andrew Walls
11:30 a.m.
B1. The Security State of the Cloud. Jay Heiser
C1. Road Map: The Next Generation of Firewalls and IPS. Greg Young
D1. Protecting Your Network in the Era of BYOD. Lawrence Orans
E1. Higher, Faster, Stronger: The Performant IAM Program. Ant Allan
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell. Moderators: Neil MacDonald, Earl Perkins
5:00 p.m.
B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees. Joseph Feiman
C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence. Neil MacDonald
D2. Taking Privacy to the Next Level With a Privacy Program. Carsten Casper
E2. Road Map: IAM Operations — The IAM Data Model. Earl Perkins
Tuesday, June 12
8:15 a.m.
B3. The Endpoint Protection Platform in the Age of Tablets and Clouds. Peter Firstbrook
C3. Monitoring Users for Security Intelligence: Threats and Opportunities. Andrew Walls
D3. Road Map: Operationalizing Encryption. Eric Ouellet
E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise. Perry Carpenter
10:45 a.m.
B4. Case Study: The World Trade Center’s Situational Awareness Platform. Lou Barani, Director of Security, World Trade Center; Moderator: Jeff Vining
C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet? John Girard, Lawrence Pingree
D4. Technical Insights: Operationalizing PCI DSS Compliance. Anton Chuvakin
E4. Layered Fraud Prevention for Land-Based and Mobile Computing. Avivah Litan
2:00 p.m.
B5. Road Map: Secure Email Communications With Partners and Customers. Peter Firstbrook
C5. Case Study: DoD’s Approach to Security Testing. Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps
D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence. Dan Blum
E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It). Perry Carpenter, Andrew Walls
4:30 p.m.
B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely. Jay Heiser
C6a. Net IT Out: Technical Insights — Securing Browser-Based Applications. Mario de Boer
D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management. Carsten Casper
E6a. Net IT Out: One-Time-Password Hardware Tokens — Going, Going … Not Quite Gone. Ant Allan
4:55 p.m.
B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology. Rob McMillan
C6b. Net IT Out: Road Map — Gaining Control of Consumerization. Lawrence Orans
D6b. Net IT Out: Job Security in the Cloud Era — Will Jobs Stay or Vaporize? Joseph Feiman
E6b. Net IT Out: The Undeath of PKI. Eric Ouellet
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)
Wednesday, June 13
8:30 a.m.
B7. SIEM for Hybrid Technology and Services Deployments. Kelly M. Kavanagh, Mark Nicolett
C7. Technical Insights: Mobility and Security — Gartner Field Research Project on Mobility and Consumerization. Eric Maiwald
D7. Operationalize Social Media to Improve Security Performance. Andrew Walls
E7. Q&A Session: The Identity and Access Management Marketplace. Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner
11:00 a.m.
B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud. Anton Chuvakin
C8. Deep Dive Into Internet Infrastructure Attacks. Lawrence Orans, John Pescatore
W2. Workshop: ITScore for Privacy. Carsten Casper
W3. Workshop: ITScore for IAM. Perry Carpenter, Ray Wagner
1:30 p.m.
B9. The New Dangers of Machine to Machine (M2M) in the Enterprise. Tim Zimmerman
C9. Road Map: Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management. Mark Nicolett
D9. Case Study: TBA
E9. Managing Identity and Access in the Hybrid World. Gregg Kreizman
4:00 p.m.
B10. The Mobile Security Brothers Traveling Roadshow. John Girard, John Pescatore
C10. NIST’s National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage. Steve Hawald
D10. Technical Insights: SaaS Email Security — Trust Versus Technology. Dan Blum
E10. Socrates Was Wrong: A Debate. Rob McMillan, Earl Perkins, Tom Scholtz, Andrew Walls, Vic Wheatman
5:15 p.m. K4. Guest Keynote: Information Security and Technology in General — Problem Solved. You’re Welcome. John Hodgman, Actor, Author and Correspondent for “The Daily Show”
Thursday, June 14
8:00 a.m.
B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats. Neil MacDonald
C11. Manage Your Security Vendors or Be Mangled. Greg Young
W4. (8:00–10:00 a.m.) Workshop: Securing the Access Layer — Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees. Lawrence Orans, Tim Zimmerman
E11. Case Study: Securing the Digital Nation — The New Frontier of Cybersecurity Training and Education. Keith Gordon, Senior Vice President, Security and Fraud and Enrollments, Online and Mobile Channels, Bank of America
9:15 a.m.
B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector. Doug Simmons, Gartner Consulting
C12. Network Security Open Q&A. Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
E12. Technical Insights: Endpoint Virtualization Security Considerations. Mario de Boer
10:30 a.m.
C13. Technical Insights: Network Security Architecture for Internal Private Clouds. Eric Maiwald
D13. Developing and Implementing a Superior Mobile Device Policy. John Girard
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments. Ray Wagner
BUSINESS CONTINUITY MANAGEMENT
HOT TOPICS
• BCM/IT DRM program management
• BCM standards and organization certification
• Supply chain risk management
• The business case for BCM
• Failing over into the cloud
• Disaster recovery
• Continuous application availability
• Social software and recovery
• Crisis and incident management
• Emergency/mass notification
• Recovery plan exercising
The business case for business continuity management has never been more convincing. Effective enterprise risk management, response, recovery and resilience are increasingly seen not only as requirements, but as potentially critical business advantages. In the BCM program, more than a dozen analyst sessions examine the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies.
Six leading Gartner analysts specializing in BCM will be on hand to present their latest research and answer questions on everything from achieving continuous application availability to recovery in the cloud, teleworking through a disaster, crisis management and much more. The program agenda includes:
• Two Gartner Magic Quadrant Net IT Out sessions that cover the BCM marketplace for tools and solutions
• Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising
• A tutorial on BCM maturity and evolution
• Plus a workshop on BCM standards and certification and BCM-focused networking events
Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
Leif Eriksen, Director
John P. Morency, Vice President
Jeff Vining, Vice President
Donna Scott, Vice President and Distinguished Analyst
Roberta J. Witty, Vice President
John Girard, Vice President and Distinguished Analyst
BCM AGENDA

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks. Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management. Andrew Walls

BCM: Business Continuity Management
11:30 a.m. F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11. John P. Morency, Roberta J. Witty
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell. Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. F2. Case Study: Intel’s Response to the Fukushima Earthquake/Tsunami. Jeff Selvala, Director, Assembly Test Global Materials, Intel; Roberta J. Witty

Tuesday, June 12
8:15 a.m. F3. Case Study: Teleworking Through a Disaster. John Girard, Roberta J. Witty
10:45 a.m. F4. Case Study: Demographics — An Unknown BCM Risk. Steve Hannah, Manager, Disaster Recovery, Waddell & Reed
2:00 p.m. F5. Crisis/Incident Management Overview. Leif Eriksen, Roberta J. Witty
4:30 p.m. F6a. (4:30 p.m.) and F6b. (4:55 p.m.) Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants. Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. F7. Strategies for Achieving Continuous Application Availability. Donna Scott
11:00 a.m. F8. Can I Recover Through the Cloud? John P. Morency, Sheila Childs
1:30 p.m. F9. Best Practices in Recovery Exercising. John P. Morency
4:00 p.m. F10. Panel: Educating Boards of Directors and Management in the Business Case for BCM. Moderator: Roberta J. Witty
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General — Problem Solved. You’re Welcome. John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14
8:00 a.m. W5. (8:00–11:30 a.m.) Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification. John P. Morency, Roberta J. Witty
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments. Ray Wagner
New Business Continuity Management program features for 2012
Learn the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies in a program dedicated to your BCM needs. Features include:
• 10 BCM-focused analyst sessions
• Two Gartner Magic Quadrant Net IT Out sessions covering the BCM marketplace for tools and solutions
• Six BCM-focused Gartner analysts available for private one-on-one meetings
• Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising
• A tutorial on BCM maturity and evolution
• A workshop on BCM standards and certification and BCM-focused networking events
2012 Gartner Predicts: By 2015, 30% of midsize businesses will adopt recovery-in-the-cloud services to support IT operations recovery.
2012 Gartner Predicts: By 2014, almost half of organizations will have integrated public social media services with their crisis communication strategies.
RISK MANAGEMENT AND COMPLIANCE

HOT TOPICS
• Enterprise and IT risk management effectiveness
• Risk-adjusted value management
• Creating key risk indicators
• Legal and regulatory info governance
• E-discovery
• Supporting the chief legal officer
• Social risk management
• Reporting on risk management initiatives to the board
• Managing risk and compliance issues with big data
• Cloud risks
A major shift is under way, in which senior business leaders and boards of directors begin to recognize enterprise risk management as more than a compliance-driven cost. Today’s risk management executives are using enterprise risk management strategies to minimize business risk, support next-generation business needs and improve business performance.
The Risk Management and Compliance Program focuses on strategic issues in risk management and places additional emphasis on legal and regulatory risks, including:
• How to better communicate the benefits and objectives of the risk management program to the board and senior business leaders
• Key trends such as growing concerns around privacy and data protection
• New anti-fraud and anti-corruption legislation
• Mobility, cloud computing and their impacts on security and risk
• Legal and regulatory governance strategies
Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
2012 Gartner Predicts: By 2016, enterprises that combine BPM and ERM will achieve higher-performance business results than those that employ them separately.
French Caldwell, Vice President and Gartner Fellow
Hiranya Fernando, Senior Analyst
Andrew Frank, Vice President
Khushbu Pratap, Senior Analyst
Sheila Childs, Managing Vice President
Debra Logan, Vice President and Distinguished Analyst
Ian Glazer, Director
Paul E. Proctor, Vice President and Distinguished Analyst
John A. Wheeler, Director
Jeffrey Wheatman, Director
RISK AGENDA

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks. Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management. Andrew Walls

RISK AND COMPLIANCE: Enterprise and Operational Risk Management (G sessions) | Managing Legal and Compliance Risk (H sessions)
11:30 a.m. G1. Road Map: Privacy, Marketing and Behavior Tracking — A Risky Mandate. Andrew Frank | H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance. Debra Logan, Jeffrey Wheatman
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell. Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM. John A. Wheeler | H2. The Corporate Ethics Game Show: “Let’s Make a Deal” or “Jeopardy!”? Joseph E. Schmitz, former DoD IG; John Bace, John Marshall Law School

Tuesday, June 12
8:15 a.m. G3. General Session: Untangling the Multimillion-Dollar Madoff Ponzi Scheme. David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner
10:45 a.m. G4. Seven Keys to Successful and Cost-Effective Risk Oversight. John A. Wheeler | H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 1. View From the Bench. Debra Logan, Lew Schwartz, Judges Panel
2:00 p.m. G5. Global Supply Chain Risk: Perception and Management. Hiranya Fernando | H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 2. View From the Practitioners. Debra Logan, Lew Schwartz, Outside Panel
4:30 p.m. G6a. Net IT Out: The Realities of Cyberinsurance. John A. Wheeler | H6a. Net IT Out: Compliance Controls — When Are Yours Too Old? Khushbu Pratap
4:55 p.m. G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools — A Use Case Approach. Paul E. Proctor | H6b. Net IT Out: SAS 70 Is Gone — So What Are the Alternatives? French Caldwell
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. G7. General Session: Enterprise and Operational Risk Management: Directors Roundtable — What the Board Wants. French Caldwell, Dale Kutnick, Panelists
11:00 a.m. G8. Risk-Adjusted Value Management. Paul E. Proctor | H8. Internal Auditors: Why They Do What They Do. Khushbu Pratap
1:30 p.m. G9. Technical Insights: Road Map — Managing Multinational Privacy Risks in the Cloud. Ian Glazer | H9. Improving Your Social Risk IQ. French Caldwell
4:00 p.m. G10. Six CIO Risk Techniques to Please Your Board. French Caldwell | H10. Managing Litigation and Regulatory Risks of Big Data. Sheila Childs
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General — Problem Solved. You’re Welcome. John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14
8:00 a.m. W6. Workshop: Policy Critique. Jay Heiser | W7. Workshop: Implementing COBIT 5. Robert Stroud, ISACA’s Strategic Advisory Council
9:15 a.m. W8. (9:15–11:30 a.m.) Workshop: Creating Key Risk Indicators for Your Company. Paul E. Proctor | H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence. Benjamin Wright, SANS Institute
10:30 a.m. H12. Road Map: Intelligent Information Governance 2012. Debra Logan
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments. Ray Wagner
New Risk and Compliance program features for 2012
Divided into two tracks — Enterprise and Operational Risk Management, and Managing Legal and Compliance Risk — the Risk Management and Compliance program offers:
• 25 in-depth sessions and two general sessions
• CRO Invitational Program
• Three workshops, two Road Map sessions, four Net IT Out sessions, and one Technical Insights session
• Two analyst-user roundtables focused on risk management and compliance
• 10 on-site Gartner analysts focused on risk management and compliance, available for private one-on-one meetings
• Special risk-management-and-compliance networking opportunities
NEW! THE BUSINESS OF IT SECURITY AND RISK

HOT TOPICS
• Information security forecasts worldwide
• Market shares in the infosec domain
• User wants-and-needs survey results
• Strengths, weaknesses, opportunities and threat (SWOT) evaluations on leading IT security and risk vendors
• Gartner Magic Quadrant trends
• Investors perspectives panel

Mobility, cloud and social technologies have transformed IT, posing a stupefying array of new security threats and engendering an equally overwhelming number of new security and risk management options. In a climate of volatile change, how do you know you are making the right security and risk management investments?

New this year, The Business of IT Security and Risk program examines today’s dynamic marketplace, the current landscape of market leaders and upstart innovators, as well as how the scenery is likely to change. We take an investor’s financial and strategic view of the market, based on the evaluations of our analysts, the financial community and the media.

Will your current partners see you through into the mobile, social, cloud-based future? Where will the leading innovations come from? Where should you put your money? Featuring 10 sessions with leading analysts, investors, journalists and bloggers, this unique program provides extremely important information for CISOs and others investing in security and risk solutions.

Meet the analysts
Ruggero Contu, Principal Analyst
Eric Ahlm, Director
Joseph Feiman, Vice President and Gartner Fellow
Peter Firstbrook, Director
Ramon Krikken, Director
Lawrence Pingree, Director
Greg Young, Vice President
John Rizzuto, Vice President and Invest Analyst

NEW! BUSINESS: The Business of IT Security and Risk

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks. Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management. Andrew Walls
11:30 a.m. J1. Security Markets Worldwide 2012. Eric Ahlm, Ruggero Contu
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell. Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. J2. IT Security Survey: 2011-2012 Study Results and Trends Analysis. Ruggero Contu, Lawrence Pingree

Tuesday, June 12
8:15 a.m. J3. Technical Insights: The Art of Saying Yes — Selling Application Security to Architects and Developers. Ramon Krikken
10:45 a.m. J4. SWOT Analysis: IBM and HP Application and Data Security. Joseph Feiman
2:00 p.m. J5. Security Investors Perspectives Panel. Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman
4:30 p.m. J6. Security Market Gartner Magic Quadrant Overview. Greg Young
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. J7. Security Journalists and Bloggers Panel. Moderator: Greg Young
11:00 a.m. J8. SWOT Analysis: McAfee, Symantec, Cisco. Eric Ahlm, Ruggero Contu, Peter Firstbrook
1:30 p.m. J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security. Neil MacDonald, Lawrence Pingree
4:00 p.m. J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps. Joe Fuller, Dominion Enterprises
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General — Problem Solved. You’re Welcome. John Hodgman, Actor, Author and Correspondent for “The Daily Show”

Thursday, June 14
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments. Ray Wagner
SESSION DESCRIPTIONS

CISO PROGRAM TRACK A
The CISO

A1. Security and Risk Management as a Social Science
As technical security controls are increasingly integrated into the infrastructure fabric, CISOs’ focuses will continue to shift toward the behaviors, attitudes and cultures of stakeholders. This presentation highlights how this will impact security leaders, and which actions they should take. Tom Scholtz

A2. Security Program Management Overview
Security programs have evolved and continue to mature. This session describes the maturity level characteristics of current information security programs and reviews the Gartner ITScore survey results. F. Christian Byrnes

A3. When Risk Management Does More Harm Than Good: RM 101
Risk used to be like the weather — everybody talked about it, but few did anything about it. While the weather still remains unpredictable, business demands a more predictable approach to IT-related risks. This session helps the new risk manager understand the basic principles of risk management. Jay Heiser
A4. Metrics That Matter
Enterprises continue to create and report on security metrics that have no context and that nobody cares about. An effective metrics program highlights a few key measures with reasonable, achievable targets that drive continuous improvement. Jeffrey Wheatman
A5. Security and Risk Governance: It’s Much More Than Just Reporting
Effective governance provides accountability, responsibility, authority and assurance. Security and risk governance consists of processes and activities executed and overseen by governance bodies. Their success depends on the effectiveness of the groups tasked with executing them. F. Christian Byrnes, Tom Scholtz

A6a. Net IT Out: Articulating the Business Value of Information Security
While security budgets held up comparatively well during the recession, organizations are shifting their focuses from survival back to growth mode. This requires investment of (still-limited) financial resources into innovation and growth projects, resulting in increasing pressure on security budgets. Tom Scholtz

A6b. Net IT Out: Developing the Key Competencies of the New Security Team
As the information security discipline matures, the security-related skills and knowledge of a chief information security officer and his or her teams are taken for granted. However, security professionals who expect to thrive in a dynamic business environment need to continually learn new skills. Tom Scholtz

A7. How to Run, Grow and Transform Your Risk and Security Program
Creating and formalizing a security and risk program is inexpensive, but developing a mature program requires high-level support, a strategic approach and proper time to execute. Modern enterprises must also align with business needs and address cultural gaps with the non-IT parts of the business. Paul E. Proctor

A9. Optimizing the Information Security Organization
Stop worrying about where the CISO reports, and think about how security meets your clients’ needs. Governance, accountability and responsibility can’t be fixed by moving head count. Here, we discuss how organizational changes may or may not impact your information security program’s success. Jeffrey Wheatman

A10. Ignore Enterprise Data Protection at Your Peril
Clients are missing the big picture when they protect data in technology silos without garnering a clear understanding of the value and risk associated with that data. This session analyzes the real drivers for data protection and provides a survey of some of the available tools to address the problem. Jeffrey Wheatman

A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy
“If you aim at nothing, you will hit it.” A realistic strategy is a key component of any information security program. Developing and maintaining a strategy in dynamic threat, technology and business environments is indeed challenging. Rob McMillan, Tom Scholtz

A12. Intelligent Information Governance 2012
We seem to have too much information, but not enough of the right kind. Information governance is technically complex, organizationally challenging and politically sensitive. In this session you gain best practices and lessons learned from early adopters of information governance programs. Debra Logan

A13. Trust: The Elusive Final Ingredient
Substantive external sharing only happens when everyone is confident that no harm will be caused. Trust conditions must be enabled before partners access information. Architects must understand social trust mechanisms, enabling external collaboration through the use of data protection technology. Jay Heiser

WORKSHOPS

W1. Workshop: ITScore for Security Management Workshop
Balanced scorecards provide security teams with critical tools to demonstrate value by identifying and leveraging security’s benefits across multiple business domains. This workshop discusses the building blocks for balanced scorecards for information security and how clients can avoid the hurdles. F. Christian Byrnes
ANALYST-USER ROUNDTABLE

AUR15. Secure Web Gateways
This session is restricted to attendees with a CISO or equivalent title, or other C-level or senior management role related to information security. This is a discussion session. F. Christian Byrnes
IT SECURITY TRACK B
Infrastructure Protection

B1. The Security State of the Cloud
Where does the world stand on cloud computing risks? This presentation provides an overview of the technical and process mechanisms that can be applied to help reduce the risks of cloud computing. Jay Heiser
B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees
As attacks become more motivated by money, and as enterprises get better at securing the infrastructure, there’s been a shift to application attacks. Now it is not just hackers but also employees that create serious threats. To address these new risks, new application and data security market spaces have emerged. Joseph Feiman
B3. The Endpoint Protection Platform in the Age of Tablets and Clouds
Tests show that current endpoint protection platforms (EPP) do not provide full protection from mass-propagated or targeted attacks. In addition, security teams are grappling with the diversification of the traditional endpoint. Here we compare current and future EPP requirements. Peter Firstbrook

B4. Case Study: The World Trade Center’s Situational Awareness Platform
The security director of the iconic World Trade Center describes best practices, lessons learned and technologies deployed while implementing a situational awareness platform to monitor events and identities in real time using an integrated command center for correlating data and imagery. Lou Barani, Director of Security, World Trade Center; Moderator: Jeff Vining

B5. Road Map: Secure Email Communications With Partners and Customers
Regulations and data theft are increasing the focus on protecting intellectual property and sensitive information. The most common data exchange solution for most companies is email. Organizations struggle with securing email communications to partners, customers and contractors. Peter Firstbrook

B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely
Organizations need to permit employees of other companies to have access to sensitive information. But multienterprise collaboration can’t be secured by traditional means. Learn how flexible and affordable trust technologies and services are being used to securely share data among enterprises. Jay Heiser

B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology
Data loss prevention continues to be a hot topic, and clients continue to face the challenge of seeing beyond the technology to derive value. The key to this is understanding that you need to implement a DLP process, and not just the tool. What does this mean? What are the pitfalls? Rob McMillan

B7. SIEM for Hybrid Technology and Services Deployments
We get many client calls about options for using SIEM service providers. Hybrid deployments of technology and services address activities from planning to operations and cover monitoring from corporate data centers to cloud services providers. Here we address use cases supported with SIEM services. Kelly M. Kavanagh, Mark Nicolett

B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud
This presentation is about security monitoring for cloud environments as well as about using cloud-delivered tools for monitoring traditional on-premises IT environments. Do we have to use the cloud to monitor the cloud? What traditional approaches will work? Anton Chuvakin

B9. The New Dangers of Machine to Machine (M2M) in the Enterprise
By 2015 there will be more M2M devices than laptops or tablets. This presentation examines how these devices communicate, authenticate and access resources across the infrastructure and introduce new security dangers to the enterprise. Tim Zimmerman

B10. The Mobile Security Brothers Traveling Roadshow
Repeating and updating this popular and fun session, the brothers explore critical issues in the rapidly changing world of mobile and wireless computing — but within an audience-interactive game show format with valuable prizes! John Girard, John Pescatore

B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats
Here we explore extending a whitelisting paradigm from servers to all endpoints using best-practice techniques such as trusted change, IT operations integration and systematic workload reprovisioning of servers and desktops to pull the rug out from under advanced persistent threats. Neil MacDonald

B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector
This case study looks at an industry-specific, secure community cloud environment designed to improve collaboration. We identify the key components and necessary safeguards for tactical and strategic deployment, and project when vendors will support the emerging community cloud concept. Doug Simmons, Gartner Consulting

IT SECURITY TRACK C

Infrastructure Protection

C1. Road Map: The Next Generation of Firewalls and IPS
Threats continue to advance, and network security defenses must evolve to become effective against advanced targeted threats. Enterprises should require vendors to add next-generation intrusion prevention features to network security products. Greg Young
C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence
IT infrastructures have become increasingly virtualized and complex, with workload mobility in conjunction with the cloud becoming the norm. This presentation provides a framework for using big data to deliver actionable insight and intelligence for security and operations from a sea of data. Neil MacDonald

C3. Monitoring Users for Security Intelligence: Threats and Opportunities
Monitoring the communications of employees (and others), on both internal and external systems, is critical to security intelligence and situational awareness. While leveraging this data to improve security, we must also defend against unfriendly monitoring and data discovery that could be damaging. Andrew Walls

C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet?
Loss and data exposure are the primary risks organizations face with mobile devices. Using off-the-shelf forensic tools to analyze typical mobile devices, we demonstrate how data is exposed and unintentionally propagated. The analysts then recommend best-practice defenses. John Girard, Lawrence Pingree

C5. Case Study: DoD’s Approach to Security Testing
Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps

C6a. Net IT Out: Technical Insights — Securing Browser-Based Applications
Applications running in Web browsers may be implemented in HTML4, HTML5 and JavaScript, or they may use Java, Silverlight, Flash or other platforms. This session discusses the client-side risks of running applications in Web browsers, and covers the strengths and weaknesses of the various protections. Mario de Boer

C6b. Net IT Out: Road Map — Gaining Control of Consumerization
Consumerization is here and IT struggles to keep up. End users have embraced tablets, smartphones, VoIP and Dropbox, giving little thought to security. Reclaim control to create a secure “consumerized” environment by implementing new technologies and developing reasonable policies and controls. Lawrence Orans

C7. Technical Insights: Mobility and Security — Gartner Field Research on Mobility and Consumerization
Gartner field research identified security issues that arise when introducing consumer devices into the enterprise. We also identified solutions as enterprises deal with the problems. This session presents the results, regarding governance, technical security and management solutions. Eric Maiwald

C8. Deep Dive Into Internet Infrastructure Attacks
Cracks appear in the Internet’s infrastructure. DDoS attacks have increased in intensity and frequency. Attacks on certificate authorities expose SSL’s fragility. Attacks on the DNS infrastructure can cause large-scale fraud and disrupt trust. We analyze recent attacks and identify solutions. Lawrence Orans, John Pescatore

C9. Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management
Attackers are improving their ability to find and exploit security weaknesses. The first order of business is to present a hard target. This requires IT security organizations to run operationally effective vulnerability management across multiple cooperating IT operations and application support teams. Mark Nicolett

C10. NIST’s National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage
NIST’s new cyberframework, the NICE program, defines 31 cybersecurity skill specialty areas in today’s security workforce. This session addresses how CIOs and CISOs can leverage the framework’s best practices to save time and money in future IT cyberworkforce planning and development. Steve Hawald

C11. Manage Your Security Vendors or Be Mangled
This session presents best practices for deciphering and assessing proposals for security equipment and offerings, as well as the associated discounts you should receive. And what about all your security spending — is there a way to manage it as a portfolio? Greg Young
C12. Network Security Open Q&A
Have a network security problem or issue? Wondering about the next-generation thingie, appliance or “as a service” service? What is coming in network security? How can organizations provide strong security when the perimeter is essentially porous? Does network security have a future, or do the data, applications and infrastructure need hardening? Bring your questions to this open forum with top Gartner network security analysts. Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
C13. Technical Insights: Network Security Architecture for Internal Private Clouds
Private clouds change the data center world. It is no longer easy to know which application is running on which server. This leads to concerns about how to efficiently move, monitor and control traffic between virtual machines. Enterprises need to rethink network security architecture options. Eric Maiwald

IT SECURITY TRACK D

Secure Business Enablement

D1. Protecting Your Network in the Era of BYOD
Network access control (NAC) burst on the scene in 2003 as the answer to Sasser, Blaster and the worm era. It was derided as an overhyped concept. Now that bring your own device (BYOD) has emerged as an unstoppable trend, NAC is back in favor again — this time as a solution for gaining back control of the network. Lawrence Orans
D2. Taking Privacy to the Next Level With a Privacy Program
Leading enterprises avoid piecemeal, costly and risky approaches to privacy by combining governance, policy, education and incident response aligned with application development, security and risk management for world-class privacy programs. Learn about privacy by design. Carsten Casper

D3. Road Map: Operationalizing Encryption
Encryption benefits security postures. But without adequately understanding resources, controls and risk mitigation, the ultimate benefit may be no better than before encryption. Here we look at the major categories of data, devices and service considerations when maximizing encryption’s value. Eric Ouellet

D4. Technical Insights: Operationalizing PCI DSS Compliance
Here we discuss how to make compliance with the Payment Card Industry Data Security Standard (PCI DSS) an ongoing effort that is tied to security management, operations and other units. We present guidance on how to remain compliant despite changes in environments. Anton Chuvakin

D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence
When it comes to getting infected, cyberattacked, or having vulnerabilities, no organization remains untouched. Thousands of security companies build security tools and services, research malware, probe vulnerabilities and try to help organizations with defense or response, but they struggle to connect the dots. Dan Blum

D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management
Do you need to share data while preserving privacy? To use public clouds or consolidate global data centers while being compliant with privacy laws? To respond to breaches? To monitor changes in privacy regulations? This session helps you understand the usefulness of various emerging technologies. Carsten Casper
D6b. Net IT Out: Job Security in Cloud Era — Will Jobs Stay or Vaporize?
Cloud is a transformational phenomenon that changes our businesses and our IT organizations. Will cloud transform the IT workforce? Will it threaten job security? Joseph Feiman
D7. Operationalize Social Media to Improve Security Performance
Business is moving past the experimental stage and is actively developing new ways to maximize profits through social media. It is time for security to do the same and use social media to improve security. This presentation explores the opportunities for security improvement through social media. Andrew Walls

D9. Case Study: TBA

D10. Technical Insights: SaaS Email Security — Trust Versus Technology
Enterprises would love to commoditize email by cutting costs through outsourcing. However, it is a primary channel, carrying sensitive and proprietary content that needs protection. Much intellectual property resides in email databases. Outsourcing email to a SaaS provider raises a number of critical questions. Dan Blum

D13. Developing and Implementing a Superior Mobile Device Policy
Mobile devices, particularly consumer-level products, have trampled over the well-crafted policies that companies put in place for trusted work systems. Businesses must adapt and do so quickly, and they must learn to prioritize the basic configuration and security policies that they will need to preserve. John Girard
IT SECURITY TRACK E

Secure Business Enablement

E1. Higher, Faster, Stronger: The Performant IAM Program
Every enterprise has to manage workforce, partner and customer identities and the access they get. Not all enterprises are tackling IAM initiatives to maximize IAM value to the business through enhanced security and risk management, improved operations or better business outcomes. Ant Allan

E2. Road Map: IAM Operations — The IAM Data Model
Great IAM operations don’t just happen. They’re built on solid infrastructure foundations that include high-fidelity identity data stored and used in a structured manner to deliver access and other identity-based services. This presentation describes this operational infrastructure foundation. Earl Perkins

E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise
When it comes to good practices, IAM programs generate information about what to do and what not to do — from planning and design, to product/service choices, deployment and operations. This session explores lessons learned when IAM solutions have addressed both business and technical requirements. Perry Carpenter

E4. Layered Fraud Prevention for Land-Based and Mobile Computing
This presentation proposes five layers for fraud prevention and sets priorities for managing immediate threats, such as malware-based cyberattacks, within a framework of fraud management. What are the five layers for fraud prevention? Avivah Litan
E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It)If your awareness program was designed by aguywithpocketprotectors,afreshCISSPand a highlighted NIST 800 series, then you can guarantee that it is obsolete. New approaches draw on advertising, marketing, social engineering and practical magic to build a new context for security awareness.Perry Carpenter, Andrew Walls
E6a. Net IT Out: One-Time-Password Hardware Tokens — Going, Going … Not Quite Gone One-timepassword(OTP)hardwaretokenshave been a staple user authentication methodformorethan25years,buttheyareincreasingly losing out to alternative methods in new and refreshed implementations. This session explores this trend and whether the demise of hardware tokens is inevitable. Ant Allan
E6b. Net IT Out: The Undeath of PKI OnceatthePeakofInflatedExpectations,then as a technology in search of a problem intheTroughofDisillusionment,PKIhasemergedontothePlateauofProductivity inavarietyofstylesincludingPublicKeyOperationsandkeymanagement,addressingveryrealproblems.PKILives!IsPKIstillrelevant in 2012?Eric Ouellet
E7. Q&A Session: The Identity and Access Management Marketplace This open session has no preplanned agenda, noPowerPointandnopretensions.It’savenue where audience members can try to “stump the analysts” or more appropriately raise issues and concerns they face while implementingandoperatingIAMsystems.Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner
E9. Managing Identity and Access in the Hybrid World
Unless you have the luxury of starting with a greenfield for IAM, you must manage identity in an increasingly hybrid world in which on-premises legacy infrastructures are extended or replaced to support SaaS and mobile endpoints that create new identity islands, complexity and security vulnerabilities.
Gregg Kreizman

E10. Socrates Was Wrong: A Debate
This analyst debate examines human nature in the context of information security and proper behavior. One side says that people will always try to do the right thing. The other side says people aren’t that nice and will always do what they can get away with — especially if no one is looking.
Rob McMillan, Earl Perkins, Tom Scholtz, Andrew Walls, Vic Wheatman

E11. Case Study: Securing the Digital Nation — The New Frontier of Cybersecurity Training and Education
In 2011, the U.S. Secret Service Electronic Crimes Task Forces arrested 1,200 cyberthieves, responsible for the loss of almost $500 million. Last year, the Obama administration released a road map for creating a U.S. cybersecurity workforce. As innovation and interconnectivity in the online and mobile space advance, it is essential for businesses to have an active threat intelligence management process and industrywide knowledge that helps to avoid security risks with planning and layered controls. Keith Gordon will discuss the importance of having a long-term cybersecurity strategy and a short-term remediation plan across all industries.
Keith Gordon, Senior Vice President, Security, Fraud and Enrollments, Online and Mobile Channels, Bank of America

E12. Technical Insights: Endpoint Virtualization Security Considerations
Increased mobility and endpoint choices have led organizations to desktop strategies that deploy applications to people, not devices. Endpoint virtualization not only prevents information sprawl but also introduces new risks. Here we focus on the security of various endpoint virtualization technologies.
Mario de Boer

TUTORIALS

T1. FedRAMP Focus: Government Strategies for Secure Use of Cloud
Governments worldwide are evaluating cloud-based services to improve services while saving. FedRAMP is a U.S. government process for rapidly certifying the security of such services. Will this program be successful, and if so, how will corporations address their concerns when it comes to cloud services?
John Pescatore

T2. Best Practices for Owning Your Airwaves to Provide Security, Maximize Performance and Mitigate Interference
Enterprises are looking at a tsunami of wireless devices and technologies, from Bluetooth 3.0 to 802.11n to LTE and cellular. This presentation looks at each, along with usage scenarios, to provide a framework for a best practices policy.
Tim Zimmerman

T3. Top Security Trends and Take-Aways for 2012 and 2013
With continuing trends in cloud, consumerization, mobility and the next big thing, the way IT is delivered is changing. Each brings new threats and breaks old security processes. Here we review the top 2012-2013 security hot topics to map the trends.
Ray Wagner

T4. IAM RFP: Choosing the Best Solutions for Your Business
One of the most frequently asked questions by Gartner clients is whether there are sample requests for proposal (RFPs) for IAM products and services available to use as a starting point in their efforts. This tutorial explores a basic template for different IAM technologies to aid planning.
Earl Perkins

WORKSHOPS

W2. Workshop: ITScore for Privacy
Privacy gets ever more complex. How do organizations know they are doing enough? How do they know they are not doing too much? Measuring privacy is an emerging discipline. In this workshop, we introduce the Gartner ITScore assessment for privacy. Bring your laptop to run your own assessment.
Carsten Casper

W3. Workshop: ITScore for IAM
IAM leaders use this Gartner assessment to evaluate their IAM efforts against key maturity indicators. This helps determine which aspects of a maturity level are most important and how to advance. Immature programs are likely to be inefficient, ineffective and unable to deliver full business value.
Perry Carpenter, Ray Wagner

W4. Workshop: Securing the Access Layer — Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees
Network access requires changes to manage mobility and new devices. Understanding usage, devices and risk profiles is a first step. This workshop helps build a strategy by outlining options associated with authentication to corporate, guest access or limited access networks.
Lawrence Orans, Tim Zimmerman

ANALYST-USER ROUNDTABLES

AUR1. Where Did I Leave My Privacy?
With mobile technologies and widespread surveillance, losing your privacy is easier than ever. Share lessons learned on location privacy with other participants.
Ian Glazer

AUR2. Application Security Concerns
Packaged and custom-developed applications often have vulnerabilities. Finding and mitigating weaknesses consumes time, effort, energy and money. Here security professionals, application developers and others discuss the risky business of relying on applications with potentially hidden problems.
Neil MacDonald

AUR3. Content-Aware DLP for Organizations on the Move
Data loss prevention has received attention as a way of keeping sensitive information from “leaking” from an organization, but implementation has been more difficult than estimated. This is particularly true as mobility is introduced. Peers discuss their experiences in this facilitated roundtable.
Eric Ouellet

AUR4. Lessons Learned From Securing My Home Network
Share your war stories with other attendees about how you have secured your home network. Come prepared to whiteboard your design and discuss your favorite products and solutions. Who knows, you may even learn something that you can apply in your corporate network!
Lawrence Orans

AUR5. DMZ Design
Dynamic trends such as virtualization, Web services, XML firewalls and access to new mashups can open perimeter holes. The definition of the DMZ has changed. This group of peers discusses design challenges and current thinking on how DMZs will be architected in the future.
Greg Young

AUR9. Security in Healthcare
HIPAA has been around for over a decade, yet healthcare providers still wrestle with the need for protecting patient data. Further, there are concerns that medical devices may be vulnerable to attack. Those involved speak to their experiences and concerns.
Mark Nicolett, Paul E. Proctor

AUR10. Security in the Public Sector
Federal, state and local governments face resource constraints, unfunded mandates, and pressures from constituents for safe and secure access to sensitive data. What are security and risk professionals doing to cope with this environment?
Gregg Kreizman, John Pescatore

AUR11. Application Security Testing
Complex software security testing can be challenging, as every SAST, DAST and IAST vendor purports to cover the OWASP Top 10 and claims its products are more accurate and easier to use than others. In this facilitated session, we look at which tools are strong and weak, and how they are best used.
Ramon Krikken

AUR12. Security in Utilities and Energy
As part of the critical infrastructure, utilities and energy companies have unique responsibilities. Enterprise security for business systems is as important to these entities as it is to any, but there are special requirements associated with SCADA networks and other parts of the operational technologies used that need a specific focus. Here industry peers share their perspectives and findings.
Earl Perkins

AUR17. Outsourcing Security
Organizations often outsource security functions to managed security service providers and other outsourcers. How far can they go in handing off critical defensive mechanisms, and which should they maintain in house? Join a group of peers in addressing this ongoing question.
Kelly M. Kavanagh

AUR18. Dealing With Cloud Risks
As new audit standards go into effect, it’s harder than ever to know whether cloud vendors have adequate controls. Learn from fellow participants what their best practices are for managing cloud risks.
Jay Heiser

BCM TRACK F
Business Continuity Management

F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11
The earthquake in Japan, Australian flooding, tornadoes and other major disasters remind us that closing our eyes and clicking our heels will not bring a return to normalcy. How can lessons learned across the broad range of business delivery services improve your BCM program?
John P. Morency, Roberta J. Witty

F2. Case Study: Intel’s Response to the Fukushima Earthquake/Tsunami
Intel discusses the impact of the March 2011 Fukushima earthquake/tsunami on its supply chain operations and the resulting changes to its business and IT systems that will make them more resilient in the future.
Jeff Selvala, Director, Assembly Test Global Materials, Intel; Roberta J. Witty

F3. Case Study: Teleworking Through a Disaster
Telework (doing one’s job via remote access) could be your business lifeline when the bridge is out, the storm is blowing or the earth is shaking. Here we offer examples of companies that put telework into practice during major disruptive events and provide tips for success in your organization.
John Girard, Roberta J. Witty

F4. Case Study: Demographics — An Unknown BCM Risk
The business world is faced with legal/regulatory, strategic, and financial risks, but demographic risk has largely been ignored. For example, we have an aging workforce. This session helps you understand how demographics affect your company and identifies solution strategies.
Steve Hannah, Manager, Disaster Recovery, Waddell & Reed

F5. Crisis/Incident Management Overview
Business interruptions occur at a more rapid pace than ever before. Awareness of these events is taking its toll on company reputations. Here we discuss best practices for crisis/incident management programs that keep management in line and ensure a viable supply chain.
Leif Eriksen, Roberta J. Witty

F6a. Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants
The BCM software market is composed of three main categories: emergency/mass notification, BCM planning and crisis/incident management tools. This session and the next both provide the latest market analysis of these tools so that organizations can make the right tool choice for their needs.
Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty

F6b. Net IT Out (continued): Business Continuity Management Planning Markets and Magic Quadrants
Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty

F7. Strategies for Achieving Continuous Application Availability
Continuous application availability — eliminating planned and unplanned downtime — is expensive and only justified for the most mission-critical applications. We analyze techniques and architectures to help achieve continuous availability while assessing people- and process-critical success factors.
Donna Scott

F8. Can I Recover Through the Cloud?
Given the number of cloud-specific alternatives, organizations can now evaluate how a cloud-centric approach can improve the efficiency, effectiveness and economics of IT resilience. We discuss product and service choices, cloud-based recovery and early adopter implementation lessons.
John P. Morency, Sheila Childs

F9. Best Practices in Recovery Exercising
Exercising IT DRM plans is a “must do” activity. Increasing time and resource costs are underscoring the need for more efficient approaches. This session discusses the software and management approaches now used by Gartner clients to improve exercise scope, execution and results.
John P. Morency

F10. Panel: Educating Boards of Directors and Management in the Business Case for BCM
Investing in response, recovery, restoration and resilience is in the organization’s best interests but can fall on deaf management ears. How do you make a compelling case for the business to continue in case of disruption without FUD? In this panel, seasoned BCM experts describe their approaches.
Moderator: Roberta J. Witty

TUTORIALS

T5. BCM Maturity: Where We Are, Where We Should Be Going
Organizations are maturing BCM programs across all industries as the threat of business interruptions rises. Using results of the BCM ITScore, this session reviews where organizations are across eight dimensions of BCM program management, where we should be in the next five years and how to get there.
John P. Morency, Roberta J. Witty

WORKSHOPS

W5. Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification
This three-hour workshop will review and compare the most common BCM standards, provide best practices for using them for organization certification, and then have attendees participate in a standards implementation exercise.
John P. Morency, Roberta J. Witty

RISK MANAGEMENT AND COMPLIANCE TRACK G
Enterprise and Operational Risk Management

G1. Road Map: Privacy, Marketing and Behavior Tracking — A Risky Mandate
Based on a Gartner Innovation Insight note on the business of behavior tracking and its IT implications, we explain why marketing will face pressure to increase behavior tracking activities (and social media monitoring and engagement) and what those responsible for privacy should be doing about it.
Andrew Frank

G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM
By understanding business objectives and the processes underlying them, risk managers can gain insight into emerging risks across IT and the business. This presentation highlights business process management components that can bolster a company’s risk management program without added investment.
John A. Wheeler

G4. Seven Keys to Successful and Cost-Effective Risk Oversight
Given heightened regulatory scrutiny and increased liability, board members are looking to senior business and IT leaders to make major improvements in how companies manage risk. This presentation outlines a practical solution in the form of seven keys to successful and cost-effective risk oversight.
John A. Wheeler

G5. Global Supply Chain Risk: Perception and Management
Tomorrow’s profitability is built on today’s risk management capabilities in an uncertain world. Modern supply chains are complex and exposed to many risks, such as commodity shortages, natural disasters, supply disruptions and external pressure from consumers, government, and NGOs. Discuss!
Hiranya Fernando

G6a. Net IT Out: The Realities of Cyberinsurance
Risk managers today are searching for ways to minimize exposure to financial losses that result from information security breaches. This presentation explores the use of cyberinsurance as a potential loss mitigation strategy and discusses what companies should consider before purchasing a policy.
John A. Wheeler

G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools — A Use Case Approach
Effective IT risk assessment (RA) depends on managing a toolbox of assessment techniques and applying the most appropriate technique on a case-by-case basis. This presentation provides practical advice on selecting RA methods and tools, and on optimizing their use.
Paul E. Proctor

G8. Risk-Adjusted Value Management
Risk-Adjusted Value Management™ is a Gartner methodology that bridges the risk/business performance knowledge gaps. Using leading indicators of risk and performance, CIOs, CROs and CISOs can improve their relevance, budget justifications, and decision making.
Paul E. Proctor

G9. Technical Insights: Road Map — Managing Multinational Privacy Risks in the Cloud
As the use of cloud-based services increases, it is likely that even those organizations that thought they operated entirely within a single jurisdiction will find that their business, transactions and data all cross boundaries. It’s critical to manage the privacy issues that can arise as a result.
Ian Glazer

G10. Six CIO Risk Techniques to Please Your Board
Corporate directors are under pressure to improve their risk management oversight. IT leaders can adopt six risk management techniques that will improve the value of their risk management reporting to the board.
French Caldwell

RISK MANAGEMENT AND COMPLIANCE TRACK H
Managing Legal and Compliance Risk

H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance
Information governance initiatives are increasing in number and scope, but the involvement of IT security and risk management is nonexistent or minimal. Learn how to work together, set common objectives and achieve security, risk and compliance objectives.
Debra Logan, Jeffrey Wheatman

H2. The Corporate Ethics Game Show: “Let’s Make a Deal” or “Jeopardy!”?
Just because it’s legal to do, is it right? What if doing the right thing is bad for the enterprise? Does doing the right thing have an ROI? IT security professionals, risk managers and compliance coordinators face vexing moral dilemmas more often than they want. This panel parses several real-life ethical scenarios, suggests appropriate courses of action, and fosters second thoughts for the next time you face a “What do I do?” moment.
Joseph E. Schmitz, former DoD IG; John Bace, Guest Lecturer, John Marshall Law School

H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 1. View From the Bench
E-discovery has become ever more burdensome and expensive, with the cost of individual cases sometimes exceeding what used to be the total annual U.S. e-discovery cost. Have the amended rules of civil procedure failed against the rising tide of data that shows no signs of abating?
Debra Logan, Lew Schwartz, Judges Panel

H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 2. View From the Practitioners
E-discovery has become ever more burdensome and expensive, with the cost of individual cases sometimes exceeding what used to be the total annual U.S. e-discovery cost. Have the amended rules of civil procedure failed against the rising tide of data that shows no signs of abating?
Debra Logan, Lew Schwartz, Outside Panel

H6a. Net IT Out: Compliance Controls — When Are Yours Too Old?
Many organizations are in a continuous program of maintaining controls that more or less function only to serve auditors and regulators. There are various control types, and each warrants a periodic re-evaluation based on changes in business requirements, compliance initiatives and risk tolerances.
Khushbu Pratap

H6b. Net IT Out: SAS 70 Is Gone — So What Are the Alternatives?
SAS 70, the audit standard once used to report on IT service providers’ and cloud vendors’ compliance-related controls, has now been replaced by SSAE 16. This transition is an opportunity for service providers and their customers to re-evaluate which internal controls assurances are truly needed.
French Caldwell

H8. Internal Auditors: Why They Do What They Do
While audits may help correct and improve business functions and practices, they may not always adequately cover the most important risks, obligations and business requirements. A sound audit program can help contribute to ROI from compliance and risk management efforts.
Khushbu Pratap

H9. Improving Your Social Risk IQ
Whenever there is a gap between public expectations and management’s attention to an issue, there are social risks, and those risks are growing daily. By 2015, any global enterprise, private or public sector, that does not improve its social risk intelligence will fail.
French Caldwell

H10. Managing Litigation and Regulatory Risks of Big Data
Regulatory proliferation and e-discovery readiness have led to IT being more frequently involved in supporting data management activities. Challenges run from building the right team, to interpreting regulatory requirements, to policy development, to selecting the solutions for GRC and information governance.
Sheila Childs

H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence
The source of evidence for digital investigations is changing. Previously, digital evidence was extracted from hardware in the possession of the investigator. Today, that evidence is increasingly found on the Web or in the cloud. Benjamin Wright of SANS shares how (and how not) to capture and preserve cyberevidence.
Benjamin Wright, Attorney, SANS Institute Instructor: Law of Data Security and Investigations

H12. Road Map: Intelligent Information Governance 2012
We seem to have too much information, but not enough of the right kind. Information governance is technically complex, organizationally challenging and politically sensitive. In this session you gain best practices and lessons learned from early adopters of information governance programs.
Debra Logan

WORKSHOPS

W6. Workshop: Policy Critique
In this workshop we examine and discuss examples of actual policy text, looking for typical weaknesses and deciding as a group whether the topic is practical to address through policy, and whether the text is likely to be effective. Attendees are encouraged to bring their own examples for group review.
Jay Heiser

W7. Workshop: Implementing COBIT 5
COBIT 5 is a major strategic improvement for providing the next generation of ISACA guidance on the governance and management of enterprise information and technology (IT) assets. Learn from ISACA’s experts how to implement COBIT 5 in your enterprise.
Robert Stroud, ISACA’s Strategic Advisory Council

W8. Workshop: Creating Key Risk Indicators for Your Company
This 90-minute workshop follows the concepts from the session “Using Key Risk Indicators to Influence Business Decision Making” to help you develop your own set of organization-specific KPIs and KRIs.
Paul E. Proctor

GENERAL SESSIONS

G3. Untangling the Multimillion-Dollar Madoff Ponzi Scheme
Since 2008, Baker Hostetler’s David J. Sheehan has overseen the litigation and case management of the liquidation of Bernard L. Madoff Investment Securities LLC as chief counsel to Securities Investor Protection Act Trustee, Irving Picard. With over 1,000 lawsuits filed seeking more than $100 billion, the unraveling of the fraud is a challenging mission that requires thorough investigations of global banking practices, financial instruments and feeder fund machinations, among countless other issues stemming from the largest and most complex financial fraud case in history.
David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner

G7. Enterprise and Operational Risk Management: Directors Roundtable — What the Board Wants
Closing the gap between board expectations for risk management, IT organization views, and what is possible with GRC technologies is challenging for most enterprises. This is a high-impact panel with board members, CIOs and other senior executives and advisors from major corporations.
French Caldwell; Dale Kutnick, Gartner Executive Programs; Panelists

ANALYST-USER ROUNDTABLES

AUR8. Supply Chain Risks
With business uncertainty unabated, natural disasters and new regulations, supply chains are under pressure. Share lessons learned with fellow participants.
Hiranya Fernando

AUR13. Audit Horror Stories
What’s your most outrageous auditor demand? Sit around the campfire with fellow participants, and share audit horror stories and lessons learned on negotiating with auditors.
Khushbu Pratap

AUR14. IT Availability
In this roundtable discussion, Gartner clients share their experiences and learn from each other in the broad arena of IT resiliency. Topics may include best practices and critical success factors in the areas of continuous application availability, measuring availability, service-level agreements, disaster recovery testing, data center resiliency strategy and failover/failback.
Donna Scott

NEW PROGRAM!

THE BUSINESS OF IT SECURITY AND RISK TRACK J

J1. Security Markets Worldwide 2012
This session explores security markets, their growth forecasts and pending priorities, and ways the market landscape is changing.
Eric Ahlm, Ruggero Contu

J2. IT Security Survey: 2011-2012 Study Results and Trends Analysis
In this session we review the results of our most recent security survey data, collected at Gartner Security & Risk Summit 2011, including the top-of-mind technologies and buying behaviors of the participants.
Ruggero Contu, Lawrence Pingree

J3. Technical Insights: The Art of Saying Yes — Selling Application Security to Architects and Developers
Developers feel security too often says “no,” making projects late and over budget. Selling to architects and developers is challenging, but hidden inside application security are tools that make development easier and faster. Knowing how to articulate domain-specific benefits makes the sale easier.
Ramon Krikken

J4. SWOT Analysis: IBM and HP Application and Data Security
Large IT providers such as IBM and HP have a variety of security tools, professional services and solutions. Here we examine their application and data security profiles in terms of their strengths, weaknesses, opportunities and threats (SWOT).
Joseph Feiman

J5. Security Investors Perspectives Panel
This investment capital panel discussion will bring security investment firms together into a room to discover the “under the hood” details from within the confines of the information security market investment community.
Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman

J6. Security Market Gartner Magic Quadrant Overview
In this session, discover the latest Gartner Magic Quadrants and get a rundown of the latest major players in the security market, how they compete and what has changed.
Greg Young

J7. Security Journalists and Bloggers Panel
Gartner analysts and new media reporters, bloggers and tweeters compare notes on the direction of security, how traditional and social media roles are interacting with the industry and threat-makers, and what is healthy or unwell about security communications today.
Moderator: Greg Young

J8. SWOT Analysis: McAfee, Symantec, Cisco
While many identify Cisco as providing security solutions, it has historically been a network company. McAfee is now part of Intel. Symantec has branched out from security. What are these companies’ prospects going forward, and what will be their impact on investors?
Eric Ahlm, Ruggero Contu, Peter Firstbrook

J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security
Today’s information security infrastructure is static, overpriced and ill-suited to protect against ever-advancing threats. We explore technology and threat discontinuities that will force information security vendors to radically rethink how they approach security over the next five years.
Neil MacDonald, Lawrence Pingree

J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps
How can CIOs who are not necessarily security experts become comfortable with cloud-based services? This presentation from marketing services company Dominion Enterprises explains how cloud-based email and document sharing works from a security standpoint, and how concerns about storing important documents in the cloud can be addressed securely.
Joe Fuller, Vice President and CIO, Dominion Enterprises

By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service.
2012 Gartner Predicts
SOLUTION SHOWCASE
Cisco (NASDAQ: CSCO) is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Cisco security balances protection and power to deliver highly secure collaboration. With Cisco security, customers can connect, communicate, and conduct business securely while protecting users, information, applications, and the network. Cisco pervasive security can help minimize security and compliance IT risk, reduce IT administrative burden, and lower TCO. Information about Cisco security can be found at www.cisco.com/go/security
Dell listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs. Thousands of customers around the world and an expert research team allow Dell SecureWorks to identify and protect against emerging threats faster. Our deep security expertise, flexible delivery options and commitment to service excellence make Dell SecureWorks a premier provider of Managed Security, Threat Intelligence and Security and Risk Consulting services. www.secureworks.com
Google’s cloud computing solutions allow you to dramatically lower IT costs and increase productivity, security and reliability. Google Apps is a 100% web suite of applications that includes Gmail, Google Calendar, Google Docs and Spreadsheets, Google Sites, and more. Google Postini services help make email systems more secure, compliant and reliable by blocking spam and malware before they reach your networks, by providing encryption and archiving to help meet compliance requirements, and by offering email continuity. www.google.com
Founded in 1999, Qualys is the leading provider of cloud-based information security and compliance solutions with 5,500+ customers in 85 countries, including 50 of the Forbes Global 100. The Qualys cloud-based platform and integrated suite of applications helps businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. www.qualys.com
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps organizations solve their most complex and sensitive security challenges by bringing visibility and trust to millions of user identities, the transactions they perform and the data that is generated. RSA delivers identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry leading eGRC capabilities and robust consulting services. www.RSA.com
Symantec is a global leader in providing security, storage and systems management solutions to help our customers – from consumers and small businesses to the largest global organizations – secure and manage their information-driven world against more risks at more points, more completely and efficiently. Our software and services protect completely, in ways that can be easily managed and with controls that can be enforced automatically – enabling confidence wherever information is used or stored. www.symantec.com
Terremark, a Verizon Company, is a leader in transforming and securing enterprise-class IT on a global scale. Terremark sets the standard for IT deployments with advanced infrastructure and managed service offerings that deliver the scale, security, and reliability necessary to meet the demanding requirements of enterprises worldwide. With a global network of data centers and a comprehensive portfolio of secure solutions, Terremark helps enterprise and government executives realize the power of the cloud today. www.terremark.com
Websense, Inc. (NASDAQ: WBSN), a global leader in unified Web security, email security, and data loss prevention (DLP) solutions, delivers the best content security for modern threats at the lowest total cost of ownership to tens of thousands of organizations worldwide. Distributed through partners and delivered as software, appliance and Security-as-a-Service (SaaS), Websense helps organizations leverage Web 2.0 and cloud communication, while protecting from advanced persistent threats, preventing confidential data loss and enforcing security policies. www.websense.com/content/home.aspx
AT&T Inc. is a global leader in communications, with operating subsidiaries providing services under the AT&T brand. AT&T is a recognized leader in business-related voice and data services, including global IP services, hosting, applications, and managed services. In the United States, businesses of all sizes, all over the world, deploy these AT&T services to improve productivity, manage overall costs, and position themselves to take advantage of future technology enhancements.
Check Point Software Technologies, the worldwide leader in securing the Internet, is the only vendor to deliver Total Security for networks, data and endpoints, unified under a single management framework. Check Point’s dynamic Software Blade architecture delivers secure, flexible, simple solutions that can be fully customized to meet the exact security needs of any organization or environment. Current customers include tens of thousands of businesses and organizations of all sizes, including all Fortune 100 companies.
CORE Security is the leading provider of predictive security intelligence solutions. We help more than 1,400 customers worldwide preempt critical security threats and more effectively communicate business risk. Our award-winning enterprise solutions are backed by over 15 years of expertise from the company’s CoreLabs research center. Learn more at www.coresecurity.com
As the world’s largest information technology company, IBM has 100 years of leadership in helping business and government organizations innovate. IBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications with solutions for identity/access management, database and network security, risk/endpoint management, and more. www.ibm.com/security
Today’s leading solution providers and top innovators in the security, risk management and business continuity management space will be on-site with the most informed representatives, ready to answer your questions. Get the research, ask your questions, streamline the vetting process and leave with a shortlist you can act on immediately.
PREMIER SPONSORS
PLATINUM SPONSORS
Sponsors as of April 3, 2012 and subject to change
SOLUTION SHOWCASE
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and communications that transform the experience and economics of networking. Additional information can be found at Juniper Networks (www.juniper.net).
Kaspersky Lab is the world’s largest privately-held Internet security company, providing comprehensive protection against all forms of IT threats such as viruses, spyware, hackers and spam. The company’s products provide in-depth computer defense for more than 300 million systems around the globe, including home and mobile users, small and medium sized businesses and large enterprises. Kaspersky technology is also incorporated inside the products and services of nearly 100 of industry leading IT, networking, communications and applications solution vendors.
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), is the world’s largest dedicated security technology company. McAfee provides system, network, and mobile security solutions that allow users to safely connect to the Internet, browse, and shop online. Backed by global threat intelligence, our innovative products empower home users and organizations by enabling them to prove compliance, protect data, prevent disruptions, identify vulnerabilities, and monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.
Recent events prove that networks will be compromised despite state-of-the-art defenses... Introducing NeuSentry™ by Neustar, a service that detects data breaches that other security tools miss, then generates real-time alarms that enable customers to mitigate damages caused by those breaches. NeuSentry™ - The New Layer in Cybersecurity Information Assurance.
Oracle (NASDAQ: ORCL) is the world’s most complete, open, and integrated business software and hardware systems company. For more information about Oracle, visit oracle.com.
Palo Alto Networks is the network security company. Its next-generation firewalls enable unprecedented visibility and granular policy control of applications and content at up to 20 Gbps with no performance degradation. Its firewalls accurately identify and control applications regardless of port, protocol, evasive tactic or SSL encryption, and scan content to stop threats and prevent data leakage. Palo Alto Networks extends this same network security to remote users with GlobalProtect and combats targeted malware with WildFire.
Quest One Identity Solutions simplify identity and access management to increase compliance, security and efficiency. Our modular yet integrated approach features a broad portfolio of award-winning solutions that simplify access governance, user activity monitoring, privileged account management and identity administration. Unlike traditional framework solutions, Quest One provides granular enforcement across heterogeneous systems with 360-degree business visibility – and rapid time to value! Learn why Quest One earned SC Magazine’s highest five-star RECOMMENDED rating or visit www.quest.com/identity-management.
Founded in 2002, Secunia is the leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats and risks across their networks and endpoints. Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base.
Solutionary reduces the information security and compliance burden, delivering flexible managed security services that align with client goals, enhancing organizations’ existing security program, infrastructure and personnel. Services are based on experienced security professionals, data-driven and actionable threat intelligence, and the ActiveGuard service platform, which together provide expert security and compliance management. Solutionary works as an extension of clients’ internal teams, providing industry-leading customer service, thought leadership, years of innovation and proprietary certifications that exceed industry standards.
Guided by its vision of Dynamic Security for the Global Network, SonicWALL develops advanced intelligent network security and data protection solutions that adapt as organizations evolve and as threats evolve. Trusted by enterprises worldwide, SonicWALL solutions are designed to detect and control applications and protect networks from intrusions and malware attacks through award-winning hardware, software and virtual appliance-based solutions. For more information, visit http://www.sonicwall.com/
Sourcefire, Inc. (Nasdaq: FIRE) is a world leader in intelligent cybersecurity solutions. Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s Next-Generation IPS™, Next-Generation Firewall™, virtual, and anti-virus/malware solutions equip customers with an efficient and effective layered security defense - protecting network assets before, during and after an attack. Today, the name Sourcefire has grown synonymous with innovation and cybersecurity intelligence. For more information: http://www.sourcefire.com.
Splunk® Inc. provides the engine for machine data™. Splunk software collects, indexes and harnesses the machine data continuously generated by the websites, applications, servers, networks and mobile devices that power business. Splunk software enables organizations to act on massive streams of real-time and historical machine data. More than 3,300 customers in over 75 countries use Splunk Enterprise to gain operational intelligence that deepens business understanding, improves service and uptime, reduces cost and mitigates cyber-security risk.
Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with Internet content, security and threat management solutions. We deliver top-ranked client, server, and cloud-based security to fit customer and partner needs, stop threats faster, and protect data in physical, virtualized and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our technology, products, and services stop threats where they emerge. For more information, visit www.trendmicro.com.
Tripwire is a leading global provider of IT security and compliance automation solutions. Tripwire VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. Trustwave has helped thousands of organizations - ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers - manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com.
Visit gartner.com/us/securityrisk for agenda updates and to register
21st Century Software, Inc.
Absolute Software Corp.
AccessData Group
ActivIdentity Inc.
Agiliance
AirWatch
Alert Enterprise Inc.
Approva an Infor affiliate
Aveksa
BeyondTrust Software
Bit9, Inc.
Blue Coat Systems
Booz Allen Hamilton
Bradford Networks
BreakingPoint
Centrify
CloudLock
CloudPassage
ControlPanelGRC
COOP Systems
Courion Corporation
Critical Watch
Cyber-Ark Software
Cyveillance, a QinetiQ Company
Damballa
Digital Defense, Inc.
Fiberlink
FireEye, Inc.
FireMon
Fischer International Identity
ForeScout Technologies, Inc.
Fortinet
FoxT
Hitachi ID Systems, Inc.
HP Enterprise Security
Imperva
Lancope
LogRhythm, Inc.
Lumension®
M86 Security
Mandiant
MetricStream
Mimecast
Modulo LLC
nCircle
NetIQ
NSFOCUS
Okta
PhishMe Incorporated
PhoneFactor
Rapid7
RedSeal Networks, Inc.
Rsam
SailPoint
SecureAuth Corporation
Silverback MDM
Skybox Security, Inc.
Solera Networks
SSH Communications Security
Tenable Network Security, Inc.
Thomson Reuters
TrustSphere
Tufin Technologies
Venafi, Inc.
Verdasys
VMware
Vormetric, Inc.
Xceedium, Inc.
ZixCorp
SILVER SPONSORS
MEDIA PARTNERS
Veracode provides the world’s leading Application Risk Management Platform. Veracode SecurityReview’s patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk. www.veracode.com
Founded in 2001, WhiteHat Security provides end-to-end solutions for Web security. The company’s cloud technology platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, is the website security solution of choice, covering thousands of websites in every industry including ecommerce, finance and healthcare. www.whitehatsec.com
Technology Evaluation Centers
BECOME A SPONSOR
Stephen Gibertoni, Sales Director, +1 203 316 [email protected]
Silas Mante, Account Manager, +1 203 316 [email protected]
John Forcino, Account Manager, +1 203 316 [email protected]
David Sorkin, Senior Account Manager, +1 203 316 [email protected]
Krista Way, Account Manager, +1 203 316 [email protected]
Sunday, June 10
4:00 p.m. Registration
Monday, June 11
7:00 a.m. Registration
8:30 a.m. T1. FedRAMP Focus: Government Strategies for Secure Use of Cloud John Pescatore
T2. Best Practices for Owning Your Airwaves to Provide Security, Maximize Performance and Mitigate Interference Tim Zimmerman
T3. Top Security Trends and Take-Aways for 2012 and 2013 Ray Wagner
T4. IAM RFP: Choosing the Best Solutions for Your Business Earl Perkins
T5. BCM Maturity: Where We Are, Where We Should Be Going John P. Morency, Roberta J. Witty
10:00 a.m. K1a. Welcome and Opening Remarks Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management Andrew Walls
Programs: CISO | IT Security | BCM | Risk and Compliance | Business of Security and Risk
Tracks: The CISO | Infrastructure Protection | Secure Business Enablement | Business Continuity Management | Enterprise and Operational Risk Management | Managing Legal and Compliance Risk | The Business of IT Security and Risk
11:30 a.m. A1. Security and Risk Management as a Social Science Tom Scholtz
B1. The Security State of the Cloud Jay Heiser
C1. Road Map: The Next Generation of Firewalls and IPS Greg Young
D1. Protecting Your Network in the Era of BYOD Lawrence Orans
E1. Higher, Faster, Stronger: The Performant IAM Program Ant Allan
F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11 John P. Morency, Roberta J. Witty
G1. Road Map: Privacy, Marketing and Behavior Tracking — A Risky Mandate Andrew Frank
H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance Debra Logan, Jeffrey Wheatman
J1. Security Markets Worldwide 2012 Eric Ahlm, Ruggero Contu
12:30 p.m. Attendee Lunch and Solution Showcase Dessert Reception
1:00 p.m. Theater Presentations
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell Moderators: Neil MacDonald, Earl Perkins
3:45 p.m. Solution Provider Sessions
5:00 p.m. A2. Security Program Management Overview F. Christian Byrnes
B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees Joseph Feiman
C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence Neil MacDonald
D2. Taking Privacy to the Next Level With a Privacy Program Carsten Casper
E2. Road Map: IAM Operations — The IAM Data Model Earl Perkins
F2. Case Study: Intel’s Response to the Fukushima Earthquake/Tsunami Jeff Selvala, Director, Assembly Test Global Materials, Intel; Roberta J. Witty
G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM John A. Wheeler
H2. The Corporate Ethics Game Show: “Let’s Make a Deal” or “Jeopardy!”? Joseph E. Schmitz, former DoD IG; John Bace, John Marshall Law School
J2. IT Security Survey: 2011-2012 Study Results and Trends Analysis Ruggero Contu, Lawrence Pingree
6:00 p.m. Solution Showcase Evening Reception
Tuesday, June 12
7:00 a.m. Registration; Breakfast by Role and Industry
8:15 a.m. A3. When Risk Management Does More Harm Than Good: RM 101 Jay Heiser
B3. The Endpoint Protection Platform in the Age of Tablets and Clouds Peter Firstbrook
C3. Monitoring Users for Security Intelligence: Threats and Opportunities Andrew Walls
D3. Road Map: Operationalizing Encryption Eric Ouellet
E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise Perry Carpenter
F3. Case Study: Teleworking Through a Disaster John Girard, Roberta J. Witty
G3. General Session Untangling the Multimillion-Dollar Madoff Ponzi Scheme David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner
J3. Technical Insights: The Art of Saying Yes — Selling Application Security to Architects and Developers Ramon Krikken
9:30 a.m. Solution Provider Sessions
10:45 a.m. A4. Metrics That Matter Jeffrey Wheatman
B4. Case Study: The World Trade Center’s Situational Awareness Platform Lou Barani, Director of Security, World Trade Center; Moderator: Jeff Vining
C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet? John Girard, Lawrence Pingree
D4. Technical Insights: Operationalizing PCI DSS Compliance Anton Chuvakin
E4. Layered Fraud Prevention for Land-Based and Mobile Computing Avivah Litan
F4. Case Study: Demographics — An Unknown BCM Risk Steve Hannah, Manager, Disaster Recovery, Waddell & Reed
G4. Seven Keys to Successful and Cost-Effective Risk Oversight John A. Wheeler
H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 1. View From the Bench Debra Logan, Lew Schwartz, Judges Panel
J4. SWOT Analysis: IBM and HP Application and Data Security Joseph Feiman
11:45 a.m. Solution Showcase Lunch; Theater Presentations
2:00 p.m. A5. Security and Risk Governance: It’s Much More Than Just Reporting F. Christian Byrnes, Tom Scholtz
B5. Road Map: Secure Email Communications With Partners and Customers Peter Firstbrook
C5. Case Study: DoD’s Approach to Security Testing Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps
D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence Dan Blum
E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It) Perry Carpenter, Andrew Walls
F5. Crisis/Incident Management Overview Leif Eriksen, Roberta J. Witty
G5. Global Supply Chain Risk: Perception and Management Hiranya Fernando
H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 — Part 2. View From the Practitioners Debra Logan, Lew Schwartz, Outside Panel
J5. Security Investors Perspectives Panel Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman
3:15 p.m. Solution Provider Sessions
4:30 p.m. A6a. Net IT Out: Articulating the Business Value of Information Security Tom Scholtz
B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely Jay Heiser
C6a. Net IT Out: Technical Insights — Securing Browser-Based Applications Mario de Boer
D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management Carsten Casper
E6a. Net IT Out: One-Time-Password Hardware Tokens — Going, Going … Not Quite Gone Ant Allan
F6a. (4:30 p.m.) and F6b. (4:55 p.m.) Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty
G6a. Net IT Out: The Realities of Cyberinsurance John A. Wheeler
H6a. Net IT Out: Compliance Controls — When Are Yours Too Old? Khushbu Pratap
J6. Security Market Gartner Magic Quadrant Overview Greg Young
4:55 p.m. A6b. Net IT Out: Developing the Key Competencies of the New Security Team Tom Scholtz
B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology Rob McMillan
C6b. Net IT Out: Road Map — Gaining Control of Consumerization Lawrence Orans
D6b. Net IT Out: Job Security in Cloud Era — Will Jobs Stay or Vaporize? Joseph Feiman
E6b. Net IT Out: The Undeath of PKI Eric Ouellet
G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools — A Use Case Approach Paul E. Proctor
H6b. Net IT Out: SAS 70 Is Gone — So What Are the Alternatives? French Caldwell
5:30 p.m. K3. Guest Keynote Cybersecurity: A View From the White House Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)
Wednesday, June 13
7:00 a.m. Registration
7:30 a.m. Breakfast With the Analysts
8:30 a.m. A7. How to Run, Grow and Transform Your Risk and Security Program Paul E. Proctor
B7. SIEM for Hybrid Technology and Services Deployments Kelly M. Kavanagh, Mark Nicolett
C7. Technical Insights: Mobility and Security — Gartner Field Research Project on Mobility and Consumerization Eric Maiwald
D7. Operationalize Social Media to Improve Security Performance Andrew Walls
E7. Q&A Session: The Identity and Access Management Marketplace Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner
F7. Strategies for Achieving Continuous Application Availability Donna Scott
G7. General Session Enterprise and Operational Risk Management: Directors Roundtable — What the Board Wants French Caldwell, Dale Kutnick, Panelists
J7. Security Journalists and Bloggers Panel Moderator: Greg Young
9:45 a.m. Solution Provider Sessions
11:00 a.m. W1. Workshop: ITScore For Security Management F. Christian Byrnes
B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud Anton Chuvakin
C8. Deep Dive Into Internet Infrastructure Attacks Lawrence Orans, John Pescatore
W2. Workshop: ITScore for Privacy Carsten Casper
W3. Workshop: ITScore for IAM Perry Carpenter, Ray Wagner
F8. Can I Recover Through the Cloud? John P. Morency, Sheila Childs
G8. Risk-Adjusted Value Management Paul E. Proctor
H8. Internal Auditors: Why They Do What They Do Khushbu Pratap
J8. SWOT Analysis: McAfee, Symantec, Cisco Eric Ahlm, Ruggero Contu, Peter Firstbrook
12:00 p.m. Solution Showcase Lunch and Theater Presentations; Exhibits and Theater Presentations
1:30 p.m. A9. Optimizing the Information Security Organization Jeffrey Wheatman
B9. The New Dangers of Machine to Machine (M2M) in the Enterprise Tim Zimmerman
C9. Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management Mark Nicolett
D9. Case Study: TBA
E9. Managing Identity and Access in the Hybrid World Gregg Kreizman
F9. Best Practices in Recovery Exercising John P. Morency
G9. Technical Insights: Road Map — Managing Multinational Privacy Risks in the Cloud Ian Glazer
H9. Improving Your Social Risk IQ French Caldwell
J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security Neil MacDonald, Lawrence Pingree
2:45 p.m. Solution Provider Sessions
4:00 p.m. A10. Ignore Enterprise Data Protection at Your Peril Jeffrey Wheatman
B10. The Mobile Security Brothers Traveling Roadshow John Girard, John Pescatore
C10. NIST’s National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage Steve Hawald
D10. Technical Insights: SaaS Email Security — Trust Versus Technology Dan Blum
E10. Socrates Was Wrong: A Debate Rob McMillan, Andrew Walls, Earl Perkins, Tom Scholtz, Vic Wheatman
F10. Panel: Educating Boards of Directors and Management in the Business Case for BCM Moderator: Roberta J. Witty
G10. Six CIO Risk Techniques to Please Your Board French Caldwell
H10. Managing Litigation and Regulatory Risks of Big Data Sheila Childs
J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps Joe Fuller, Dominion Enterprises
5:15 p.m. K4. Guest Keynote Information Security and Technology In General — Problem Solved. You’re Welcome John Hodgman, Actor, Author and Correspondent for “The Daily Show”
6:15 p.m. Summit Party — VIP Boat Cruise
Thursday, June 14
7:30 a.m. Registration; Breakfast by Industry and Role
8:00 a.m. A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy Rob McMillan, Tom Scholtz
B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats Neil MacDonald
C11. Manage Your Security Vendors or Be Mangled Greg Young
W4. (8 – 10 a.m.) Workshop: Securing the Access Layer — Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees Lawrence Orans, Tim Zimmerman
E11. Case Study: Securing the Digital Nation — The New Frontier of Cybersecurity Training and Education Keith Gordon, Senior Vice President, Security and Fraud and Enrollments, Online and Mobile Channels, Bank of America
W5. (8:00 – 11:30 a.m.) Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification John P. Morency, Roberta J. Witty
W6. Workshop: Policy Critique Jay Heiser
W7. (8:00 – 9:00 a.m.) Workshop: Implementing COBIT 5 Robert Stroud, ISACA’s Strategy Advisory Council
9:15 a.m. A12. Road Map: Intelligent Information Governance 2012 Debra Logan
B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector Doug Simmons, Gartner Consulting
C12. Network Security Open Q&A Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
E12. Technical Insights: Endpoint Virtualization Security Considerations Mario de Boer
W8. (9:15 – 11:30 a.m.) Workshop: Creating Key Risk Indicators for Your Company Paul E. Proctor
H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence Benjamin Wright, SANS Institute
10:30 a.m. A13. Trust: The Elusive Final Ingredient Jay Heiser
C13. Technical Insights: Network Security Architecture for Internal Private Clouds Eric Maiwald
D13. Developing and Implementing a Superior Mobile Device Policy John Girard
H12. Road Map: Intelligent Information Governance 2012 Debra Logan
11:45 a.m. K5. Closing Insights and a Review of “Aha” Moments Ray Wagner
Agenda as of April 3, 2012, and subject to change
AGENDA AT A GLANCE
REGISTRATION
EARLY-BIRD DISCOUNT EXTENDED!
Save $300 when you register by April 20.
Early-bird price: $1,995
Standard price: $2,295
Public-sector price: $1,895
3 easy ways to register
Web: gartner.com/us/securityrisk
Email: [email protected]
Phone: 1 866 405 2511
Gartner clients
A Gartner ticket covers all four days of the summit. Contact your account manager or email [email protected] to register using a ticket.
Bring your team and save! We’ve designed a program that will help teams of four to 25 maximize the summit experience while on-site and long after the event is over.
Team Benefits
• Team meeting with a Gartner analyst (end users only)
• Role-based agendas
• On-site team contact: Work with a single point of contact for on-site team deliverables
• Complimentary registrations
Complimentary Registrations
• 1 complimentary registration reward with 3 paid registrations
• 2 complimentary registration rewards with 5 paid registrations
• 3 complimentary registration rewards with 7 paid registrations
To register a team please email [email protected] or contact your Gartner account manager.
Become a Gartner client
Phone: +1 203 316 1111
Email: [email protected]
SPECIAL GARTNER HOTEL ROOM RATE
$240 per night (plus tax) at the Gaylord National
A limited supply of rooms are available at a special government rate of $229.
Gaylord National Hotel and Convention Center
201 Waterfront Street, National Harbor, MD 20745
Phone: +1 301 965 4000
gaylordhotels.com
Gartner, Inc., 56 Top Gallant Road, Stamford, CT 06902-7700
PO Box 29307, Shawnee, KS 66201
CONNECT WITH GARTNER
GLOBAL SECURITY & RISK MANAGEMENT EVENTS
Gartner Security & Risk Management Summit 2012 July 16 – 17 | Sydney, Australia
Gartner Security & Risk Management Summit 2012 September 19 – 20 | London, U.K.
Connect with the Gartner Security & Risk Management Summit 2012 on Twitter and LinkedIn.
#gartnersecurity
Gartner Security & Risk Management (xChange)
© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Risk-Adjusted Value Management is a trademark of Gartner or its affiliates. For more information, [email protected].
Intelligence for today’s business-critical IT security and risk management function