Gartner Security & Risk Management Summit 2012. Visit gartner.com/us/securityrisk or call 1 866 405 2511 to register

Visit gartner.com/us/securityrisk or call to register

FIVE COMPLETE PROGRAMS
CISO Program
IT Security
Business Continuity Management
Risk Management and Compliance
New! The Business of IT Security and Risk

Gartner Security & Risk Management Summit 2012
June National Harbor, MD
gartner.com/us/securityrisk

HOT TOPICS
Advanced persistent threats and vulnerabilities
Secure mobile applications
Cloud and security
E-discovery and information governance
Network and infrastructure security
Social media and security
Crisis/incident management
Supply chain risk management
Identity and access management
Enterprise risk management
Regulatory compliance
Privacy

Strategic road maps to secure the enterprise and reduce risk

Challenges abound for those charged with making sure business is secure and resilient in the face of threat and adversity. Enterprises of every stripe face a dangerous threat landscape that is evolving rapidly, thanks to swift-moving trends such as cloud, mobile and social technologies. New anti-fraud, anti-corruption and other regulatory changes pose more challenges. Complexity is rising, big data keeps getting bigger and lean budgets require you to deliver more with every investment.

At the same time, as growth returns to the business cycle, risk management culture is growing in sophistication and relevance across the organization. Embracing and managing risk while mitigating vulnerabilities and becoming more resilient becomes a critical discipline for business success.

As the premier gathering of enterprise IT security and risk management executives, the Gartner Security & Risk Management Summit 2012 takes a comprehensive look at the entire spectrum of IT security, business continuity management and risk, including: network and infrastructure security, identity and access management, compliance, privacy, fraud, business continuity management and resilience.

This year's summit offers over 140 sessions and five in-depth, role-based programs:
CISO Program
IT Security
Risk Management and Compliance
Business Continuity Management (BCM)
New! The Business of IT Security and Risk

EARN CPE CREDITS
Attending the summit helps you advance your continuing professional education (CPE). Registered participants are eligible to earn CPE credits toward ISC2, ISACA, DRII, and IAPP certification programs. Learn more at gartner.com/us/securityrisk.

WHAT'S NEW FOR 2012
Additional program added to the agenda! The Business of IT Security and Risk
New keynote format! Mastermind Interview With Michael Dell, CEO, Dell
Special CISO-only sessions and networking opportunities
Special workshop! Implementing BCM Standards for BCM Maturity and Organizational Certification
Enhanced Risk Management and Compliance Program! New research on legal and regulatory risk trade
Advanced CISO virtual track! Advanced sessions for those with experience in the CISO role
New Gartner Magic Quadrant technology evaluations
More opportunities to interact with vendors! More than 90 solution providers on-site

Benefits of Attending

Gain practical insight to improve your IT security and risk management strategy

If you're tasked with protecting critical infrastructure, you'll benefit tremendously from four days of intensive, practical learning, including how to:
Structure and manage each of your individual IT risk programs
Balance and coordinate those programs
Make IT risk programs more efficient and effective
Select approaches and vendor solutions
Articulate security and risk requirements in business language
Integrate BCM with overall risk and security programs

Who should attend?
CIO, CSO, CISO, CRO, CFO, CCO, CGO, CLO, CPO and CTO titles
IT vice presidents and directors
Governance, risk, compliance, and privacy executives, directors and managers
Senior business executives
General counsel
Finance, audit, legal risk and compliance and regulators
Enterprise and operational risk managers
Business continuity, disaster recovery managers

Exclusive! CISO and CRO Invitational Programs
Concurrent with the summit, CISO and CRO Invitational Programs provide a forum for the exploration of top-of-mind leadership, IT security, privacy and risk management issues for CISOs, CSOs and CROs. In these intensive programs, guest executives meet with leading technology providers to exchange ideas and strategies. Participation includes gratis travel, hotel and registration and is by invitation only on a first-come, first-served basis. To learn more and apply, visit gartner.com/us/securityrisk.

"By 2015, enterprises will be forced to implement integrated GRC to support converged IT and corporate governance, as well as improvement of business performance." Gartner Predicts

Visit gartner.com/us/securityrisk for agenda updates and to register

TABLE OF CONTENTS
Summit Programs
Virtual and Vertical Tracks
Keynote Sessions
CISO Program
IT Security Program
BCM Program
Risk Management Program
The Business of IT Security and Risk Program
Session Descriptions
Solution Showcase
Agenda at a Glance
Registration

SUMMIT PROGRAMS

Analyst One-On-Ones
Meet face to face with a Gartner analyst in up to two personalized 30-minute private appointments to discuss your specific risk management and compliance issues. Walk away with invaluable, tailor-made advice that you can apply to your role and your organization immediately. Preregistration is recommended.

Analyst-User Roundtables
Join us for a hosted peer group discussion with your end-user peers, moderated by a Gartner analyst lending his or her expertise to assist you. Share the latest best practices among your peers. Preregistration is recommended.

Five complete programs deliver in-depth insight
Chaired by experts in each discipline, five distinct agenda programs facilitate a more targeted learning and networking experience.

CISO Program
You've got the job; now what? Being CISO means understanding the big picture and articulating it clearly to the highest levels of the organization. Critical criteria for success include evaluating enterprise risk, dealing with legal issues and understanding security architecture. In recommended and exclusive CISO-only sessions, new CISOs can get up-to-speed while veterans update their insights. And for those who are more experienced, we have added an Advanced CISO virtual track.

IT Security
Both business and technology issues affect how well organizations protect themselves from threats and vulnerabilities, and how effectively they step up to opportunities. From the cloud to the network, from protecting applications and data to keeping mobile and remote computing safe, security has a direct impact on the bottom line. Here we look at important updates in key trends, big-picture strategy and technical specifics. Plus, we take a deep dive into a variety of security architecture with our Technical Insights virtual track.

Business Continuity Management
How does the enterprise ensure continuing business operations and systems availability when a business interruption occurs anywhere in the organization? In these sessions, we give you the tools to anticipate the unanticipated and work to reinforce a discipline of risk management, response, recovery and resilience in the corporate culture.

Risk Management and Compliance
Measuring and managing risk, and complying with a variety of global rules, regulations and laws about financial transactions and privacy, have become critical components of successful operations in the worldwide environment. This program focuses on technologies and strategies to improve governance, manage risk and conform to the letter and spirit of the law.

Technical Insights sessions
This year's summit features a virtual track on Technical Insights that provides detailed, technically oriented guidance on architecture and planning considerations for protecting information associated with new devices and service hosting models.

NEW! The Business of IT Security and Risk
How big is the security and risk market for software and services, and who are the market leaders? Where are the innovations coming from? What new threats are being addressed by point solutions? This all-new program looks at this extremely dynamic market, presenting the financial and strategic views that CISOs, investors and media need to make informed evaluations.

Virtual and Vertical Industry Tracks

Virtual and vertical industry tracks make it easy to follow a key trend, hot topic or address industry issues in relevant sessions pulled from across all five conference programs. To further customize any track, visit the Agenda Builder at gartner.com/us/securityrisk.

Virtual tracks
Mobility and Security: Business-critical system and data issues emerging from new wireless technologies
Cybersecurity: Cybersecurity issues such as organized teams of hackers that impact both the private and public sectors
Cloud Computing: The new imperative to know your risk profile, understand the risks cloud computing can create, minimize those risks, and move forward appropriately
Privacy: Emerging technologies that have an impact on privacy, but also those that can help to protect personal information and how to pay for them
Identity and Access Management: How IAM can evolve and mature to help businesses weather today's volatile and rapid change
Managing Legal and Regulatory Risk: How the IT organization can better support the chief legal officer and corporate compliance officer as they face a proliferation of regulation and litigation
Advanced CISO: Take your professional development to the next level with sessions to address specific business needs
Technical Insights: Explore the architecture and planning considerations for protecting information associated with new devices and service hosting models
Social Media: What can be done about the risks of emerging social media and how do they balance against the opportunities?

Vertical industry tracks
Financial Services: Fighting fraud while keeping online banking seamless and efficient
Government: Developing cohesive national cybersecurity initiatives in partnership with consumers and the public sector
Healthcare: Increasing quality of service delivery, reducing compliance costs and anticipating healthcare reform while maintaining patient privacy and protecting intellectual property
Energy/Utilities: Establishing effective and efficient smart grid technology while combating fraud, cyberattacks and the loss of control
Manufacturing: Managing increasingly interconnected and complex control networks while reducing costs, maintaining system integrity and protecting proprietary data

Maximize your experience with our unique conference features
First-class peer networking: Engage in informal and structured networking opportunities such as workshops, networking breakfasts by industry, conference receptions and more.
Hands-on workshops: These small group workshops immerse you in real-world problem solving, with practical take-aways.
Tutorials: Join us for our complimentary preconference sessions to get up-to-speed and gain an overall perspective on security and risk management terms and definitions.
Solution Provider Showcase: Meet with today's leading and emerging security and risk management solution providers all under one roof, and get the latest information and demos on new products and services.

KEYNOTE SESSIONS

Guest keynotes
Michael Dell, Chairman and CEO, Dell
John Hodgman, Actor, Author and Correspondent for The Daily Show
Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Mastermind Interview With Michael Dell, Chairman and CEO, Dell
It's been over a year since Dell made its move into information security by acquiring SecureWorks, a managed security services provider. The transition from being a stand-alone, pure-play security provider to a unit within a larger IT vendor often causes organizational integration issues or loss of focus, but Dell has had a positive view. What's on the road map for Dell, how does it see information security and what are its prospects? Chairman of the Board and CEO Michael Dell answers the analysts' and your questions about Dell, security and risk.

Information Security and Technology in General Problem Solved. You're Welcome
The Daily Show correspondent and PC personified in the long-running Mac vs. PC ad campaign, John Hodgman, has done it all from TV and film to best-selling books. He has been seen on HBO's Bored to Death and Flight of the Conchords, and in movies like Arthur, The Invention of Lying and Baby Mama. As an author, his first book was The Areas of My Expertise, followed by More Information Than You Require. His final book in this trilogy on complete world knowledge is That Is All.

Cybersecurity: A View From the White House
Howard Schmidt is Cybersecurity Coordinator and Special Assistant to the President (Accepted), former vice chair of the President's Critical Infrastructure Protection Board, and former Chief Information Security Officer at Microsoft and eBay. Here he discusses the Obama administration's effort to reduce cyberthreats. This includes the administration's legislative proposals and plans to protect critical infrastructure such as the electric grid, transportation systems and Wall Street, as well as protecting U.S. military defenses and businesses from cyberattacks.

Gartner keynotes

Opening Keynote: Strategic Road Maps for IT Security and Risk Management
A security leader's mission is to road-map a security strategy and drive operations to effectively and efficiently sustain business performance in dynamic and chaotic environments. This session looks at the overall risk management programs within organizations working toward that goal.
Andrew Walls, Gartner Research
Ray Wagner, Managing Vice President, Gartner Research

Closing Insights and a Review of Aha Moments
By the end of the conference, attendees, sponsors and Gartner analysts each gain new insights, so we conclude the event by sharing what we have learned, or our aha moments. Through interviews and social media, the session reveals valuable insights gathered during the week. Gartner analysts each have a few minutes to share their new insights. We then turn to the audience for an open discussion. It is a great way to crystallize ideas to take back to your team, coupled with a touch of humor to close the conference.

CISO PROGRAM

You've got the job; now what? Being a CISO means having the big picture and articulating it clearly and compellingly to the highest levels of the organization. Evaluating enterprise risk, dealing with legal issues and comprehending the impact of a security architecture overlay are all critical criteria for success.

From metrics that matter, to enterprise data protection, to articulating the business value of IT security, key topics get in-depth treatment that cover the latest tools, research and insights. The agenda includes a thoughtful mix of practical sessions, such as how to develop key competencies in a new security team, and big-picture insights, including sessions on security as a social science and the importance of trust.

Featuring exclusive networking events for CISO Program attendees and plenty of opportunities to put your questions directly to the analysts, this is a rich learning environment designed to help you evaluate, run and improve your security and risk management programs. This year's CISO Program includes both foundational and advanced sessions to deliver the information you need to succeed at every stage in your career.

HOT TOPICS
Enterprise security intelligence
Business-IT security alignment
Governance and policy setting
Privacy regulations policy
Corporate risk management
Business value of information security
Enterprise security strategy and architecture
Creating a risk-aware culture
Legal implications associated with information security
Advanced analytics and operational metrics best practices

Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
F. Christian Byrnes, Managing Vice President
Jay Heiser, Vice President
Rob McMillan
Paul E. Proctor, Vice President and Distinguished Analyst
Tom Scholtz, Vice President and Distinguished Analyst
Jeffrey Wheatman

"Through 2016, 75% of CISOs who experience publicly disclosed security breaches, and lack documented, tested response plans, will be fired." Gartner Predicts

CISO AGENDA

CISO Invitational Program Features
Direct interaction with analysts
The latest research on top priorities for CISOs
Boardroom case study presentations with leading solution providers
Advanced CISO virtual track for more experienced CISOs
C-level-only roundtable discussions
Exclusive CISO networking events
Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell
Security management workshop

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks Vic Wheatman
10:15 a.m. K1b. Opening Keynote Andrew Walls Strategic Road Maps for IT Security and Risk Management
CISO The CISO
11:30 a.m. A1. Security and Risk Management as a Social Science Tom Scholtz
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. A2. Security Program Management Overview F. Christian Byrnes

Tuesday, June 12
8:15 a.m. A3. When Risk Management Does More Harm Than Good: RM 101 Jay Heiser
10:45 a.m. A4. Metrics That Matter Jeffrey Wheatman
2:00 p.m. A5. Security and Risk Governance: It's Much More Than Just Reporting F. Christian Byrnes, Tom Scholtz
4:30 p.m. A6a. Net IT Out: Articulating the Business Value of Information Security Tom Scholtz
4:55 p.m. A6b. Net IT Out: Developing the Key Competencies of the New Security Team Tom Scholtz
5:30 p.m. K3. Guest Keynote Cybersecurity: A View From the White House Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. A7. How to Run, Grow and Transform Your Risk and Security Program Paul E. Proctor
11:00 a.m. W1. Workshop: ITScore For Security Management F. Christian Byrnes
1:30 p.m. A9. Optimizing the Information Security Organization Jeffrey Wheatman
4:00 p.m. A10. Ignore Enterprise Data Protection at Your Peril Jeffrey Wheatman
5:15 p.m. K4. Guest Keynote Information Security and Technology In General Problem Solved. You're Welcome John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
8:00 a.m. A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy Rob McMillan, Tom Scholtz
9:15 a.m. A12. Intelligent Information Governance 2012 Debra Logan
10:30 a.m. A13. Trust: The Elusive Final Ingredient Jay Heiser
11:45 a.m. K5. Closing Insights and a Review of Aha Moments Ray Wagner

CRO Invitational Program Features
Direct interaction with analysts
The latest research on top priorities for CROs
Boardroom case study presentations with leading solution providers
CRO roundtable discussions
Exclusive CRO networking events
Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell

Special Agenda for Chief Risk Officer, Chief Legal Officer, Chief Compliance Officer
Critical business uncertainties like reputational risks, regulatory proliferation and increasing litigation costs all require risk intelligence to support critical business decisions. The technology to support risk management and compliance is also advancing. It must be scalable to the entire enterprise and enable collaboration between multiple risk management activities, such as auditing, legal, finance, IT and compliance functions. Reporting and analytics must be on-demand in order to support business decisions and short-notice requests from regulators. Information governance, e-discovery and controls automation technologies must be in place to prevent problems in the first place, and to automate labor-intensive processes. To provide insight into critical governance, risk and compliance technologies, Gartner is pleased to offer a special agenda for senior business executives who have risk management, legal and compliance responsibilities.

IT SECURITY

Given the complexity and seriousness of today's threat environment, it's no wonder the IT Security Program includes more than 60 analyst sessions that cover everything from privacy to fraud prevention to emerging technologies, and everything in between. Our team of security analysts will be on-site to meet with attendees, present their latest research, answer questions and lead roundtable discussions focusing on today's most urgent security topics. You'll find multiple sessions that cover such rapidly evolving trends as mobile, cloud and social technologies, as well as privacy concerns, consumerization, network access control, the next generation of threats and more.

The program agenda features:
Eight analyst-user roundtables on such topics as privacy, application security and cloud risks
Four tutorials on choosing solutions, understanding trends and more
Six Technical Insights sessions that drill down on best practices in cloud, mobile and virtualization
New case studies, including The World Trade Center's Situational Platform, and others on cybersecurity and creating a secure community cloud
Plus, three workshops, eight just the facts Net IT Out sessions, networking events and much more

HOT TOPICS
Mobile application and security
Social media and security
Consumerization
Advanced persistent threats
Cybersecurity
Cloud computing security
Securing the virtualized data center
Critical infrastructure protection
Fraud detection
Endpoint security

"Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities." Gartner Predicts

MEET THE ANALYSTS

Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.

Ant Allan, Vice President
Dan Blum, Vice President and Distinguished Analyst
Perry Carpenter
Carsten Casper
Anton Chuvakin
Mario de Boer
Joseph Feiman, Vice President and Gartner Fellow
Peter Firstbrook
John Girard, Vice President and Distinguished Analyst
Steve Hawald
Jay Heiser, Vice President
Kelly M. Kavanagh, Principal Analyst
Gregg Kreizman
Avivah Litan, Vice President and Distinguished Analyst
Neil MacDonald, Vice President and Gartner Fellow
Eric Maiwald, Vice President
Rob McMillan
Mark Nicolett, Managing Vice President
Lawrence Orans, Vice President
Eric Ouellet, Vice President
Earl Perkins, Vice President
John Pescatore, Vice President and Distinguished Analyst
Lawrence Pingree
Tom Scholtz, Vice President and Distinguished Analyst
Doug Simmons, Vice President, Gartner Consulting
Ray Wagner
Andrew Walls
Vic Wheatman, Vice President
Greg Young, Vice President
Tim Zimmerman

IT SECURITY AGENDA

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks Vic Wheatman
10:15 a.m. K1b. Opening Keynote Strategic Road Maps for IT Security and Risk Management Andrew Walls
IT SECURITY
11:30 a.m. B1. The Security State of the Cloud Jay Heiser
Infrastructure Protection
C1. Road Map: The Next Generation of Firewalls and IPS Greg Young
D1. Protecting Your Network in the Era of BYOD Lawrence Orans
Secure Business Enablement
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees Joseph Feiman
Tuesday, June 12
8:15 a.m. B3. The Endpoint Protection Platform in the Age of Tablets and Clouds Peter Firstbrook
10:45 a.m. B4. Case Study: The World Trade Center's Situational Awareness Platform Lou Barani, of Security, World Trade Center; Moderator: Jeff Vining
2:00 p.m. B5. Road Map: Secure Communications With Partners and Customers Peter Firstbrook
4:30 p.m. B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely Jay Heiser
4:55 p.m. B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology Rob McMillan
C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence Neil MacDonald
C3. Monitoring Users for Security Intelligence: Threats and Opportunities Andrew Walls
C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet? John Girard, Lawrence Pingree
C5. Case Study: DoD's Approach to Security Testing Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps
C6a. Net IT Out: Technical Insights Securing Browser-Based Applications Mario de Boer
C6b. Net IT Out: Road Map Gaining Control of Consumerization Lawrence Orans
D2. Taking Privacy to the Next Level With a Privacy Program Carsten Casper
D3. Road Map: Operationalizing Encryption Eric Ouellet
D4. Technical Insights: Operationalizing PCI DSS Compliance Anton Chuvakin
D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence Dan Blum
D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management Carsten Casper
D6b. Net IT Out: Job Security in Cloud Era Will Jobs Stay or Vaporize? Joseph Feiman
5:30 p.m. K3. Guest Keynote Cybersecurity: A View From the White House Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)
Wednesday, June 13
8:30 a.m. B7. SIEM for Hybrid Technology and Services Deployments Kelly M. Kavanagh, Mark Nicolett
11:00 a.m. B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud Anton Chuvakin
1:30 p.m. B9. The New Dangers of Machine to Machine (M2M) in the Enterprise Tim Zimmerman
4:00 p.m. B10. The Mobile Security Brothers Traveling Roadshow John Girard, John Pescatore
C7. Technical Insights: Mobility and Security Gartner Field Research Project on Mobility and Consumerization Eric Maiwald
C8. Deep Dive Into Internet Infrastructure Attacks Lawrence Orans, John Pescatore
C9. Road Map: Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management Mark Nicolett
C10. NIST's National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage Steve Hawald
D7. Operationalize Social Media to Improve Security Performance Andrew Walls
W2. Workshop: ITScore for Privacy Carsten Casper
E1. Higher, Faster, Stronger: The Performant IAM Program Ant Allan
E2. Road Map: IAM Operations The IAM Data Model Earl Perkins
E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise Perry Carpenter
E4. Layered Fraud Prevention for Land-Based and Mobile Computing Avivah Litan
E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It) Perry Carpenter, Andrew Walls
E6a. Net IT Out: One-Time-Password Hardware Tokens Going, Going Not Quite Gone Ant Allan
E6b. Net IT Out: The Undeath of PKI Eric Ouellet
E7. Q&A Session: The Identity and Access Management Marketplace Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner
W3. Workshop: ITScore for IAM Perry Carpenter, Ray Wagner
D9. Case Study: TBA
E9. Managing Identity and Access in the Hybrid World Gregg Kreizman
D10. Technical Insights: SaaS Security Trust Versus Technology Dan Blum
5:15 p.m. K4. Guest Keynote Information Security and Technology In General Problem Solved. You're Welcome John Hodgman, Actor, Author and Correspondent for The Daily Show
Thursday, June 14
8:00 a.m. B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats Neil MacDonald
9:15 a.m. B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector Doug Simmons, Gartner Consulting
C11. Manage Your Security Vendors or Be Mangled Greg Young
C12. Network Security Open Q&A Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
10:30 a.m. C13. Technical Insights: Network Security Architecture for Internal Private Clouds Eric Maiwald
11:45 a.m. K5. Closing Insights and a Review of Aha Moments Ray Wagner
W4. (8:00-10:00 a.m.) Workshop: Securing the Access Layer Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees Lawrence Orans, Tim Zimmerman
D13. Developing and Implementing a Superior Mobile Device Policy John Girard
E10. Socrates Was Wrong: A Debate Rob McMillan, Earl Perkins, Tom Scholtz, Andrew Walls, Vic Wheatman
E11. Case Study: Securing the Digital Nation The New Frontier of Cybersecurity Training and Education Keith Gordon, Senior Vice President, Security and Fraud and Enrollments, Online and Mobile Channels, Bank of America
E12. Technical Insights: Endpoint Virtualization Security Considerations Mario de Boer

BUSINESS CONTINUITY MANAGEMENT

HOT TOPICS
BCM/IT DRM program management
BCM standards and organization certification
Supply chain risk management
The business case for BCM
Failing over into the cloud
Disaster recovery
Continuous application availability
Social software and recovery
Crisis and incident management
Emergency/mass notification
Recovery plan exercising

The business case for business continuity management has never been more convincing. Effective enterprise risk management, response, recovery and resilience are increasingly seen not only as requirements, but as potentially critical business advantages. In the BCM program, more than a dozen analyst sessions examine the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies. Six leading Gartner analysts specializing in BCM will be on hand to present their latest research and answer questions on everything from achieving continuous application availability to recovery in the cloud, teleworking through a disaster, crisis management and much more.

The program agenda includes:
Two Gartner Magic Quadrant Net IT Out sessions that cover the BCM marketplace for tools and solutions
Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising
A tutorial on BCM maturity and evolution
Plus workshop on BCM standards and certification and BCM-focused networking events

Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
Leif Eriksen
John Girard, Vice President and Distinguished Analyst
John P. Morency, Vice President
Donna Scott, Vice President and Distinguished Analyst
Jeff Vining, Vice President
Roberta J. Witty, Vice President

BCM AGENDA

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks Vic Wheatman
10:15 a.m. K1b. Opening Keynote Strategic Road Maps for IT Security and Risk Management Andrew Walls
BCM Business Continuity Management
11:30 a.m. F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11 John P. Morency, Roberta J. Witty
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. F2. Case Study: Intel's Response to the Fukushima Earthquake/Tsunami Jeff Selvala,, Assembly Test Global Materials, Intel; Roberta J. Witty

Tuesday, June 12
8:15 a.m. F3. Case Study: Teleworking Through a Disaster John Girard, Roberta J. Witty
10:45 a.m. F4. Case Study: Demographics An Unknown BCM Risk Steve Hannah, Manager, Disaster Recovery, Waddell & Reed
2:00 p.m. F5. Crisis/Incident Management Overview Leif Eriksen, Roberta J. Witty
4:30 p.m. F6a. (4:30 p.m.) and F6b. (4:55 p.m.) Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty
5:30 p.m. K3. Guest Keynote Cybersecurity: A View From the White House Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. F7. Strategies for Achieving Continuous Application Availability Donna Scott
11:00 a.m. F8. Can I Recover Through the Cloud? John P. Morency, Sheila Childs
1:30 p.m. F9. Best Practices in Recovery Exercising John P. Morency
4:00 p.m. F10. Panel: Educating Boards of s and Management in the Business Case for BCM Moderator: Roberta J. Witty
5:15 p.m. K4. Guest Keynote Information Security and Technology In General Problem Solved. You're Welcome John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
8:00 a.m. W5. (8:00-11:30 a.m.) Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification John P. Morency, Roberta J. Witty
11:45 a.m. K5. Closing Insights and a Review of Aha Moments Ray Wagner

"By 2015, 30% of midsize businesses will adopt recovery-in-the-cloud services to support IT operations recovery." Gartner Predicts

New Business Continuity Management program features for 2012
Learn the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies in a program dedicated to your BCM needs. Features include:
10 BCM-focused analyst sessions
Two Gartner Magic Quadrant Net IT Out sessions covering the BCM marketplace for tools and solutions
Six BCM-focused Gartner analysts available for private one-on-one meetings
Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising
A tutorial on BCM maturity and evolution
A workshop on BCM standards and certification and BCM-focused networking events

"By 2014, almost half of organizations will have integrated public social media services with their crisis communication strategies." Gartner Predicts

RISK MANAGEMENT and Compliance

HOT TOPICS
- Enterprise and IT risk management effectiveness
- Risk-adjusted value management
- Creating key risk indicators
- Legal and regulatory info governance
- E-discovery
- Supporting the chief legal officer
- Social risk management
- Reporting on risk management initiatives to the board
- Managing risk and compliance issues with big data
- Cloud risks

A major shift is under way, in which senior business leaders and boards of directors begin to recognize enterprise risk management as more than a compliance-driven cost. Today's risk management executives are using enterprise risk management strategies to minimize business risk, support next-generation business needs and improve business performance.

The Risk Management and Compliance Program focuses on strategic issues in risk management and adds additional emphasis on legal and regulatory risks, including:
- How to better communicate the benefits and objectives of the risk management program to the board and senior business leaders
- Key trends such as growing concerns around privacy and data protection
- New anti-fraud and anti-corruption legislation
- Mobility, cloud computing and their impacts on security and risk
- Legal and regulatory governance strategies

Meet the analysts

Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
- French Caldwell, Vice President and Gartner Fellow
- Sheila Childs, Managing Vice President
- Hiranya Fernando, Senior Analyst
- Andrew Frank, Vice President
- Ian Glazer
- Khushbu Pratap, Senior Analyst
- Jeffrey Wheatman
- Debra Logan, Vice President and Distinguished Analyst
- Paul E. Proctor, Vice President and Distinguished Analyst
- John A. Wheeler

Gartner Predicts: By 2016, enterprises that combine BPM and ERM will achieve higher-performance business results than those that employ them separately.

Gartner Security & Risk Management Summit 2012 June National Harbor, MD

RISK AGENDA

RISK AND COMPLIANCE tracks: Enterprise and Operational Risk Management; Managing Legal and Compliance Risk

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks. Vic Wheatman
10:15 a.m. K1b. Opening Keynote - Strategic Road Maps for IT Security and Risk Management. Andrew Walls
11:30 a.m. G1. Road Map: Privacy, Marketing and Behavior Tracking - A Risky Mandate. Andrew Frank
11:30 a.m. H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance. Debra Logan, Jeffrey Wheatman
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell. Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM. John A. Wheeler
5:00 p.m. H2. The Corporate Ethics Game Show: Let's Make a Deal or Jeopardy!? Joseph E. Schmitz, former DoD IG; John Bace, John Marshall Law School

Tuesday, June 12
8:15 a.m. G3. General Session - Untangling the Multimillion-Dollar Madoff Ponzi Scheme. David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner
10:45 a.m. G4. Seven Keys to Successful and Cost-Effective Risk Oversight. John A. Wheeler
10:45 a.m. H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012, Part 1. View From the Bench. Debra Logan, Lew Schwartz, Judges Panel
2:00 p.m. G5. Global Supply Chain Risk: Perception and Management. Hiranya Fernando
2:00 p.m. H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012, Part 2. View From the Practitioners. Debra Logan, Lew Schwartz, Outside Panel
4:30 p.m. G6a. Net IT Out: The Realities of Cyberinsurance. John A. Wheeler
4:30 p.m. H6a. Net IT Out: Compliance Controls - When Are Yours Too Old? Khushbu Pratap
4:55 p.m. G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools - A Use Case Approach. Paul E. Proctor
4:55 p.m. H6b. Net IT Out: SAS 70 Is Gone - So What Are the Alternatives? French Caldwell
5:30 p.m. K3. Guest Keynote - Cybersecurity: A View From the White House. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. G7. General Session - Enterprise and Operational Risk Management: Directors Roundtable - What the Board Wants. French Caldwell, Dale Kutnick, Panelists
11:00 a.m. G8. Risk-Adjusted Value Management. Paul E. Proctor
11:00 a.m. H8. Internal Auditors: Why They Do What They Do. Khushbu Pratap
1:30 p.m. G9. Technical Insights: Road Map - Managing Multinational Privacy Risks in the Cloud. Ian Glazer
1:30 p.m. H9. Improving Your Social Risk IQ. French Caldwell
4:00 p.m. G10. Six CIO Risk Techniques to Please Your Board. French Caldwell
4:00 p.m. H10. Managing Litigation and Regulatory Risks of Big Data. Sheila Childs
5:15 p.m. K4. Guest Keynote - Information Security and Technology In General - Problem Solved. You're Welcome. John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
8:00 a.m. W6. Workshop: Policy Critique. Jay Heiser
8:00 a.m. W7. Workshop: Implementing COBIT 5. Robert Stroud, ISACA's Strategic Advisory Council
9:15 a.m. W8. (9:15-11:30 a.m.) Workshop: Creating Key Risk Indicators for Your Company. Paul E. Proctor
9:15 a.m. H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence. Benjamin Wright, SANS Institute
10:30 a.m. H12. Road Map: Intelligent Information Governance 2012. Debra Logan
11:45 a.m. K5. Closing Insights and a Review of Aha Moments. Ray Wagner

New Risk and Compliance program features for 2012

Divided into two tracks (Enterprise and Operational Risk Management, and Managing Legal and Compliance Risk), the Risk Management and Compliance program offers:
- 25 in-depth sessions and two general sessions
- CRO Invitational Program
- Three workshops, two Road Map sessions, four Net IT Out sessions, and one Technical Insights session
- Two analyst-user roundtables focused on risk management and compliance
- 10 on-site Gartner analysts focused on risk management and compliance, available for private one-on-one meetings
- Special risk-management-and-compliance networking opportunities

NEW! The Business of IT Security and Risk

Meet the analysts
- Eric Ahlm
- Ruggero Contu, Principal Analyst
- Joseph Feiman, Vice President and Gartner Fellow
- Peter Firstbrook
- Ramon Krikken
- Lawrence Pingree
- John Rizzuto, Vice President and Invest Analyst
- Greg Young, Vice President

Mobility, cloud and social technologies have transformed IT, posing a stupefying array of new security threats and engendering an equally overwhelming number of new security and risk management options. In a climate of volatile change, how do you know you are making the right security and risk management investments?

New this year, The Business of IT Security and Risk program examines today's dynamic marketplace, the current landscape of market leaders and upstart innovators, as well as how the scenery is likely to change. We take an investor's financial and strategic view of the market, based on the evaluations of our analysts, the financial community and the media. Will your current partners see you through into the mobile, social, cloud-based future? Where will the leading innovations come from? Where should you put your money?

Featuring 10 sessions with leading analysts, investors, journalists and bloggers, this unique program provides extremely important information for CISOs and others investing in security and risk solutions.

NEW! Business: The Business of IT Security and Risk

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks. Vic Wheatman
10:15 a.m. K1b. Opening Keynote - Strategic Road Maps for IT Security and Risk Management. Andrew Walls
11:30 a.m. J1. Security Markets Worldwide 2012. Eric Ahlm, Ruggero Contu
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell. Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. J2. IT Security Survey: Study Results and Trends Analysis. Ruggero Contu, Lawrence Pingree

Tuesday, June 12
8:15 a.m. J3. Technical Insights: The Art of Saying Yes - Selling Application Security to Architects and Developers. Ramon Krikken
10:45 a.m. J4. SWOT Analysis: IBM and HP Application and Data Security. Joseph Feiman
2:00 p.m. J5. Security Investors' Perspectives Panel. Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman
4:30 p.m. J6. Security Market Gartner Magic Quadrant Overview. Greg Young
5:30 p.m. K3. Guest Keynote - Cybersecurity: A View From the White House. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. J7. Security Journalists and Bloggers Panel. Moderator: Greg Young
11:00 a.m. J8. SWOT Analysis: McAfee, Symantec, Cisco. Eric Ahlm, Ruggero Contu, Peter Firstbrook
1:30 p.m. J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security. Neil MacDonald, Lawrence Pingree
4:00 p.m. J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps. Joe Fuller, Dominion Enterprises
5:15 p.m. K4. Guest Keynote - Information Security and Technology In General - Problem Solved. You're Welcome. John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
11:45 a.m. K5. Closing Insights and a Review of Aha Moments. Ray Wagner

HOT TOPICS
- Information security forecasts worldwide
- Market shares in the infosec domain
- User wants-and-needs survey results
- Strengths, weaknesses, opportunities and threat (SWOT) evaluations on leading IT security and risk vendors
- Gartner Magic Quadrant trends
- Investors' perspectives panel

SESSION DESCRIPTIONS

CISO Program

TRACK A: The CISO

A1. Security and Risk Management as a Social Science
As technical security controls are increasingly integrated into the infrastructure fabric, CISOs' focuses will continue to shift toward the behaviors, attitudes and cultures of stakeholders. This presentation highlights how this will impact security leaders, and which actions they should take. Tom Scholtz

A2. Security Program Management Overview
Security programs have evolved and continue to mature. This session describes the maturity level characteristics of current information security programs and reviews the Gartner ITScore survey results. F. Christian Byrnes

A3. When Risk Management Does More Harm Than Good: RM 101
Risk used to be like the weather: everybody talked about it, but few did anything about it. While the weather still remains unpredictable, business demands a more predictable approach to IT-related risks. This session helps the new risk manager understand the basic principles of risk management. Jay Heiser

A4. Metrics That Matter
Enterprises still continue to create and report on security metrics that have no context and that nobody cares about. The effective metrics program highlights a few key measures with reasonable achievable targets that drive continuous improvement. Jeffrey Wheatman

A5. Security and Risk Governance: It's Much More Than Just Reporting
Effective governance provides accountability, responsibility, authority and assurance. Security and risk governance consists of processes and activities executed and overseen by governance bodies. Their success depends on the effectiveness of the groups tasked with executing them. F. Christian Byrnes, Tom Scholtz

A6a. Net IT Out: Articulating the Business Value of Information Security
While security budgets held up comparatively well during the recession, organizations are shifting their focuses from survival back to growth mode. This requires investment of (still-limited) financial resources into innovation and growth projects, resulting in increasing pressure on security budgets. Tom Scholtz

A6b. Net IT Out: Developing the Key Competencies of the New Security Team
As the information security discipline matures, the security-related skills and knowledge of a chief information security officer and his or her teams are taken for granted. However, security professionals who expect to thrive in a dynamic business environment need to continually learn new skills. Tom Scholtz

A7. How to Run, Grow and Transform Your Risk and Security Program
Creating and formalizing a security and risk program is inexpensive, but developing a mature program requires high-level support, a strategic approach and proper time to execute. Modern enterprises must also align with business needs and address cultural gaps with the non-IT parts of the business. Paul E. Proctor

A9. Optimizing the Information Security Organization
Stop worrying about where the CISO reports, and think about how security meets your clients' needs. Governance, accountability and responsibility can't be fixed by moving head count. Here, we discuss how organizational changes may or may not impact your information security program's success. Jeffrey Wheatman

A10. Ignore Enterprise Data Protection at Your Peril
Clients are missing the big picture when they protect data in technology silos without garnering a clear understanding of the value and risk associated with that data. This session analyzes the real drivers for data protection and provides a survey of some of the available tools to address the problem. Jeffrey Wheatman

A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy
If you aim at nothing, you will hit it. A realistic strategy is a key component of any information security program. Developing and maintaining a strategy in dynamic threat, technology and business environments is indeed challenging. Rob McMillan, Tom Scholtz

A12. Intelligent Information Governance 2012
We seem to have too much information, but not enough of the right kind. Information governance is technically complex, organizationally challenging and politically sensitive. In this session you gain best practices and lessons learned from early adopters of information governance programs. Debra Logan

A13. Trust: The Elusive Final Ingredient
Substantive external sharing only happens when everyone is confident that no harm will be caused. Trust conditions must be enabled before partners access information. Architects must understand social trust mechanisms, enabling external collaboration through the use of data protection technology. Jay Heiser

WORKSHOPS

W1. Workshop: ITScore for Security Management Workshop
Balanced scorecards provide security teams with critical tools to demonstrate value by identifying and leveraging security's benefits across multiple business domains. This workshop discusses the building blocks for balanced scorecards for information security and how clients can avoid the hurdles. F. Christian Byrnes

Analyst-User Roundtable

AUR15. Secure Web Gateways
This session is restricted to attendees with a CISO or equivalent title, or other C-level or senior management role related to information security. This is a discussion session. F. Christian Byrnes

IT SECURITY

TRACK B: Infrastructure Protection

B1. The Security State of the Cloud
Where does the world stand on cloud computing risks? This presentation provides an overview of the technical and process mechanisms that can be applied to help reduce the risks of cloud computing. Jay Heiser

B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees
As attacks become more motivated by money, and as enterprises get better at securing the infrastructure, there's been a shift to application attacks. Now it is not just hackers but also employees that create serious threats. Addressing new risks, new application and data security market spaces have emerged. Joseph Feiman

B3. The Endpoint Protection Platform in the Age of Tablets and Clouds
Tests show that current endpoint protection platforms (EPP) do not provide full protection from mass-propagated or targeted attacks. In addition, security teams are grappling with the diversification of the traditional endpoint. Here we compare current and future EPP requirements. Peter Firstbrook

B4. Case Study: The World Trade Center's Situational Awareness Platform
The security director of the iconic World Trade Center describes best practices, lessons learned and technologies deployed while implementing a situational awareness platform to monitor events and identities in real time using an integrated command center for correlating data and imagery. Lou Barani, Director of Security, World Trade Center; Moderator: Jeff Vining

B5. Road Map: Secure Communications With Partners and Customers
Regulations and data theft are increasing the focus on protecting intellectual property and sensitive information. The most common data exchange solution for most companies is . Organizations struggle with securing communications to partners, customers and contractors. Peter Firstbrook

B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely
Organizations need to permit employees of other companies to have access to sensitive information. But multienterprise collaboration can't be secured by traditional means. Learn how flexible and affordable trust technologies and services are being used to securely share data among enterprises. Jay Heiser

B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology
Data loss prevention continues to be a hot topic, and clients continue to face the challenge of seeing beyond the technology to derive value. The key to this is understanding that you need to implement a DLP process, and not just the tool. What does this mean? What are the pitfalls? Rob McMillan

B7. SIEM for Hybrid Technology and Services Deployments
We get many client calls about options for using SIEM service providers. Hybrid deployments of technology and services address activities from planning to operations and cover monitoring from corporate data centers to cloud services providers. Here we address use cases supported with SIEM services. Kelly M. Kavanagh, Mark Nicolett

B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud
This presentation is about security monitoring for cloud environments as well as about using the cloud-delivered tools for monitoring traditional on-premises IT environments. Do we have to use the cloud to monitor the cloud? What traditional approaches will work? Anton Chuvakin

B9. The New Dangers of Machine to Machine (M2M) in the Enterprise
By 2015 there will be more M2M devices than laptops or tablets. This presentation examines how these devices communicate, authenticate and access resources across the infrastructure and introduce new security dangers to the enterprise. Tim Zimmerman

B10. The Mobile Security Brothers Traveling Roadshow
Repeating and updating this popular and fun session, the brothers explore critical issues in the rapidly changing world of mobile and wireless computing, but within an audience-interactive game show format with valuable prizes! John Girard, John Pescatore

B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats
Here we explore extending a whitelisting paradigm from servers to all endpoints using best-practice techniques such as trusted change, IT operations integration and systematic workload reprovisioning of servers and desktops to pull the rug out from under advanced persistent threats. Neil MacDonald

B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector
This case study looks at an industry-specific, secure community cloud environment designed to improve collaboration. We identify the key components and necessary safeguards for tactical and strategic deployment, and project when vendors will support the emerging community cloud concept. Doug Simmons, Gartner Consulting

IT SECURITY

TRACK C: Infrastructure Protection

C1. Road Map: The Next Generation of Firewalls and IPS
Threats continue to advance, and network security defenses must evolve to become effective against advanced targeted threats. Enterprises should require vendors to add next-generation intrusion prevention features to network security products. Greg Young

C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence
IT infrastructures have become increasingly virtualized and complex, with workload mobility in conjunction with the cloud becoming the norm. This presentation provides a framework for using big data to deliver actionable insight and intelligence for security and operations from a sea of data. Neil MacDonald

C3. Monitoring Users for Security Intelligence: Threats and Opportunities
Monitoring the communications of employees (and others), on both internal and external systems, is critical to security intelligence and situational awareness. While leveraging this data to improve security, we must also defend against unfriendly monitoring and data discovery that could be damaging. Andrew Walls

C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet?
Loss and data exposure are the primary risks organizations face with mobile devices. Using off-the-shelf forensic tools to analyze typical mobile devices, we demonstrate how data is exposed and unintentionally propagated. The analysts then recommend best-practice defenses. John Girard, Lawrence Pingree

C5. Case Study: DoD's Approach to Security Testing
Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps

C6a. Net IT Out: Technical Insights - Securing Browser-Based Applications
Applications running in Web browsers may be implemented in HTML4, HTML5 and JavaScript, or they may use Java, Silverlight, Flash or other platforms. This session discusses the client-side risks of running applications in Web browsers, and covers the strengths and weaknesses of the various protections. Mario de Boer

C6b. Net IT Out: Road Map - Gaining Control of Consumerization
Consumerization is here and IT struggles to keep up. End users have embraced tablets, smartphones, VoIP and Dropbox, giving little thought to security. Reclaim control to create a secure consumerized environment by implementing new technologies and developing reasonable policies and controls. Lawrence Orans

C7. Technical Insights: Mobility and Security - Gartner Field Research on Mobility and Consumerization
Gartner field research identified security issues that arise when introducing consumer devices into the enterprise. We also identified solutions as enterprises deal with the problems. This session presents the results, regarding governance, technical security and management solutions. Eric Maiwald

C8. Deep Dive Into Internet Infrastructure Attacks
Cracks appear in the Internet's infrastructure. DDoS attacks have increased in intensity and frequency. Attacks on certificate authorities expose SSL's fragility. Attacks on the DNS infrastructure can cause large-scale fraud and disrupt trust. We analyze recent attacks and identify solutions. Lawrence Orans, John Pescatore

C9. Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management
Attackers are improving their ability to find and exploit security weaknesses. The first order of business is to present a hard target. This requires IT security organizations to run operationally effective vulnerability management across multiple cooperating IT operations and application support teams. Mark Nicolett

C10. NIST's National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage
NIST's new cyberframework, the NICE program, defines 31 cybersecurity skill specialty areas in today's security workforce. This session addresses how CIOs and CISOs can leverage the framework's best practices to save time and money in future IT cyberworkforce planning and development. Steve Hawald

C11. Manage Your Security Vendors or Be Mangled
This session presents best practices for deciphering and assessing proposals for security equipment and offerings, as well as the associated discounts you should receive. And what about all your security spending? Is there a way to manage it as a portfolio? Greg Young

C12. Network Security Open Q&A
Have a network security problem or issue? Wondering about the next-generation thingie, appliance or as a service service? What is coming in network security? How can organizations provide strong security when the perimeter is essentially porous? Does network security have a future, or does the data, application and infrastructure need hardening? Bring your questions to this open forum with top Gartner network security analysts. Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young

C13. Technical Insights: Network Security Architecture for Internal Private Clouds
Private clouds change the data center world. It is no longer easy to know which application is running on which server. This leads to concerns about how to efficiently move, monitor and control traffic between virtual machines. Enterprises need to rethink network security architecture options. Eric Maiwald

IT SECURITY

TRACK D: Secure Business Enablement

D1. Protecting Your Network in the Era of BYOD
Network access control (NAC) burst on the scene in 2003 as the answer to Sasser, Blaster and the worm era. It was derided as an overhyped concept. Now that bring your own device (BYOD) has emerged as an unstoppable trend, NAC is back in favor again, this time as a solution for gaining back control of the network. Lawrence Orans

D2. Taking Privacy to the Next Level With a Privacy Program
Leading enterprises avoid piecemeal, costly and risky approaches to privacy by combining governance, policy, education and incident response aligned with application development, security and risk management for world-class privacy programs. Learn about privacy by design. Carsten Casper

D3. Road Map: Operationalizing Encryption
Encryption benefits security postures. But without adequately understanding resources, controls and risk mitigation, the ultimate benefit may be no better than before encryption. Here we look at the major categories of data, devices and service considerations when maximizing encryption's value. Eric Ouellet

D4. Technical Insights: Operationalizing PCI DSS Compliance
Here we discuss how to make compliance with the Payment Card Industry Data Security Standard (PCI DSS) an ongoing effort that is tied to security management, operations and other units. We present guidance on how to remain compliant despite changes in environments. Anton Chuvakin

D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence
When it comes to getting infected, cyberattacked, or having vulnerabilities, no organization remains untouched. Thousands of security companies build security tools and services, research malware, probe vulnerabilities and try to help organizations with defense or response, but they struggle to connect the dots. Dan Blum

D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management
Do you need to share data while preserving privacy? To use public clouds or consolidate global data centers while being compliant with privacy laws? To respond to breaches? To monitor changes in privacy regulations? This session helps you understand the usefulness of various emerging technologies. Carsten Casper

D6b. Net IT Out: Job Security in Cloud Era - Will Jobs Stay or Vaporize?
Cloud is a transformational phenomenon that changes our businesses and our IT organizations. Will cloud transform IT workforce? Will it threaten job security? Joseph Feiman

D7. Operationalize Social Media to Improve Security Performance
Business is moving past the experimental stage and is actively developing new ways to maximize profits through social media. It is time for security to do the same and use social media to improve security. This presentation explores the opportunities for security improvement through social media. Andrew Walls

D9. Case Study TBA

D10. Technical Insights: SaaS Security - Trust Versus Technology
Enterprises would love to commoditize by cutting costs through outsourcing. However, it is a primary channel, carrying sensitive and proprietary content that needs protection. Much intellectual property resides in databases. Outsourcing to a SaaS provider raises a number of critical questions. Dan Blum

D13. Developing and Implementing a Superior Mobile Device Policy
Mobile devices, particularly consumer-level products, have trampled over the well-crafted policies that companies put in place for trusted work systems. Businesses must adapt and do so quickly, and they must learn to prioritize the basic configuration and security policies that they will need to preserve. John Girard

IT SECURITY

TRACK E: Secure Business Enablement

E1. Higher, Faster, Stronger: The Performant IAM Program
Every enterprise has to manage workforce, partner and customer identities and the access they get. Not all enterprises are tackling IAM initiatives to maximize IAM value to the business through enhanced security and risk management, improved operations or better business outcomes. Ant Allan

E2. Road Map: IAM Operations - The IAM Data Model
Great IAM operations don't just happen. They're built on solid infrastructure foundations that include high-fidelity identity data stored and used in a structured manner to deliver access and other identity-based services. This presentation describes this operational infrastructure foundation. Earl Perkins

E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise
When it comes to good practices, IAM programs generate information about what to do and what not to do from planning and design, to product/service choices, deployment and operations. This session explores lessons learned when IAM solutions have addressed both business and technical requirements. Perry Carpenter

E4. Layered Fraud Prevention for Land-Based and Mobile Computing
This presentation proposes five layers for fraud prevention and sets priorities for managing immediate threats, such as malware-based cyberattacks, within a framework of fraud management. What are the five layers for fraud prevention? Avivah Litan


More information

TRIP REPORT. Security & Risk Management Community KEY TAKE-AWAYS. Conference Highlights. 17 21 October 2010 Orlando, Florida

TRIP REPORT. Security & Risk Management Community KEY TAKE-AWAYS. Conference Highlights. 17 21 October 2010 Orlando, Florida 17 21 October 2010 Orlando, Florida TRIP REPORT This year s Gartner Symposium/ITxpo was focused on the theme, Transitions: New Realities, Rules and Opportunities. This report offers an overview of what

More information

Gartner Security & Risk Management Summit 2015

Gartner Security & Risk Management Summit 2015 EARLY-BIRD DISCOUNT Save 6,500 by 3 July Gartner Security & Risk Management 2015 1 2 September Mumbai, India gartner.com/in/security Manage Risk and Deliver Security in a Digital World Hot topics Cybersecurity

More information

SITUATIONAL AWARENESS MITIGATE CYBERTHREATS

SITUATIONAL AWARENESS MITIGATE CYBERTHREATS Gaining the SITUATIONAL AWARENESS needed to MITIGATE CYBERTHREATS Industry Perspective EXECUTIVE SUMMARY To become more resilient against cyberthreats, agencies must improve visibility and understand events

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Gartner Information Security Summit 2009

Gartner Information Security Summit 2009 Gartner Information Security Summit 2009 June 28 July 1, 2009 Washington, D.C. Evolve your role. Optimize value. Protect the business. EARN CPE Credits! See Page 7 for details. Conference Co-Chairs Vic

More information

Own, launch, grow and support your cloud backup and recovery offering

Own, launch, grow and support your cloud backup and recovery offering Asigra Hybrid Partner Program Own, launch, grow and support your cloud backup and recovery offering Recovery is Everything Get powered by Asigra. Deliver your own backup service, be a data recovery specialist,

More information

Gartner Identity & Access Management Summit 2010

Gartner Identity & Access Management Summit 2010 Early-Bird Savings Save $300 when you register by October 13 Gartner Identity & Access Management Summit 2010 November 15 17 San Diego, CA gartner.com/us/iam Transforming IAM: The New Business Intelligence

More information

The Challenge of Securing and Managing Data While Meeting Compliance

The Challenge of Securing and Managing Data While Meeting Compliance ESG Brief Commvault: Integrating Enterprise File Sync and Share Capabilities with Data Protection and Backup Date: September 2015 Author: Terri McClure, Senior Analyst, and Leah Matuson, Research Analyst

More information

security changes with Orange focus on your business, we focus on your security

security changes with Orange focus on your business, we focus on your security security changes with Orange focus on your business, we focus on your security the only constant in security is change New uses and new technologies, proliferation of platforms and new workspaces in a

More information

Gartner Magic Quadrant Sources and Disclaimer

Gartner Magic Quadrant Sources and Disclaimer Gartner Magic Quadrant Sources and Disclaimer 1. Gartner Magic Quadrant for Network Access Control; by Lawrence Orans, John Pescatore, Mark Nicolett; March 27, 2009 2. Gartner Magic Quadrant for Endpoint

More information

Tuesday, August 19th Prevent, Detect, Respond: A Framework for Effective Cyber Defense Dr. Eric Cole, Fellow, SANS Institute

Tuesday, August 19th Prevent, Detect, Respond: A Framework for Effective Cyber Defense Dr. Eric Cole, Fellow, SANS Institute Tuesday, August 19 th 9:00-9:45 am Keynote Address Prevent, Detect, Respond: A Framework for Effective Cyber Defense Security is now a mainstay of boardroom discussions. However, many organizations remain

More information

Presidential Summit Reveals Cybersecurity Concerns, Trends

Presidential Summit Reveals Cybersecurity Concerns, Trends Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Presidential Summit Reveals Cybersecurity Concerns,

More information

IDC US UPCOMING EVENT CALENDAR

IDC US UPCOMING EVENT CALENDAR IDC US UPCOMING EVENT CALENDAR Software as a Service (SaaS) Summit Contact: Patty Caron, Program Director, pcaron@idc.com Lead Analysts: Michael Fauscette and Robert P. Mahowald September 17, 2008 San

More information

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Cybersecurity..Is your PE Firm Ready? October 30, 2014 Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Gartner Security & Risk Management Summit 2013

Gartner Security & Risk Management Summit 2013 Gartner Security & Risk Management Summit 2013 19 20 August Sydney, Australia gartner.com/ap/security THREE COMPLETE PROGRAMS Chief Information Security (CISO) Program Risk Management and Compliance Program

More information

Indianapolis November 17 th South Bend November 18 th. Sponsored by

Indianapolis November 17 th South Bend November 18 th. Sponsored by Indianapolis November 17 th South Bend November 18 th Sponsored by Today's Agenda Today s Agenda 8:30 AM Registration & Welcome Breakfast 9:00 AM Keynote & Microsoft Roadmap 9:30 AM Business Enablement

More information

o Cost containment through effective and SAP IT Procurement & negotiation strategies to help them achieve best-inclass, purchasing Asset Management

o Cost containment through effective and SAP IT Procurement & negotiation strategies to help them achieve best-inclass, purchasing Asset Management Alexa Bona s research currently focuses on IT management. As part of the IT Procurement and Asset o Workshop: Six Steps to Preparing and Negotiating Software Contracts o Negotiating effective sustainable

More information

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention symantec.com One of the interesting things we ve found is that a lot of the activity you d expect to be malicious

More information

Architecting the Digital Business: How to Use and Secure Cloud, Mobile and Data

Architecting the Digital Business: How to Use and Secure Cloud, Mobile and Data NEW EvENt FOR 2014! 17 18 June 2014 london, uk gartner.com/eu/catalyst FOR technologists, BY technologists Architecting Digital : How to Use and Secure, and Data HOT TOPICS Securing public cloud Making

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

Security Services. 30 years of experience in IT business

Security Services. 30 years of experience in IT business Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL BY 2 In enterprise IT, there is a single point where everything that matters in information, technology and business converges: Cybersecurity Nexus

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

Cisco Cloud Enablement Services for Education

Cisco Cloud Enablement Services for Education Services Overview Cisco Cloud Enablement Services for Education Bringing the Cloud to the Campus In today s higher education environment, IT organizations must keep pace with a long list of competing demands:

More information

Risk, Governance & Regulatory Compliance Solutions

Risk, Governance & Regulatory Compliance Solutions IBM Forum: Risk, Governance & Regulatory Compliance Solutions October 31 - November 2, 2005 Mohonk Mountain House, New Paltz, New York October 31 Keynotes & Solutions Expo 1:00 p.m. - 6:00 p.m. November

More information

The Benefits of an Integrated Approach to Security in the Cloud

The Benefits of an Integrated Approach to Security in the Cloud The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The

More information

Gartner Security & Risk Management Summit 2015

Gartner Security & Risk Management Summit 2015 EARLY-BIRD Discount Save 325 by 17 July Gartner Security & Risk Management Summit 2015 14 15 September London, UK gartner.com/eu/security The World s Most Important Gathering for Security and Risk Executives

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

Cloud Computing. Key Initiative Overview

Cloud Computing. Key Initiative Overview David W. Cearley Research Vice President and Gartner Fellow This overview provides a high-level description of the Cloud Computing Key Initiative. IT leaders can use this guide to understand what they

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value. SYMANTEC MANAGED SECURITY SERVICES Superior information security delivered with exceptional value. A strong security posture starts with a smart business decision. In today s complex enterprise environments,

More information

Identity and Access Management. Key Initiative Overview

Identity and Access Management. Key Initiative Overview Ray Wagner Research Managing Vice President This overview provides a high-level description of the Identity and Access Management Key Initiative. IT leaders can use this guide to understand what they need

More information

State of Information Security

State of Information Security State of Information Security Second Annual Assessment Study 2013 Table of Contents: Synopsis and Methodology _ page 2 A Snapshot of Participants _ page 2 Survey Findings _ page 5 Final Thoughts _ page

More information

SYMPOSIUM PROGRAM DAY ONE

SYMPOSIUM PROGRAM DAY ONE Tuesday 26 th August 2014 9.00am - 5.30pm RACV City Club, Melbourne SYMPOSIUM PROGRAM DAY ONE 8:30am Registration Opens Location: Foyer Level 2 9:00am 9:10am Symposium Welcome Speaker: Tom Garcia, Chief

More information

The Keys to Successful Cloud Migrations

The Keys to Successful Cloud Migrations Moving Federal Agencies to the Cloud The Keys to Successful Cloud Migrations A WHITE PAPER PRESENTED BY: September 2014 PREPARED BY MARKET CONNECTIONS INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA

More information

The Cloud Balancing Act for IT: Between Promise and Peril

The Cloud Balancing Act for IT: Between Promise and Peril The Cloud Balancing Act for IT: Between Promise and Peril Table of Contents EXECUTIVE SUMMARY...2 ONBOARDING CLOUD SERVICES...3 SYSTEMS OF RECORD: THE NEXT WAVE OF CLOUD ADOPTION...6 A CULTURE OF COMPLIANCE

More information

IBM Software Cloud service delivery and management

IBM Software Cloud service delivery and management IBM Software Cloud service delivery and management Rethink IT. Reinvent business. 2 Cloud service delivery and management Virtually unparalleled change and complexity On this increasingly instrumented,

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

Don t Go In Blind: Navigating the Journey to the Cloud. agility made possible

Don t Go In Blind: Navigating the Journey to the Cloud. agility made possible Don t Go In Blind: Navigating the Journey to the Cloud agility made possible Introduction The business world has changed. The time for speculating about how growing market forces, such as an unpredictable

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation

More information

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org

More information

Riding technology waves

Riding technology waves BT Assure Riding technology waves Making the bring your own device (BYOD) trend work for you Making the bring your own device (BYOD) trend work for you Your data is everywhere. It s on devices you own

More information

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things Cyber security Digital Customer Experience Digital Employee Experience Digital Insight Internet of Things Payments IP Solutions Cyber Security Cloud 2015 CGI IT UK Ltd Contents... Securing organisations

More information

Navigating the NIST Cybersecurity Framework

Navigating the NIST Cybersecurity Framework Navigating the NIST Cybersecurity Framework Explore the NIST Cybersecurity Framework and tools and processes needed for successful implementation. Abstract For federal agencies, addressing cybersecurity

More information

Gartner IT Infrastructure & Operations Management Summit 2013

Gartner IT Infrastructure & Operations Management Summit 2013 Management Summit 0 June 8 0 Orlando, FL gartner.com/us/iom Delivering on your top priorities Gartner IT Infrastructure & Operations Management Summit 0 arms you with the strategies, techniques and best

More information

Dallas, TX September 10. Chairman: Lance Spitzner

Dallas, TX September 10. Chairman: Lance Spitzner Dallas, TX September 10 Chairman: Lance Spitzner AGENDA All Summit Sessions will be held in the Vista Ballroom (unless noted). All approved presentations will be available online following the Summit

More information

Security Practices for Online Collaboration and Social Media

Security Practices for Online Collaboration and Social Media Cisco IT Best Practice Collaboration Security Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 2013 Cisco and/or its affiliates. All rights reserved.

More information

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT) INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015

More information

Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards

Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards Paul de Graaff Chief Strategy Officer Vanguard Integrity Professionals March 11, 2014 Session

More information

Gartner Identity & Access Management Summit 2013

Gartner Identity & Access Management Summit 2013 Gartner Identity & Access Management Summit 2013 November 18 20 Los Angeles, CA gartner.com/us/iam HOT TOPICS IAM SUPPORTING MOBILE, SOCIAL, CLOUD AND INFORMATION INITIATIVES IAM BEST PRACTICES FOR DEPLOYMENT

More information

How to Manage Your Data as a Strategic Information Asset

How to Manage Your Data as a Strategic Information Asset How to Manage Your Data as a Strategic Information Asset CONCLUSIONS PAPER Insights from a webinar in the 2012 Applying Business Analytics Webinar Series Featuring: Mark Troester, Former IT/CIO Thought

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

BYOD & MOBILE SECURITY

BYOD & MOBILE SECURITY 2013 surve y results BYOD & MOBILE SECURITY Group Partner Information Security Sponsored by Symantec KPMG Zimbani MailGuard INTRODUCTION Welcome to the 2013 BYOD & Mobile Security Report! Bring Your Own

More information

The Evolution of Application Monitoring

The Evolution of Application Monitoring The Evolution of Application Monitoring Narayan Makaram, CISSP, Director, Solutions Marketing, HP Enterprise Security Business Unit, May 18 th, 2012 Rise of the cyber threat Enterprises and Governments

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Building Security In:

Building Security In: #CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me

More information

October 1 st Smart Phone Security Awareness

October 1 st Smart Phone Security Awareness October 1 st Smart Phone Security Awareness Title: Smart Phone Security Attack Vectors and Controls Presenter: Eric Maiwald, Gartner Description: Even though they are sometimes found under the Christmas

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

Healthcare Information Security Today

Healthcare Information Security Today Healthcare Information Security Today 2015 Survey Analysis: Evolving Threats and Health Info Security Efforts WHITE PAPER SURVEY BACKGROUND The Information Security Media Group conducts an annual Healthcare

More information

Securing your Corporate Infrastructure What is really needed to keep your assets protected

Securing your Corporate Infrastructure What is really needed to keep your assets protected Securing your Corporate Infrastructure What is really needed to keep your assets protected Joseph Burkard CISA, CISSP October 3, 2002 1 Securing your Corporate Infrastructure Management Dilemma or Technical

More information

50x 2020 40 Zettabytes*

50x 2020 40 Zettabytes* IBM Global Technology Services How to integrate cloud-based disaster recovery into your existing business continuity plans Richard Cocchiara: IBM Distinguished Engineer; CTO IBM Business Continuity & Resiliency

More information

Chief Security Strategist Symantec Public Sector

Chief Security Strategist Symantec Public Sector Chief Security Strategist Symantec Public Sector Advanced Persistent Threat Further things to understand about the APT Compromised Game Networks Lulzec Anonymous/YamaTough WikiLeaks 101 Global Intelligence

More information

Conference Schedule SUNDAY

Conference Schedule SUNDAY NorthEast Disaster Recovery Information X-Change 2015 ANNUAL CONFERENCE Sunday, October 25 to Wednesday, October 28 Hyatt Regency Newport 1 Goat Island, Newport, Rhode Island The Premier Information Network

More information

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE AN IANS INTERACTIVE PHONE CONFERENCE FEBRUARY 11, 2009 CHRIS PETERSON, CTO, FOUNDER, LOGRHYTHM NICK SELBY, IANS FACULTY SUMMARY OF FINDINGS Underwritten

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Gartner Application Architecture, Development & Integration Summit 2014

Gartner Application Architecture, Development & Integration Summit 2014 Gartner Application Architecture, Development & Integration Summit 2014 21 22 July Hilton Sydney, Australia gartner.com/ap/aadi Transform Your Applications Strategy for a Digital World hot TOPICS Flexible

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

State of Security Survey GLOBAL FINDINGS

State of Security Survey GLOBAL FINDINGS 2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Cybersecurity in the States 2012: Priorities, Issues and Trends

Cybersecurity in the States 2012: Priorities, Issues and Trends Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State

More information

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government

More information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Cybersecurity Strategic Consulting

Cybersecurity Strategic Consulting Home Overview Challenges Global Resource Growth Impacting Industries Why Capgemini Capgemini & Sogeti Cybersecurity Strategic Consulting Enabling business ambitions, resilience and cost efficiency with

More information

Top 5 reasons to choose HP Information Archiving

Top 5 reasons to choose HP Information Archiving Technical white paper Top 5 reasons to choose HP Information Archiving Proven, market-leading archiving solutions The value of intelligent archiving The requirements around managing information are becoming

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

Key Trends, Issues and Best Practices in Compliance 2014

Key Trends, Issues and Best Practices in Compliance 2014 Key Trends, Issues and Best Practices in Compliance 2014 What Makes This Survey Different Research conducted by independent third party Clients and non-clients 301 executive decision makers 35 qualitative

More information

W H I T E P A P E R E d u c a t i o n a t t h e C r o s s r o a d s o f B i g D a t a a n d C l o u d

W H I T E P A P E R E d u c a t i o n a t t h e C r o s s r o a d s o f B i g D a t a a n d C l o u d Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com W H I T E P A P E R E d u c a t i o n a t t h e C r o s s r o a d s o f B i g D a t a a n d C l o

More information

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise Best practices in open source governance Managing the selection and proliferation of open source software across your enterprise Table of contents The importance of open source governance... 2 Executive

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

McAfee Security Architectures for the Public Sector

McAfee Security Architectures for the Public Sector White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed

More information

Global Access to More Than 10,000 Enterprise IT Decision Makers

Global Access to More Than 10,000 Enterprise IT Decision Makers Sponsor Prospectus The world s most important gathering of CIOs and senior IT executives Global Access to More Than 10,000 Enterprise IT Decision Makers Celebrating 20 Years of Commitment and Performance

More information

Embracing BYOD with MDM and NAC. Chris Isbrecht, Fiberlink Gil Friedrich, ForeScout

Embracing BYOD with MDM and NAC. Chris Isbrecht, Fiberlink Gil Friedrich, ForeScout Embracing BYOD with MDM and NAC Chris Isbrecht, Fiberlink Gil Friedrich, ForeScout 1 Today s Agenda The BYOD Landscape Network Access Control (NAC) 101 Embracing BYOD with MDM and NAC Use Cases 2 The BYOD

More information

Governance Takes A Central Role As Enterprises Shift To Mobile

Governance Takes A Central Role As Enterprises Shift To Mobile A Forrester Consulting Thought Leadership Paper Commissioned By Druva October 2014 Governance Takes A Central Role As Enterprises Shift To Mobile Table Of Contents Executive Summary... 1 Mobility Adds

More information