A Gartner for IT Leaders Summit

Gartner Security & Risk Management Summit 2010

Manage Risk and Build a More Secure Future

June 21 – 23 • National Harbor, MD (Washington, D.C. area) • gartner.com/us/securityrisk

Guest Keynotes

• John Ashcroft, Former Attorney General of the United States

• Michael Shermer, Founding Publisher, Skeptic magazine

• Andrew Zolli, Executive Director, Pop!Tech

Conference Co-Chairs

• Vic Wheatman, Managing Vice President, Gartner Research

• F. Christian Byrnes, Managing Vice President, Gartner Research

Four comprehensive programs:

• CISO

• IT Security

• Business Continuity Management

• Risk Management and Compliance

New event! Expanded coverage with four in-depth programs


Save $300 when you register by May 10.

Summit Overview

Table of contents

• Summit Overview

• Benefits of Attending

• Keynotes

• Agenda Programs

• Meet the Analysts

• Agenda at a Glance

• Summit Highlights

• Session Descriptions

• Solution Showcase

• Registration

Who should attend

• CIOs, CISOs and CFOs, and chief security, risk, compliance, process and technology officers

• Corporate governance officers

• IT vice presidents and directors

• Network security executives and directors

• Governance, risk, compliance and privacy executives

• Senior business executives

• General counsel

• Finance, audit, legal risk and compliance regulators

• Continuity of operations

• Crisis/emergency management

• Disaster recovery

• Anyone involved in enterprisewide security, risk management, business continuity management or critical infrastructure protection

Announcing a comprehensive new event for security, risk, compliance and business continuity professionals

Build a more secure future at your organization

It’s a pivotal time for security and risk management. Growing threats, new challenges and a need to align better with business goals have made it increasingly essential to bridge the gap between the security and risk management disciplines. To support this transition, we’ve merged our security, risk and business continuity conferences into one comprehensive new event.

The new Gartner Security & Risk Management Summit, June 21 – 23, National Harbor, MD (Washington, D.C. area), features four distinct programs covering IT security, risk management and compliance, business continuity and disaster recovery, and the role of the CISO. Each program will deliver in-depth research, targeted networking and analyst interaction, but with the added benefit of a broader scope and valuable crossover discussions.

In this highly changeable time, there’s no better place to get up-to-speed on the very latest tools, research and insight to help you improve your professional development and build a more secure future for your organization.

More breadth. More depth. More insight.

In addition to updates on trends, best practices and technologies, this year’s newly expanded agenda features a significant amount of never-before presented research designed to help you thrive in today’s rapidly evolving business climate.

• Four role-based programs chaired by specialists in each area—attend any session across the programs

• More than 100 drill-down sessions

• 12 analyst-moderated user roundtables and eight workshops, plus case studies, keynotes and more

• CISO invitational program

• Interdisciplinary emphasis to help bring your security and risk management team together

• More ways to communicate with business leaders, cultivate buy-in and encourage a more risk-aware organizational culture

• New research, trend updates, best practices, Magic Quadrants, long-range scenarios and more

“Excellent insight into new ways of looking at security.”

Matt Vandenbush, Architecture and Application Services, Brady Corporation


Visit gartner.com/us/securityrisk or call 1 866 405 2511.

Benefits of Attending

Leverage the global expertise of Gartner analysts, clients and partners—understand what it takes to secure the business now

The year’s must-attend security event

Our newly expanded agenda blends role-specific strategies with big-picture perspectives to help you move your risk and security program forward and support business resilience. We’ll address today’s hottest topics, from network and infrastructure security to cybersecurity, privacy, cloud computing, security as a service, sourcing, e-discovery, identity and access management, and much more.

• Gain the role-specific tools, strategies and insights you need to stay ahead of ever-increasing threats and seize new opportunities.

• Understand the growing interconnectedness of all forms of risk management, and how to architect an overall security and risk management strategy aligned with the business needs.

• Use the latest techniques to evaluate new security risks presented by SaaS, cloud computing and virtualization.

• Align risk management strategies with business goals, and articulate them in language that business leaders understand.

• Be ready for new regulatory, compliance, privacy and e-discovery requirements.

• Maximize resources by using the latest business continuity management models to identify and target the data and processes that will make your enterprise super-resilient.

• Create a more risk-aware organizational culture that supports risk management initiatives.

Earn CPE credits

Advance your continuing professional education when you attend the Gartner Security & Risk Management Summit. Registered participants are eligible to earn CPE credits toward ISC2, ISACA and DRII certification programs. Find out more at gartner.com/us/securityrisk.

In-depth workshops

Drill down on key topics in eight intensive workshops taught by the analysts. Workshops include:

• Strategies for Aligning Security With the Business

• Leadership During a Crisis

• Controlling Costs and Establishing Efficiency in E-Discovery

• SharePoint, Social Software and Security

• Top 5 Mistakes and Top 5 Network Security Architecture Best Practices

• Dealing With Changing FISMA Requirements

• Creating Key Risk Indicators for Your Company

Hot topics

• Cybersecurity

• Business-IT security alignment

• Risk management and security

• Cloud computing and security

• Virtualization and security

• Governance and policy setting

• Security strategy and architecture

• Security process maturity

• Advanced analytics

• Next-generation vulnerabilities

• Single sign-on and passwords

• Data loss prevention

• Secure social networking

• Privacy protection tools

• User provisioning and identity management

• Recovery plan management

• Server virtualization

• Crisis and incident management

• Data center recovery sourcing

• E-discovery and legal risk

• Regulatory compliance

• SaaS, the cloud and risk

• Privacy/protection tools


Keynotes

John Ashcroft, Former Attorney General of the United States

Andrew Zolli, Executive Director, Pop!Tech

Michael Shermer, Founding Publisher, Skeptic magazine

Guest keynotes

IT Security: Striking a Balance Between Access, Privacy and Usability

One of the most high-profile and experienced attorneys general in the nation’s history, Ashcroft led the U.S. law enforcement community through the challenging and transformational period following the tragic attacks of September 11, 2001. As U.S. Attorney General, Ashcroft was the CEO of a cabinet agency larger than most Fortune 500 corporations, comprised of 112,000 employees with an annual operating budget of $22 billion. He ran the world’s largest international law firm, a national prison system and the world’s finest law enforcement agencies. Relying on his executive experience, he emphasized strategic management, integrating strategic planning, budgeting and performance measurement across the department. For the first time in its history, the Justice Department earned a clean audit opinion, which it received each year of his tenure.

Personal and corporate data continues to be compromised at an alarming rate, in part because people are reluctant to use security tools that are too cumbersome to incorporate into their regular routines. Ashcroft addresses these concerns and discusses the critical need for innovative security technologies that strike a balance between access, privacy and usability.

Why Things Bounce Back: Engineering Resilience Into Your Organization

Using his gift for making connections between trends in demographics, technology, geopolitics and business, Zolli looks to improve the ways our faltering organizations—financial, corporate, governmental and societal—function. How can we insulate our organizations and ourselves from the increasingly violent shocks we are experiencing: terrorism, economic meltdowns, environmental catastrophe, wars? What makes an organization or system come back, while others collapse? Zolli will address these questions and explore ways to improve the life expectancy of our businesses, our governments and our societies.

Science, Security and Skepticism

Michael Shermer, founding publisher of Skeptic magazine, executive director of the Skeptics Society, columnist for Scientific American, and adjunct professor of economics at Claremont Graduate University, is the best-selling author of numerous books, including The Mind of the Market and Why Darwin Matters. His keynote presentation will touch on a range of topics related to how we make decisions, why we often believe strange things (for example, that a “complete solution” to information security exists), and the profound impact these belief systems can have both on individuals and corporations.


Agenda Programs

Four in-depth programs focus on your top priorities

Four distinct conferences within a conference facilitate a more targeted learning and networking experience—build a custom agenda across all four, or attend sessions in a single program.

CISO Program

The chief information security officer role is evolving rapidly. Experienced CISOs need to refresh their knowledgebase frequently. Those new to the role need the insight and perspective to see beyond conflicting advice. The CISO Program offers a full track of sessions tailored to the CISO perspective, as well as an invitation-only networking and leadership program.

IT Security Program

Tailored specifically to network, systems and application security executives, this program offers a comprehensive look at how to maintain requirements—ready and secure data and applications, new privacy policies and protection tools, and emerging trends and threats. We’ll provide a long-term vision of where security is headed and how enterprises and solution providers will get there.

Business Continuity Management Program

Virtualization, automation, cloud computing, telework and vendor movement have made BCM more complex. This program will cover the breadth of the BCM fundamentals and strategies used to support continuity, recovery and 24/7 availability across the enterprise. Participants will acquire the skills and insight to create a five-year strategy and identify immediate next steps.

Risk Management and Compliance Program

As senior management gains a greater understanding of the growing risks inherent to IT-reliant business, risk management is evolving toward a more comprehensive role. This program highlights emerging best practices for taking a variety of autonomous specialized functions and drawing them together into a coordinated enterprise IT risk management team.

Security and risk management: A critical priority in every industry

Government and public sector: Develop cohesive national cybersecurity initiatives in partnership with consumers and the public sector.

Financial services: Fight fraud while keeping online banking seamless and efficient.

Healthcare and pharmaceuticals: Increase quality of service delivery, reduce compliance costs and anticipate healthcare reform while maintaining patient privacy and protecting intellectual property.

Retail and wholesale: Enable improved collaboration across supply chains while meeting payment card industry standards and protecting critical logistics data.

Manufacturing: Manage and optimize increasingly interconnected and complex control networks while reducing costs, maintaining system integrity and protecting proprietary data.

Energy and utilities: Establish effective and efficient “smart grid” technology while combating fraud, cyberattacks and the loss of control.

Telecom services: Seize opportunities for improved “clean pipe” services and protecting end-user devices from malware and other threats.

Customize your agenda

We understand your need for relevant information and guidance that matches the maturity of your security and risk management initiatives. We’ve identified our sessions accordingly to help you navigate your way through the agenda:

Foundational. For attendees who are in the early stages of their initiatives

Advanced. For those with advanced security and risk management maturity

Be sure to check out our online Agenda Builder to see which of our 100+ sessions corresponds best to your interests and needs.


Meet the Analysts

Bringing security, risk management and business continuity together at one event gives you access to our top analysts across all security disciplines. Throughout the conference, you’ll network and meet Gartner analysts who will answer your questions and present their latest research.

CISO

F. Christian Byrnes, Managing Vice President

Jeffrey Wheatman, Director

John Bace, Vice President

Les Stevens, Director

Jay Heiser, Vice President

Tom Scholtz, Vice President

French Caldwell, Vice President

Carsten Casper, Director

IT Security

Perry Carpenter, Director

Avivah Litan, Vice President and Distinguished Analyst

Ant Allan, Vice President

Gregg Kreizman, Director

Joseph Feiman, Vice President and Gartner Fellow

Neil MacDonald, Vice President and Gartner Fellow

Peter Firstbrook, Director

Mark Nicolett, Vice President and Distinguished Analyst

John Girard, Vice President and Distinguished Analyst

Lawrence Orans, Director

Ray Wagner, Managing Vice President

Kelly M. Kavanagh, Principal Research Analyst

Eric Ouellet, Vice President

Bob Walder, Director

Earl Perkins, Vice President

John Pescatore, Vice President and Distinguished Analyst

Tom Scholtz, Vice President

Andrew Walls, Director

Vic Wheatman, Managing Vice President

Greg Young, Vice President

“Thought-provoking interaction with analysts and peers on the key elements and opportunities in a successful security program.”

Donald Borsay, Principal Security Architect, FM Global


Risk Management and Compliance

John Bace, Vice President

Whit Andrews, Vice President and Distinguished Analyst

French Caldwell, Vice President

Richard Hunter, Vice President and Distinguished Analyst

Carsten Casper, Director

Jay Heiser, Vice President

Jeffrey Wheatman, Research Director

Les Stevens, Director

Paul E. Proctor, Vice President and Distinguished Analyst

Dan Miklovic, Vice President

Debra Logan, Vice President and Distinguished Analyst

Mark Nicolett, Vice President and Distinguished Analyst

Business Continuity Management

John P. Morency, Director

Bill Malik, Director

Jeff Vining, Vice President

Donna Scott, Vice President and Distinguished Analyst

Dan Miklovic, Vice President

John Girard, Vice President and Distinguished Analyst

Les Stevens, Director

Roberta J. Witty, Vice President

Program Chairs

CISO

IT Security

IT Security

Business Continuity Management

Risk Management and Compliance

Tom Scholtz, Vice President

Analyst-user roundtables

Participate in a lively exchange with your peers moderated by Gartner analysts—12 sessions in all, covering today’s hottest topics:

See page 19 for analyst-user roundtable session descriptions.

• Issues in Outsourcing Security

• Best Practices Group Roundtable: Security and Privacy in the Cloud

• Security in Energy and Utilities

• Richard Hunter’s Risk Roundtable

• Data Security Issues in China and the Rest of APAC

• Security, Risk and Compliance Issues in Manufacturing

• Best Practices Roundtable: Information Classification and Management

• Hot Security Topics in Financial Services

• Technology Trade-Offs for Multisite Resiliency

• CISO Leadership

• BCM Plan Management

• Optimizing Disaster Recovery Costs

F. Christian Byrnes, Managing Vice President

Vic Wheatman, Managing Vice President

Ray Wagner, Managing Vice President

Roberta J. Witty, Vice President

Jay Heiser, Vice President


Agenda at a Glance

Monday, June 21

9:15 a.m. Welcome Address

9:45 a.m. K1. Opening Keynote IT Security: Striking a Balance Between Access, Privacy and Usability John Ashcroft, Former U.S. Attorney General

CISO Program • IT Security Program • Business Continuity Management Program • Risk Management and Compliance Program

The CISO • Infrastructure Protection • Secure Business Enablement

11:00 a.m. A1. Planning Powerful Processes: Assuring the Quality of Security F. Christian Byrnes

B1. Setting Up or Outsourcing Security Product Testing Bob Walder

C1. Cyberthreats and the IT Security Market Clock John Pescatore

D1. Data Loss Prevention: Are We There Yet? Eric Ouellet

E1. Roles and Entitlements: Frontiers in Entitlement Life Cycle Management Earl Perkins

F1. Five-Year Business Continuity Management and IT Disaster Recovery Management Scenario Roberta J. Witty, John P. Morency

G1. The Real Business of IT Risk Management Richard Hunter

12:00 p.m. Solution Showcase Lunch and Exhibits

2:00 p.m. A2. Security Budgeting in Lean Times: Droughts Don’t Last Forever, But Budgeting Best Practices Should Vic Wheatman

B2. Analyst Invitational: Network Security Vendors on the Hot Seat Greg Young

C2. Case Study Lessons Learned: Secure Web Gateways as a Primary Defense in Depth Tool Logan Kleier, CISO, City of Portland, OR

D2. In Our Opinion: The Fraud Detection Market Avivah Litan

E2. A Comprehensive Approach to Password Management and Single Sign-On That Delivers Value Gregg Kreizman

F2. Business Continuity Management Key Performance and Risk Indicator Mapping Roberta J. Witty

G2. Build a KRI Catalog to Link Risk and Security to Corporate Performance Paul E. Proctor

H2. Selecting and Applying Governance, Risk and Compliance Frameworks and Standards French Caldwell, Les Stevens

2:00 p.m. WKS1. Strategies for Aligning Security With the Business – Part 1 Tom Scholtz, Jay Heiser

3:15 p.m. Solution Provider Sessions

4:30 p.m. RFA1. Developing Your Career With the Right Security Qualifications Carsten Casper

RFB1. Domain Name System Security Extensions Lawrence Orans

RFC1. Security as a Service Kelly M. Kavanagh

RFD1. Cryptographic Algorithms Eric Ouellet

RFE1. Managing Shared Account Passwords Ant Allan

F2a. Case Study PS-Prep: Is It Still Right for Your Organization? Representative, Department of Homeland Security

G2a. Case Study Building a Risk Register Speaker: Tanya Scott, IT Governance and Compliance Analyst, Standard Insurance Company; Moderator: Paul E. Proctor

H2a. Case Study Risk and Expense Reduction Through Legal Discovery Management Andrew Drake, Assistant General Counsel, Discovery Management, Nationwide

4:30 p.m. WKS1. Strategies for Aligning Security With the Business – Part 2 Tom Scholtz, Jay Heiser

4:55 p.m. RFA2. The Value of Standards Jay Heiser

RFB2. Directories and Security Andrew Walls

RFC2. New Black Boxes Greg Young

RFD2. PCI Cryptographic Requirements Avivah Litan

RFE2. Managing Superuser Privileges Perry Carpenter

5:20 p.m. RFA3. GRC Architecture Principles French Caldwell

RFB3. Clean Pipes John Pescatore

RFD3. Key Management Eric Ouellet

RFE3. Synergies and Evolution Ant Allan

5:45 p.m. Solution Showcase Reception

Tuesday, June 22

7:00 a.m. CISO Community Breakfast • Security Community Breakfast • BCM Community Breakfast • Risk/Compliance Community Breakfast

8:00 a.m. K2. Guest Keynote Why Things Bounce Back: Engineering Resilience Into Your Organization Andrew Zolli, Executive Director, Pop!Tech

9:15 a.m. A3. Information Security and the Law John Bace

B3. Case Study Automating Vulnerability Management at Orbitz Ed Bellis, Vice President, CISO, Orbitz Worldwide

C3. Planning and Deploying the Security Features of Windows 7 Neil MacDonald

D3. E-Mail Hygiene: Don’t Forget to Floss Peter Firstbrook

E3. Best Practices in Choosing Risk-Appropriate Authentication Methods Ant Allan

F3. Developing a Strategy for Data Availability and Protection Donna Scott

G3. Case Study

H3. Information Governance Foundations for E-Discovery, E-Disclosure and Regulatory Compliance Debra Logan

9:15 a.m. WKS3. Best Practices in Taking Healthcare to the Next Level Ashwini Ahuja

WKS2. Leadership During a Crisis Roberta J. Witty

10:30 a.m. A4. What You Need to Know About Security Architectures Tom Scholtz

B4. Network Access Control in 2010 and Beyond Lawrence Orans

C4. Case Studies in Trusted Portable Personalities: Mixing Security and Portability John Girard

D4. Social Media Is Not a Security Problem Andrew Walls

E4. Innovative Plumbing: Five Out-of-the-Box Ideas for Leveraging Your IAM Perry Carpenter

F4. 24/7 Availability Bill Malik, Donna Scott

G4. E-Discovery Session: Software, Services and Search John Bace, Debra Logan

H4. Assembling a Governance, Risk and Compliance Solution: Beyond MarketScopes and Magic Quadrants French Caldwell, Mark Nicolett, Paul E. Proctor

11:30 a.m. Solution Showcase Lunch and Exhibits

1:30 p.m. Solution Provider Sessions

2:45 p.m. A5. Operational Metrics: What Do They Need to Know? Jeffrey Wheatman

B5. Case Study: Practitioner’s Guide to Collection and Analysis of RAM Dale Beauchamp, Branch Chief, Digital Forensics, Office of Information Security, TSA/Department of Homeland Security

C5. From Security Scans to Security Intelligence Joseph Feiman

D5. Practical Tips to Link IAM to Corporate Performance Tom Scholtz, Ant Allan

E5. Case Study Measuring Community Resiliency: Taking Benchmarking to the Next Level Donald Byrne, Managing Director, North River Solutions

F5. Everyone is a Remote Worker in a Disaster: Is Your Remote-Access Program Ready? John Girard

G5. Research Factory John Bace, French Caldwell

H5. Case Study

2:45 p.m. WKS4. SharePoint, Social Software and Security Debra Logan, Neil MacDonald

4:00 p.m. Solution Provider Sessions

5:15 p.m. K3. Guest Keynote Science, Security and Skepticism Michael Shermer, Founding Publisher, Skeptics Society

6:30 p.m. Hospitality Suites

Wednesday, June 23

7:30 a.m. Breakfast With the Analysts

8:30 a.m. A6. Setting Clear Expectations: Governance and Policy Setting Les Stevens

B6. Emerging Use Cases for Security Information and Event Management (SIEM) Mark Nicolett

C6. Three Styles of Security in the Public and Private Cloud John Pescatore

D6. Case Study: How Gartner is Linking Data Classification and Rights Management Michael R. Zboray, Chief Security Officer, Gartner

E6. How to Build a Government Continuity of Operations Plan Jeff Vining

F6. New Approaches for Recovery Testing and Exercising John P. Morency, Roberta J. Witty

G6. The Myth of the Chief Risk Officer Jeffrey Wheatman

H6. Cross the Border, Not the Law: Foundation of a Global Privacy Program Carsten Casper

8:30 a.m. WKS6. Top 5 Mistakes and Top 5 Network Security Architecture Best Practices Greg Young

WKS5. Controlling Costs and Establishing Efficiency in E-Discovery Whit Andrews, John Bace, Debra Logan

9:45 a.m. Solution Provider Sessions

11:00 a.m. A7. Risk Assessment 101: What You Need to Know Les Stevens

B7. Best Practices in IT Security and IT Operations Integration Mark Nicolett

C7. Magic Quadrants, MarketScopes, MarketShares and the Future of Information Security John Girard, Bob Walder, Greg Young

D7. Your Password is Not Enough: Best Practices in External User Authentication Ant Allan, Avivah Litan

E7. Virtualization and the Cloud: Two Key Technologies That Recovery Managers Should Not Ignore Bill Malik, John P. Morency

F7. Case Study Designing and Managing the Resilient Supply Chain Speaker: John O’Connor, Director, Supply Chain Risk Management, Cisco; Moderator: Dan Miklovic

G7. Stormy Weather: Assessing the Security Risks of SaaS Products and Cloud Services Jay Heiser

H7. World-Class Privacy on a Shoestring Carsten Casper

11:00 a.m. WKS7. Dealing With Changing FISMA Requirements John Pescatore

12:00 p.m. Solution Showcase Lunch and Exhibits

Theater Presentations:

• Social Media and Security Andrew Walls

• Managed Security Service Providers Selection Criteria Kelly M. Kavanagh

• E-Discovery and Security Whit Andrews

1:30 p.m. A8. Workshop: Assessing and Improving Process Maturity—Part 1 F. Christian Byrnes

B8. Lessons Learned in Secure Remote Access: Protection in an Outsourced, Contracted and Partnered World John Girard

C8. DNS: It’s Not as Boring as You Think Lawrence Orans, John Pescatore

D8. Cyber/Physical Security Convergence: Is This a Good Idea? Vic Wheatman, Jeff Vining

E8. Identity in Cloud Architectures Earl Perkins

F8. Case Study Business Continuity for the Environment Speakers: Ed Levis, Director of IT, EnerNOC; Brian Goss, President, Limbic Networks; Moderator: John P. Morency

G8. Security and Risk Management as a Social Science Tom Scholtz

H8. A New Approach to Enterprise Data Protection Jeffrey Wheatman

1:30 p.m. WKS9. BCM Maturity Roberta J. Witty

WKS8. Creating Key Risk Indicators for Your Company – Part 1 Paul E. Proctor

2:45 p.m. Solution Provider Sessions

4:00 p.m. A9. Workshop: Assessing and Improving Process Maturity—Part 2 F. Christian Byrnes

B9. Securing the Next-Generation Virtualized Data Center Neil MacDonald

C9. Smartphone Security Assessments John Girard

D9. Cloud Security: Shield or Vapor? Joseph Feiman

E9. Federation and User-Centric Identity Won’t Go Far Without Identity Proofing/Assurance Avivah Litan, Gregg Kreizman

F9. Best Practices in Risk Assessment and Business Impact Analysis John P. Morency, Roberta J. Witty

G9. Aligning Security Assessment With the Business Mark Nicolett

H9. Content or Workflow: Who Dominates the Governance, Risk and Compliance Space? Dan Miklovic, French Caldwell

4:00 p.m. WKS8. Creating Key Risk Indicators for Your Company – Part 2 Paul E. Proctor

5:15 p.m. K4. Gartner Keynote Closing Remarks Ray Wagner, Gartner Analyst Team

6:00 p.m. Conference Adjourns

RF – Rapid-Fire Session (see page 10 for details)

– Additional Business Continuity Management Session

Agenda as of March 15, 2010, and subject to change. Visit gartner.com/us/securityrisk for updates.

Build a customized agenda online

Use the Agenda Builder to create your own custom summit curriculum prior to the event. You can even customize your agenda via your mobile phone and sign up for RSS alerts. Get started at gartner.com/us/securityrisk.


Summit Highlights

Experience insight firsthand

At a Gartner event, you don’t just collect information. You interact with analysts and peer executives at Q & A sessions, workshops, roundtables and networking events that facilitate informed discussions, deepen understanding and trigger game-changing insights.

100+ analyst presentations

Nearly 40 Gartner analysts will be on-site to personally present their latest research in 75 sessions, as well as conduct eight workshops, analyst-user roundtables, hundreds of one-on-one meetings and more.

Analyst one-on-ones

Sit privately for 30 minutes with a Gartner analyst specializing in the topic you’d like to discuss. To reserve your one-on-one session, visit the Agenda Builder at gartner.com/us/securityrisk or the One-on-One Desk on-site at the conference.

User case studies

Gartner invites a number of end users to personally present leading-edge case studies and answer questions. Case study speakers include:

• Dale Beauchamp, Branch Chief, Digital Forensics, Office of Information Security, TSA/Department of Homeland Security

• Ed Bellis, Vice President, CISO, Orbitz Worldwide

• Donald Byrne, Managing Director, North River Solutions

• Andrew Drake, Assistant General Counsel, Discovery Management, Office of the Chief Legal Officer, Nationwide

• Brian Goss, President, Limbic Networks

• Logan Kleier, CISO, City of Portland, OR

• Ed Levis, Director of IT, EnerNOC

• John O’Connor, Director of Supply Chain Risk Management, Cisco

• Tanya Scott, IT Governance and Compliance Analyst, Standard Insurance Company

Leading solution providers

Meet with today’s leading solution providers across security and risk disciplines, all under one roof. Hear their case studies, get answers to your questions and create a shortlist of top vendors.

New! Rapid-fire sessions

A shorter, faster-paced and interactive forum to discuss—or debate—hot topics at the conference. Bring your questions and opinions with you! Rapid-fire sessions include:

CISO Program

Developing Your Career With the Right Security Qualifications (RFA1) Moderator: Carsten Casper

The Value of Standards (RFA2) Moderator: Jay Heiser

GRC Architecture Principles (RFA3) Moderator: French Caldwell

IT Security Program: Infrastructure Protection

Domain Name System Security Extensions (RFB1) Moderator: Lawrence Orans

Directories and Security (RFB2) Moderator: Andrew Walls

Clean Pipes (RFB3) Moderator: John Pescatore

Security as a Service (RFC1) Moderator: Kelly M. Kavanagh

New Black Boxes (RFC2) Moderator: Greg Young

IT Security Program: Secure Business Enablement

Cryptographic Algorithms (RFD1) Moderator: Eric Ouellet

PCI Cryptographic Requirements (RFD2) Moderator: Avivah Litan

Key Management (RFD3) Moderator: Eric Ouellet

Managing Shared Account Passwords (RFE1) Moderator: Ant Allan

Managing Superuser Privileges (RFE2) Moderator: Perry Carpenter

Synergies and Evolution (RFE3) Moderator: Ant Allan

Get a video sneak peek

Find out why this is the most comprehensive and valuable security and risk event all year. Watch a video introduction from the conference co-chairs at gartner.com/us/securityrisk.


Session Descriptions

KeynotesK1. Guest Keynote: it security—striking a Balance Between Access, Privacy and usability Personal and corporate data continues to be compromised at an alarming rate, in part because people are reluctant to use security tools that are cumbersome to incorporate into their regular routines. Former U.S. Attorney General Ashcroft addresses these concerns and discusses the critical need for innovative security technologies that strike a balance between access, privacy and usability.

John Ashcroft, Attorney General of the United States, 2001-2005; United States Senator, 1995-2001; Governor of Missouri, 1985-1993; Chairman, The Ashcroft Group

K2. Guest Keynote: Why Things Bounce Back—Engineering Resilience Into Your Organization

Using his gift for making connections between trends in demographics, technology, geopolitics and business, Zolli looks to improve the ways our faltering organizations—financial, corporate, governmental and societal—function. How can we insulate our organizations and ourselves from the increasingly violent shocks we are experiencing: terrorism, economic meltdowns, environmental catastrophe, wars? What makes an organization or system come back, while others collapse? Zolli will address these questions and explore ways to improve the life expectancy of our businesses, our governments and our societies.

Andrew Zolli, Executive Director, Pop!Tech

K3. Guest Keynote: Science, Security and Skepticism

Michael Shermer is executive director of the Skeptics Society, founding publisher of Skeptic magazine and a Scientific American magazine columnist. In this session, Shermer will demonstrate that most decisions made about almost everything done in our personal and professional lives, and by corporations and government agencies, are made under great uncertainty through rule-of-thumb reasoning.

Michael Shermer, Executive Director, Skeptics Society

K4. Gartner Keynote: Closing Remarks

Join the security/risk/compliance and business continuity management team for an interactive conference summation where we review what role-oriented lessons were learned, and what was learned across the various roles represented at the conference.

Ray Wagner, Managing Vice President; Gartner analyst team

CISO Program

The chief information security officer role is evolving rapidly. Experienced CISOs need to refresh their knowledgebase frequently. Those new to the role need the insight and perspective to see beyond conflicting advice. The CISO Program offers a full track of sessions tailored to the CISO perspective, as well as an invitation-only networking and leadership program.

A1. Planning Powerful Processes: Assuring the Quality of Security

Security processes exist to implement and maintain controls as well as to detect potential failures. When these processes are immature, security failures occur, resulting in the constant return to firefighting mode. Process maturity is a key enabler of security success. This session will explore what can happen if a company doesn’t embrace proper security processes.

F. Christian Byrnes, Managing Vice President

A2. Security Budgeting in Lean Times: Droughts Don’t Last Forever, But Budgeting Best Practices Should

Late 2008 and 2009 were revelatory times for security organizations. For the first time in recent memory, enterprises had to put ambitious security projects on hold to provide basic security for their organizations, using fewer dollars. Forced resource rationalization, while painful, commanded more discipline into the security budgeting process. This presentation looks back at measures that security teams took under fiscal duress, and highlights ways to maintain newfound best practices as enterprises ratchet up investment.

Vic Wheatman, Managing Vice President

The Gartner Security & Risk Management Summit is comprised of four programs of role-specific sessions and networking. Each program offers a full agenda of analyst sessions, keynotes, roundtable discussions, case studies, workshops and more. Build an agenda of sessions across multiple programs, or attend one program alone.

Foundational. For attendees who are in the early stages of their initiatives

Advanced. For those with advanced security and risk management maturity

A3. Information Security and the Law

Information security professionals often find themselves on the front lines of civil and criminal legal matters, or eyeball-to-eyeball with government regulators. That is why a CISO needs to have a basic understanding of legal concepts such as electronic discovery, preservation obligations and cross-border jurisdictional requirements. This session will raise your awareness of potential pitfalls and opportunities as well as point you toward appropriate sources of information.

John Bace, Vice President

A4. What You Need to Know About Security Architectures

Information security architecture is a foundational element of any information security program. However, the term “architecture” means different things to different people, often resulting in confusion and conflict about the role and function of security architecture. Hence, security and architecture practitioners struggle to achieve a common understanding of how security architecture practice can be exploited in the best interests of the enterprise. This session will cover security architecture pitfalls and best practices.

Tom Scholtz, Vice President

A5. Operational Metrics: What Do They Need to Know?

There are thousands of possible security-related metrics that could be captured. Some are useful in managing the security function, others are important for reporting upward on the health of security. Selecting what to capture and what to report can be difficult. Gartner presents current best practices for both decisions.

Jeffrey Wheatman, Director

A6. Setting Clear Expectations: Governance and Policy Setting

Information security is largely a translation function that converts business risk sensitivity into policies that technical and training staff can implement. The key to success is setting up an effective governance structure to manage policy. This session will explore what governance structures are best for managing policies.

Les Stevens, Director

A7. Risk Assessment 101: What You Need to Know

Few CISOs do risk assessment well, yet it is the ideal tool for assuring that security matches business needs and for gaining support for security from the business. There are numerous opinions about how and when to do risk assessments. Gartner has developed best practices for security risk assessment.

Les Stevens, Director

A8. Workshop: Assessing and Improving Process Maturity, Part 1

In this workshop, you will populate a Gartner security process maturity worksheet on your laptop, resulting in a report of the strengths and weaknesses of your current security program. Laptop required.

F. Christian Byrnes, Managing Vice President

A9. Workshop: Assessing and Improving Process Maturity, Part 2

In this workshop continuation, participants present the findings of Part 1 and discuss the strengths and weaknesses of current security programs. Laptop required.

F. Christian Byrnes, Managing Vice President

IT Security Program

Tailored specifically to network, systems and application security executives, this program offers a comprehensive look at how to maintain requirements—ready and secure data and applications, new privacy policies and protection tools, and emerging trends and threats. We’ll provide a long-term vision of where security is headed and how enterprises and solution providers will get there.

B1. Setting Up or Outsourcing Security Product Testing

As IT infrastructure has become mission-critical to today’s businesses, it is important to maintain continuity of service. Evaluating new security products is fraught with danger, as each new device introduces the possibility of increasing latency to unacceptable levels or, worse still, interrupts business processes entirely. This session will explore how security product evaluations can be run in-house and whether you need to engage a third party to perform testing on your behalf.

Bob Walder, Director

B2. Analyst Invitational: Network Security Vendors on the Hot Seat

Gartner invites three network security vendors to answer the hard questions all end users want to know: which solutions are good, better and best?

Greg Young, Vice President

B3. Case Study: Automating Vulnerability Management at Orbitz

Orbitz Worldwide has begun taking advantage of public standards such as Security Content Automation Protocol (SCAP), Web Application Security Consortium-Threat Classification (WASC-TC), and others to automate its vulnerability management program. Learn which standards have provided the program’s foundation and how Orbitz uses them to create the glue behind these disparate information silos across its global travel brands.

Ed Bellis, Vice President and CISO, Orbitz Worldwide

B4. Network Access Control in 2010 and Beyond

NAC is poised to move out of its “trough of disillusionment.” Here’s what you need to know as it matures, including the key trends that will shape Network Access Control (NAC) in 2010 and beyond.

Lawrence Orans, Director

B5. Case Study: Practitioner’s Guide to Collection and Analysis of RAM

This topic outlines the best practices in collection of RAM and volatile data, with an overview of how to analyze the collected evidence. The focus is on the effective use of free and purchased tools to extract the most valuable data with regard to a compromised host.

Dale Beauchamp, Branch Chief, Digital Forensics, Office of Information Security, TSA/Department of Homeland Security

B6. Emerging Use Cases for Security Information and Event Management (SIEM)

SIEM technology has traditionally been deployed for external threat monitoring and compliance. Emerging use cases include application layer monitoring for targeted attack and fraud detection, database activity monitoring, and operations-oriented monitoring and analysis. This session will identify the major and emerging use cases for SIEM.

Mark Nicolett, Vice President and Distinguished Analyst

B7. Best Practices in IT Security and IT Operations Integration

Project work and technologies that straddle IT security and IT operations are needed to build and maintain an environment that is resilient to attack. Configuration auditing, service dependency mapping and workflow integration will improve security and operational efficiency. This session will address how IT security and IT operations work to integrate technology and process.

Mark Nicolett, Vice President and Distinguished Analyst

B8. Lessons Learned in Secure Remote Access: Protection in an Outsourced, Contracted and Partnered World

Contractors are less expensive on the ledger than full-time employees. Business partners must be connected to make just-in-time decisions. Companies give control of critical internal systems to users who are not under direct supervision. Relationships span political boundaries. Enforcement of data protection and SLAs are acts of faith. We take stock of the vulnerabilities caused by extranet access and recommend a survival plan. What are the extranet security and privacy challenges through 2014? How will business integrity be maintained when users may never be seen? This session will cover these issues and more.

John Girard, Vice President and Distinguished Analyst

B9. Securing the Next-Generation Virtualized Data Center

By 2012, more than 50 percent of all data center workloads will be virtualized. We believe this will foundationally transform security infrastructure requirements. Security policy enforcement mechanisms need to become virtualized, just like the workloads they protect, in our next-generation virtualized data center. This session will explore how we should design our next-generation security infrastructure to protect the next-generation virtualized data center.

Neil MacDonald, Vice President and Gartner Fellow

C1. Cyberthreats and the IT Security Market Clock

In this session we will present the updated Gartner Threats Hype Cycle and the new IT Market Clock framework, giving a full life-cycle view of both problems and the security technologies needed for strategic investment and divestment decisions.

John Pescatore, Vice President and Distinguished Analyst

C2. Case Study: Lessons Learned—Secure Web Gateways as a Primary Defense in Depth Tool

The City of Portland, OR, had outdated and limited technology to channel and filter users’ Internet access. Not only did it consume significant resources, but if it failed, all Internet traffic was blocked. What started as a way to do more elegant content filtering ended as a “secure Web gateway” implementation. After testing various Web gateways, the city determined that it had more outbound malware threats than it realized, and that its endpoint protection suite and IPS were insufficient to catch all threats coming and leaving its network.

Logan Kleier, CISO, City of Portland, OR

C3. Planning and Deploying the Security Features of Windows 7

This session explores the pros and cons and specific deployment recommendations for the most critical Windows 7 capabilities including AppLocker, BitLocker, DirectAccess, Windows firewall and others.

Neil MacDonald, Vice President and Gartner Fellow

C4. Case Studies in Trusted Portable Personalities: Mixing Security and Portability

Every company struggles to adapt to rising demands for portable information access without increasing investments in supervision and dedicated workstations. These demands extend far beyond the question of employee access to encompass sharing of legally sensitive data and competitive intellectual property with external parties.

John Girard, Vice President and Distinguished Analyst

C5. From Security Scans to Security Intelligence

Today’s security concepts are based on disparate vulnerability scanning and monitoring of unrelated stovepipes: networks, databases, desktops and applications. Analysis is limited to log and report reviews. This concept should be transformed into enterprise security intelligence, enabling correlation and impact analysis across all intelligence sources, systems’ security understanding, knowledge management and actionable advice.

Joseph Feiman, Vice President and Gartner Fellow

C6. Three Styles of Security in the Public and Private Cloud

Security issues have already been a barrier to cloud adoption and Gartner foresees enterprises adopting three major styles of securing cloud services for business benefit. Here’s a methodology for matching the most effective and efficient approach to staying secure while taking advantage of consumer-grade technologies.

John Pescatore, Vice President and Distinguished Analyst

C7. Magic Quadrants, MarketScopes, MarketShares and the Future of Information Security

Starting with our proprietary data and evaluations, we demonstrate the composition of the security market and reveal submarket interactions for a better understanding of how the pieces comprise the whole.

John Girard, Vice President and Distinguished Analyst; Bob Walder, Director; Greg Young, Vice President

C8. DNS: It’s Not as Boring as You Think

This session will help you prepare for DNSSEC and will also address best practices for DNS, Dynamic Host Configuration Protocol (DHCP) and IP address management (IPAM) in internal networks.

Lawrence Orans, Director; John Pescatore, Vice President and Distinguished Analyst

C9. Smartphone Security Assessments

Smartphones are like little PCs that bring both old and new technological and opportunistic threats to the enterprise. This presentation uses our broad analysis of phone threats and technologies to chart a safe course through your mobile choices. How will smartphone security vulnerabilities impact enterprises over the next five years? What are the basic security requirements that must be present on phones used for business purposes? How do the security features of the major smartphone platforms compare in theory and in practice?

John Girard, Vice President and Distinguished Analyst

D1. Data Loss Prevention: Are We There Yet?

Organizations large and small are planning to deploy DLP to better control and protect sensitive assets at the perimeter, within data stores and document management systems, and at the endpoints. As these tools become mainstream within organizations, they will impact and challenge traditional views of data classification, protection and access controls.

Eric Ouellet, Vice President

D2. In Our Opinion: The Fraud Detection Market

This session reviews the Gartner fraud detection MarketScope and relevant Magic Quadrants, and examines the issues and the solutions available to mitigate online fraud.

Avivah Litan, Vice President and Distinguished Analyst

D3. E-Mail Hygiene: Don’t Forget to Floss

Spam, phishing and viruses continue to infect e-mail traffic. However, most organizations are getting better at harnessing this traffic. IT organizations must now turn their attention to nasty bits of e-mail caught in outbound traffic. Meanwhile, as first- and second-generation e-mail solutions start to decay, proper hygiene requires simplifying the solution and reducing costs. This session will explore how e-mail DLP will fit into overall data management solutions.

Peter Firstbrook, Director

D4. Social Media Is Not a Security Problem

Many security organizations have reacted to the novelty and popularity of social networks, blogs, wikis and microblogs by battening down the hatches and shutting off access. Ironically, the significant risks presented by social media cannot be mitigated by infrastructure controls and are not produced by the technology supporting social media.

Andrew Walls, Director

D5. Practical Tips to Link IAM to Corporate Performance

CIOs, CISOs and IAM leaders struggle to link efforts in IAM to the value they provide at line-of-business and executive levels. In this session we will discuss developing a framework for linking security and IAM strategy to business strategies.

Tom Scholtz, Vice President; Ant Allan, Vice President

D6. Case Study: How Gartner Is Linking Data Classification and Rights Management

Data classification and rights management are two sides of a coin. While data classification policies at Gartner specify what needs to be done, many data care responsibilities were left to the end users with mixed results. Hear what worked and what failed in the first attempts at data classification at Gartner and how policies were automated through technology.

Michael R. Zboray, Chief Security Officer, Gartner Strategic Technology Group

D7. Your Password Is Not Enough: Best Practices in External User Authentication

Passwords alone are not enough for any but the lowest-risk use cases: higher-assurance authentication methods are often necessary, but are not themselves sufficient. What threats can compromise or circumvent even the strongest authentication method?

Ant Allan, Vice President; Avivah Litan, Vice President and Distinguished Analyst

D8. Cyber/Physical Security Convergence: Is This a Good Idea?

This presentation examines the prospects for merging physical security, video surveillance and IT security systems with a focus on the possibility of implementing a more comprehensive security posture.

Vic Wheatman, Managing Vice President; Jeff Vining, Vice President

D9. Cloud Security: Shield or Vapor?

We will present evaluation criteria defining which security services fit the cloud, analyze whether cloud services for storage, infrastructure and applications have a good chance to be reasonably secure, and review the future of security jobs—will they be kept, or evaporate in the cloud?

Joseph Feiman, Vice President and Gartner Fellow

E1. Roles and Entitlements: Frontiers in Entitlement Life Cycle Management

This presentation examines the role and entitlement management market, the availability and maturity of those solutions, and the impact they have on enterprises seeking secure access.

Earl Perkins, Vice President

E2. A Comprehensive Approach to Password Management and Single Sign-On That Delivers Value

Enterprises continue to grapple with simplifying their internal environment for password management and single sign-on (SSO). Increased use of SaaS adds complexity. This session highlights solutions for the most common requirements and use cases.

Gregg Kreizman, Director

E3. Best Practices in Choosing Risk-Appropriate Authentication Methods

The best authentication method is not necessarily the strongest—companies must consider requirements for assurance and accountability and balance these against other needs and constraints. This session will address how to evaluate new authentication methods.

Ant Allan, Vice President

E4. Innovative Plumbing: Five Out-of-the-Box Ideas for Leveraging Your IAM

New IAM problems do not necessarily demand new IAM technologies to solve them. This session will explore what capabilities of your existing IAM investment are unused or underused and how to best exploit your IAM investment.

Perry Carpenter, Director

E5. Case Study: Measuring Community Resiliency—Taking Benchmarking to the Next Level

Much effort is being made to judge, diagnose and enhance the resiliency of businesses, but this focus may fail to take into account the importance of the interdependent nature of a business’s relationships with the community. This session will explore what responsibilities business and government have to assess the level of preparedness of the larger business community.

Donald Byrne, Managing Director, North River Solutions

E6. How to Build a Government Continuity of Operations Plan

This presentation will examine some common, unique and best practice elements that should be included in all government continuity-of-operation plans.

Jeff Vining, Vice President

E7. Virtualization and the Cloud: Two Key Technologies That Recovery Managers Should Not Ignore

This session will discuss the current maturity and adoption trends of both technologies, the specific recovery and continuity management pain points that they address today and their longer-term potential for making disaster recovery management much more affordable.

Bill Malik, Director; John P. Morency, Director

E8. Identity in Cloud Architectures

Much has been said about securing cloud computing, but what role does identity play in that effort and beyond? This session will address the short- and long-term implications and demands of increased cloud-computing use on IAM architecture and solutions.

Earl Perkins, Vice President

E9. Federation and User-Centric Identity Won’t Go Far Without Identity Proofing/Assurance

This session covers the trends in federation and user-centric identity and the identity proofing services needed to make the promise a reality.

Avivah Litan, Vice President and Distinguished Analyst; Gregg Kreizman, Director

WKS1. Strategies for Aligning Security With the Business, Part 1 and 2

To reach adequate levels of maturity in their information security controls, organizations must invest in a strategy for improving business alignment. The actions resulting from this strategy must be executed in conjunction with existing security improvement projects. This workshop will share tactics and best practices for developing a strategy to improve alignment of information security activities with business requirements.

Tom Scholtz, Vice President; Jay Heiser, Vice President

WKS3. Best Practices in Taking Healthcare to the Next Level

This panel workshop will address what healthcare providers should be doing to prepare for the recent change to HIPAA law, the HITECH rules such as breach notification requirements, ARRA requirements of EHR, as well as discuss the challenges faced by hospitals balancing security with patient care (SaaS, cloud, etc.).

Ashwini Ahuja, Leadership Partner, Gartner End-User Programs

WKS4. SharePoint, Social Software and Security

Next to e-mail, Microsoft SharePoint is becoming one of the most ubiquitous enterprise applications. Early adopters report mass user acceptance accompanied by numerous information governance issues. Work through the issues surrounding the implementation and governance of SharePoint and other collaboration and social software applications in this interactive workshop, which includes two case studies and a Gartner toolkit designed to help organizations roll out SharePoint successfully and securely.

Debra Logan, Vice President and Distinguished Analyst; Neil MacDonald, Vice President and Gartner Fellow

WKS6. Top 5 Mistakes and Top 5 Network Security Architecture Best Practices

Using practical examples, we’ll explore the mistakes made in network security and DMZ design, with participants developing their own answers to questions such as: What are the best practices in network and DMZ design? What mistakes in network design are most commonly made? How are new technologies like virtualization impacting on security design? How are threats to Web applications best responded to?

Greg Young, Vice President

WKS7. Dealing With Changing FISMA Requirements Workshop

This interactive session has primarily a government focus, but FISMA/NIST 800-53 requirements are now increasingly showing up in commercial contracts. Key issues: What are the FISMA requirements? What changes need to be made to COTS to achieve compliance? How should commercial entities look at government mandates in their own acquisitions?

John Pescatore, Vice President and Distinguished Analyst

Business Continuity Management Program

Virtualization, automation, cloud computing, telework and vendor movement have made BCM more complex. This program will cover the breadth of the BCM fundamentals and strategies used to support continuity, recovery and 24/7 availability across the enterprise. Participants will acquire the skills and insight to create a five-year strategy and identify immediate next steps.

F1. Five-Year Business Continuity Management and IT Disaster Recovery Management Scenario

This presentation takes a look at the phased transition from recovery-centric to resiliency-centric operations management. The impact of virtualization technology, nascent public cloud services and improved management automation on facilitating this transition will be discussed.

Roberta J. Witty, Vice President; John P. Morency, Director

F2. Business Continuity Management Key Performance Indicator and Risk Indicator Mapping

In this session, we will address how to present a defensible case for the value and effectiveness of BCM to an executive audience.

Roberta J. Witty, Vice President

F2a. Case Study: PS-Prep—Is It Still Right for Your Organization?

In this session we will discuss the status of PS-Prep, the standards selection process and the road map for making PS-Prep a viable certification program for small, midsize and large organizations.

Representative, Department of Homeland Security

F3. Developing a Strategy for Data Availability and Protection

This presentation provides guidance for developing a comprehensive tier-based data availability and protection strategy, and how to align architectural and technology choices based on the service levels required for each tier.

Donna Scott, Vice President and Distinguished Analyst

F4. 24/7 Availability

This presentation discusses the architectural and technological requirements for a continuously available system, and addresses the issues of cost and core best practices to truly achieve 24/7 services.

Bill Malik, Director; Donna Scott, Vice President and Distinguished Analyst

F5. Everyone Is a Remote Worker in a Disaster: Is Your Remote-Access Program Ready?

In this session we will discuss what the telecommunications carriers are doing to ensure that Internet access is available to remote workers during a pandemic.

John Girard, Vice President and Distinguished Analyst

F6. New Approaches for Recovery Testing and Exercising

This session will focus on those best practices that will ensure that your recovery exercise program provides the organization with a realistic view of the state of your recovery strategy and how to ensure continued success as your own business practices change over time.

John P. Morency, Director; Roberta J. Witty, Vice President

F7. Case Study: Designing and Managing the Resilient Supply Chain

In this session, we will explain Cisco’s approach to supply chain resiliency management. It will include an overview and discussion of Cisco’s preparedness, mitigation and resiliency program, including supply chain risk analytics and metrics, business continuity program, crisis management program, component resiliency program, supply chain resiliency program and new product resiliency.

Speaker: John O’Connor, Director, Supply Chain Risk Management, Cisco; Moderator: Dan Miklovic, Vice President

F8. Case Study: Business Continuity for the Environment

This session describes how EnerNOC achieves 24/7 availability for its clean energy business. EnerNOC applies innovative technology solutions to help customers manage their energy demand and reduce costs. During periods of peak demand, the company helps customers curtail their energy usage and offload the power grid. Business continuity is essential for EnerNOC to respond quickly to demand-response events. Learn how EnerNOC keeps business operations running.

Speakers: Ed Levis, Director of IT, EnerNOC; Brian Goss, President, Limbic Networks; Moderator: John P. Morency, Director

F9. Best Practices in Risk Assessment and Business Impact Analysis

Risk assessments are intended to identify threats and vulnerabilities and select controls. The BIA is probably the most important aspect of the BCM planning process, as it provides the foundation on which recovery requirements and objectives are built. This presentation will discuss different risk assessment approaches and give guidance on how best to conduct a BIA for BCM.

John P. Morency, Research Director; Roberta J. Witty, Vice President

WKS2. Leadership During a Crisis

Learn about dealing with behavioral and emotional responses to a crisis, including the concept of behavior mapping during various phases of a crisis; what an organization can do before and during a crisis to alleviate individual and organizational impacts; and the value of security being visible and responsive during a crisis.

Roberta J. Witty, Vice President

WKS9. BCM Maturity

In this workshop, you will conduct an assessment of your organization’s BCM maturity based on the Gartner Self-Assessment Maturity model, which can then be used to create a road map for improving it.

Roberta J. Witty, Vice President

See these related business continuity management sessions in the IT Security Program: E5, E6, E7.

Risk Management and Compliance Program

As senior management gains a greater understanding of the growing risks inherent to IT-reliant business, risk management is evolving toward a more comprehensive role. This program highlights emerging best practices for taking a variety of autonomous specialized functions and drawing them together into a coordinated enterprise IT risk management team.

G1. The Real Business of IT Risk Management

This presentation, based on cases from the Harvard Business Press best-seller The Real Business of IT: How CIOs Create and Communicate Value, describes the proven path to communicating value used by highly successful IT organizations, and shows how IT risk managers and security professionals can use this path to demonstrate the value of their contribution to the enterprise.

Richard Hunter, Vice President and Distinguished Analyst

Foundational. For attendees who are in the early stages of their initiatives

Advanced. For those with advanced security and risk management maturity


G2. Build a KRI Catalog to Link Risk and Security to Corporate Performance

Mapping key risk indicators (KRIs) into business-centric key performance indicators (KPIs) is an excellent way to link risk and security to corporate performance. Gartner has developed a foundation catalog of both KPIs and KRIs to help risk officers develop their own set. Attendees are encouraged to attend WKS7 to develop their own KRIs first.

Paul E. Proctor, Vice President and Distinguished Analyst

G2a. Case Study: Building a Risk Register

A comprehensive, unified IT risk management program can be difficult to implement. See one company’s IT risk program toolkit and learn how to break down barriers, engage all levels of stakeholders and maximize enterprise value.

Speaker: Tanya Scott, IT Governance and Compliance Analyst, The Standard Insurance Company; Moderator: Paul E. Proctor, Vice President and Distinguished Analyst

G3. Case Study

G4. E-Discovery Session: Software, Services and Search

John Bace, Vice President; Debra Logan, Vice President and Distinguished Analyst

G5. Research Factory

This session features several analysts from the Gartner compliance and risk management research community developing a position on how the U.S. regulatory framework will evolve in light of recent events and what Gartner clients should do to prepare. Audience members will be invited to participate in the debate and will be able to guide the development of the research position.

John Bace, Vice President; French Caldwell, Vice President

G6. The Myth of the Chief Risk Officer

This presentation examines common myths that have been perpetuated around security and risk management. We will discuss trends that Gartner has seen and would like to see to help move security and risk programs in the right direction.

Jeffrey Wheatman, Director

G7. Stormy Weather: Assessing the Security Risks of SaaS Products and Cloud Services

Proven risk assessment practices can provide a useful level of assurance that a product or service is reliable, including its capabilities to resist both accident and human manipulation. This session will address what types of information facilitate provider transparency and how to get them.

Jay Heiser, Vice President

G8. Security and Risk Management as a Social Science

As technical security controls are increasingly integrated into the infrastructure fabric, CISOs’ focus will continue to shift toward the behaviors, attitudes and culture of the human stakeholders of the enterprise. This presentation highlights how this will impact the role of information security leaders, the opportunities this presents and the actions that they should take to prepare for the challenge.

Tom Scholtz, Vice President

G9. Aligning Security Assessment With the Business

The presentation explains how IT governance, risk and compliance management (GRCM), service dependency maps and user context can be used to produce security assessments with business context.

Mark Nicolett, Vice President and Distinguished Analyst

H2. Selecting and Applying Governance, Risk and Compliance Frameworks and Standards

Governance, risk and compliance standards and control frameworks are useful for guiding IT risk and security management programs, but not all are applicable or practical. This session will address which standards are most appropriate to align with IT risk management and compliance programs, and what tools support their implementation. Standards and frameworks include ISO 27001/2/5, ISO 15408, ISO 31000, AS/NZS 4360, COSO, NIST, SAS70, CobiT, ITIL and ISO 20000.

French Caldwell, Vice President; Les Stevens, Director

H2a. Case Study: Risk and Expense Reduction Through Legal Discovery Management

This session will explore various ways that leading corporations address risk and cost associated with the legal discovery function. Moving beyond a discussion of the latest software platforms, this session will review various approaches to more comprehensively manage the core functions related to e-discovery, including exploring the debate on insourcing versus outsourcing, as well as building a new working relationship between corporate counsel, outside counsel and IT.

Andrew Drake, Assistant General Counsel, Discovery Management, Nationwide

H3. Information Governance Foundations for E-Discovery, E-Disclosure and Regulatory Compliance

Whether you have a strong ongoing partnership with your legal department or are just starting out, this presentation will show you what works and what doesn’t when IT and legal work together. Learn about best practices, cost-optimization techniques and the latest technology developments that will help you form and strengthen this necessary business partnership.

Debra Logan, Vice President and Distinguished Analyst

H4. Assembling a Governance, Risk and Compliance Solution: Beyond MarketScopes and Magic Quadrants

This presentation provides an overview of the IT GRCM MarketScope, and the enterprise GRC platforms and CCM Magic Quadrants. Going beyond these Gartner market evaluations, learn the architectural elements of GRC, how to prioritize the investments for GRC technology solutions and the organization needed for operational support of risk management and compliance.

French Caldwell, Vice President; Mark Nicolett, Vice President and Distinguished Analyst; Paul E. Proctor, Vice President and Distinguished Analyst

H5. Case Study

H6. Cross the Border, Not the Law: Foundation of a Global Privacy Program

International corporations are struggling with national privacy regulations. Legal requirements vary, and the business benefit of protecting privacy is not always apparent. It is time that privacy jumps on the bandwagon of compliance. This includes pursuing a risk-based approach to privacy, leveraging existing control and management technologies. Moreover, a global standard for privacy and changes in existing privacy laws present new opportunities as much as additional challenges.

Carsten Casper, Director

H7. World-Class Privacy on a Shoestring

Everyone talks about privacy, but no one wants to invest. In this presentation, we will show the components of a successful, yet affordable global enterprise privacy program.

Carsten Casper, Director

H8. A New Approach to Enterprise Data Protection

Most enterprises have attempted to build data protection programs around profiles that don’t match business processes or regulatory requirements. Historically, data risks have been evaluated in a static manner that attempts to identify, classify and protect data within individual technology systems, resulting in data protection programs that are incomplete and suffer exposure at the gaps between discrete technology systems.

Jeffrey Wheatman, Director

H9. Content or Workflow: Who Dominates the Governance, Risk and Compliance Space?

Two Gartner Research vice presidents debate the primary issue plaguing enterprises today as they try to build out their compliance platforms: should we choose a platform that is based on exceptional workflow but lacking in content, or a content-rich solution that has less robust workflow?

Dan Miklovic, Vice President; French Caldwell, Vice President

WKS5. Controlling Costs and Establishing Efficiency in E-Discovery

This workshop explores some of the most pressing issues related to e-discovery, including evaluating e-discovery technology and its impact on cost reduction, and how early case assessment can save you time, effort and money. We will also hear directly from an active jurist what he sees from the bench as to why there is so much pain and cost associated with e-discovery. All sessions feature a Gartner analyst and an attorney known for their work in e-discovery.

Whit Andrews, Vice President and Distinguished Analyst; John Bace, Vice President; Debra Logan, Vice President and Distinguished Analyst

WKS8. Creating Key Risk Indicators for Your Company, Part 1 and 2

This two-part workshop follows the concepts from the session “Build a KRI Catalog to Link Risk and Security to Corporate Performance” to help you develop your own set of organization-specific KPIs and KRIs. In Part 1, we review the key risk indicator concepts and develop KPIs and KRIs for a fictitious shipping company. How can we identify causal relationships between KPIs and KRIs? How should we define the characteristics of useful mappings? In Part 2, we work in groups with peers to develop real-world KPIs and KRIs for the companies and industries present.

Paul E. Proctor, Vice President and Distinguished Analyst

Analyst-User Roundtables

AUR1. Issues in Outsourcing Security

Is it an abdication of responsibility to outsource security? In this informal roundtable session, share your perspectives on which security functions are better than others for an outsourced approach.

Kelly M. Kavanagh, Principal Research Analyst


AUR2. Best Practices Group Roundtable: Security and Privacy in the Cloud

As availability of cloud-based delivery models continues to build and the business makes increasing demands to leverage the efficiencies offered by them, organizations need to have an effective approach to the evaluation, selection and adoption of the cloud.

Ashwini Ahuja, Leadership Partner, Gartner End-User Programs

AUR3. Security in Energy and Utilities

Smart meters, intrusion prevention, SCADA network protocols—all part of ensuring this vital component of our critical infrastructure is secure. Join peers in discussing common issues.

Earl Perkins, Vice President

AUR4. Richard Hunter’s Risk Roundtable

An open discussion of the role of risk discipline in business today with Richard Hunter, vice president and distinguished analyst, and co-author of IT Risk: Turning Business Threats Into Competitive Advantage.

Richard Hunter, Vice President and Distinguished Analyst

AUR5. Data Security Issues in China and the Rest of APAC

Enterprises doing business in the Far East have to develop accommodating methodologies to protect intellectual property. During this roundtable, listen to the perspective of peers facing these challenges and share your own experience.

Andrew Walls, Director

AUR6. Security, Risk and Compliance Issues in Manufacturing

Process and discrete manufacturing enterprises have some unique security issues, including the possibility of converging physical and cybersecurity, making certain that controls are in place and protecting intellectual property, etc. This open forum allows industry security managers to explore topics of mutual concern.

Dan Miklovic, Vice President; Earl Perkins, Vice President

AUR7. Hot Security Topics in Financial Services

Payment card industry security standards, new fraud risks and increased oversight are among the issues that may surface during this roundtable discussion of end users.

Avivah Litan, Vice President and Distinguished Analyst

AUR8. Technology Trade-Offs for Multisite Resiliency

In this roundtable, participants will share their implementations of multisite resiliency, including their choices for data replication and failover/failback technologies. We will then uncover best practices in implementing the architectures and maintaining them.

John P. Morency, Director; Donna Scott, Vice President and Distinguished Analyst

AUR9. Optimizing Disaster Recovery Costs

No one wants to overspend on disaster recovery. But in this era of cost optimization, is it possible to squeeze more cost out of disaster recovery and, if so, at what risk? This roundtable session will discuss methods to reduce the cost of disaster recovery along with the pros, cons and risks of implementation.

Donna Scott, Vice President and Distinguished Analyst

AUR10. CISO Leadership

This CISO and CISO “wannabe” bull session is a chance to discuss the requirements of the job, how to handle the blame game and how to get your voice heard at the appropriate corporate level.

Michael R. Zboray, Chief Security Officer, Gartner Strategic Technology Group

AUR11. BCM Plan Management

Share pitfalls, experiences and best practices in managing business continuity plans.

Tom Scholtz, Vice President


Solution Showcase

Today’s leading solution providers and top innovators in the security and risk management space will be on-site with their most informed representatives, ready to answer your questions. Get the research, streamline the vetting process, and leave with a shortlist you can act on immediately.

• Learn details from real-world implementations in case study sessions.

• Be the first to demo the latest products and services.

• Discuss new solutions at sponsor receptions and lunches.

• Use what you learn in analyst sessions to ask more informed questions and make more accurate assessments of the pros and cons of new technologies.

Sponsorship opportunities

David Calabrese, Account Manager, +1 203 316 6298

John Forcino, Account Manager, +1 203 316 6142

Dawn Re, Senior Account Manager, +1 203 316 6475

David Sorkin, Senior Account Manager, +1 203 316 3561

Sponsors (as of March 20, 2010)

Premier

Platinum

Google’s cloud computing solutions allow you to dramatically lower IT costs, increase productivity and increase security. Google Apps is an enterprise-ready suite of applications that includes Gmail, Google Calendar, Google Docs and Spreadsheets, Google Sites, and Google Video. Google Postini services make email systems more secure, compliant and productive by blocking spam and other intrusions before they reach email networks, and by providing encryption and archiving to help meet compliance requirements.

Qualys® is the leading provider of on demand IT security risk and compliance solutions—delivered as a service. Qualys solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard® service is used by more than 4,000 organizations in 85 countries, including 40 of the Fortune Global 100, and performs more than 200 million IP audits per year.

Archer Technologies, a leading provider of governance, risk and compliance (GRC) solutions, has joined RSA, the Security Division of EMC. Now, enterprises can deploy RSA’s best-of-breed information security solutions with Archer’s flexible GRC platform to: address and demonstrate compliance more consistently and affordably; identify and mitigate risk throughout their organization; securely enable IT transformation to virtualization and cloud computing; and increase collaboration and mobility by ensuring secure, anytime, anywhere access to systems and information.

Symantec is a global leader in providing security, storage and systems management solutions to help our customers—from consumers and small businesses to the largest global organizations—secure and manage their information-driven world against more risks at more points, more completely and efficiently. Our software and services protect completely, in ways that can be easily managed and with controls that can be enforced automatically—enabling confidence wherever information is used or stored.

Verizon Business is a global leader in IT, security, and communication solutions, with one of the world’s most connected IP networks. We combine our strategic solutions, services, and expertise to help some of the world’s largest organizations - including 96% of the Fortune 1000 - meet the challenges of their extended enterprises. We can help you improve infrastructure and application performance, secure your enterprise, enable collaboration, and connect to customers, partners, suppliers, and employees. www.verizonbusiness.com

Websense provides the industry’s only unified content security solution which gives our customers the best security against modern threats for the lowest Total Cost of Ownership (TCO). As the global leader in integrated Web, data, and email security, we ensure complete visibility and control over organizations’ most critical business information. Distributed through our channel partners around the world, Websense software, appliances, and Security-as-a-Service (SaaS) solutions help organizations block malicious code, prevent the loss of confidential information, and enforce Internet use and security policies. Websense provides Essential Information Protection™ in today’s dynamic business environment. www.websense.com

Authenware is a leading innovator of multi-factor identity authentication software. The company provides its security offerings to customers spanning international borders and business sectors, across a wide variety of industries such as financial services, government, transportation/logistics, manufacturing, and retail. For more information, please visit http://www.authenware.com

As a global leader in information technology, HP applies new thinking and ideas to simplify our customers’ technology experiences. Our goal is to continuously improve the way our customers—from individual consumers to the largest enterprises—live and work by providing simple, valuable and trusted experiences with technology.

Cisco security balances protection and power to deliver highly secure collaboration. With Cisco security, customers can connect, communicate, and conduct business securely while protecting users, information, applications, and the network. Cisco pervasive security can help minimize security and compliance IT risk, reduce IT administrative burden, and lower TCO.


21st Century Software, Inc.; Absolute Software Corporation; Agiliance; Applied Discovery, Inc.; ArcSight; AT&T; Aveksa; Barracuda Networks; Beta Systems Software; BeyondTrust Software, Inc.; BigFix, Inc.; Bit9, Inc.; Blue Coat Systems, Inc.; Coop Systems; Core Security Technologies; Cyber-Ark Software, Inc.; Cyveillance, Inc., A QinetiQ North America Company; DeviceLock, Inc.; eIQnetworks, Inc.; Fischer International Identity; ForeScout Technologies, Inc.; Guardium, an IBM Company; Guidance Software; Hitachi ID Systems, Inc.; HOB, Inc.; IronKey, Inc.; LogRhythm, Inc.; Lumension; M86 Security; MEGA; Methodware; MetricStream, Inc.; Mitratech; Modulo; nCircle; netForensics; NetIQ; nuBridges, Inc.; OpenPages Inc.; PGP Corporation; Proofpoint, Inc.; Protegrity; SenSage, Inc.; Smarsh; SonicWALL; Splunk Inc.; Tenable Network Security, Inc.; Thomson Reuters; TippingPoint; Tripwire, Inc.; Trusted Computing Group; Tufin Technologies; Veracode, Inc.; Vormetric; Webroot, Inc.; Zix Corporation


Clearwell Systems

Silver

Platinum (continued)

Kiosk

Media and Association partners

ScanSafe, now part of Cisco, is the first and largest global provider of SaaS Web Security. Powered by its proactive, multilayered Outbreak Intelligence™ threat detection technology, ScanSafe scans billions of Web requests daily and blocks billions of threats yearly for customers in over 100 countries. ScanSafe has received numerous industry honors including the SC Magazine Reader Trust Award for Best Content Security Solution 4 years running.

We relentlessly tackle the world’s toughest security challenges. McAfee’s comprehensive solutions enable businesses and the public sector to achieve security optimization and prove compliance and we help consumers secure their digital lives with solutions that auto-update and are easy to install and use.

Intel, the world leader in silicon innovation, develops technologies, products and initiatives to continually advance how people work and live. PCs with Intel® Anti-Theft Technology are so smart they can even disable themselves if they get lost or stolen. If the PC is recovered, it can be easily reactivated to full functionality.

With world-class information security services and over 2,700 clients worldwide, organizations, including more than ten percent of the Fortune 500, rely on SecureWorks to protect their assets, support compliance and reduce costs. Deep security expertise, purpose-built security technology and excellent service make SecureWorks the premier provider of information security services.

Organizations world-wide depend on Solutionary’s managed security platform, information security and compliance expertise, custom service delivery and strong commitment to solving security challenges and business issues.

Trend Micro, a global leader in Internet content security, focuses on securing the exchange of digital information by providing technology-forward Internet content security solutions that protect organizations against malware, data leaks and the latest Web threats. Our unique solutions stop threats where they first emerge, in-the-cloud, before they attack corporate networks and PCs.

Sourcefire, Inc. (Nasdaq:FIRE), Snort® creator and open source innovator, is a world leader in intelligent Cybersecurity solutions. Sourcefire is transforming the way organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS and Real-time Adaptive Security solution equips customers with an efficient and effective layered security defense.

VeriSign is the Internet trust company. VeriSign manages one of the largest, most reliable, and most secure networks in the world. And as more consumer and business applications migrate to the cloud, VeriSign’s deep expertise gives the company unsurpassed ability to deliver reliable and secure transactions for cloud-based services.

SunGard Availability Services provides disaster recovery services, managed IT services, information availability consulting services and business continuity management software to more than 10,000 customers in North America and Europe. With four million square feet of data center and operations space, SunGard assists IT organizations across virtually all industry and government sectors.


Registration

Three easy ways to register

Web: gartner.com/us/securityrisk

Phone: 1 866 405 2511

E-mail: us.registration@eventreg.com

Bring your team and save

Teams that attend a Gartner summit together gain a richer experience of the events. We’ve designed our Team Send Program to help groups of three or more maximize their summit experience. Visit Registration & Pricing at gartner.com/us/securityrisk for complete details.

Start networking with us and your colleagues now

LinkedIn: linkedin.com (Gartner Security & Risk Management Summit)

Twitter: twitter.com/gartner_inc #GartnerSecurity

Gartner event tickets

We accept one Gartner conference ticket as full payment. If you are a client with questions about tickets, please contact your Gartner account manager.

Interested in becoming a Gartner client?

Phone: +1 203 316 1111

Sign up for the Gartner Security & Risk Management Insider

The Gartner Security & Risk Management Insider is a monthly e-mail newsletter featuring insight, industry data and best practices from Gartner research. Newsletters often include:

• Complimentary Gartner research

• Upcoming events and special offers

• Webinars and podcasts

• Survey and poll results from peers

Sign up at gartnerinfo.com/eventsinsider.

We have reserved a limited block of rooms at the Gaylord National. As these rooms can only be held until May 18, we recommend you contact the hotel now. To obtain the special Gartner rate, inform the hotel that you are attending the Gartner Security & Risk Management Summit.

Gaylord National 201 Waterfront St. National Harbor, MD 20745 (Washington, D.C. area) Phone: +1 301 965 2000 Web: gaylordhotels.com/gaylord-national

Early-bird price: $1,795. Save $300. Applies if credit card payment is received by May 10. Fee includes conference attendance, documentation and planned functions. Standard price: $2,095

Special Gartner hotel room rate: $199 per night

CISO Invitational Program

We also offer the Gartner CISO Invitational Program, which provides a forum for the exploration of top-of-mind IT security and privacy issues for CISOs and chief security officers. Both the CISO track and CISO Invitational Program present unique opportunities for CISOs to network and exchange experiences with peers, and participate in a variety of workshops, roundtables and analyst sessions tailored to the CISO perspective. For details, go to gartner.com/us/securityrisk.

56 Top Gallant Road, P.O. Box 10212, Stamford, CT 06904-2212

Early-bird savings: Register by May 10 and save $300!

New event for security, risk, compliance and business continuity professionals!

• Expanded coverage

• 100+ sessions

• Four in-depth programs

• Workshops, discussions, case studies

• The latest tools, insights and strategies

© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. For more information, e-mail info@gartner.com or visit gartner.com.